IETF Logo Mail Archive

Re: [Privacy-pass] Updated WG charter text

Joseph Salowey <joe@salowey.net> Fri, 08 May 2020 16:01 UTC

Return-Path: <joe@salowey.net>
X-Original-To: privacy-pass@ietfa.amsl.com
Delivered-To: privacy-pass@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A0BC13A0BDC for <privacy-pass@ietfa.amsl.com>; Fri, 8 May 2020 09:01:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=salowey-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lNQzmrhrQgJ2 for <privacy-pass@ietfa.amsl.com>; Fri, 8 May 2020 09:01:55 -0700 (PDT)
Received: from mail-qt1-x836.google.com (mail-qt1-x836.google.com [IPv6:2607:f8b0:4864:20::836]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AA1613A0BBF for <privacy-pass@ietf.org>; Fri, 8 May 2020 09:01:54 -0700 (PDT)
Received: by mail-qt1-x836.google.com with SMTP id 4so1654815qtb.4 for <privacy-pass@ietf.org>; Fri, 08 May 2020 09:01:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=salowey-net.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=3XPl3fgja669Zn7rBfaL4XW1lmTP2WtZ6jzsPfw957g=; b=FAJZOIGApbM/XQLAMrQB7q8kEU4cJ5R2Nbl7JGyC6qKB8C2yqg2sCUKyHQ20MvW5gM mZMSLvRapE1ay24f9HOuteueKh7CEbSimAe9QLfB6svC+ZgQMy6y3XNsu+f0sVeC7gA1 wN/9Wdgtqyx/J49p0NknanAjwam7YnTkYl0bVlsvA+o2FcUiY6z7FEni7dKY+M2UtTyA i5s4Mbg/8z8tI60j12hh2+My5ZqtS0BXvi7q7uea3TtEcXnbpMEvnnNZ9ejhjuL0EsTP FMV+5utq7T5gpJZlQTjcSyZwmczqVRQMyVnMtu0Qn4q4TKdC1O6Mo9zW0RYQkfSnfJoT njHQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=3XPl3fgja669Zn7rBfaL4XW1lmTP2WtZ6jzsPfw957g=; b=bx/VocA06Oqz2HivWSJjnq7Nm84Hs9sFau7FDqxKAz/M9j6u8iHip49l7rOGuWeWcV U+tHHrONpvOYJeYLnKeCkF8LTfymtJ6DPovuBp99/Qgg5oQEY6lnDMbIY/kjQKmJzos0 ZIeLFbtb9jEKdTbOf7J88wb7oDa+DETGR7+/uXARpDgCFnu/IM+SYC446mS10VCG71Uz ypH0tnPbGMyT9xALiufG//njQ4pDM0o6hfSuM2B7DnJa1xB8A0s32uywA+ILTcZBhilD 059bUjCGNfsewacudPTJCqPjHzEqmDnyizZrgfx34JTbZ/7nf4lWr7BC0GSZwybZnPZk dZVQ==
X-Gm-Message-State: AGi0PuY6pbbsKFuQA6ksprH/gy3b3b4r3iD/tkZAK/skayRmJGxeqRoY Oj4CRtO/pXpR9uHEmTePUxhSmhk18RTiKwGhBm5+Aw==
X-Google-Smtp-Source: APiQypKQx7txsM3GrH8bi7eKeOlErEsY3R6IhgyM92YgJV3ldPKPmweGrEXa1rYlDY5G3JSy+ffWQ2aBRH5qEFexEgg=
X-Received: by 2002:aed:234f:: with SMTP id i15mr3944619qtc.249.1588953713355; Fri, 08 May 2020 09:01:53 -0700 (PDT)
MIME-Version: 1.0
References: <40600024-A6F1-41D7-B7A8-4B4D7D48201B@cloudflare.com> <4239f287-9a96-4700-ac32-8583ca451115@www.fastmail.com> <a469cd36-dcae-4d15-8b7b-a86071ea6d3d@www.fastmail.com> <E574167C-92BD-48B1-8BE3-9BE67F401ECE@cloudflare.com> <427CC8A8-F741-4E63-89E3-28B361A06F68@cloudflare.com> <CANduzxAamgX2hnrKA7AxSQDMJ=78gCVed+7tVEaSMLbkgywpMQ@mail.gmail.com> <EC4AE394-552A-45D8-B688-E3B9D723373C@cloudflare.com> <7e21339a-a0fd-48d2-bcd4-171c7db8f9ef@www.fastmail.com>
In-Reply-To: <7e21339a-a0fd-48d2-bcd4-171c7db8f9ef@www.fastmail.com>
From: Joseph Salowey <joe@salowey.net>
Date: Fri, 08 May 2020 09:01:38 -0700
Message-ID: <CAOgPGoD+0EqC+PYS8A+UHLtRQpV1STjwpoPtOMeG-dhLmm3GLw@mail.gmail.com>
To: Christopher Wood <caw@heapingbits.net>
Cc: privacy-pass@ietf.org
Content-Type: multipart/alternative; boundary="000000000000a646ad05a5251d24"
Archived-At: <https://mailarchive.ietf.org/arch/msg/privacy-pass/zD5H_W5x_VNTbvl56Q8wHUA_UYI>
Subject: Re: [Privacy-pass] Updated WG charter text
X-BeenThere: privacy-pass@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <privacy-pass.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/privacy-pass>, <mailto:privacy-pass-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/privacy-pass/>
List-Post: <mailto:privacy-pass@ietf.org>
List-Help: <mailto:privacy-pass-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/privacy-pass>, <mailto:privacy-pass-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 May 2020 16:02:01 -0000

On Fri, May 8, 2020 at 8:01 AM Christopher Wood <caw@heapingbits.net> wrote:

> On Fri, May 8, 2020, at 3:12 AM, Alex Davidson wrote:
> > Yeah, this is a good point. So we could potentially rewrite the
> milestones as:
> >
> > - Specification of protocol & surrounding architecture.
> > - Specification of application-layer requirements (including HTTP
> integration).
> > - Specification of HTTP browser API (in coordination with W3C).
> > - Formal analysis of protocol.
> > - Concrete implementations.
> > - Any protocol extensions.
> >
> > I think we may be able to stick to the same timeline? Because the W3C
> > coordination on the browser API can happen whilst the remaining
> > milestones are completed, and after the application-layer requirements
> > have been specced out.
>
> These look good to me! I agree that this lines up with the timeline you
> proposed earlier, which seems quite reasonable.
>
> One small nit: I might fold formal analysis and implementation efforts
> into the first milestone, as I'd expect them to happen in tandem.
>
>
[Joe] Agreed, the working group milestones mostly reflect document
deliverables.  Implementation and analysis are important.  Including a
statement about formal analysis in the text of the charter might be good,
maybe something like the following at then end of the fourth charter
paragraph:

"Formal analysis of the protocol will make sure the security and privacy
properties of the protocol
are well-understood and well-documented."

I think we might also need some estimates on target dates for milestones.
Below are some guesses.  Do you think it is reasonable to complete the
protocol and formal analysis in this time? Does the W3C have any milestones
in this area?

- Specification of protocol & surrounding architecture  - February 2021
- Specification of application-layer requirements (including HTTP
integration) - March 20201
- Specification of HTTP browser API (in coordination with W3C) - April 20201


> Best,
> Chris
>
> >
> > > On 6 May 2020, at 15:05, Steven Valdez <svaldez=
> 40google.com@dmarc.ietf.org> wrote:
> > >
> > > One distinction possibly worth making for milestones is that there are
> two sorts of HTTP-level APIs.
> > >
> > > There's the wrapping for communication between client and issuers, the
> headers/endpoints/HTTP requests/responses made as part of issuance and
> redemption requests, as well as the key management story/recommendations
> for how to distribute key materials and configuration information.
> > >
> > > Then there's the API that HTTP consumers/websites/etc would be using
> to call into the protocol, the JS/HTML attributes that you might need to
> hook into PrivacyPass, allow a website to include tokens or request tokens.
> > >
> > > I think the first is probably more important initially to provide some
> sort of API that can be used for implementations of the protocol. But also
> shouldn't require much (if any) W3C coordination.
> > >
> > > The second one is more important for building use cases on top of and
> seeing what interfaces to expose to developers/consumers and will likely be
> the HTTP-level API that will need more coordination with the W3C
> specs/Fetch/etc.
> > >
> > > On Wed, May 6, 2020 at 5:40 AM Alex Davidson <adavidson=
> 40cloudflare.com@dmarc.ietf.org> wrote:
> > >> It has been mentioned off-list that the charter would benefit from
> having explicit milestones laid out in the document. To this end, here are
> the key tasks that need to be completed by the WG (in my opinion):
> > >>
> > >> - Specification of protocol & protocol architecture.
> > >> - Specification of HTTP API (in coordination with W3C).
> > >> - Formal analysis of protocol.
> > >> - Concrete implementations.
> > >> - Any protocol extensions.
> > >>
> > >> I think getting the first two milestones done for the core
> instantiation of the protocol (currently documented) will be important in
> facilitating the three steps afterwards.. The final three steps can be done
> in parallel, since they do not depend on each other. In terms of a rough
> timeline, I would expect that achieving the first step would be doable by
> Spring 2021, and then the HTTP API could follow in mid-2021. The rest of
> the steps are slightly variable, but I would expect that the rest of the
> work could completed in a further 6-12 months.
> > >>
> > >> Questions: Do these milestones reflect the scope of required work to
> everyone else? Does the proposed timeline make sense?
> > >>
> > >> Next steps: Once we have agreement (/if no-one disagrees with what is
> written), then I’ll add it to the charter. We will then take this version
> of the charter forward in the WG formation process.
> > >>
> > >>> On 28 Apr 2020, at 11:47, Alex Davidson <adavidson@cloudflare.com>
> wrote:
> > >>>
> > >>> Thanks all for the feedback! I’ve pushed updated wording to the
> GitHub PR (
> https://github.com/alxdavids/privacy-pass-ietf/pull/12/commits/e987d2ba60fa7b0ba986a65c29214ce893d7b667)
> and also added it at the bottom of this email. I’ve inlined some responses
> to the specific points explaining the changes below.
> > >>>
> > >>>> On 23 Apr 2020, at 17:52, Christopher Wood <caw@heapingbits.net>
> wrote:
> > >>>>
> > >>>> On Wed, Apr 22, 2020, at 5:32 PM, Martin Thomson wrote:
> > >>>>>> First, specify an extensible protocol for creating and redeeming
> > >>>>>> anonymous and transferrable tokens. The protocol should permit
> suitable
> > >>>>>> cryptographic ciphersuites and security parameterization for
> > >>>>>> cryptographic agility. Negotiation of cryptographic parameters is
> an
> > >>>>>> application-specific property and thus out of scope for the
> Working
> > >>>>>> Group. Specification of the underlying cryptographic algorithms or
> > >>>>>
> > >>>>> This bit about choosing parameters seems to be in tension with the
> > >>>>> previous sentence. One of the problems with a system like this is
> > >>>>> coordinating algorithm changes. I think that we need a plan, not a
> big
> > >>>>> punt.
> > >>>>
> > >>>> I'm thinking about this more like the DoH effort, which focused
> first and foremost on the protocol itself and punted other concerns such as
> discovery and whatnot.
> > >>>
> > >>> Due to the restrictions on key material updates for client privacy,
> the ciphersuite is determined explicitly by the key that the server is
> currently using. Moreover, the supported ciphersuites should be specified
> by the underlying cryptographic protocol that is being used. Therefore, I
> think the choice of ciphersuite is a unilateral decision made by the
> server, and so the negotiation framework does not really belong to the
> protocol description.
> > >>>
> > >>>>>> protocols is also out of scope. The Working Group will specify a
> > >>>>>> preliminary set of extensions, including Issuer-supplied metadata
> and
> > >>>>>> public verifiability, as well as any additional extensions that
> may
> > >>>>>
> > >>>>> What does "public verifiability" mean here?
> > >>>>
> > >>>> I think it means that someone beyond the party which issued the
> token (and holds the OPRF private key) can verify the authenticity of a
> token.. As an example, blind signatures have this property.
> > >>>
> > >>> Yes, this is what we were alluding to. I’ve updated the wording to
> be more explicit on this.
> > >>>
> > >>>>
> > >>>>>> 1. Describing use cases and interfaces that allow the protocol to
> be
> > >>>>>> used for those use cases.
> > >>>>>> 2. Defining the privacy goals for each Client during protocol
> execution,
> > >>>>>> along with expectations placed on the Issuers and the ecosystem at
> > >>>>>> large.
> > >>>>>> 3. Describing parameterizations that control the Client privacy
> budget
> > >>>>>> and Issuer security parameters.
> > >>>>>
> > >>>>> What is a "privacy budget"? To be clear, I think that I know, and
> my
> > >>>>> opinion is that it is not a good framing for this. I also think
> that
> > >>>>> it is not a good reference model to use in general.
> > >>>
> > >>> This makes sense, I’ve changed the wording to directly refer to the
> size of the client’s anonymity set, which is what we were implicitly
> referring to here and is also used elsewhere in the charter.
> > >>>
> > >>>>>> 4. Describing verification mechanisms for sanctioning or trusting
> > >>>>>> Issuers and their corresponding keying material.
> > >>>>>
> > >>>>> Sanctioning implies punishment, which we can't write a protocol
> for.
> > >>>>
> > >>>> That's a good point. Maybe we should just say, "Describing
> verification mechanisms for trusting Issuers and their corresponding keying
> material”?
> > >>>
> > >>> Agree, incorporated this wording.
> > >>>
> > >>>>> If this is about providing technical safeguards against the
> potential
> > >>>>> for issuers to abuse key management for a covert channel, then say
> that.
> > >>>>>
> > >>>>>> 5. Describing where key material is stored and how it is accessed.
> > >>>>>
> > >>>>> I don't think that we need this in a charter.
> > >>>
> > >>> Removed this point.
> > >>>
> > >>>>>> 6. Specifying mechanisms for ensuring that Issuers are not acting
> > >>>>>> maliciously.
> > >>>>>
> > >>>>> This seems a bit open-ended. Will this extend to audits of their
> > >>>>> processes? I don't think we have a protocol for that either.
> > >>>>
> > >>>> Maybe we could refine this by specifying particular attacks we're
> concerned about, such as key tagging?
> > >>>
> > >>> I removed this point as I think it is now covered by what is written
> in point 4. However, I mentioned specifically the attack surface that is
> being considered with the verification mechanisms that we will specify.
> > >>>
> > >>> Thanks,
> > >>> Alex
> > >>>
> > >>> Updated Charter text
> > >>> ================
> > >>>
> > >>> The Privacy Pass protocol provides a performant, application-layer
> > >>> mechanism for anonymous token creation and redemption. Servers
> (Issuers)
> > >>> create and later verify tokens that are redeemed by an ecosystem of
> > >>> clients, such that:
> > >>>
> > >>> - Any token granted by a given Issuer is unlinkable with all other
> > >>>  tokens granted by the same Issuer.
> > >>> - Clients can verify that a token granted by an Issuer corresponds
> to a
> > >>>  committed keypair.
> > >>> - Tokens are unforgeable.
> > >>> - The token issuance and redemption mechanisms are efficient.
> > >>>
> > >>> The primary purpose of the Privacy Pass Working Group is to develop
> and
> > >>> standardize a protocol that meets these requirements, influenced by
> > >>> applications that have arisen from the wider community. The aims of
> the
> > >>> Working Group can be split into three distinct goals:
> > >>>
> > >>> First, specify an extensible protocol for creating and redeeming
> > >>> anonymous and transferrable tokens. The protocol should permit
> suitable
> > >>> cryptographic ciphersuites and security parameterization for
> > >>> cryptographic agility. Negotiation of cryptographic parameters during
> > >>> the protocol is an application-specific property and thus out of
> scope
> > >>> for the Working Group. Specification of the underlying cryptographic
> > >>> algorithms or protocols is also out of scope. The Working Group will
> > >>> specify a preliminary set of extensions, including Issuer-supplied
> > >>> metadata and alternative cryptographic instantiations that support
> > >>> public verifiability of Issued tokens, as well as any additional
> > >>> extensions that may arise in the future. Security and privacy
> properties
> > >>> of the protocol shall be well-documented.
> > >>>
> > >>> Second, describe and develop protocol use cases and properties
> thereof.
> > >>> This includes, though is not limited to:
> > >>>
> > >>> 1. Describing use cases and interfaces that allow the protocol to be
> > >>>  used for those use cases.
> > >>> 2. Defining the privacy goals for each Client during protocol
> execution,
> > >>>  along with expectations placed on the Issuers and the ecosystem at
> > >>>  large.
> > >>> 3. Describing recommended parameterizations of variables associated
> with
> > >>>  the protocol ecosystem that control the size of the anonymity set
> > >>>  that the client belongs to.
> > >>> 4. Describing verification mechanisms for trusting Issuers and their
> > >>>  corresponding keying material. Such mechanisms should prevent
> Issuers
> > >>>  from presenting any key material that could be used to deanonymize
> > >>>  clients.
> > >>> 5. Describing the procedure for including small amounts of metadata
> with
> > >>>  Issued tokens, as well as the associated impacts on privacy.
> > >>> 6. Describing the risk and possible ramifications of Issuer
> > >>>  centralization, and exploring possible mechanisms to mitigate these
> > >>>  risks.
> > >>>
> > >>> Third, and finally, specify a HTTP-layer API for the protocol. This
> > >>> includes a common understanding of how Privacy Pass is integrated
> with
> > >>> HTTP requests and responses for web-based applications.
> > >>>
> > >>> Note that the specifications developed by this working group will be
> > >>> informed by the following initial drafts:
> > >>>
> > >>> - draft-davidson-pp-protocol-00;
> > >>> - draft-davidson-pp-architecture-00;
> > >>> - draft-svaldez-pp-http-api-00.
> > >>>
> > >>> These existing drafts may be further developed into the core
> > >>> deliverables of the working group, supplemented by any additional
> > >>> extensions. Alternatively, they may contribute indirectly to a future
> > >>> set of documents that meet the core goals of the working group.
> > >>>
> > >>>
> > >>
> > >> --
> > >>  Privacy-pass mailing list
> > >> Privacy-pass@ietf.org
> > >> https://www.ietf.org/mailman/listinfo/privacy-pass
> > >
> > >
> > > --
> > >
> > > Steven Valdez | Chrome Privacy Sandbox | svaldez@google.com |
> 210-692-4742
> >
> > --
> > Privacy-pass mailing list
> > Privacy-pass@ietf.org
> > https://www.ietf.org/mailman/listinfo/privacy-pass
> >
>
> --
> Privacy-pass mailing list
> Privacy-pass@ietf.org
> https://www.ietf.org/mailman/listinfo/privacy-pass
>

v2.23.0 | Report a Bug | By Email