Privacy Pass Protocol Specification
Network Working Group S. Celi
Intended status: Informational A. Davidson
Expires: 9 July 2021 LIP
5 January 2021
This document specifies the Privacy Pass protocol. This protocol
provides anonymity-preserving authorization of clients to servers.
In particular, client re-authorization events cannot be linked to any
previous initial authorization. Privacy Pass is intended to be used
as a performant protocol in the application-layer.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current
Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on 9 July 2021.
Copyright (c) 2021 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document.
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components
extracted from this document must include Simplified BSD License text
as described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Simplified BSD License.
Table of Contents
3.1. Motivating use-cases
3.2. Anonymity and security guarantees
3.3. Basic assumptions
4. Protocol description
4.1. Server setup
4.2. Client setup
4.3. Issuance phase
4.4. Redemption phase
4.4.1. Client info
4.4.2. Double-spend protection
4.5. Handling errors
5.1. Data structures
5.2. API functions
5.3. Error types
6. Security considerations
6.2. One-more unforgeability
6.3. Double-spend protection
6.4. Additional token metadata
6.5. Maximum number of tokens issued
7. VOPRF instantiation
7.1. Recommended ciphersuites
7.2. Protocol contexts
7.4. Security justification
8. Protocol ciphersuites
9. Extensions framework policy
10.1. Normative References
10.2. Informative References
Appendix A. Document contributors
A common problem on the Internet is providing an effective mechanism
for servers to derive trust from clients that they interact with.
Typically, this can be done by providing some sort of authorization
challenge to the client. But this also negatively impacts the
experience of clients that regularly have to solve such challenges.
To mitigate accessibility issues, a client that correctly solves the
challenge can be provided with a cookie. This cookie can be
presented the next time the client interacts with the server, instead
of performing the challenge. However, this does not solve the
problem of re-authorization of clients across multiple domains. Using
current tools, providing some multi-domain authorization token would
allow client browsing patterns to be linked across those domains,
severely reducing their online privacy.
The Privacy Pass protocol provides a set of cross-domain
authorization tokens that protect the client's anonymity in message
exchanges with a server. This allows clients to communicate an