This document defines a set of four protocols for computing the RSA-based blind
signatures, named RSABSSA. Implementation recommendations are given, as well as
information about the security of the defined protocols in standard and
extended security models. The blind signatures protocols are of great
importance for various applications; RSA-based variants are well-studied and
ready for usage in practice. The Security Considerations section contains a lot
of important recommendations that should help implementers to take various
potential attack vectors into account. This document is a product of the Crypto
Forum Research Group (CFRG) in the IRTF.
Research Group Summary
After adopting the document after the presentation at the CFRG meeting at IETF
110 it was presented in CFRG meetings at IETF 111 and IETF 114. There was a
Research Group Last Call for the draft in 2022 (October-December). There were
no major concerns raised during the RGLC. A number of minor concerns raised
during the RGLC were addressed by the authors. The authors have answered the
questions raised during the Research Group Last Call, no questions have
remained unanswered. Crypto Review Panel review was solicited in September
2022. The review was provided by Bjoern Tackmann. Comments from that review
were addressed in -05.
There are at least five publicly available implementations: the Python
reference implementation , the C  and Zig  implementations with
dependencies on OpenSSL/BoringSSL, the Rust  and Go (Cloudflare, CIRCL) 
implementations. There is also at least one private interoperable
implementation for Private Access Tokens . All authors of the document have
confirmed that they are not aware of any IPRs related to the document.
Stanislav Smyshlyaev is the Document Shepherd.
Colin Perkins is the IRTF Chair.