PrivacyPass at IETF 115 Meeting Notes

Note Taker: Robin Wilton

Administrivia (5 min)

We need to get good reviews of core documents, please get your reviews
in.

Tommy Pauly: We got some good reviews on the auth scheme. Would like
some reviews on the issuance protocol.

Joe Salowey (WG Chair): If you've read the docs and you think they're
ready to move forward please comment on the list.

Key Consistency draft removed from agenda.

Status update on draft-privacypass-rate-limit-tokens

Slides:
https://datatracker.ietf.org/meeting/115/materials/slides-115-privacypass-rate-limited-issuance-00

Tommy Pauly (TP)

Rate Limited Tokens - extension to basic issuance protocol. Based on
publicly issuably variant. This is always done in the split attester and
issuer model. Attester needs to maintain some state on behalf of the
client. Issuer provides rate limit to enforce when token is issued.
Attester drops request if rate limit is reached.

Minor changes to issuance and challenge protocols to enable the rate
limiting. Rate limited token request adds a HPKE-protected request to
the issuer and a signature with a blinded key pair to validate origin
uniqueness.

Issues

Issue 6 - linkability with malicious issuer. Malicious issuer uses
issuer origin secret across different origins. Based on current text
when an attester detects a collision the token request is immediately
dropped. The problem is that this can act as a signal of what's going
on. Not a huge privacy leak but a bit of information.

Proposed fix: Attesters shouldn't silently drop requests due to mapping
collision. This is a potential information leak and it also doesn't
penalise malicious clients. Instead attesters should flag collisions to
re-evaluate trust in clients or issuers. With non-malicious
implementations you should never have these collisions, so having a
collision does indicate something bad is going on. E.g. Attester could
choose to remove an issuer as a trusted partner if this was happening
across many different clients. Or if it was just happening with one
client the issuer could be removed as a trusted client.

Sidebar: document needs more on how the attester trusts an issuer e.g.
what does an attester need to validate, what are acceptable rate limits,
number of origins to create anonymity set.

Alternative fix for issue 6: Zero-Knowledge Proof that the client
presents to both the attester and the issuer. This relies on crypto that
isn't specified yet. More impact on the protocol than fix above.
Recommendation of the authors: for basic rate limited type do the simple
fix (flagging collisions) and have ZKP solution as a future token type.

John Bradley: The JOSE working group is in the process of being
rechartered by the IESG to formalise JWP which is exactly what you were
just talking about (JSON token ZKPs).

Richard Barnes: +1 to skipping the addition of ZKP, which looks like a
big change. [...] For clarity, I don't think the JOSE ZKP work is
producing fully general ZKP, but it might be enough ot address what
PrivacyPass needs.

Jonathan Hoyland: I don't object to skipping it, but the concept seems
worth exploring.

Steven Valdez: It's not a massive change to the core PrivacyPass
protocol itself, but would need an extension to the crypto.

Jonathan Hoyland: How does Sybil protection work?
Nikita Borisov: AIUI, the attester verifies client identity and is
responsible for Sybil protection.

TP: Other open issues:

Next step is to update the document based on issues discussed here.
Still tracking CFRG dependency of signature key blinding.

Nick Doty: Does the origin choose a singular issuer and give the client
a particular key to use to encapsulate a request? Seems like a potential
tracking vector. Is the assumption that there should be a single key for
each origin?
Tommy Pauly: Some overlap here with the Key Consistency ID's approach.
There would be one "slowly rotating" key for a given issuer. Working
with the attester is one way to achieve that.
ND: In that case, does the key even need to come from the origin?
TP: No, it's optional. Origins include e.g. RSA client sig public key
they're going to use. That therefore doesn't need to be in the
PrivacyPass protocol's challenge, if the client has another way to get
it.

Ben Schwartz: Is the "blinding" mechanism here actually equivalent to
taking the public key and encrypting under symmetric encryption?
Steven Valdez: It's more complicated than that. It's using the public
key update issuer but there's some extra blinding. If we didn't care
about the origin learning ?? we could do something simpler but we need
the key blinding here.
Ben Schwartz: Can take this up offline.
TP: Would rather that Chris Wood or other authors commented on that.

Joe Salowey: Sounds like we have a way forward. Expect to see some
revisions over the next couple of months.

Status of relevant work in the W3C

Steven Valdez

Slides:
https://datatracker.ietf.org/meeting/115/materials/slides-115-privacypass-slides-115-privacypass-w3c-00

There is relevant work in W3C:

How much of this do we want to pursue in the PrivacyPass Group?

Private Access Tokens - Quite mature. Very similar to what's going on in
Privacy Pass, specifically the Blind RSA version of the protocol and
rate-limited tokens. There are some API changes to hook into/understand
responses to do with Private Access Tokens. Currently not in a
particular group.

In W3C there are interest groups where there are different types of
groups. Privacy Pass work will probably end up in web ? group, but there
might be some stuff that belongs in a new group.

Private Access Tokens - Token issuance via a trusted attester/platform.
In Apple case this is the Apple platform. Then any origin can redeem
tokens. Rate limiting is important, token farming is quite common in the
web space.

Private State Tokens - Previously known as Trust Tokens. Based on an old
version of Privacy Pass - VOPRF tokens, and a non-standardised version
using PMBTokens. Plan to update this to a newer version of PP. Not clear
how much interest here. PST work is currently in the Web Incubation
Community Group (WICG) - might migrate to the Antifraud CG because
that's the core use case for this API. Any website can issue tokens.
Other origins can redeem tokens. Needs to be relationship between
issuers and redeemers to share understanding of what the tokens are for.
Minor different to Privacy Pass - concept of redemption context, stored
local cache version of redemption per top-level (e.g. per page, to avoid
having dozens of tokens for a single page. There are some other deltas
between PSTs and Privacy Pass but it's hopeful these will go away as the
work progresses (see slide 8 for details).

Device Attestation - Slightly less fleshed out. This has come up in W3C
anti-fraud group. Way to attest to facts about device or client. Needs a
mechanism to do this without leaking information about device ID.
Something privacy pass-esque might be good here, potentially building on
PATs or PSTs, or maybe something else.

Other uses:

Martin Thomson: This might be misrepresenting a bit what PATCG is
working on. Some designs don't require anything like Privacy Pass, some
do.
SV: These are places where something like Privacy Pass has come up,
might be helpful.

Joe Salowey: There are connections, are there any problems we need to
address or any expectations from W3C?
SV: It's in early days so nothing major yet. For some things,
particularly key consistency, it might be useful to have some baseline
information in the IETF.

Ben Schwartz: Sounds like W3C work is nascent. None of these proposals
have moved into a WG. What are the odds that by the time this is moved
into a WG the specs we're writing now aren't what's needed?
SV: That's one of the benefits of how the protocol models are
structured. If we need new properties we can design new token types.
Core protocol structure is what we need.
Tommy Pauly: HTTP-Auth scheme is usable by various websites without a
change to JS APIs or the need for W3C to adopt it. W3C is not our only
customer, people can benefit independently. There is probably some
minimal work to be done in W3C that would integrate well with what we're
defining in Privacy Pass (e.g. to allow specification per iframe of
which elements are allowed to request challenges). There are other use
cases that may be able to use Privacy Pass as we're designing it, or may
need new token types.

Nick Doty: Is there documentation on Private Access Tokens?
TP: Private Access Token name is not a formal thing, it's what marketing
at Apple wanted to call it. Really all it is is a basic, publicly
verifiable Privacy Pass token. We also intend to support type 3 and
other attesters and platforms can support them as well. The question is
do we have changes to fetch or permissions policy saying what resources
are allowed to include privacy pass auth scheme challenge?
ND: Is there a dependency on or adoption of newly adopted rate limited
tokens?
TP: It's a bit separate. Type 2 is supported in production with us with
different issuers. We support beta testing with rate limited version.
Type doesn't impact permissions policy in W3C. View this more as a way
to enable communication about Privacy Pass in the permissions policy.

Next steps for Privacy Pass

Chairs

Ben Schwartz: Want to ask the WG where they think this work should be
going.

Where we are:

What else do we want to work on?

What topics does the WG think are interesting and consistent with the
Charter?

MT: In the consistency space we need a good definition of consistency.
There has been some discussion about the exact shape of consistency
protocols - e.g Richard Barnes' comments about producing something like
"CT without all of the warts". That discussion should happen here. I
don't know that we're in a good position here to make a strong decision
about the exact nature of those protocols.

SV: In W3C we're flying by the seat of our pants with regards to
consistency. Would be nice to have something standardised. Chris's draft
is a good start, but we need more.

SV: As a new token type there might be some interesting work coming out
of the ZKP extension mentioned in Tommy's presentation. (cf. Issue #6)

BS: Formal verification might be interesting, we don't have any formal
verification of the cryptographic arrangements we have been specifying:
that might be nice to have.
TP: Chris Wood might be better to talk about this, but the basic token
types for rate limiting have formal verification, that's how issue 6
came up.
Nikita Borisov: There is a formal verification of the current protocol
usingProverif, which shows the secutiry properties - other than the
unlinkability issue Tommy discussed. I think there will be publication
soon (in the next month or two).

Philipp Pfeiffenberger: Regarding future work and concerns: currently,
when an attestation mechanism is compromised, any abuse of the mechanism
will impact on Relying Parties, but the attester has no way of homing in
on which devices are compromised - i.e. blinding has some side effects,
in that it may be impossible to block or fix a misbehaving endpoint.
It's also unclear how issuers can choose attesters, and how relying
parties assess the relative strength of these attesters and issuers.

[From chat]:
Daniel Gillmor: +1 to Philipp for explicitly identifying some core
tensions of this work.

Ben Schwartz: One thing that might be useful is something about the
architecture, how is the privacy pass system used and how could it be
used. What are we expecting defence against, like, can a single origin
"drain" your entire stock of PrivacyPass tokens, or are we expecting
that to be defended against at some upper layer. I'd love to see an
informational draft about that.

Richard Barnes: OHAI has a similar Key Consistency challenge and has
been discussing the issue. More general consistency property for http
resources is desirable, to guarantee that a given client is getting the
same service as other equivalent clients. A more generalisable approach
would be good, without prejudging whether the work would be done here,
in OHAI or elsewhere.

Ben Schwartz: I hope you've been inspired to contribute to the WG. If
you're working on formal analysis it would be great to see the results
of those.