| Internet-Draft | Privacy Pass Architecture | September 2022 |
| Davidson, et al. | Expires 24 March 2023 | [Page] |
- Workgroup:
- Network Working Group
- Internet-Draft:
- draft-ietf-privacypass-architecture-07
- Published:
- Intended Status:
- Informational
- Expires:
The Privacy Pass Architecture
Abstract
This document specifies the Privacy Pass architecture and requirements for its constituent protocols used for constructing anonymous-credential authentication mechanisms. It provides recommendations on how the architecture should be deployed to ensure the privacy of clients and the security of all participating entities.¶
Status of This Memo
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 24 March 2023.¶
Copyright Notice
Copyright (c) 2022 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
1. Introduction
Privacy Pass is an architecture for authorization based on anonymous-credential authentication mechanisms. Typical approaches for authorizing clients, such as through the use of long-term cookies, are not privacy-friendly since they allow servers to track clients across sessions and interactions. Privacy Pass takes a different approach: instead of presenting linkable state carrying information to servers, e.g., a cookie indicating whether or not the client is an authorized user or has completed some prior challenge, clients present unlinkable proofs that attest to this information. These proofs, or tokens, are anonymous in the sense that a given token cannot be linked to the protocol instance in which that token was initially issued.¶
At a high level, the Privacy Pass architecture consists of two protocols: issuance and redemption. The issuance protocol runs between an endpoint referred to as a Client and two functions in the Privacy Pass architecture: Attestation and Issuance. These two network functions can be implemented by the same protocol participant, but can also be implemented separately. The entity that implements Issuance, referred to as the Issuer, is responsible for issuing tokens in response to requests from Clients. The entity that implements Attestation, referred to as the Attester, is responsible for attesting to properties about the Client for which tokens are issued. The Issuer needs to be trusted by the server that later redeems the token. Attestation can be performed by the Issuer or by an Attester that is trusted by the Issuer. Clients might prefer to select different Attesters, separate from the Issuer, to be able to use preferred authentication methods or to improve privacy by not directly communicating with an Issuer. Depending on the attestation, Attesters can store state about a Client, such as the number of overall tokens issued thus far. As an example of an issuance protocol, in the original Privacy Pass protocol [PPSRV], tokens were only issued to Clients that solved CAPTCHAs. In this context, the Attester attested that some client solved a CAPTCHA and the resulting token produced by the Issuer was proof of this fact.¶
The redemption protocol runs between Client and Origin (server). It allows Origins to challenge Clients to present one or more tokens for authorization. Depending on the type of token, e.g., whether or not it can be cached, the Client either presents a previously obtained token or invokes the issuance protocol to acquire one for authorization.¶
The issuance and redemption protocols operate in concert as shown in the figure below.¶
Origin Client Attester Issuer
/--------------------------------------------------------------------
| /-----------------------------------------\
| Challenge ----> Attest ---> |
| | TokenRequest ---------------> |
| Redemption | (validate) | Issuance
| Flow | (evaluate) | Flow
| | <------------------- TokenResponse |
| <--- Response | |
| \-----------------------------------------/
\--------------------------------------------------------------------
This document describes requirements for both issuance and redemption protocols. It also provides recommendations on how the architecture should be deployed to ensure the privacy of clients and the security of all participating entities.¶
2. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.