]> The PrivateToken HTTP Authentication Scheme Extensions Parameter Google
scott@shendrickson.com
caw@heapingbits.net
Security Privacy Pass token This document specifies new parameters for the "PrivateToken" HTTP authentication scheme, called extensions. The purpose of these extensions is to negotiate and carry public metadata for Privacy Pass protocols. About This Document The latest revision of this draft can be found at . Status information for this document may be found at . Discussion of this document takes place on the Privacy Pass Working Group mailing list (), which is archived at . Subscribe at . Source for this draft and an issue tracker can be found at .
Introduction The primary Token structure in the "PrivateToken" HTTP authentication scheme is composed as follows: Functionally, this structure conveys a single bit of information from the issuance protocol: whether or not the token is valid (as indicated by a valid authenticator value). This structure does not admit any additional information to flow from the issuance protocol, including, for example, public metadata that is incorporated into the issuance protocol. This document specifies a new parameter for the "PrivateToken" HTTP authentication scheme for carrying extensions. This extensions parameter is cryptographically bound to the Token structure via the Privacy Pass issuance protocol. This document additionally defines an optional extension negotiation scheme which allows origins to indicate what extension types they expect, and allows clients to respond with the extensions appropriate for their context.
Conventions and Definitions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.
PrivateToken Extensions Parameter As defined in , the "PrivateToken" authentication scheme defines one parameter, "token", which contains the base64url-encoded Token struct. This document defines a new parameter, "extensions," which contains the base64url-encoded representation of the following Extensions structure. This document follows the default padding behavior described in , so the base64url value MUST include padding. ; } Extension; enum { reserved(0), (65535) } ExtensionType; struct { Extension extensions<0..2^16-1>; } Extensions; ]]> The contents of Extensions are a list of Extension values, each of which is a type-length-value structure whose semantics are determined by the type. The type and length of each extension are 2-octet integers, in network byte order. The length of the extensions list is also a 2-octet integer, in network byte order. Clients, Issuers, and Origins all agree on the content and encoding of this Extensions structure, i.e., they agree on the same type-length-value list. The list MUST be ordered by ExtensionType value, from 0 to 65535. Extension types MAY be repeated. The value of the Extensions structure is used as-is when verifying the value of the corresponding "token" parameter in the "PrivateToken" authentication header. As an example, Clients presenting this extension parameter to origins would use an Authorization header field like the following: Since the new parameters (extensions, extension-set) are defined as containing base64url-encoded data, they will contain characters that require double-quotes. Therefore, parameter values for "token" and "extensions" MUST be enclosed in double-quotes. Future documents may specify extensions to be included in this structure. Registration details for these extensions are in . Each Privacy Pass issuance protocol, identified by a token type, specifies the structure of the PrivateToken value to be used. Extensions are bound to the resulting tokens via the issuance protocol. In particular, the value of an Extensions structure is provided as metadata for the issuance protocol. Issuance protocols are specified in .
PrivateToken Challenge Extension Parameter As defined in , the "PrivateToken" authentication scheme defines two parameters, "challenge" which contains the base64url-encoded TokenChallenge struct, and a "token-key" which contains the base64url-encoded public key used for this challenge. This document defines two OPTIONAL new parameters, "extension-set," which contains the base64url-encoded representation of the following ExtensionSet structure, and "extensions" which contain the base64url-encoded representation of the Extensions structure defined in . This document follows the default padding behavior described in , so the base64url value MUST include padding. ; } ExtensionSet; ]]> The contents of ExtensionSet is a list of ExtensionEntry structs containing extensions (defined in ), each of which is a type-length-value structure whose semantics are determined by the type, and a bit marking whether the extension is required or optional. The type and length of each ExtensionType is a 2-octet integer, in network byte order. The length of the extension_types list is also a 2-octet integer, in network byte order. ExtensionTypes are to be defined outside of this document. The extensions parameter is to be used for pre-populated extension structs the origin suggests to the client. When presented with an ExtensionSet, a client should expect to be rejected if not providing required extensions. A client MAY provide optional extensions. A client MAY use the pre-populated extension provided by the origin, or craft its own.
Extensions Negotiation In some Privacy Pass deployments, the set of extensions may be well known to Clients and Origins and thus do not require negotiation. In this case, no extension-set or extensions are provided by the origin in the PrivateToken. In other settings, negotiation may be required. However, negotiation can raise privacy risks, by partitioning Clients by their chosen provided extensions risking Origin-Client unlinkability. Some of these risks may be mitigated if all Clients in a given redemption context respond to negotiation in the same manner. However, if Clients have different observable behavior, e.g., if certain extension use is determined by user choice, Origins can observe this differential behavior and therefore partition Clients in a redemption context.
Security Considerations Privacy considerations for tokens that include additional information are discussed in . Additional considerations for use of extensions, including those that arise when deciding which extensions to use, are described in . The TLS Protocol provides the transport layer security guarantees that protect the transmission of the PrivateToken and its extensions. The primary security concern introduced by the extensions parameter is the risk of client tagging or tracking through the metadata itself. The size and specific content of the extension metadata can potetntially add extra, observable bits of information that a service could use to tag clients. Mitigations include mechanisms to monitor that clients are getting evenly distributed bits, mechanisms to ensure clients fairly pick their own metadata, and mechanisms to ensure that clients understand the total traffic on the system. These are out of scope.
IANA Considerations IANA is requested to create a new "Privacy Pass PrivateToken Extensions" registry in the "Privacy Pass Parameters" page to list possible extension values and their meaning. Each extension has a two-byte type, so the maximum possible value is 0xFFFF = 65535. Template:
  • Type: The two-byte extension type
  • Name: Name of the extension
  • Value: Syntax and semantics of the extension
  • Reference: Where this extension and its value are defined
  • Notes: Any notes associated with the entry
New entries in this registry are subject to the Specification Required registration policy (). Designated experts need to ensure that the extension is sufficiently clearly defined and, importantly, has a clear description of the privacy implications of using the extension, framed in the context of partitioning the client anonymity set as described in .
References Normative References The Privacy Pass HTTP Authentication Scheme Apple Inc. Google LLC Cloudflare This document defines an HTTP authentication scheme for Privacy Pass, a privacy-preserving authentication mechanism used for authorization. The authentication scheme in this document can be used by clients to redeem Privacy Pass tokens with an origin. It can also be used by origins to challenge clients to present Privacy Pass tokens. Key words for use in RFCs to Indicate Requirement Levels In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. The Base16, Base32, and Base64 Data Encodings This document describes the commonly used base 64, base 32, and base 16 encoding schemes. It also discusses the use of line-feeds in encoded data, use of padding in encoded data, use of non-alphabet characters in encoded data, use of different encoding alphabets, and canonical encodings. [STANDARDS-TRACK] The Transport Layer Security (TLS) Protocol Version 1.3 This document specifies version 1.3 of the Transport Layer Security (TLS) protocol. TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery. This document updates RFCs 5705 and 6066, and obsoletes RFCs 5077, 5246, and 6961. This document also specifies new requirements for TLS 1.2 implementations. Guidelines for Writing an IANA Considerations Section in RFCs Many protocols make use of points of extensibility that use constants to identify various protocol parameters. To ensure that the values in these fields do not have conflicting uses and to promote interoperability, their allocations are often coordinated by a central record keeper. For IETF protocols, that role is filled by the Internet Assigned Numbers Authority (IANA). To make assignments in a given registry prudently, guidance describing the conditions under which new values should be assigned, as well as when and how modifications to existing values can be made, is needed. This document defines a framework for the documentation of these guidelines by specification authors, in order to assure that the provided guidance for the IANA Considerations is clear and addresses the various issues that are likely in the operation of a registry. This is the third edition of this document; it obsoletes RFC 5226. Informative References Public Metadata Issuance Google Cloudflare, Inc. This document specifies Privacy Pass issuance protocols that encode public information visible to the Client, Attester, Issuer, and Origin into each token. Privacy Pass Issuance Protocols This document specifies two variants of the two-message issuance protocol for Privacy Pass tokens: one that produces tokens that are privately verifiable using the Issuer Private Key and one that produces tokens that are publicly verifiable using the Issuer Public Key. Instances of "issuance protocol" and "issuance protocols" in the text of this document are used interchangeably to refer to the two variants of the Privacy Pass issuance protocol.