Internet Engineering Task Force (IETF) A. Davidson
Request for Comments: 9576 NOVA LINCS, Universidade NOVA de Lisboa
Category: Informational J. Iyengar
ISSN: 2070-1721 Fastly
C. A. Wood
Cloudflare
June 2024
The Privacy Pass Architecture
Abstract
This document specifies the Privacy Pass architecture and
requirements for its constituent protocols used for authorization
based on privacy-preserving authentication mechanisms. It describes
the conceptual model of Privacy Pass and its protocols, its security
and privacy goals, practical deployment models, and recommendations
for each deployment model, to help ensure that the desired security
and privacy goals are fulfilled.
Status of This Memo
This document is not an Internet Standards Track specification; it is
published for informational purposes.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Not all documents
approved by the IESG are candidates for any level of Internet
Standard; see Section 2 of RFC 7841.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
https://www.rfc-editor.org/info/rfc9576.
Copyright Notice
Copyright (c) 2024 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Revised BSD License text as described in Section 4.e of the
Trust Legal Provisions and are provided without warranty as described
in the Revised BSD License.
Table of Contents
1. Introduction
2. Terminology
3. Architecture
3.1. Overview
3.2. Use Cases
3.3. Privacy Goals and Threat Model
3.4. Redemption Protocol
3.5. Issuance Protocol
3.5.1. Attester Role
3.5.2. Issuer Role
3.5.3. Issuance Metadata
3.5.4. Future Issuance Protocol Requirements
3.6. Information Flow
3.6.1. Token Challenge Flow
3.6.2. Attestation Flow
3.6.3. Issuance Flow
3.6.4. Token Redemption Flow
4. Deployment Models
4.1. Shared Origin, Attester, Issuer
4.2. Joint Attester and Issuer
4.3. Joint Origin and Issuer
4.4. Split Origin, Attester, Issuer
5. Deployment Considerations
5.1. Discriminatory Treatment
5.2. Centralization
6. Privacy Considerations
6.1. Partitioning by Issuance Metadata
6.2. Partitioning by Issuance Consistency
6.3. Partitioning by Side Channels
7. Security Considerations
7.1. Token Caching
8. IANA Considerations
9. References
9.1. Normative References
9.2. Informative References
Acknowledgements
Authors' Addresses
1. Introduction
Privacy Pass is an architecture for authorization based on privacy-
preserving authentication mechanisms. In other words, relying
parties authenticate Clients in a privacy-preserving way, i.e.,
without learning any unique, per-Client information through the
authentication protocol, and then make authorization decisions on the
basis of that authentication succeeding or failing. Possible
authorization decisions might be to provide Clients with read access
to a particular resource or write access to a particular resource.
Typical approaches for authorizing Clients, such as through the use
of long-term state (cookies), are not privacy friendly, since they
allow servers to track Clients across sessions and interactions.
Privacy Pass takes a different approach: instead of presenting
linkable state-carrying information to servers, e.g., a cookie
indicating whether or not the Client is an authorized user or has
completed some prior challenge, Clients present unlinkable proofs
that attest to this information. These proofs, or tokens, are
private in the sense that a given token cannot be linked to the
protocol interaction where that token was initially issued.
At a high level, the Privacy Pass architecture consists of two
protocols: redemption and issuance. The redemption protocol,
described in [AUTHSCHEME], runs between Clients and Origins
(servers). It allows Origins to challenge Clients to present tokens
for consumption. Origins verify the token to authenticate the Client
-- without learning any specific information about the Client -- and
then make an authorization decision on the basis of the token
verifying successfully or not. Depending on the type of token, e.g.,
whether or not it can be cached, the Client either presents a
previously obtained token or invokes an issuance protocol, e.g., the
protocols described in [ISSUANCE], to acquire a token to present as
authorization.
This document describes requirements for both redemption and issuance
protocols and how they interact. It also provides recommendations on
how the architecture should be deployed to ensure the privacy of
Clients and the security of all participating entities.
2. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
The following terms are used throughout this document:
Client: An entity that seeks authorization to an Origin. Using
terminology from [RFC9334], Clients implement the Remote
ATtestation procedureS (RATS) Attester role.
Token: A cryptographic authentication message used for authorization
decisions, produced as output from an issuance mechanism or
protocol.
Origin: An entity that consumes tokens presented by Clients and uses
them to make authorization decisions.
Token challenge: The mechanism by which Origins request tokens from
Clients, often denoted TokenChallenge.
Token request: A message used by Clients to request a token from an
Issuer, often denoted TokenRequest.
Token response: A message used by Issuers to send tokens to a
Client, often denoted TokenResponse.
Redemption: The mechanism by which Clients present tokens to Origins
for the purposes of authorization.
Issuer: An entity that issues tokens to Clients for properties
attested to by the Attester.
Issuance: The mechanism by which an Issuer produces tokens for
Clients.
Attester: An entity that attests to properties of Clients for the
purposes of token issuance. Using terminology from [RFC9334],
Attesters implement the RATS Verifier role.
Attestation procedure: The procedure by which an Attester determines
whether or not a Client has the specific set of properties that
are necessary for token issuance.
The trust relationships between each of the entities in this list are
further elaborated upon in Section 3.3.
3. Architecture
The Privacy Pass architecture consists of four logical entities --
Client, Origin, Issuer, and Attester -- that work in concert for
token redemption and issuance. This section presents an overview of
Privacy Pass, a high-level description of the threat model and
privacy goals of the architecture, and the goals and requirements of
the redemption and issuance protocols. Deployment variations for the
Origin, Issuer, and Attester in this architecture, including
considerations for implementing these entities, are further discussed
in Section 4.
3.1. Overview
This section describes the typical interaction flow for Privacy Pass,
as shown in Figure 1.
1. A Client interacts with an Origin by sending a request or
otherwise interacting with the Origin in a way that triggers a
response containing a token challenge. The token challenge
indicates a specific Issuer to use.
2. If the Client already has a token available that satisfies the
token challenge, e.g., because the Client has a cache of
previously issued tokens, it can skip to step 6 and redeem its
token; see Section 7.1 for security considerations regarding
cached tokens.
3. If the Client does not have a token available and decides it
wants to obtain one (or more) bound to the token challenge, it
then invokes the issuance protocol. As a prerequisite to the
issuance protocol, the Client runs the deployment-specific
attestation process that is required for the designated Issuer.
Client attestation can be done via proof of solving a CAPTCHA,
checking device or hardware attestation validity, etc.; see
Section 3.5.1 for more details.
4. If the attestation process completes successfully, the Client
creates a token request to send to the designated Issuer
(generally via the Attester, though it is not required to be sent
through the Attester). The Attester and Issuer might be
functions on the same server, depending on the deployment model
(see Section 4). Depending on the attestation process, it is
possible for attestation to run alongside the issuance protocol,
e.g., where Clients send necessary attestation information to the
Attester along with their token request. If the attestation
process fails, the Client receives an error and issuance aborts
without a token.
5. The Issuer generates a token response based on the token request,
which is returned to the Client (generally via the Attester).
Upon receiving the token response, the Client computes a token
from the token challenge and token response. This token can be
validated by anyone with the per-Issuer key but cannot be linked
to the content of the token request or token response.
6. If the Client has a token, it includes it in a subsequent request
to the Origin, as authorization. This token is sent only once in
reaction to a challenge; Clients do not send tokens more than
once, even if they receive duplicate or redundant challenges.
The Origin validates that the token was generated by the expected
Issuer and has not already been redeemed for the corresponding
token challenge. If the Client does not have a token, perhaps
because issuance failed, the Client does not reply to the
Origin's challenge with a new request.
+--------+ +--------+ +----------+ +--------+
| Origin | | Client | | Attester | | Issuer |
+---+----+ +---+----+ +----+-----+ +---+----+
| | | |
|<----- Request ------+ | |
+-- TokenChallenge -->| | |
| |<== Attestation ==>| |
| | | |
| +--------- TokenRequest ------->|
| |<-------- TokenResponse -------+
|<-- Request+Token ---+ | |
| | | |
Figure 1: Privacy Pass Redemption and Issuance Protocol Interaction
3.2. Use Cases
Use cases for Privacy Pass are broad and depend greatly on the
deployment model as discussed in Section 4. The initial motivating
use case for Privacy Pass [PrivacyPassCloudflare] was to help rate-
limit malicious or otherwise abusive traffic from services such as
Tor [DMS2004]. The generalized and evolved architecture described in
this document also works for this use case. However, for added
clarity, some more possible use cases are described below.
* Low-quality, anti-fraud signal for open Internet services. Tokens
can attest that the Client behind the user agent is likely not a
bot attempting to perform some form of automated attack such as
credential stuffing. Example attestation procedures for this use
case might be solving some form of CAPTCHA or presenting evidence
of a valid, unlocked device in good standing.
* Privacy-preserving authentication for proprietary services.
Tokens can attest that the Client is a valid subscriber for a
proprietary service, such as a deployment of Oblivious HTTP
[OHTTP].
3.3. Privacy Goals and Threat Model
The end-to-end flow for Privacy Pass described in Section 3.1
involves three different types of contexts:
Redemption context: The interactions and set of information shared
between the Client and Origin, i.e., the information that is
provided or otherwise available to the Origin during redemption
that might be used to identify a Client and construct a token
challenge. This context includes all information associated with
redemption, such as the timestamp of the event, Client-visible
information (including the IP address), and the Origin name.
Issuance context: The interactions and set of information shared
between the Client, Attester, and Issuer, i.e., the information
that is provided or otherwise available to the Attester and Issuer
during issuance that might be used to identify a Client. This
context includes all information associated with issuance, such as
the timestamp of the event, any Client-visible information
(including the IP address), and the Origin name (if revealed
during issuance). This does not include the token challenge in
its entirety, as that is kept secret from the Issuer during the
issuance protocol.
Attestation context: The interactions and set of information shared
between the Client and Attester only, for the purposes of
attesting the validity of the Client, that is provided or
otherwise available during attestation that might be used to
identify the Client. This context includes all information
associated with attestation, such as the timestamp of the event
and any Client-visible information, including information needed
for the attestation procedure to complete.
The privacy goals of Privacy Pass assume a threat model in which
Origins trust specific Issuers to produce tokens, and Issuers in turn
trust one or more Attesters to correctly run the attestation
procedure with Clients. This arrangement ensures that tokens that
validate for a given Issuer were only issued to a Client that
successfully completed attestation with an Attester that the Issuer
trusts. Moreover, this arrangement means that if an Origin accepts
tokens issued by an Issuer that trusts multiple Attesters, then a
Client can use any one of these Attesters to issue and redeem tokens
for the Origin. Whether or not these different entities in the
architecture collude for learning redemption, issuance, or
attestation contexts, as well as the necessary preconditions for
context unlinkability, depends on the deployment model; see Section 4
for more details.
The mechanisms for establishing trust between each entity in this
arrangement are deployment specific. For example, in settings where
Clients interact with Issuers through an Attester, Attesters and
Issuers might use mutually authenticated TLS to authenticate one
another. In settings where Clients do not communicate with Issuers
through an Attester, the Attesters might convey this trust via a
digital signature that Issuers can verify.
Clients explicitly trust Attesters to perform attestation correctly
and in a way that does not violate their privacy. In particular,
this means that Attesters that may be privy to private information
about Clients are trusted to not disclose this information to non-
colluding parties. Colluding parties are assumed to have access to
the same information; see Section 4 for more about different
deployment models and non-collusion assumptions. However, Clients
assume that Issuers and Origins are malicious.
Given this threat model, the privacy goals of Privacy Pass are
oriented around unlinkability based on redemption, issuance, and
attestation contexts, as described below.
1. Origin-Client unlinkability. This means that given two
redemption contexts, the Origin cannot determine if both
redemption contexts correspond to the same Client or two
different Clients. Informally, this means that a Client in a
redemption context is indistinguishable from any other Client
that might use the same redemption context. The set of Clients
that share the same redemption context is referred to as a
redemption anonymity set.
2. Issuer-Client unlinkability. This is similar to Origin-Client
unlinkability in that a Client in an issuance context is
indistinguishable from any other Client that might use the same
issuance context. The set of Clients that share the same
issuance context is referred to as an issuance anonymity set.
3. Attester-Origin unlinkability. This is similar to Origin-Client
and Issuer-Client unlinkability. It means that given two
attestation contexts, the Attester cannot determine if both
contexts correspond to the same Origin or two different Origins.
The set of Origins that share the same attestation context is
referred to as an attestation anonymity set.
4. Redemption context unlinkability. Given two redemption contexts,
the Origin cannot determine which issuance and attestation
contexts each redemption corresponds to, even with the
collaboration of the Issuer and Attester (should these be
different parties). This means that any information that may be
learned about the Client during the issuance and attestation
flows cannot be used by the Origin to compromise Client privacy.
These unlinkability properties ensure that only the Clients are able
to correlate information that might be used to identify them with
activity on the Origin. The Attester, Issuer, and Origin only
receive the information necessary to perform their respective
functions.
The manner in which these unlinkability properties are achieved
depends on the deployment model, type of attestation, and issuance
protocol details. For example, as discussed in Section 4, in some
cases it is necessary to use an anonymization service that hides
Client IP addresses, such as Tor [DMS2004]. In general,
anonymization services ensure that all Clients that use the service
are indistinguishable from one another, though in practice there may
be small distinguishing features (TLS fingerprints, HTTP headers,
etc.). Moreover, Clients generally trust these services to not
disclose private Client information (such as IP addresses) to
untrusted parties. Failure to use an anonymization service when
interacting with Attesters, Issuers, or Origins can allow the set of
possible Clients to be partitioned by the Client's IP address and can
therefore lead to unlinkability violations. Similarly, malicious
Origins may attempt to link two redemption contexts together by using
Client-specific Issuer Public Keys. See Sections 5 and 6 for more
information.
Sections 3.4 and 3.5 describe the functional properties and security
requirements of the redemption and issuance protocols in more detail.
Section 3.6 describes how information flows between the Issuer,
Origin, Client, and Attester through these protocols.
3.4. Redemption Protocol
The Privacy Pass redemption protocol, described in [AUTHSCHEME], is
an authorization protocol wherein Clients present tokens to Origins
for authorization. Normally, redemption is preceded by a challenge,
wherein the Origin challenges Clients for a token with a
TokenChallenge ([AUTHSCHEME], Section 2.1) and, if possible, Clients
present a valid token ([AUTHSCHEME], Section 2.2) in reaction to the
challenge. This interaction is shown below.
+--------+ +--------+
| Origin | | Client |
+---+----+ +---+----+
| |
|<----- Request ------+
+-- TokenChallenge -->|
| | <== Issuance protocol ==>
|<-- Request+Token ---+
| |
Figure 2: Challenge and Redemption Protocol Interaction
Alternatively, when configured to do so, Clients may
opportunistically present token values to Origins without a
corresponding TokenChallenge.
The structure and semantics of the TokenChallenge and token messages
depend on the issuance protocol and token type being used; see
[AUTHSCHEME] for more information.
The challenge provides the Client with the information necessary to
obtain tokens that the server might subsequently accept in the
redemption context. There are a number of ways in which the token
may vary based on this challenge, including the following:
* Issuance protocol. The challenge identifies the type of issuance
protocol required for producing the token. Different issuance
protocols have different security properties, e.g., some issuance
protocols may produce tokens that are publicly verifiable, whereas
others may not have this property.
* Issuer identity. Token challenges identify which Issuers are
trusted for a given issuance protocol. As described in
Section 3.3, the choice of Issuer determines the type of Attesters
and attestation procedures possible for a token from the specified
Issuer, but the Origin does not learn exactly which Attester was
used for a given token issuance event.
* Redemption context. Challenges can be bound to a given redemption
context, which influences a Client's ability to pre-fetch and
cache tokens. For example, an empty redemption context always
allows tokens to be issued and redeemed non-interactively, whereas
a fresh and random redemption context means that the redeemed
token must be issued only after the Client receives the challenge.
See Section 2.1.1 of [AUTHSCHEME] for more details.
* Per-Origin or cross-Origin. Challenges can be constrained to the
Origin for which the challenge originated (referred to as per-
Origin tokens) or can be used across multiple Origins (referred to
as cross-Origin tokens). The set of Origins for which a cross-
Origin token is applicable is referred to as the cross-Origin set.
Opting into this set is done by explicitly agreeing on the
contents of the set. Every Origin in a cross-Origin set, by
opting in, agrees to admit tokens for any other Origin in the set.
See Section 2.1.1 of [AUTHSCHEME] for more information on how this
set is created.
Origins that admit cross-Origin tokens bear some risk of allowing
tokens issued for one Origin to be spent in an interaction with
another Origin. In particular, cross-Origin tokens issued based on a
challenge for one Origin can be redeemed at another Origin in the
cross-Origin set, which can make it difficult to regulate token
consumption. Depending on the use case, Origins may need to maintain
state to track redeemed tokens. For example, Origins that accept
cross-Origin tokens across shared redemption contexts SHOULD track
which tokens have already been redeemed in those redemption contexts,
since these tokens can be issued and then spent multiple times for
any such challenge. Note that Clients that redeem the same token to
multiple Origins do risk those Origins being able to link Client
activity together, which can disincentivize this behavior. See
Section 2.1.1 of [AUTHSCHEME] for discussion.
How Clients respond to token challenges can have privacy
implications. For example, if an Origin allows the Client to choose
an Issuer, then the choice of Issuer can reveal information about the
Client used to partition anonymity sets; see Section 6.2 for more
information about these privacy considerations.
3.5. Issuance Protocol
The Privacy Pass issuance protocols, such as those described in
[ISSUANCE], are two-message protocols that take as input a
TokenChallenge from the redemption protocol ([AUTHSCHEME],
Section 2.1) and produce a token ([AUTHSCHEME], Section 2.2), as
shown in Figure 1.
The structure and semantics of the TokenRequest and TokenResponse
messages depend on the issuance protocol and token type being used;
see [ISSUANCE] for more information.
Clients interact with the Attester and Issuer to produce a token for
a challenge. The context in which an Attester vouches for a Client
during issuance is referred to as the attestation context. This
context includes all information associated with the issuance event,
such as the timestamp of the event and Client-visible information,
including the IP address or other information specific to the type of
attestation done.
Each issuance protocol may be different, e.g., in the number and
types of participants, underlying cryptographic constructions used
when issuing tokens, and even privacy properties.
Clients initiate the issuance protocol using the token challenge, a
randomly generated nonce, and a public key for the Issuer, all of
which are the Client's private input to the protocol and ultimately
bound to an output token; see Section 2.2 of [AUTHSCHEME] for
details. Future specifications may change or extend the Client's
input to the issuance protocol to produce tokens with a different
structure.
Token properties vary based on the issuance protocol. Important
properties supported in this architecture are described below.
1. Public verifiability. This means that the token can be verified
using the Issuer Public Key. A token that does not have public
verifiability can only be verified using the Issuer secret key.
2. Public metadata. This means that the token can be
cryptographically bound to arbitrary public information. See
Section 6.1 for privacy considerations regarding public metadata.
3. Private metadata. This means that the token can be
cryptographically bound to arbitrary private information, i.e.,
information that the Client does not observe during token
issuance or redemption. See Section 6.1 for privacy
considerations regarding private metadata.
The issuance protocol itself can be any interactive protocol between
the Client, Issuer, or other parties that produces a valid token
bound to the Client's private input, subject to the following
security requirements.
1. Unconditional input secrecy. The issuance protocol MUST NOT
reveal anything about the Client's private input, including the
challenge and nonce, to the Attester or Issuer, regardless of the
hardness assumptions of the underlying cryptographic protocol(s).
This property is sometimes also referred to as blindness.
2. One-more forgery security. The issuance protocol MUST NOT allow
malicious Clients or Attesters (acting as Clients) to forge
tokens offline or otherwise without interacting with the Issuer
directly.
3. Concurrent security. The issuance protocol MUST be safe to run
concurrently with arbitrarily many Clients, Attesters, and
Issuers.
See Section 3.5.4 for requirements on new issuance protocol variants
and related extensions.
In the sections below, we describe the Attester and Issuer roles in
more detail.
3.5.1. Attester Role
In Privacy Pass, attestation is the process by which an Attester
bears witness to, confirms, or authenticates a Client so as to verify
properties about the Client that are required for issuance. Issuers
trust Attesters to perform attestation correctly, i.e., to implement
attestation procedures in such a way that those procedures are not
subverted or bypassed by malicious Clients.
[RFC9334] describes an architecture for attestation procedures.
Using that architecture as a conceptual basis, Clients are RATS
Attesters that produce attestation evidence, and Attesters are RATS
Verifiers that appraise the validity of attestation evidence.
The type of attestation procedure is a deployment-specific option and
outside the scope of the issuance protocol. Example attestation
procedures are below.
* Solving a CAPTCHA. Clients that solve CAPTCHA challenges can be
attested to have this capability for the purpose of being ruled
out as a bot or otherwise automated Client.
* Presenting evidence of Client device validity. Some Clients run
on trusted hardware that is capable of producing device-level
attestation evidence.
* Proving properties about Client state. Clients can be associated
with state, and the Attester can verify this state. Examples of
state include the Client's geographic region and whether the
Client has a valid application-layer account.
Attesters may support different types of attestation procedures.
Each attestation procedure has different security properties. For
example, attesting to having a valid account is different from
attesting to running on trusted hardware. Supporting multiple
attestation procedures is an important step towards ensuring
equitable access for Clients; see Section 5.1.
The role of the Attester in the issuance protocol and its impact on
privacy depend on the type of attestation procedure, issuance
protocol, and deployment model. For instance, increasing the number
of required attestation procedures could decrease the overall
anonymity set size. As an example, the number of Clients that have
solved a CAPTCHA in the past day, that have a valid account, and that
are running on a trusted device is less than the number of Clients
that have solved a CAPTCHA in the past day. See Section 6.2 for more
discussion of how the variety of attestation procedures can
negatively impact Client privacy.
Depending on the issuance protocol, the Issuer might learn
information about the Origin. To ensure Issuer-Client unlinkability,
the Issuer should be unable to link that information to a specific
Client. For such issuance protocols where the Attester has access to
Client-specific information, such as is the case for attestation
procedures that involve Client-specific information (such as
application-layer account information) or for deployment models where
the Attester learns Client-specific information (such as Client IP
addresses), Clients trust the Attester to not share any Client-
specific information with the Issuer. In deployments where the
Attester does not learn Client-specific information or where the
Attester and Issuer are operated by the same entity (such as in the
Joint Attester and Issuer model described in Section 4.2), the Client
does not need to explicitly trust the Attester in this regard.
Issuers trust Attesters to correctly and reliably perform
attestation. However, certain types of attestation procedures can
vary in value over time, e.g., if the attestation procedure is
compromised. Broken attestation procedures are considered
exceptional events and require configuration changes to address the
underlying cause. For example, if an attestation procedure is
compromised or subverted because of a zero-day exploit on devices
that implement the attestation procedure, then the corresponding
attestation procedure should be untrusted until the exploit is
patched. Addressing changes in attestation quality is therefore a
deployment-specific task. In Split Origin, Attester, and Issuer
deployments (see Section 4.4), Issuers can choose to remove
compromised Attesters from their trusted set until the compromise is
patched.
From the perspective of an Origin, tokens produced by an Issuer with
at least one compromised Attester cannot be trusted, assuming that
the Origin does not know which attestation procedure was used for
issuance. This is because the Origin cannot distinguish between
tokens that were issued via compromised Attesters and tokens that
were issued via uncompromised Attesters, absent some distinguishing
information in the tokens themselves or from the Issuer. As a
result, until the attestation procedure is fixed, the Issuer cannot
be trusted by Origins. Moreover, as a consequence, any tokens issued
by an Issuer with a compromised Attester may no longer be trusted by
Origins, even if those tokens were issued to Clients interacting with
an uncompromised Attester.
3.5.2. Issuer Role
In Privacy Pass, the Issuer is responsible for completing the
issuance protocol for Clients that complete attestation through a
trusted Attester. As described in Section 3.5.1, Issuers explicitly
trust Attesters to correctly and reliably perform attestation.
Origins explicitly trust Issuers to only issue tokens from trusted
Attesters. Clients do not explicitly trust Issuers.
Depending on the deployment model case, issuance may require some
form of Client anonymization service, similar to an IP-hiding proxy,
so that Issuers cannot learn information about Clients. This can be
provided by an explicit participant in the issuance protocol, or it
can be provided via external means, such as through the use of an IP-
hiding proxy service like Tor [DMS2004]. In general, Clients SHOULD
minimize or remove identifying information where possible when
invoking the issuance protocol.
Issuers are uniquely identifiable by all Clients with a consistent
identifier. In a web context, this identifier might be the Issuer
hostname. Issuers maintain one or more configurations, including
issuance key pairs, for use in the issuance protocol. Each
configuration is assumed to have a unique and canonical identifier,
sometimes referred to as a key identifier or key ID. Issuers can
rotate these configurations as needed to mitigate the risk of
compromise; see Section 6.2 for more considerations around
configuration rotation. The Issuer Public Key for each active
configuration is made available to Origins and Clients for use in the
issuance and redemption protocols.
3.5.3. Issuance Metadata
Certain instantiations of the issuance protocol may permit public or
private metadata to be cryptographically bound to a token. As an
example, one trivial way to include public metadata is to assign a
unique Issuer Public Key for each value of metadata, such that N keys
yield log_2(N) bits of metadata. Metadata may be public or private.
Public metadata is metadata that Clients can observe as part of the
token issuance flow. Public metadata can be either transparent or
opaque. For example, transparent public metadata is a value that
either the Client generates itself or the Issuer provides during the
issuance flow and that the Client can check for correctness. Opaque
public metadata is metadata the Client can see but cannot check for
correctness. As an example, the opaque public metadata might be a
"fraud detection signal", computed on behalf of the Issuer, during
token issuance. Generally speaking, Clients cannot determine if this
value is generated in a way that permits tracking.
Private metadata is metadata that Clients cannot observe as part of
the token issuance flow. Such instantiations can be built on the
private metadata bit construction from Kreuter et al. [KLOR20] or the
attribute-based Verifiable Oblivious Pseudorandom Function (VOPRF)
from Huang et al. [HIJK21].
Metadata can be arbitrarily long or bounded in length. The amount of
permitted metadata may be determined by an application or by the
underlying cryptographic protocol. The total amount of metadata bits
included in a token is the sum of public and private metadata bits.
Every bit of metadata can be used to partition the Client issuance or
redemption anonymity sets; see Section 6.1 for more information.
3.5.4. Future Issuance Protocol Requirements
The Privacy Pass architecture and ecosystem are both intended to be
receptive to extensions that expand the current set of
functionalities through new issuance protocols. Each new issuance
protocol and extension MUST adhere to the following requirements:
1. Include a detailed analysis of the privacy impacts of the
extension, why these impacts are justified, and guidelines on how
to use the protocol to mitigate or minimize negative deployment
or privacy consequences discussed in Sections 5 and 6,
respectively.
2. Adhere to the guidelines specified in Section 3.5.2 for managing
Issuer Public Key data.
3. Clearly specify how to interpret and validate TokenChallenge and
token messages that are exchanged during the redemption protocol.
3.6. Information Flow
The end-to-end process of redemption and issuance protocols involves
information flowing between the Issuer, Origin, Client, and Attester.
That information can have implications on the privacy goals that
Privacy Pass aims to provide as outlined in Section 3.3. In this
section, we describe the flow of information between each party. How
this information affects the privacy goals in particular deployment
models is further discussed in Section 4.
3.6.1. Token Challenge Flow
To use Privacy Pass, Origins choose an Issuer from which they are
willing to accept tokens. Origins then construct a token challenge
using this specified Issuer and information from the redemption
context it shares with the Client. This token challenge is then
delivered to a Client. The token challenge conveys information about
the Issuer and the redemption context, such as whether the Origin
desires a per-Origin or cross-Origin token. Any entity that sees the
token challenge might learn things about the Client as known to the
Origin. This is why input secrecy is a requirement for issuance
protocols, as it ensures that the challenge is not directly available
to the Issuer.
3.6.2. Attestation Flow
Clients interact with the Attester to prove that they meet some
required set of properties. In doing so, Clients contribute
information to the attestation context, which might include sensitive
information such as application-layer identities, IP addresses, and
so on. Clients can choose whether or not to contribute this
information based on local policy or preference.
3.6.3. Issuance Flow
Clients use the issuance protocol to produce a token bound to a token
challenge. In doing so, there are several ways in which the issuance
protocol contributes information to the attestation or issuance
contexts. For example, a token request may contribute information to
the attestation or issuance contexts as described below.
* Issuance protocol. The type of issuance protocol can contribute
information about the Issuer's capabilities to the attestation or
issuance contexts, as well as the capabilities of a given Client.
For example, if a Client is presented with multiple issuance
protocol options, then the choice of which issuance protocol to
use can contribute information about the Client's capabilities.
* Issuer configuration. Information about the Issuer configuration,
such as its identity or the public key used to validate tokens it
creates, can be revealed during issuance and contribute to the
attestation or issuance contexts.
* Attestation information. The issuance protocol can contribute
information to the attestation or issuance contexts based on what
attestation procedure the Issuer uses to trust a token request.
In particular, a token request that is validated by a given
Attester means that the Client that generated the token request
must be capable of completing the designated attestation
procedure.
* Origin information. The issuance protocol can contribute
information about the Origin that challenged the Client; see
Section 3.6.1. In particular, a token request designated for a
specific Issuer might imply that the resulting token is for an
Origin that trusts the specified Issuer. However, this is not
always true, as some token requests can correspond to cross-Origin
tokens, i.e., they are tokens that would be accepted at any Origin
that accepts the cross-Origin token.
Moreover, a token may contribute information to the issuance
attestation or contexts as described below.
* Origin information. The issuance protocol can contribute
information about the Origin in how it responds to a token
request. For example, if an Issuer learns the Origin during
issuance and is also configured to respond in some way on the
basis of that information, and the Client interacts with the
Issuer transitively through the Attester, that response can reveal
information to the Attester.
* Token. The token produced by the issuance protocol can contain
information from the issuance context. In particular, depending
on the issuance protocol, tokens can contain public or private
metadata, and Issuers can choose that metadata on the basis of
information in the issuance context.
Exceptional cases in the issuance protocol, such as when either the
Attester or Issuer aborts the protocol, can contribute information to
the attestation or issuance contexts. The extent to which
information in this context harms the Issuer-Client or Attester-
Origin unlinkability goals as discussed in Section 3.3 depends on the
deployment model; see Section 4. Clients can choose whether or not
to contribute information to these contexts based on local policy or
preference.
3.6.4. Token Redemption Flow
Clients send tokens to Origins during the redemption protocol. Any
information that is added to the token during issuance can therefore
be sent to the Origin. Information can be either (1) explicitly
passed in a token or (2) implicit in the way the Client responds to a
token challenge. For example, if a Client fails to complete issuance
and consequently fails to redeem a token for a token challenge, this
can reveal information to the Origin that it might not otherwise have
access to. However, an Origin cannot necessarily distinguish between
a Client that fails to complete issuance and one that ignores the
token challenge altogether.
4. Deployment Models
The Origin, Attester, and Issuer portrayed in Figure 1 can be
instantiated and deployed in a number of ways. The deployment model
directly influences the manner in which attestation, issuance, and
redemption contexts are separated to achieve Origin-Client, Issuer-
Client, and Attester-Origin unlinkability.
This section covers some expected deployment models and their
corresponding security and privacy considerations. Each deployment
model is described in terms of the trust relationships and
communication patterns between the Client, Attester, Issuer, and
Origin. Entities drawn within the same bounding box are assumed to
be operated by the same party and are therefore able to collude.
Collusion can enable linking of attestation, issuance, and redemption
contexts. Entities not drawn within the same bounding box (i.e.,
operated by separate parties) are assumed to not collude. Mechanisms
for enforcing non-collusion are out of scope for this architecture.
4.1. Shared Origin, Attester, Issuer
In this model, the Origin, Attester, and Issuer are all operated by
the same entity, as shown in Figure 3.
+---------------------------------------------.
+--------+ | +----------+ +--------+ +--------+ |
| Client | | | Attester | | Issuer | | Origin | |
+---+----+ | +-----+----+ +----+---+ +---+----+ |
| `-------|---------------|-------------|------'
|<-------------------------------- TokenChallenge --+
| | | |
|<=== Attestation ===>| | |
| | | |
+----------- TokenRequest ----------->| |
|<---------- TokenResponse -----------+ |
| |
+--------------------- Token ----------------------->
| |
Figure 3: Shared Deployment Model
This model represents the initial deployment of Privacy Pass, as
described in [PrivacyPassCloudflare]. In this model, the Attester,
Issuer, and Origin share the attestation, issuance, and redemption
contexts. As a result, attestation mechanisms that can uniquely
identify a Client, e.g., requiring that Clients authenticate with
some type of application-layer account, are not appropriate, as they
could lead to unlinkability violations.
Origin-Client, Issuer-Client, and Attester-Origin unlinkability
requires that issuance and redemption events be separated over time,
such as through the use of tokens that correspond to token challenges
with an empty redemption context (see Section 3.4), or that they be
separated over space, such as through the use of an anonymizing
service when connecting to the Origin.
4.2. Joint Attester and Issuer
In this model, the Attester and Issuer are operated by the same
entity, separate from the Origin. The Origin trusts the joint
Attester and Issuer to perform attestation and issue tokens. Clients
interact with the joint Attester and Issuer for attestation and
issuance. This arrangement is shown in Figure 4.
+------------------------------.
+--------+ | +----------+ +--------+ | +--------+
| Client | | | Attester | | Issuer | | | Origin |
+---+----+ | +-----+----+ +----+---+ | +---+----+
| `-------|---------------|-----' |
|<---------------------------------- TokenChallenge --+
| | | |
|<==== Attestation ====>| | |
| | | |
+------------- TokenRequest ----------->| |
|<----------- TokenResponse ------------+ |
| |
+----------------------- Token ----------------------->
| |
Figure 4: Joint Attester and Issuer Deployment Model
This model is useful if an Origin wants to offload attestation and
issuance to a trusted entity. In this model, the Attester and Issuer
share an attestation and issuance context for the Client, separate
from the Origin's redemption context.
Similar to the shared Origin, Attester, Issuer model, Issuer-Client
and Origin-Client unlinkability in this model requires that issuance
and redemption events, respectively, be separated over time or space.
Attester-Origin unlinkability requires that the Attester and Issuer
do not learn the Origin for a particular token request. For this
reason, issuance protocols that require the Issuer to learn
information about the Origin, such as the issuance protocol described
in [RATE-LIMITED], are not appropriate, since they could lead to
Attester-Origin unlinkability violations through the Origin name.
4.3. Joint Origin and Issuer
In this model, the Origin and Issuer are operated by the same entity,
separate from the Attester, as shown in Figure 5. The Issuer accepts
token requests that come from trusted Attesters. Since the Attester
and Issuer are separate entities, this model requires some mechanism
by which Issuers establish trust in the Attester (as described in
Section 3.3). For example, in settings where the Attester is a
Client-trusted service that directly communicates with the Issuer,
one way to establish this trust is via mutually authenticated TLS.
However, alternative authentication mechanisms are possible. In this
model, the Origin and Issuer are operated by the same entity,
separate from the Attester, as shown in the figure below.
+----------------------------.
+--------+ +----------+ | +--------+ +--------+ |
| Client | | Attester | | | Issuer | | Origin | |
+---+----+ +-----+----+ | +----+---+ +---+----+ |
| | `------|-------------|------'
|<-------------------------------- TokenChallenge --+
| | | |
|<=== Attestation ===>| | |
| | | |
+------------ TokenRequest ---------->| |
|<---------- TokenResponse -----------+ |
| |
+--------------------- Token ----------------------->
| |
Figure 5: Joint Origin and Issuer Deployment Model
This model is useful for Origins that require Client-identifying
attestation, e.g., through the use of application-layer account
information, but do not otherwise want to learn information about
individual Clients beyond what is observed during the token
redemption, such as Client IP addresses.
In this model, attestation contexts are separate from Issuer and
redemption contexts. As a result, any type of attestation is
suitable in this model.
Moreover, assuming that there is more than one Origin involved, any
type of token challenge is suitable, since no single party will have
access to the identifying Client information and unique Origin
information. Issuers that produce tokens for a single Origin are not
suitable in this model, since an Attester can infer the Origin from a
token request, as described in Section 3.6.3. However, since the
issuance protocol provides input secrecy, the Attester does not learn
details about the corresponding token challenge, such as whether the
token challenge is per Origin or across Origins.
4.4. Split Origin, Attester, Issuer
In this model, the Origin, Attester, and Issuer are all operated by
different entities. As with the Joint Origin and Issuer model
(Section 4.3), the Issuer accepts token requests that come from
trusted Attesters, and the details of that trust establishment depend
on the issuance protocol and relationship between the Attester and
Issuer; see Section 3.3. This arrangement is shown in Figure 1.
This is the most general deployment model and is necessary for some
types of issuance protocols where the Attester plays a role in token
issuance; see [RATE-LIMITED] for one such type of issuance protocol.
In this model, the Attester, Issuer, and Origin have a separate view
of the Client: the Attester sees potentially sensitive Client-
identifying information, such as account identifiers or IP addresses;
the Issuer sees only the information necessary for issuance; and the
Origin sees token challenges, corresponding tokens, and Client source
information, such as their IP address. As a result, attestation,
issuance, and redemption contexts are separate, and therefore any
type of token challenge is suitable in this model as long as there is
more than a single Origin.
As with the Joint Origin and Issuer model (Section 4.3), and as
described in Section 3.6.3, if the Issuer produces tokens for a
single Origin, then per-Origin tokens are not appropriate, since the
Attester can infer the Origin from a token request.
5. Deployment Considerations
Section 4 discusses deployment models that are possible in practice.
Beyond possible implications on security and privacy properties of
the resulting system, Privacy Pass deployments can impact the overall
ecosystem in two important ways: (1) discriminatory treatment of
Clients and the gated access to otherwise open services and
(2) centralization. This section describes considerations relevant
to these topics.
5.1. Discriminatory Treatment
Origins can use tokens as a signal for distinguishing between
(1) Clients that are capable of completing attestation with one
Attester trusted by the Origin's chosen Issuer and (2) Clients that
are not capable of doing the same. A consequence of this is that
Privacy Pass could enable discriminatory treatment of Clients based
on attestation support. For example, an Origin could only authorize
Clients that successfully authenticate with a token, prohibiting
access to all other Clients.
The types of attestation procedures supported for a particular
deployment depend greatly on the use case. For example, consider a
proprietary deployment of Privacy Pass that authorizes Clients to
access a resource such as an anonymization service. In this context,
it is reasonable to support specific types of attestation procedures
that demonstrate that Clients can access the resource, such as with
an account or specific type of device. However, in open deployments
of Privacy Pass that are used to safeguard access to otherwise open
or publicly accessible resources, diversity in attestation procedures
is critically important so as to not discriminate against Clients
that choose certain software, hardware, or identity providers.
In principle, Issuers should strive to mitigate discriminatory
behavior by providing equitable access to all Clients. This can be
done by working with a set of Attesters that are suitable for all
Clients. In practice, this may require trade-offs in what type of
attestation Issuers are willing to trust so as to enable more
widespread support. In other words, trusting a variety of Attesters
with a diverse set of attestation procedures would presumably
increase support among Clients, though most likely at the expense of
decreasing the overall value of tokens issued by the Issuer.
For example, to disallow discriminatory behavior between Clients with
and without device attestation support, an Issuer may wish to support
Attesters that support CAPTCHA-based attestation. This means that
the overall attestation value of a Privacy Pass token is bound by the
difficulty in spoofing or bypassing either one of these attestation
procedures.
5.2. Centralization
A consequence of limiting the number of participants (Attesters or
Issuers) in Privacy Pass deployments for meaningful privacy is that
it forces concentrated centralization among those participants.
[CENTRALIZATION] discusses several ways in which this might be
mitigated. For example, a multi-stakeholder governance model could
be established to determine what candidate participants are fit to
operate as participants in a Privacy Pass deployment. This is
precisely the system used to control the Web's trust model.
Alternatively, Privacy Pass deployments might mitigate this problem
through implementation. For example, rather than centralize the role
of attestation in one or a few entities, attestation could be a
distributed function performed by a quorum of many parties, provided
that neither Issuers nor Origins learn which Attester implementations
were chosen. As a result, Clients could have more opportunities to
switch between attestation participants.
6. Privacy Considerations
The previous section discusses the impact of deployment details on
Origin-Client, Issuer-Client, and Attester-Origin unlinkability. The
value these properties afford to end users depends on the size of
anonymity sets in which Clients or Origins are unlinkable. For
example, consider two different deployments, one wherein there exists
a redemption anonymity set of size two and another wherein there
exists a redemption anonymity set of size 2^32. Although Origin-
Client unlinkability guarantees that the Origin cannot link any two
requests to the same Client based on these contexts, respectively,
the smaller these sets become, the higher the probability of
determining the "true" Client.
In practice, there are a number of ways in which the size of
anonymity sets may be reduced or partitioned, though they all center
around the concept of consistency. In particular, by definition, all
Clients in an anonymity set share a consistent view of information
needed to run the issuance and redemption protocols. The Issuer
Public Key is an example of the type of information needed to run
these protocols. When two Clients have inconsistent information,
these Clients effectively have different redemption contexts and
therefore belong in different anonymity sets.
The following subsections discuss issues that can influence anonymity
set size. For each issue, we discuss mitigations or safeguards to
protect against the underlying problem.
6.1. Partitioning by Issuance Metadata
Any public or private metadata bits of information can be used to
further segment the size of the Client anonymity set. Any Issuer
that wanted to track a single Client could add a single metadata bit
to Client tokens. For the tracked Client, it would set the bit to 1,
and 0 otherwise. Adding additional bits provides an exponential
increase in tracking granularity in a manner similar to introducing
more Issuers (though with more potential targeting).
For this reason, deployments should take the amount of metadata used
by an Issuer in creating tokens, together with the bits of
information that Issuers may learn about Clients through other means,
into account. Since this metadata may be useful for practical
deployments of Privacy Pass, Issuers must balance this against the
reduction in Client privacy.
The number of permitted metadata values often depends on deployment-
specific details. In general, limiting the amount of metadata
permitted helps limit the extent to which metadata can uniquely
identify individual Clients. Failure to bound the number of possible
metadata values can therefore lead to a reduction in Client privacy.
Most token types do not admit any metadata, so this bound is
implicitly enforced.
6.2. Partitioning by Issuance Consistency
Anonymity sets can be partitioned by information used for the
issuance protocol, including metadata, Issuer configuration (keys),
and Issuer selection.
Any issuance metadata bits of information can be used to partition
the Client anonymity set. For example, any Issuer that wanted to
track a single Client could add a single metadata bit to Client
tokens. For the tracked Client, it would set the bit to 1, and 0
otherwise. Adding additional bits provides an exponential increase
in tracking granularity in a manner similar to introducing more
Issuers (though with more potential targeting).
The number of active Issuer configurations also contributes to
anonymity set partitioning. In particular, when an Issuer updates
their configuration and the corresponding key pair, any Client that
invokes the issuance protocol with this configuration becomes part of
a set of Clients that also ran the issuance protocol using the same
configuration. Issuer configuration updates, e.g., due to key
rotation, are an important part of hedging against long-term private
key compromise. In general, key rotations represent a trade-off
between Client privacy and Issuer security. Therefore, it is
important that key rotations occur on a regular cycle to reduce the
harm of an Issuer key compromise.
Lastly, if Clients are willing to issue and redeem tokens from a
large number of Issuers for a specific Origin and that Origin accepts
tokens from all Issuers, partitioning can occur. As an example, if a
Client obtains tokens from many Issuers and an Origin later
challenges that Client for a token from each Issuer, the Origin can
learn information about the Client. This arrangement might happen if
Clients request tokens from different Issuers, each of which has
different Attester preferences. Each per-Issuer token that a Client
holds essentially corresponds to a bit of information about the
Client that the Origin learns. Therefore, there is an exponential
loss in privacy relative to the number of Issuers.
The fundamental problem here is that the number of possible issuance
configurations, including the keys in use and the Issuer identities
themselves, can partition the Client anonymity set. To mitigate this
problem, Clients SHOULD bound the number of active issuance
configurations per Origin as well as across Origins. Moreover,
Clients SHOULD employ some form of consistency mechanism to ensure
that they receive the same configuration information and are not
being actively partitioned into smaller anonymity sets. See
[CONSISTENCY] for possible consistency mechanisms. Depending on the
deployment, the Attester might assist the Client in applying these
consistency checks across Clients. Failure to apply a consistency
check can allow Client-specific keys to violate Origin-Client
unlinkability.
6.3. Partitioning by Side Channels
Side-channel attacks, such as those based on timing correlation,
could be used to reduce anonymity set size. In particular, for
interactive tokens that are bound to a Client-specific redemption
context, the anonymity set of Clients during the issuance protocol
consists of those Clients that started issuance between the time of
the Origin's challenge and the corresponding token redemption.
Depending on the number of Clients using a particular Issuer during
that time window, the set can be small. Applications should take
such side channels into consideration before choosing a particular
deployment model and type of token challenge and redemption context.
7. Security Considerations
This document describes security and privacy requirements for the
Privacy Pass redemption and issuance protocols. It also describes
deployment models built around non-collusion assumptions and privacy
considerations for using Privacy Pass within those models. Ensuring
Client privacy -- separation of attestation and redemption contexts
-- requires active work on behalf of the Client, especially in the
presence of malicious Issuers and Origins. Implementing the
mitigations discussed in Sections 4 and 6 is therefore necessary to
ensure that Privacy Pass offers meaningful privacy improvements to
end users.
7.1. Token Caching
Depending on the Origin's token challenge, Clients can request and
cache more than one token using an issuance protocol. Cached tokens
help improve privacy by separating the time of token issuance from
the time of token redemption; they also allow Clients to reduce the
overhead of receiving new tokens via the issuance protocol.
As a consequence, Origins that send token challenges that are
compatible with cached tokens need to take precautions to ensure that
tokens are not replayed. This is typically done via keeping track of
tokens that are redeemed for the period of time in which cached
tokens would be accepted for particular challenges.
Moreover, since tokens are not intrinsically bound to Clients, it is
possible for malicious Clients to collude and share tokens in a so-
called "hoarding attack". As an example of this attack, many
distributed Clients could obtain cacheable tokens and then share them
with a single Client to redeem the tokens in a way that would violate
an Origin's attempt to limit tokens to any one particular Client. In
general, mechanisms for mitigating hoarding attacks depend on the
deployment model and use case. For example, in the Joint Origin and
Issuer model, comparing the issuance and redemption contexts can help
detect hoarding attacks, i.e., if the distribution of redemption
contexts is noticeably different from the distribution of issuance
contexts. Rate-limiting issuance, at either the Client, Attester, or
Issuer, can also help mitigate these attacks.
8. IANA Considerations
This document has no IANA actions.
9. References
9.1. Normative References
[AUTHSCHEME]
Pauly, T., Valdez, S., and C. A. Wood, "The Privacy Pass
HTTP Authentication Scheme", RFC 9577,
DOI 10.17487/RFC9577, June 2024,
<https://www.rfc-editor.org/info/rfc9577>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>.
9.2. Informative References
[CENTRALIZATION]
Nottingham, M., "Centralization, Decentralization, and
Internet Standards", RFC 9518, DOI 10.17487/RFC9518,
December 2023, <https://www.rfc-editor.org/info/rfc9518>.
[CONSISTENCY]
Davidson, A., Finkel, M., Thomson, M., and C. A. Wood,
"Key Consistency and Discovery", Work in Progress,
Internet-Draft, draft-ietf-privacypass-key-consistency-01,
10 July 2023, <https://datatracker.ietf.org/doc/html/
draft-ietf-privacypass-key-consistency-01>.
[DMS2004] Dingledine, R., Mathewson, N., and P. Syverson, "Tor: The
Second-Generation Onion Router", May 2004,
<https://svn.torproject.org/svn/projects/design-paper/tor-
design.html>.
[HIJK21] Huang, S., Iyengar, S., Jeyaraman, S., Kushwah, S., Lee,
C-K., Luo, Z., Mohassel, P., Raghunathan, A., Shaikh, S.,
Sung, Y-C., and A. Zhang, "DIT: De-Identified
Authenticated Telemetry at Scale", January 2021,
<https://research.fb.com/privatestats>.
[ISSUANCE] Celi, S., Davidson, A., Valdez, S., and C. A. Wood,
"Privacy Pass Issuance Protocols", RFC 9578,
DOI 10.17487/RFC9578, June 2024,
<https://www.rfc-editor.org/info/rfc9578>.
[KLOR20] Kreuter, B., Lepoint, T., Orrù, M., Raykova, M., and
Springer International Publishing, "Anonymous Tokens with
Private Metadata Bit", Advances in Cryptology - CRYPTO
2020, pp. 308-336, DOI 10.1007/978-3-030-56784-2_11, 2020,
<https://doi.org/10.1007/978-3-030-56784-2_11>.
[OHTTP] Thomson, M. and C. A. Wood, "Oblivious HTTP", RFC 9458,
DOI 10.17487/RFC9458, January 2024,
<https://www.rfc-editor.org/info/rfc9458>.
[PrivacyPassCloudflare]
Sullivan, N., "Cloudflare supports Privacy Pass", November
2017, <https://blog.cloudflare.com/cloudflare-supports-
privacy-pass/>.
[RATE-LIMITED]
Hendrickson, S., Iyengar, J., Pauly, T., Valdez, S., and
C. A. Wood, "Rate-Limited Token Issuance Protocol", Work
in Progress, Internet-Draft, draft-ietf-privacypass-rate-
limit-tokens-06, 1 April 2024,
<https://datatracker.ietf.org/doc/html/draft-ietf-
privacypass-rate-limit-tokens-06>.
[RFC9334] Birkholz, H., Thaler, D., Richardson, M., Smith, N., and
W. Pan, "Remote ATtestation procedureS (RATS)
Architecture", RFC 9334, DOI 10.17487/RFC9334, January
2023, <https://www.rfc-editor.org/info/rfc9334>.
Acknowledgements
The authors would like to thank Eric Kinnear, Scott Hendrickson,
Tommy Pauly, Christopher Patton, Benjamin Schwartz, Martin Thomson,
Steven Valdez, and other contributors of the Privacy Pass Working
Group for many helpful contributions to this document.
Authors' Addresses
Alex Davidson
NOVA LINCS, Universidade NOVA de Lisboa
Largo da Torre
Caparica
Portugal
Email: alex.davidson92@gmail.com
Jana Iyengar
Fastly
Email: jri@fastly.com