Markdown Version | Session Recording

Session Date/Time: 20 Mar 2024 05:00

privacypass

Summary

The privacypass meeting at IETF 119 covered several topics including updates on core documents, discussions on key resource consistency, metadata extensions, and privacy pass APIs on the web. A key focus was on the trade-offs between privacy and utility when using metadata and tokens, as well as the need for clear definitions of trust models and anonymity sets.

Key Discussion Points

• Key Resource Consistency:
  • Discussion on whether to encapsulate only the content and specific headers (e.g., Content-Type) or the entire resource in the key consistency draft.
  • Debate on how to handle configuration rotation (resource changes before expiration) and if the draft should mandate specific solutions or leave it to the application layer.
  • Concerns about client IP leakage when clients directly access mirrors.
  • Clarification needed on whether the mirror provides authenticity or only consistency.
• Metadata Extensions:
  • Discussion on the potential for metadata extensions to be used to identify individual clients and the need for privacy considerations.
  • Example of how extensions are being used in Chrome IP protection, including expiration timestamp, geo hint, service type, debug mode, and proxy layer metadata.
  • Debate on whether to adopt an expiration extension draft.
  • Concerns about potential pollution of the extension namespace with proprietary extensions and the need for a private use space.
• Privacy Pass APIs on the Web:
  • Overview of private access tokens and private state tokens.
  • Challenges of reasoning about and limiting interactions between members of the ecosystem.
  • The meaning of a token bit is essentially unknowable to the client.
  • Discussion about the trust model on the web and how to ensure trustworthiness of issuers.
  • Need for ways to measure anonymity set size.
  • The client's IP address is highly identifying.

Decisions and Action Items

• Key Resource Consistency:
  • Open an issue to discuss using digests and Content-Type header instead of encapsulating the entire resource.
  • Add language to the draft about the challenges of configuration rotation and its implications for application design.
• Metadata Extensions:
  • Consider adopting an expiration extension draft.
  • Consider a private use space to prevent polluting the IANA registry with proprietary extensions.
  • Investigate the existing review feedback on reverting to private use blocks.
• Rate Limit Tokens: Watson Led to send out an email with more content explaining the main differences of his proposal.

Next Steps

• Continue iterating on the existing metadata drafts.
• Discuss the rate limit token proposal on the mailing list.
• Further discussion on the BBS proposal for selective disclosure.
• Continue the discussion on privacy pass and the web, focusing on trust models, anonymity sets, and governance.