Privacy Pass T. Pauly
Internet-Draft Apple
Intended status: Informational S. Hendrickson
Expires: 4 September 2025 Google
3 March 2025
Including Privacy Pass Tokens in TLS Handshakes
draft-pauly-privacypass-for-tls-00
Abstract
This document defines a mechanism for TLS servers to request, and TLS
clients to provide, Privacy Pass tokens as part of the Encrypted
Client Hello in the TLS handshake. This creates a way to add support
for anonymous attestation and rate-limiting to servers that are
enforcing denial-of-service protections as part of processing TLS
handshakes.
About This Document
This note is to be removed before publishing as an RFC.
Status information for this document may be found at
https://datatracker.ietf.org/doc/draft-pauly-privacypass-for-tls/.
Discussion of this document takes place on the Privacy Pass mailing
list (mailto:privacy-pass@ietf.org), which is archived at
https://mailarchive.ietf.org/arch/browse/privacy-pass/. Subscribe at
https://www.ietf.org/mailman/listinfo/privacy-pass/.
Source for this draft and an issue tracker can be found at
https://github.com/tfpauly/draft-privacypass-for-tls.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
Pauly & Hendrickson Expires 4 September 2025 [Page 1]
�
Internet-Draft Privacy Pass for TLS March 2025
This Internet-Draft will expire on 4 September 2025.
Copyright Notice
Copyright (c) 2025 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components
extracted from this document must include Revised BSD License text as
described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Revised BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Conventions and Definitions . . . . . . . . . . . . . . . . . 3
3. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 3
4. Requesting Privacy Pass Tokens . . . . . . . . . . . . . . . 4
5. Presenting Privacy Pass Tokens in Encrypted Client Hello . . 5
5.1. Handling Inability to Present Tokens . . . . . . . . . . 5
6. Applicable Token Types . . . . . . . . . . . . . . . . . . . 5
7. Security Considerations . . . . . . . . . . . . . . . . . . . 6
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6
8.1. Update of the TLS ExtensionType Registry . . . . . . . . 6
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 6
9.1. Normative References . . . . . . . . . . . . . . . . . . 6
9.2. Informative References . . . . . . . . . . . . . . . . . 7
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 7
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 8
1. Introduction
Privacy Pass Tokens [PPARCH] are cryptographic authentication
messages that can be used to verify properties of a network entity,
such as proving that a client passed some attestation check, without
being linkable to other tokens or revealing identities.
[PPAUTH] defines how Privacy Pass Tokens can be requested by HTTP
servers (via an authentication challenge) and provided by HTTP
clients. This is useful for providing privacy-preserving
authentication or attestation in HTTP workflows. However, Privacy
Pass Tokens can also be used in other contexts and protocols. For
example, [I-D.sawant-eap-ppt] defines how to include tokens in EAP
(Extensible Authentication Protocol) exchanges.
Pauly & Hendrickson Expires 4 September 2025 [Page 2]
�
Internet-Draft Privacy Pass for TLS March 2025
Some server deployments enforce rate-limiting on TLS [TLS13]
handshakes to prevent denial-of-service (DoS) attacks, particularly
by rate limiting the number of connections allowed from individual
client IP addresses or IP address subnets. This is common in
scenarios where the cost of handling a terminated TLS connection is
significantly higher than handling the initial handshake, like in L7
loadbalancers with heavy-weight protocol conversions after
termination.
This enforcement can particularly impact cases where many clients are
using a particular IP subnet due to using a privacy-preserving proxy
(some examples are described in [PRIVACYPARTITIONING]). For such
cases, even if clients are able to provide Privacy Pass Tokens or
similar proofs at the HTTP layer, their connections might be denied
or rate-limiting during TLS session establishment.
In order to signal that clients meet certain criteria (rate-limiting,
etc), without disclosing individual client identities or pseudonyms,
this document defines a way to include Privacy Pass Tokens within the
TLS handshake. Specifically, these tokens are sent within the TLS
Encrypted Client Hello [ECH]. This prevents network observers from
being able to directly observe the tokens, while still allowing the
TLS server to observe the token early in the handshake.
2. Conventions and Definitions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
3. Overview
Clients can include Privacy Pass tokens as part of the TLS Client
Hello via the privacy_pass_token extension. This is described in
Section 5. Clients MAY be configured to always present tokens when
performing a TLS handshake with a particular server. However, in
general, clients SHOULD NOT automatically include Privacy Pass
tokens; without an explicit challenge, clients won't know the
relevant token type or issuer to use.
Servers can request tokens by adding the privacy_pass_challenge
extension to a TLS Hello Retry Request. This is described in
Section 4. Servers that want to receive Privacy Pass tokens as a way
to enforce DoS protection SHOULD send challenges to clients when
these clients would otherwise be blocked or rate-limited in some
fashion.
Pauly & Hendrickson Expires 4 September 2025 [Page 3]
�
Internet-Draft Privacy Pass for TLS March 2025
4. Requesting Privacy Pass Tokens
In order to request that a client sends a Privacy Pass token, a
server can send a Hello Retry Request ([TLS13], Section 4.1.4) that
includes a privacy_pass_challenge extension.
The privacy_pass_challenge extension has the following format:
struct {
opaque challenge<1..2^16-1>;
opaque token_key<0..2^16-1>;
} PrivacyPassChallenge;
The fields are defined as follows:
* challenge contains a TokenChallenge structure, as defined in
[PPAUTH], Section 2.1.1.
* token_key contains a public key for use with the issuance
protocol, where applicable. This is equivalent to the token-key
parameter used in HTTP authentication challenges discussed in
[PPAUTH], Section 2.1.1. The token_key may be empty (have a zero
length), in which case clients are expected to fetch the token key
for a particular issuer name in another way.
If a client does not include the token in the Client Hello (or
subsequent Client Hello after being challenged), the server MAY
reject the request or apply rate-limiting.
Clients SHOULD apply some form of consistency check on the token
challenge to avoid (malicious) anonymity set partitioning by the
server; see Section 6.2 of [PPARCH] for more details.
Servers sending challenges can use a non-empty redemption_context in
order to bind the token challenge to a particular context (such as
the client IP address, or a time window) to aid in token replay
prevention. Servers MAY combine sending privacy_pass_challenge
extensions with a cookie extension ([TLS13], Section 4.2.2). For
example, servers that cannot statefully persist the token challenge
presented to the client in the privacy_pass_challenge extension can
use the cookie extension to encode this challenge.
Pauly & Hendrickson Expires 4 September 2025 [Page 4]
�
Internet-Draft Privacy Pass for TLS March 2025
5. Presenting Privacy Pass Tokens in Encrypted Client Hello
Clients can include Privacy Pass tokens in TLS handshakes using the
privacy_pass_token extension. This extension MUST be sent in the
Inner Client Hello, using [ECH]. If ECH is not supported, clients
SHOULD NOT use Privacy Pass tokens in TLS in order to avoid adding
more tracking entropy visible on the wire, and making it easier to
trivially replay tokens to a server.
The privacy_pass_token extension has the following format:
struct {
opaque token<1..2^16-1>;
} PrivacyPassToken;
The token field uses the Token structure defined in [PPAUTH],
Section 2.1.1.
Tokens are generally presented after receiving a challenge, but a
client MAY include a token without having received a challenge if it
has other out-of-band configuration to do so.
5.1. Handling Inability to Present Tokens
Servers need to be able to detect when clients are unable to present
a token after receiving a challenge. A client might be unable to
present tokens because it has reached a token rate limit, because it
does not have a way to generate tokens for the required token issuer,
or simply because it does not support this specification.
The RECOMMENDED approach to handle such cases is for the server to
include a cookie extension ([TLS13], Section 4.2.2) along with the
challenge, and for clients to retry the handshake including the
cookie extension, but not including the privacy_pass_token extension.
Servers can then assume that the client received the challenge and
was unable to generate a valid token. The policy for what servers do
in such cases will be specific to the overall use case, and beyond
the scope of this document.
6. Applicable Token Types
This document is defined such that any Privacy Pass token type would
be possible to use in the TLS handshake. However, different token
types will have different properties for latency, replay protection,
and privacy.
Pauly & Hendrickson Expires 4 September 2025 [Page 5]
�
Internet-Draft Privacy Pass for TLS March 2025
Ideally, deployments can use token types that allow for unique
redemption contexts (to prevent replay attacks) that also do not
require communicating with a token attester or issuer for each token
creation (thus improving latency, and not creating new activity that
can be used to fingerprint clients). Some proposed token types like
[ARC] and [BBS] have these properties.
7. Security Considerations
Servers redeeming Privacy Pass tokens in TLS handshakes need to take
care to avoid replay attacks. Using a fresh redemption context in
the challenge ensures that tokens are equally fresh and unique.
As discussed in Section 6, token issuance types that don't require
clients talking to an issuance server with a new network request for
every token generation will have better properties for privacy, since
the client won't make a new request after each TLS handshake
challenge.
8. IANA Considerations
8.1. Update of the TLS ExtensionType Registry
IANA is requested to create the following entries in the existing
registry for ExtensionType (defined in [TLS13]):
1. privacy_pass_challenge(0xfd00), with the "TLS 1.3" column values
set to "HRR", "DTLS-Only" column set to "N", "Recommended" column
set to "Yes".
2. privacy_pass_token(TBD), with "TLS 1.3" column values set to
"CH", "DTLS-Only" column set to "N", and "Recommended" column set
to "Yes", and the "Comment" column set to "Only appears in inner
CH."
9. References
9.1. Normative References
[ECH] Rescorla, E., Oku, K., Sullivan, N., and C. A. Wood, "TLS
Encrypted Client Hello", Work in Progress, Internet-Draft,
draft-ietf-tls-esni-23, 19 February 2025,
<https://datatracker.ietf.org/doc/html/draft-ietf-tls-
esni-23>.
[PPARCH] Davidson, A., Iyengar, J., and C. A. Wood, "The Privacy
Pass Architecture", RFC 9576, DOI 10.17487/RFC9576, June
2024, <https://www.rfc-editor.org/rfc/rfc9576>.
Pauly & Hendrickson Expires 4 September 2025 [Page 6]
�
Internet-Draft Privacy Pass for TLS March 2025
[PPAUTH] Davidson, A., Iyengar, J., and C. A. Wood, "The Privacy
Pass Architecture", RFC 9576, DOI 10.17487/RFC9576, June
2024, <https://www.rfc-editor.org/rfc/rfc9576>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/rfc/rfc2119>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/rfc/rfc8174>.
[TLS13] Rescorla, E., "The Transport Layer Security (TLS) Protocol
Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
<https://www.rfc-editor.org/rfc/rfc8446>.
9.2. Informative References
[ARC] Yun, C. and C. A. Wood, "Privacy Pass Issuance Protocol
for Anonymous Rate-Limited Credentials", Work in Progress,
Internet-Draft, draft-yun-privacypass-arc-00, 5 February
2025, <https://datatracker.ietf.org/doc/html/draft-yun-
privacypass-arc-00>.
[BBS] Ladd, W., "BBS for PrivacyPass", Work in Progress,
Internet-Draft, draft-ladd-privacypass-bbs-01, 26 February
2024, <https://datatracker.ietf.org/doc/html/draft-ladd-
privacypass-bbs-01>.
[I-D.sawant-eap-ppt]
Sawant, P. and B. Brinckman, "Extensible Authentication
Protocol (EAP) Using Privacy Pass Token", Work in
Progress, Internet-Draft, draft-sawant-eap-ppt-01, 20
October 2024, <https://datatracker.ietf.org/doc/html/
draft-sawant-eap-ppt-01>.
[PRIVACYPARTITIONING]
Kühlewind, M., Pauly, T., and C. A. Wood, "Partitioning as
an Architecture for Privacy", RFC 9614,
DOI 10.17487/RFC9614, July 2024,
<https://www.rfc-editor.org/rfc/rfc9614>.
Acknowledgments
TODO acknowledge.
Pauly & Hendrickson Expires 4 September 2025 [Page 7]
�
Internet-Draft Privacy Pass for TLS March 2025
Authors' Addresses
Tommy Pauly
Apple
Email: tpauly@apple.com
Scott Hendrickson
Google
Email: scott@shendrickson.com
Pauly & Hendrickson Expires 4 September 2025 [Page 8]