| rfc9577v4.txt | rfc9577.txt | |||
|---|---|---|---|---|
| skipping to change at line 348 ¶ | skipping to change at line 348 ¶ | |||
| share redemption contexts. Failure to successfully synchronize this | share redemption contexts. Failure to successfully synchronize this | |||
| state and use it for double-spend prevention can allow Clients to | state and use it for double-spend prevention can allow Clients to | |||
| redeem tokens to one Origin that were issued after an interaction | redeem tokens to one Origin that were issued after an interaction | |||
| with another Origin that shares the context. | with another Origin that shares the context. | |||
| 2.1.2. Sending Token Challenges | 2.1.2. Sending Token Challenges | |||
| When used in an authentication challenge, the "PrivateToken" scheme | When used in an authentication challenge, the "PrivateToken" scheme | |||
| uses the following parameters: | uses the following parameters: | |||
| * "challenge", which contains a base64url TokenChallenge value, | * challenge, which contains a base64url TokenChallenge value, | |||
| encoded per [RFC4648]. This document follows the default padding | encoded per [RFC4648]. This document follows the default padding | |||
| behavior described in Section 3.2 of [RFC4648], so the base64url | behavior described in Section 3.2 of [RFC4648], so the base64url | |||
| value MUST include padding. As an authentication parameter (auth- | value MUST include padding. As an authentication parameter (auth- | |||
| param from [HTTP], Section 11.2), the value can be either a token | param from [HTTP], Section 11.2), the value can be either a token | |||
| or a quoted-string and might be required to be a quoted-string if | or a quoted-string and might be required to be a quoted-string if | |||
| the base64url string includes "=" characters. This parameter is | the base64url string includes "=" characters. This parameter is | |||
| required for all challenges. | required for all challenges. | |||
| * "token-key", which contains a base64url encoding of the public key | * token-key, which contains a base64url encoding of the public key | |||
| for use with the issuance protocol indicated by the challenge. | for use with the issuance protocol indicated by the challenge. | |||
| See [ISSUANCE] for more information about how this public key is | See [ISSUANCE] for more information about how this public key is | |||
| used by the issuance protocols described in that specification. | used by the issuance protocols described in that specification. | |||
| The encoding of the public key is determined by the token type; | The encoding of the public key is determined by the token type; | |||
| see Section 6.2. As with "challenge", the base64url value MUST | see Section 6.2. As with challenge, the base64url value MUST | |||
| include padding. As an authentication parameter (auth-param from | include padding. As an authentication parameter (auth-param from | |||
| [HTTP], Section 11.2), the value can be either a token or a | [HTTP], Section 11.2), the value can be either a token or a | |||
| quoted-string and might be required to be a quoted-string if the | quoted-string and might be required to be a quoted-string if the | |||
| base64url string includes "=" characters. This parameter MAY be | base64url string includes "=" characters. This parameter MAY be | |||
| omitted in deployments where Clients are able to retrieve the | omitted in deployments where Clients are able to retrieve the | |||
| Issuer key using an out-of-band mechanism. | Issuer key using an out-of-band mechanism. | |||
| * "max-age", which is an optional parameter that consists of the | * max-age, which is an optional parameter that consists of the | |||
| number of seconds for which the challenge will be accepted by the | number of seconds for which the challenge will be accepted by the | |||
| Origin. | Origin. | |||
| The header field MAY also include the standard realm parameter, if | The header field MAY also include the standard realm parameter, if | |||
| desired. Issuance protocols MAY define other parameters, some of | desired. Issuance protocols MAY define other parameters, some of | |||
| which might be required. Clients MUST ignore parameters in | which might be required. Clients MUST ignore parameters in | |||
| challenges that are not defined for the issuance protocol | challenges that are not defined for the issuance protocol | |||
| corresponding to the token type in the challenge. | corresponding to the token type in the challenge. | |||
| As an example, the WWW-Authenticate header field could look like | As an example, the WWW-Authenticate header field could look like | |||
| skipping to change at line 525 ¶ | skipping to change at line 525 ¶ | |||
| The authenticator value in the token structure is computed over the | The authenticator value in the token structure is computed over the | |||
| token_type, nonce, challenge_digest, and token_key_id fields. A | token_type, nonce, challenge_digest, and token_key_id fields. A | |||
| token is considered valid if token verification succeeds; see | token is considered valid if token verification succeeds; see | |||
| Section 2.2.3 for details about verifying the token and its | Section 2.2.3 for details about verifying the token and its | |||
| authenticator value. | authenticator value. | |||
| 2.2.2. Sending Tokens | 2.2.2. Sending Tokens | |||
| When used for Client authorization, the "PrivateToken" authentication | When used for Client authorization, the "PrivateToken" authentication | |||
| scheme defines one parameter, "token", which contains the base64url- | scheme defines one parameter, token, which contains the base64url- | |||
| encoded token structure. As with the challenge parameters | encoded token structure. As with the challenge parameters | |||
| (Section 2.1), the base64url value MUST include padding. As an | (Section 2.1), the base64url value MUST include padding. As an | |||
| authentication parameter (auth-param from [HTTP], Section 11.2), the | authentication parameter (auth-param from [HTTP], Section 11.2), the | |||
| value can be either a token or a quoted-string and might be required | value can be either a token or a quoted-string and might be required | |||
| to be a quoted-string if the base64url string includes "=" | to be a quoted-string if the base64url string includes "=" | |||
| characters. All unknown or unsupported parameters to "PrivateToken" | characters. All unknown or unsupported parameters to "PrivateToken" | |||
| authentication credentials MUST be ignored. | authentication credentials MUST be ignored. | |||
| Clients present this token structure to Origins in a new HTTP request | Clients present this token structure to Origins in a new HTTP request | |||
| using the Authorization header field as follows: | using the Authorization header field as follows: | |||
| skipping to change at line 721 ¶ | skipping to change at line 721 ¶ | |||
| for discussion about safety considerations for 0-RTT HTTP data. | for discussion about safety considerations for 0-RTT HTTP data. | |||
| 5.3. Reflection Attacks | 5.3. Reflection Attacks | |||
| The security properties of token challenges vary, depending on | The security properties of token challenges vary, depending on | |||
| whether the challenge contains a redemption context or not, as well | whether the challenge contains a redemption context or not, as well | |||
| as whether the challenge is a per-Origin challenge or not. For | as whether the challenge is a per-Origin challenge or not. For | |||
| example, cross-Origin tokens with empty contexts can be reflected | example, cross-Origin tokens with empty contexts can be reflected | |||
| from one party by another, as shown below. | from one party by another, as shown below. | |||
| +--------+ +----------+ +--------+ | +--------+ +----------+ +--------+ | |||
| | Origin | | Attacker | | Client | | | Origin | | Attacker | | Client | | |||
| +---+----+ +----+-----+ +---+----+ | +---+----+ +----+-----+ +---+----+ | |||
| | | | | | | | | |||
| +-- TokenChallenge -->| | | +--- TokenChallenge -->| | | |||
| | +-- (reflect challenge) ->| | | +-- (reflect challenge) -->| | |||
| | |<-------- token ---------+ | | |<-------- Token ----------+ | |||
| |<-- (reflect token) -+ | | |<-- (reflect token) --+ | | |||
| | | | | | | | |||
| Figure 2: Reflection Attack Example | Figure 2: Reflection Attack Example | |||
| 5.4. Token Exhaustion Attacks | 5.4. Token Exhaustion Attacks | |||
| When a Client holds cross-Origin tokens with empty contexts, it is | When a Client holds cross-Origin tokens with empty contexts, it is | |||
| possible for any Origin in the cross-Origin set to deplete that | possible for any Origin in the cross-Origin set to deplete that | |||
| Client's set of tokens. To prevent this from happening, tokens can | Client's set of tokens. To prevent this from happening, tokens can | |||
| be scoped to single Origins (with non-empty origin_info) such that | be scoped to single Origins (with non-empty origin_info) such that | |||
| they can only be redeemed for a single Origin. Alternatively, if | they can only be redeemed for a single Origin. Alternatively, if | |||
| skipping to change at line 772 ¶ | skipping to change at line 772 ¶ | |||
| Context-bound token challenges require Clients to obtain matching | Context-bound token challenges require Clients to obtain matching | |||
| tokens when challenged, rather than presenting a token that was | tokens when challenged, rather than presenting a token that was | |||
| obtained from a different context in the past. This can make it more | obtained from a different context in the past. This can make it more | |||
| likely that issuance and redemption events will occur at | likely that issuance and redemption events will occur at | |||
| approximately the same time. For example, if a Client is challenged | approximately the same time. For example, if a Client is challenged | |||
| for a token with a unique context at time T1 and then subsequently | for a token with a unique context at time T1 and then subsequently | |||
| obtains a token at time T2, a colluding Issuer and Origin can link | obtains a token at time T2, a colluding Issuer and Origin can link | |||
| this to the same Client if T2 is unique to the Client. This | this to the same Client if T2 is unique to the Client. This | |||
| linkability is less feasible as the number of issuance events at time | linkability is less feasible as the number of issuance events at time | |||
| T2 increases. Depending on the "max-age" token challenge parameter, | T2 increases. Depending on the max-age token challenge parameter, | |||
| Clients MAY try to add delay to the time between being challenged and | Clients MAY try to add delay to the time between being challenged and | |||
| redeeming a token to make this sort of linkability more difficult. | redeeming a token to make this sort of linkability more difficult. | |||
| For more discussion on correlation risks between token issuance and | For more discussion on correlation risks between token issuance and | |||
| redemption, see Section 6.3 of [ARCHITECTURE]. | redemption, see Section 6.3 of [ARCHITECTURE]. | |||
| 5.6. Cross-Context Linkability Attacks | 5.6. Cross-Context Linkability Attacks | |||
| As discussed in Section 2.1, Clients SHOULD discard any context-bound | As discussed in Section 2.1, Clients SHOULD discard any context-bound | |||
| tokens upon flushing cookies or changing networks, to prevent an | tokens upon flushing cookies or changing networks, to prevent an | |||
| Origin from using the redemption context state as a cookie to | Origin from using the redemption context state as a cookie to | |||
| skipping to change at line 812 ¶ | skipping to change at line 812 ¶ | |||
| defined for use with the Privacy Pass token authentication scheme. | defined for use with the Privacy Pass token authentication scheme. | |||
| These identifiers are 2-byte values, so the maximum possible value is | These identifiers are 2-byte values, so the maximum possible value is | |||
| 0xFFFF = 65535. | 0xFFFF = 65535. | |||
| New registrations need to list the following attributes: | New registrations need to list the following attributes: | |||
| Value: The 2-byte identifier for the algorithm. | Value: The 2-byte identifier for the algorithm. | |||
| Name: Name of the issuance protocol. | Name: Name of the issuance protocol. | |||
| Token Structure: The contents of the token structure; see | Token Structure: The contents of the token structure; see | |||
| Section 2.2. | Section 2.2. | |||
| Token Key Encoding: The encoding of the "token-key" parameter; see | Token Key Encoding: The encoding of the token-key parameter; see | |||
| Section 2.1.2. | Section 2.1.2. | |||
| TokenChallenge Structure: The contents of the TokenChallenge | TokenChallenge Structure: The contents of the TokenChallenge | |||
| structure; see Section 2.1. | structure; see Section 2.1. | |||
| Publicly Verifiable: A Y/N value indicating if the output tokens | Publicly Verifiable: A Y/N value indicating if the output tokens | |||
| have the public verifiability property; see Section 3.5 of | have the public verifiability property; see Section 3.5 of | |||
| [ARCHITECTURE] for more details about this property. | [ARCHITECTURE] for more details about this property. | |||
| Public Metadata: A Y/N value indicating if the output tokens can | Public Metadata: A Y/N value indicating if the output tokens can | |||
| contain public metadata; see Section 3.5 of [ARCHITECTURE] for | contain public metadata; see Section 3.5 of [ARCHITECTURE] for | |||
| more details about this property. | more details about this property. | |||
| Private Metadata: A Y/N value indicating if the output tokens can | Private Metadata: A Y/N value indicating if the output tokens can | |||
| End of changes. 8 change blocks. | ||||
| 16 lines changed or deleted | 16 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. | ||||