►
From YouTube: IETF-PRIVACYPASS-20220131-1700
Description
PRIVACYPASS meeting session at IETF
2022/01/31 1700
https://datatracker.ietf.org/meeting//proceedings/
D
C
Well,
it's
it's
only
one
minute
after
the
hour,
so
I
think
we
can
give
folks
a
little
bit
more
time
to
to
come
in
I'll
we're
going
to
continue
mentioning
that
we
will
need
an
official
minute
taker
before
we
can
start.
The
session
minute
takers
are
are
only
required
to
note
relevant
and
important
points
from
the
discussion.
A
full
transcript
is
not
required
or
expected.
G
C
Of
that
yes,
so
another
reason
you
that
that
being
a
minute
taker
is
not
terribly
difficult,
is
that
the
full
contents
of
the
meeting
are
actually
being
recorded.
So
the
only
thing
we're
asking
for
a
minute
taker
to
write
down
are
the
substantive
conclusions
reached
by
the
working
group
in
the
course
of
discussion.
Anybody
who
wants
the
full
details
can
always
go
directly
to
the
recording.
C
So
I
want
to
remind
everybody
that
this
is
an
ietf
session.
It
is
covered
by
the
ietf
note.
Well
that
covers
both
things
like
patents
and
ipr
related
to
any
discussions
or
activity
in
the
working
group
and
to
the
code
of
conduct,
which
requires
us
all
to
be
professional
and
respectful
in
our
communications
here
I'll
I'll
avoid
trying
to
summarize
the
full
details
of
the
ietf
note
well,
but
if
you're
not
familiar
with
it,
please
do
familiarize
yourself
with
it
before
participating
in
the
working
group.
C
C
C
If
you
do
need
to
go
to
the
microphone
and
don't
want
to
or
are
technically
unable
to
use
the
voice
features
in
meet
echo.
Please
just
type
your
question
into
the
chat,
with
a
request
for
it
to
be
brought
to
the
microphone
and
one
of
the
chairs
will
handle
that
for
you
and
when
you
are
coming
to
the
microphone,
please
help
out
matthew
finkel
by
stating
your
name
so
that
so
that
we
know
who
is
speaking.
E
E
E
The
client
is
specifically
talking
to
the
server
or
interacting
with
the
server
to
get
some
particular
resource
on
the
web,
say
an
image
in
this
particular
case,
but
the
server
upon
you
know
getting
this
request
from
the
client
decides
to
to
challenge
the
client,
because
it
looks
suspicious,
you
know,
comes
from
an
ip
address,
that
it
doesn't
trust
or
has
a
poor
reputation,
as
was
the
case
with
tor.
The
original
motivating
use
case
for
privacy
pass
or
whatever
other
reasons
the
server
might
have
to
challenge
the
client.
E
The
client
upon
getting
this
challenge
will
solve
it
for
some
definition
of
solve
and
generate
a
proof
based
on
the
challenge
and
sort
of
generically,
using
the
word
proof
here
to
just
talk
about.
You
know
something
that
was
done
to
satisfy
the
challenge
that
the
server
just
sent
and
sends
along
to
the
server.
E
E
E
E
Rather
it
could
be
proof
that
the
the
client
had
previously
solved
the
captcha,
like
I
interacted
with
the
server
before
I
got
some
proof
at
that.
That
point
in
time
that
I
solved
a
particular
captcha
and
so
at
some
point
in
the
future.
If
I
get
challenged
again,
I
just
re.
I
represent
that
proof
to
to
the
server
we're
not
representing
present,
that
through
proof
to
the
server
and
if
the
server
trusts
the
particular
proof
everything
checks
out,
but
you
can
generalize
this
a
bit
more.
E
E
Do
you
have
a
valid
device
that
you're
using
to
access
this
particular
resource
and
any
combination
of
properties?
Really
that
makes
sense
for
the
server's
particular
application
and
the
client
upon
getting
asked
to
attest
to
these
particular
properties,
or
this
particular
property
can
present
that
proof
to
the
server
and
the
server
can
check
it
based
on
you
know
whatever
and
then
do
whatever
the
client
wants.
E
So,
let's
now
sort
of
break
down
what
happens
when
a
client
attests
to
some
particular
property
and
then
presents
a
proof
to
the
server.
Let's
imagine
there
was
a
separate
function
for
that.
The
client
interacted
with
for
testing
to
a
particular
property
and
then
kind
of
kind
of
getting
proof
that
it
did
this
attestation,
so
in
the
interaction
before
the
server
would
challenge
the
client
to
attest
to
some
particular
property.
E
And
then
the
issuer
would
present
proof
of
attestation.
The
client
would
then
relay
right
along
happily
to
the
server
and
if
the
server
trusts
this
particular
function
this
this
issuance
function,
then
this
is
indistinguishable
from
the
case
we
had
before,
where
the
server
was
like
the
one
doing
the
attestation
and
generating
the
proof
and
then
checking
the
proof
later
on.
E
The
tester
then
would,
on
behalf
of
the
client,
ask
for
a
proof
and
the
issuer,
assuming
that
it
trusts
this
particular
tester
would
generate
proof.
A
tester
would
forward
that
proof
to
the
client
and
then
the
client
would
present
that
proof
to
the
server
and
so
now
the
trust
relationship
sort
of
looks
like
this.
The
server
trusts
the
issuer
to
present
to
to
generate
proofs
the
issuer
trusts
the
particular
tester
to
do
attestation
of
the
client,
and
then
this
this
arrangement,
we
argue,
is
basically
the
same
as
the
original.
E
You
know,
interaction
where
everything
was
collapsed
together
and
indeed
that's
what
the
privacy
pass.
Architecture
was
written
or
that's
the
way
it
was
written.
It
was
written
such
that
everything
in
red
was
the
same
box.
It
was
referred
to
generically
as
an
issuer,
but
really
we
can.
We
can
split
out
these
functionalities
into
separate,
separate
functions.
E
G
All
right
can
we
get
to
slide
14,
okay,
there.
We
are
okay,
end
of
awkward
transition.
Thank
you,
chris.
We
made
it
as
awkward
as
possible.
Hopefully
that
woke
you
up
from
your
well.
Whatever
time
zone
you
are
in
so
continuing
just
left
off.
Basically
the
idea,
the
important
idea
here-
and
this
speaks
also
the
question
that's
npd
is
asking
punjab.
The
idea
here
is
that
separating
this
separating
these
functions-
and
we
want
you
to
think
about
these
as
functions
that
are
that
are
part
of
the
architecture
anyway.
G
G
But
but
this
allows
us
to
be
allows
us
to
instantiate
multiple
different
variants,
so
to
speak
or
instantiations
of
privacy
paths
bear
in
mind
that
we
don't
need
them
all
to
be
separate
entities
like,
for
example,
in
in
the
existing
privacy
pass
architecture
you
could
think
of
the
issuer,
as
the
architecture
is
the
first
one
which
is
like
a
combined
origin
at
a
certain
issuer
where
everything
is
the
same
same
entity.
The
client
speaks
to
the
origin,
and
the
origin
also
happens
to
be
the
attester
and
the
issuer
at
the
same
time.
G
You
can
also
have
a
second
instantiation
where
you
have
separate
origin
and
a
combined
issuer
slash
a
tester
where
the
client
speaks
to
the
origin
and
then
gets
a
challenge
and
then
goes
off
to
this
other
entity,
which
is
the
attac
surplus
issuer
and
and
and
gets
this
gets
the
gets,
the
proof
that
it
takes
back
to
the
origin
and,
finally,
all
separate
entities
as
well.
This
is
this
is
separate
again
separating
of
the
architecture.
Yes,
it
does
make.
G
It
seem
a
bit
more
complex,
but
it
does
give
us
benefits,
because
we
are
able
to
do
some
things
here,
that
we
can't
otherwise
do
and
we'll
get
to
that
in
the
details.
But
I'm
going
to
talk
about
just
architecture
at
the
moment,
npd
again
we
will.
We
will
get
to
that,
especially
the
rate
limiting
document
speaks
to
the
all
separate
case,
because
that
is
one
instantiation
of
the
architecture
that
you
need
to
be
able
to
do
rate
limiting
anonymously
for
for
clients.
G
The
first
one
is
the
redemption
protocol.
Then
the
redemption
protocol
is
simply
where
the
client
is
able
to
redeem
proof
with
the
origin,
and
this
is
a
consistent
protocol
for,
for
all
of
the
use
cases
that
we
can
do
with
this.
That's
the
goal
is
to
sort
of
have
one
redemption
protocol,
no
matter
what
the
use
case
so
that
the
client
origin
interaction
remains
exactly
the
same.
G
The
extensibility
in
this
architecture
comes
from
being
able
to
have
multiple
issuance
protocols,
because
the
issuance
protocol
effectively
says
hey,
I'm
going
to
issue
you
a
proof
for
a
particular
property
that
that
the
client
has
to
attest
to,
and
that
defines
the
issuance
protocol
to
some
extent
and
the
particular
details
of
that
would
depend
on
the
use
case.
So
for
different
use
cases
we
might
have
different
types
of
issuance
protocols,
and
this
is
this
is
an
exchange
that
we
can
extend.
We
can
replace
it
for
new
deployment
models
so
again.
G
The
issuers
are
the
ones
that
that
look
at
what
the
address
is
attesting
to,
and
then
they
produce
a
proof
or
a
token
that
is
bound
to
that
property
and
the
redeemer
then
consumes
the
stroke
right
or
the
origin
consumes.
This
token,
that
is
generated
by
the
issuer,
so
those
are
the
functionally
those
are
the
those
are
the
pieces
that
we
believe
are
part
of
the
the
architecture
here.
So
to
the
question
of,
why
do
we
want
to
rework
the
architecture?
G
G
G
A
G
So
the
hard
I'm
gonna
understand,
maybe
tommy
you
can
jump
in
the
the
the
the
protocols
are
standards
they're,
all
standardized.
Like
I
mean
all
of
these
three
entities
are
effectively
can
be
separate,
completely
separate
organizations
and
therefore
the
protocols
between
them
will
need
to
be
standardized,
and
that's
that's
in
the
different
protocol
documents
that
we
have
tommy.
Do
you
want
to
add
something.
B
B
On
the
other
side,
I
think
it
gets
a
little
bit
more
flexible
depending
on
the
situation,
so
you
know,
I
would
argue
that
even
in
the
existing
architecture,
the
actual
attestation
step
of
solving
the
captcha,
you
know
that
part
itself
was
not
standardized.
The
thing
that
the
client
does
to
the
attester
to
say
I
am
legitimate,
and
even
if
it
is
standardized,
I
don't
think
that's
something.
B
That's
within
scope
for
privacy
pass
itself,
we're
not
defining
how
you
do
captcha
we're
not
defining
how
you
do
device
association
or
account
login
or
whatever
else
it
is
so
there's
kind
of
like
some
step
in
there.
That
is
unique
to
how
the
client
talks
to
the
thing
that
lets
it
get
tokens,
and
that
is
specifically
not
standardized
in
this
group,
but
you
know,
as
we
will
go
into
in
the
third
presentation
around
issuance
protocols.
B
The
way
you
actually
get
a
token.
You
know
that
needs
to
be
standardized
and
that's
what
already
existed
for
the
issuance
protocol.
Saying:
hey,
here's,
how
you
use
a
pop-rf
or
here's,
how
you
need
to
get
a
publicly
verifiable
token,
and
so
there's
there's
a
bit
of
standardization
on
the
issuance
protocol.
B
B
So
now
we're
going
to
go
into
the
two
halves
of
the
protocol
that
we
talked
about
and
I'm
going
to
start
by
talking
about
this
challenging
redemption
phase.
Oh,
and
could
the
chairs
restart
the
timer?
Actually
because
I'm
getting
the
red
flashing
lights
that
I'm
almost
done
great,
all
right
so
going
back
to
that
diagram?
B
And
as
I
had
in
the
title
here,
there
are
two
halves
of
this
that
we
think
of
and
we're
calling
it
challenge
and
redemption,
and
the
broad
shapes
not
talking
about
any
particular
protocol
here
is
that
in
a
challenge
the
client
is
telling
some
server
hey.
I
want
to
do
or
access
something,
and
the
origin
is
like
prove
that
you're
able
to
access
this
you
know
give
me
a
token
to
prove
that
you're,
not
a
bot
or
to
prove
that
you
have
an
account
or
something,
and
then
the
redemption
phase
is.
B
B
And
not
the
both
of
these
are
not
always
required,
so
the
redemption
half,
no
matter
how
you
slice
things,
I
think,
is
a
fundamental
part
of
any
token
scheme
we
have.
We
actually
need
to
spend
the
token,
and
so
the
token
redemption
is
whenever
the
client
presents
a
token
to
gain
access
and
within
privacy
pass.
B
B
B
B
So
what
we're
proposing
here
is
that
you
know
if
you
look
at
this
interaction
model
of
oh,
I
have
a
challenge
when
a
client
tries
to
access
a
resource,
and
then
I
want
to
be
able
to
provide
a
token
and
authentication.
It
really
really
fits
cleanly
into
an
http
authentication
method
and
defining
that
within
this
group,
we
believe
will
allow
for
a
really
nice
standard
definition
that
could
have
explicit
support
for
different
types
of
tokens.
So
we
can
have
this
be
extensible
and
have
it
evolve,
and
this
would
work
cleanly
with
the
javascript
apis.
B
It
also
can
indicate
the
issuer
name
and
essentially
say.
Oh,
this
is
who
I
trust,
or
I
can
have
multiple
names
of
you-
can
get
tokens
from
any
of
these
people,
and
it
can
also
provide
hints
for
the
keys
to
use
to
make
it
faster
for
clients
to
get
tokens
without
having
to
fetch
some
config
from
the
side
and
then
also
has
allows
for
some
optional
features,
which
we
think
are
very
useful.
B
B
As
an
optional
thing,
you
can
add
in
all
right.
So
what
is
this?
Oh
yeah?
The
other
thing
we
want
to
focus
on
here
is:
we
believe
that
it's
really
important
if
we
want
privacy
pass
to
be
widely
used
and
adopted
throughout
the
web
and
other
servers
that
it
needs
to
be
really
really
easy
for
origins
to
adopt.
B
So
as
part
of
this,
the
origins
don't
need
to
do
any
complex
crypto.
They
just
need
to
verify
tokens
for
publicly
verifiable
types
like
rsa
blind
signatures.
That's
really
really
simple.
To
do
privately,
verifiable
tokens
do
require
the
origin
to
have
an
issue
or
key
or
make
a
request
to
the
issuer.
That's
what
we
have
with
the
poprf,
but
it's
not
too
much
to
do
in
that
case,
but
an
origin
can
always
choose
to
prefer
the
publicly
verifiable
type
as
well
and
interactive.
B
Tokens
can
also
mitigate
some
concerns
that
origins
had
around
farming
and
double
spending
and
tracking
that
state,
if
you're,
using
interactive
tokens,
you're
shifting
the
state
that's
required
on
the
origin
from
maintaining.
Oh
here's
all
of
the
redeemed
tokens
that
I've
had
and
making
sure
that
no
one's
double
spent
to
instead
just
having
a
nonce,
that's
associated
with
a
single
http
session
with
the
client,
and
you
just
need
to
remember
how
many
nonces
did
I
give
out
what
were
they
and
that
can
be
much
much
more
bounded.
B
B
B
If
you
have
an
origin
name
present,
really,
that
just
is
something
that
gets
signed,
and
so,
if,
if
the
origin
name
is
present,
you
need
a
token
that's
specific
to
this
origin,
and
you
can't
do
cross-origin
spending,
but
you
can
still
cache
it.
Otherwise,
if
that's
missing
it's
just
a
generic
token
that
can
be
used
on
any
origin
that
supports
cross-origin
tokens.
B
B
It
contains
the
key
id
of
the
key
that
signs
the
token
and
then
has
an
authenticator,
which
would
be
a
blob,
that's
specific
to
the
particular
issuance
method
that
can
be
the
blind,
rsa
signature.
It
can
be
the
pop
or
pop
rf
output
or
something
else
as
we
come
up
with
better
options
into
the
future.
B
A
Joe,
so,
basically
you
you're
between
the
kind
of
this
redemption
protocol.
You
still
have
a
link.
There
is
a
linkage
between
the
issuer
protocol
and
that
you
need
to
get
a
particular
type
of
token
and
exactly
what
the
client
does
to
prove
that,
in
that
opaque
blob
is
depends
on
on
that
what
happens
during
issuance,
but
the
rest
of
the,
but
that
kind
of
the
protocol
shape
is
the
same
no
matter
what
that's
kind
of
the
idea.
B
That
that's
right
and
you
know
the
idea-
is
you
know
today
we
already
have
you
know
we've
already
defined
p
or
prf.
We
want
to
bring
in
something
like
rsa
plan
signatures
for
public
verifiability,
so
we
need
to
wait
to
tell
between
those
but
even
going
forward.
I
think
there
their
desires
to
have
lighter
weight,
publicly
verifiable
tokens
and
it'd
be
nice
to
be
able
to
use
a
common,
challenging
redemption
method
and
just
have
a
bit
to
indicate
oh
yeah.
I
also
support
this
new.
B
B
H
C
All
right
ben,
that's
what
not
his
chair
so
in
in
previous
in
previous
iterations.
One
of
the
questions
that
has
come
up
is
about
the
privacy
implications
of
timing
based
linkability
for
these
kinds
of
interactive
issuance
situations.
So
my
first
question
is:
what
do
you?
What
do
you
think
of
that?
What
do
you
think
of
the
the
concern
that
a
that,
if
an
origin
can
tell
me
exactly
when
to
request
a
new
token
that
the
the
timing
of
that
identifies
the
user.
B
B
B
It
also
plays
into
a
little
bit
the
the
interactions
that
we
have
on
the
issuance
protocol
and
the
role
of
if
we
do
separate
out
a
tester
that
a
client
who
is
coordinating
within
a
tester.
Let's
say
you
know
my
ios
device
talks
to
a
server
that
can
do
device
attestation.
It
could
say,
hey
you
know.
No
one
else
is
using
this
issue
or
it
seems
like
maybe
you're
being
fingerprinted
here,
as
opposed
to
saying
oh
yeah.
C
Yeah,
I
think
that's
that's
interesting.
I
you
know,
I
would
point
out
that
if
you
have
an
issuer
with
somewhere
in
the
vicinity
of,
let's
say
a
hundred
thousand
active
users,
you
know
if
those
users
all
get
a
fresh
batch
of
tokens
once
a
day,
then
they
have
an
anonymity
set
size
of
a
hundred
thousand.
But
if
they
are
in
this
interactive
mode,
then
they
essentially
are
fully
identifiable
because
issuance
presumably
takes
much
less
than
one
second.
C
B
C
C
C
And
do
we
really
want
to
provide
a
so
it
we've
talked
before
about,
for
example,
public
metadata
as
something
that
can
affect
the
privacy
protection
value
of
a
token,
but
that's
something
that's
very
clear
and
measurable
to
the
client.
So
it
can.
It
can
do
its
own
accounting
for
whether
it
wants
to
support
that
algorithm.
For
example,
yeah.
B
E
F
C
So
so
I
should
be
clear,
you
know
it's.
I
I
have
I'm
concerned
that
these
interactive
variants
don't
effectively
provide
significant
privacy
that
if
we
consider
all
of
the
other
metadata
visible
to
the
other
parties,
that
clients
are
actually
effectively
uniquely
identifiable,
even
at
quite
large
scales.
C
B
E
I
can
okay,
so
my
my
immediate
reaction
to
that
is
that
this
is
somewhat
like.
You
know
the
leaky
goat
problem
that
we
we
kind
of
face
in
ech
like
we
are.
We
are
designing
the
protocol
such
that
it's
like
cryptographically
unlikable
between
issuance
and
redemption,
and
yes,
if
there's
additional
metadata,
that's
leaked
particularly
around
like
the
time
stamps
of
these
events
that
you,
you
could
stitch
things
together
after
the
fact,
but
that
seems
sort
of
separate
or
or
external
to
the
the
protocol.
C
E
I
I
don't
want,
I
don't
know
if
you
can
add
recommendations
here,
though,
that's
kind
of
my
point,
like
the
clients,
are
in
a
position
where
they
don't
know
how
many
other
clients
are
interacting
with
a
particular
issue
or-
and
they
don't
know
like
what
the
value
is.
I
think
noting.
The
considerations
here
is
very
much
appropriate,
but
trying
to
offer
recommendations
for
local
client
policy
seems
like
an
intractable
problem
to
solve.
B
I
I
think
this
is
another
case
where
the
architecture
thinking
about
a
tester
and
issuer
roles
separately
actually
does
help.
So
not
only
does,
is
it
possible
that
you
know
a
tester
could
help
clients
know
about
the
scale,
but
I
think,
more
importantly,
when
you
talk
about
a
timing
attack,
we
need
to
think
about.
You
know
what
is
the
information
that
is
vulnerable
and
could
be
used
to
correlate
information
back
to
the
client
right.
E
E
E
You
can
sort
of
view
like
the
interface
to
the
issuance
protocol,
like
so
input
from
the
origin.
Again
is
just
a
public
key.
That's
used
to
verify
the
particular
token
so
in
the
case
of
the
people
here,
if
it
would
be
the
public
key,
the
case
of
like
blind
rsa
for
the
publicly
verifiable
variant,
it
would
be
the
public
key
for
binder,
say
and
then
the
challenge
which
is
like
this.
E
So
basic
issuance
is
really
quite
simple:
I'm
going
to
walk
through
sort
of
the
cryptographic
steps
that
like
drive
it.
This
is
something
that
was
in
the
existing
protocol
document
or
steps
of
this
were
sort
of
in
the
existing
protocol
document,
but
we
modified
it
to
accommodate
and
integrate
with
the
existing
redemption
protocol
or
with
the
proposed
redemption
protocol
rather
so
anyways.
E
Okay,
so
generates
a
nonce
computes
the
context
and
then
starts
the
blind
signature
protocol
as
per
the
blind
signature
protocol
after
computes.
It's
blind
or
request
in
this
particular
case
sends
that
over
to
the
issuer,
perhaps
going
through
the
tester
if
necessary,
for
this
particular
deployment
doesn't
need
to
be,
though
yeah
sure,
then,
is
an
oracle
for
computing
blind
signatures
over
arbitrary
requests.
E
So
it
gets
in
a
request,
computes,
a
blind
signature
and
then
immediately
sends
the
response
back
to
the
client
and
the
client
simply
finalizes
the
protocol
to
compute
the
authenticator,
pretty
straightforward,
very
simple
and,
as
I
was
saying
earlier,
I've
written
this
in
terms
of
the
blind
signature
scheme.
But
this
is
in
the
basic
issuance
proposal
that
we
have
up.
This
is
also
implementable
as
a
blind
signature
or
as
a
popuf.
Sorry.
E
That
is,
you
know.
Can
you
verify
without
having
an
authenticator
without
having
to
interact
with
a
particular
issuer?
Does
it
have
support
for
public
metadata?
That
is
input
or
data
that
is
revealed
necessarily
to
the
issuer
and
computing
its?
You
know
it's
it's
half
of
the
protocol,
or
does
it
support
private
metadata?
E
None
of
the
proposed
schemes
in
the
registry
right
now
do
support
private
metadata,
but
there
are
some
existing
proposals
from
folks
at
google
for
building
anonymous
issuance
protocols
with
private
metadata
bits,
individual
bits
we
could
we
could.
You
know,
extend
this
registry
to
denote
like
how
many
bits
of
metadata
is
are
supported.
So
you
know,
bike
shedding
here
is
necessary,
but
but
we
feel
like
these.
E
E
An
important
note
point
to
note
here
is
that
these
issuance
protocols
are
only
two
messages.
Are
one
round
trip
between
client
and
issuer.
There
are
constructions
that
are
more
than
one
round
trip
that
require
three
or
four
messages,
depending
on
the
shape.
Those
would
be
compatible
with
the
issuance
protocol,
as
or
with
the
architecture,
as
described
like
the
number
of
round.
Trips
is
not
really
a
constraint
in
terms
of
you
know
the
the
architecture,
because
it's
it's
it's
you
know
implementation
details
specific
to
the
issuance
protocol,
so
I
didn't.
E
I
didn't
list
anyone's
any
of
those
here,
because
there's
there's
concerns
around.
You
know
how
you
would
deploy
that
this
sort
of
thing
this
this
this
type
of
issuance
protocol
with
more
than
one
round
trip
in
a
stateless
way
or
in
a
way
that's
safe.
That
has
to
deal
with
the
state
that
the
the
issuer
maintains
per
per
client,
but
it,
but
it
is
certainly
possible.
E
So
there's
a
couple
considerations
that
I
wanted
to
note
that
the
first
is
that
the
existing
sort
of,
like
I
said,
the
existing
sort
of
issuance
protocols
that
we
specified
assume
that
the
issue
were
stateless.
So
it's
one
round
trip
for
issuance
protocols,
but
we
could
certainly
move
to
protocols
that
support
multiple
round
trips
as
necessary.
E
Nothing.
Nothing
prohibits
that.
Another
thing
to
note
is
that
the
the
way
that
the
issuer
is
interacted
with
and
in
particular
the
apis
that
are
exposed
by
the
issuer
in
order
to
interact
with
it,
are
compatible
with
any
deployment,
specific
key
consistency
mechanism
that
would
be
desired
for
an
application.
E
E
The
point
is
that
the
all
the
keys
that
the
issuer
might
use
are
discoverable
and
via
a
well-known
api,
and
then
you
can
build
things
on
top
of
that
that
api
to
build
consistency
into
the
system,
how
that
is
done
is
out
of
scope.
There
is
a
there's,
an
individual
draft,
that
sort
of
describes
different
ways
to
address
key
consistency
in
the
ecosystem,
but
we
don't
think
that's
like
that
needs
to
be
included
in
the
these
drafts
more
so
that
they
need
to
accommodate
any
of
these
particular
mechanisms
if
needed.
C
E
I
think
for
the
for
these
particular
issuance
protocols
like
the
issuance
protocol,
should
not
address
how
to
deal
with
issuance
or
issuance
key
consistency.
Rather,
it
should
enable
other
work
to
address
that
if
as
as
needed,
so
I
I
don't
recall
what
the
charter
says
in
this
particular
topic.
If
it
says
that
we
need
to
address
key
consistency,
that's
cool
we
could.
We
could
certainly
write
a
separate
draft
that
deals
with
it,
based
on
the
issuance
that's
described
here,
yep.
E
E
So
if
you
recall
from
the
diagram
really,
we
had
this
nonce
and
we
had
this
context.
Both
of
them
are
unconditionally
secret,
even
against
an
all-powerful
attacker
who
has
like
endless
compute
and
endless
memory
whatever,
and
this
is
necessary
for
the
privacy
and
particularly
the
unlinkability
guarantees
that
we
have
between
issuance
redemption.
E
Okay,
so
the
proposal
that
we
have
at
hand
is
to
basically
take
what
was
currently
described
in
the
protocol
document,
which
had
bits
and
pieces
of
this.
So
it
did
have
you
know
the
deep
some
language
around
how
to
integrate
with
the
pop
rf.
It
did
have
some.
You
know
details
about
how
to
do
redemption,
but
nothing
that
was,
you
know,
implementable
and
interoperable.
E
The
proposals
take
is
to
take
the
the
basic
issuance
protocol
details
and
built
upon
the
proposed
redemption
protocol
and
make
that
sort
of
the
the
working
group
document
protocol
document
and
there's
a
number
of
reasons
to
do
so.
A
it
satisfies
a
perhaps
should
sort
of
these
differently,
but
a
it
satisfies
that
the
two
are
two
requirements
in
the
charter
that
we
have
public
and
private
verifiability.
E
It
does
integrate
cleanly
with
the
the
redemption
protocol
that
tommy
presented
and
it
sort
of
addresses
this
this
question
of
extensibility
that
has
been
floating
around,
for
you
know
at
least
a
year
now
I
think
we
were
sort
of
tossing
around
different
ways
to
address
extensibility.
Is
it
in
like
the
the
wire
format,
messages
that
are
sent
between
client
and
issuer?
Is
it
like?
E
E
Okay,
if
not
I'll,
move
forward,
then
so
we
just
to
kind
of
wrap
up.
There's
a
there's,
a
couple
high-level
questions
we
have
for
the
group,
first
of
which
you
know
are
the
we
want
to
know.
If
the
the
document
proposals
have
presented
specifically
for
the
architecture
document,
the
challenge
and
redemption
protocol
document
and
then
the
the
basic
issuance
protocol
document.
Are
they
clear
it's
the
sort
of
scope
and
does
the
scope
make
sense?
C
Hi
ben
schwartz
as
chair,
I
would
really
appreciate
hearing
comments
on
these
questions
from
the
authors
of
the
current
adopted
drafts.
So,
if
you're
an
author
or
if
you're
a
co-author
on
a
current
adopted
draft,
I
would
really
appreciate
it
if
you
would
come
to
the
mic
and
give
us
your
thoughts
thanks.
H
Restructure
of
the
graph
seems
reasonable.
I
think,
there's
a
few
issues
to
work
out
like
what
information
we
put
in
the
architecture.
Dock,
like
the
interactive
timing,
I
think
moving
to
the
http
instead
of
the
current
atp
api
method,
I
think
works
well.
I
think
there's
going
to
be
some
questions
about
like
cases
where
you
need
to
trigger
issuance
redemption
in
ways
that
you
don't
necessarily
have
that
like
first
leg,
but
I
think
that's
all
things
we
can
edit
within
that
specification
overall
seems
reasonable.
F
I
think
the
one
the
one
concern
I
have
is
around
as
people
have
brought
up
previously
these
interactive
challenges
and
and
how
we
parameterize
the
privacy
in
the
client
privacy
in
those
cases,
because
I
think
it
could
radically
alter
the
anonymity
set
sites
for
those
clients
and
that's
something
we
we
tried
to
parametrize
before
and
if,
if
it's
decided
that
we
don't
want
to
do
that,
then
then
then
that
might
be
maybe
reasonable,
but
I
think
the
current
parameterizations
we
have
then
are
kind
of
redundant.
In
that
case,.
D
C
Okay,
it
seems
like
there
isn't
anybody
speaking
against
these
these
things
I
I
haven't
had
a
chance
to
confer
with
my
co-chair,
I
I
would
like
to
propose
the
following.
It
seems
to
me
that
the
updates
to
the
existing
drafts
can
can
move
forward
without
any
further
review
by
the
working
group.
Of
course,
the
contents
of
those
drafts
will
will
be
subject
to
many
rounds
of
further
review
before
it
can
exit
the
working
group
and
the
new
draft.
C
I
think
it's.
It
seems
to
me
that
that
the
that
the
group
needs
some
time
to
to
do
a
formal
review
for
this
before
we
do
a
call
for
adoption.
So
I
I
don't
think
I
don't
think
we're
ready
to
to
trigger
a
call
for
adoption
in
this
meeting,
but
I
think
we
can
do
that
very
quickly.
If,
if
the
draft
is
sent
out
to
the
list
and
people
have
a
chance
to
to
read
it,
then
I
think
a
call
for
adoption
would
be
appropriate
joe.
A
B
All
right,
yeah,
thank
you,
so
I
think
the
order
would
be
because
we
haven't
formally
published
the
auth
scheme
as
an
id,
partly
because
it
was
referring
to
github
prs
that
weren't
merged.
So
I
imagine
if
we
can
merge
those
other
pr's,
then
I
can
once
that's
done
kind
of
get
something
with
the
right
references
published,
send
that
to
the
list
and
then
we
can
discuss,
and
I
think
it
sounds
like
the
main
open
question
that
people
have
around
that
is
interactive
and
how
is
that
safe?
And
when
is
that
safe?
B
D
I
Davis
ganazzi,
google-
I
was
just
had
a
process
question
for
the
chairs,
because
I've
personally
read
the
proposal
and
I
think
it's
definitely
worth
doing
as
a
working
group.
If
you're
saying
that
we're
not
ready
for
adoption,
what
are
we
looking
for?
Obviously,
we
wouldn't
decide
in
the
room,
but
I'm
not
seeing
any
blockers
to
like
start
the
call
that
will
trigger
people
to
actually
read
it.
A
Yeah-
and
I
I
think
also
there's
a
little
bit
of
an
ordering
dependency
that
we
need
to
get
the
architecture
draft
updated
before
you
can
even
update
the
off
scheme
and
before
you
know,
so
that
the
references
work
out
and
all
that.
So
I
think
that's
kind
of
the
the
way
the
flow
needs
to
be.
But
I
I
could
be
wrong.
I
E
Yeah,
I
just
want
to
ask
a
clarifying
question,
so
we
can
certainly
merge
the
architecture.
That's
fine,
but
ben
also
said
that
we
could
also
move
forward
on
the
protocol
document
update.
However,
importantly,
that
depends
on
the
redemption
protocol
document
existing
so
in
in
merging
that
change
into
the
protocol
document.
Sort
of
assumes
that
this
this
authentic,
this
new
redemption
protocol
will
be
a
thing.
A
Does
does
the
protocol
document
rely
on
the
detai
on
the
specific
details
of
the
redemption
document,
or
is
it
or
is
it
just
you
you
we
need
to
have?
We
need
to
say
that
there's
this
thing
that's
going
to
exist
and
where
that
that
it's
you
know,
I
mean
we're
going
to
be
in
a
chicken
and
egg
problem
and
I
think
I'd.
G
C
B
Yeah,
I
I
agree
with
chris
that
we
could
yeah.
I
think,
it'd
be
good
to
merge
the
protocol
bits
and
just
say,
maybe
even
just
reference
like,
for
example,
it
could
be
something
like
the
mechanism
described
here,
but
not
normatively
depend
on
it.
Yet
just
say
you
know
there
is
an
issuance
token
type.
There
is
some
challenge
blob
and
you
need
to
send
this
back
somewhere,
but
then
we
could
always
update
it
later
to
make
it
concrete.
C
G
C
G
I'm
suggesting
that
we
see
if
there
is
pushback
on
that
right
like
if
we
try
to
do
the
architecture
and
the
we
can
always
split
it
off
and
say:
okay.
Well,
we
can
do
this
piece
separately.
If
there
is
push
back
on
it,
but
it
does
not.
Then
we
avoid
the
whole
conversation
around
dependencies
and
issues
like
that.
B
C
A
This
kind
of
protocol
with
the
the
attestation
protocol,
which
is
you
know
it's
not
specifically,
you
know
a
topic
of
this.
You
know
we're
not
going
to
define
the
attestation
protocol
here,
but
it
seems
like
there
are
certain
properties
that
it
has
to
have
be
able
to
carry
certain
sorts
of
information,
and
so
that's
something
that
how
well
have
we
defined
that
yet
in
the
architecture
document.
E
B
B
E
Okay,
sorry,
this
is,
this
is
getting
more
complicated.
There
probably
needs
to
be
so
here's
my
proposal.
We
can.
We
will,
with
the
proposals
of
the
redemption,
the
auth
scheme
document,
we'll
add
some
text
and
considerations
around
the
sort
of
timing,
attacks
or
correlation
that
was
brought
up
earlier.
We
will
publish
that
in
the
data
tracker.
C
A
B
Hey
regarding
another
meeting,
we
could
probably
just
wait
until
113,
particularly
if
we
do
the
adoption
call
in
between
the
reason
I
got
in
queue
is
one.
Other
thing
I
wanted
to
mention
for
people
is
that
the
various
authors
and
people
working
on
the
new
proposal
have
also
been
doing
implementations
and
interop
testing.
So
chris
has
a
implementation.
I
think
that's
open
source
as
well
on
github
that
people
could
try
out
and
test
against
that
uses
the
http
auth
method
and
the
issuance
protocol.
B
So
you
can
see
how
that
looks
as
code.
I've
done
an
implementation
for
ios
and
mac
os
as
well
that
I've
tested-
and
I
believe,
some
of
the
others
are
working
on
that.
So,
if
you're
interested
on
trying
this
stuff
out,
we
can
also
chat
on
the
list
or
in
github
or
whatever
so
just
wanted
to
say.
You
know
we're
committed
to
actually
having
running
code
here.