►
From YouTube: IETF-PRIVACYPASS-20220131-1700
Description
PRIVACYPASS meeting session at IETF
2022/01/31 1700
https://datatracker.ietf.org/meeting//proceedings/
D
C
Well,
okay,
let's
see
it's
is
there
a
clock
in
the
here
somewhere?
C
Well,
it's
it's
only
one
minute
after
the
hour,
so
I
think
we
can
give
folks
a
little
bit
more
time
to
to
come
in
I'll
we're
going
to
continue
mentioning
that
we
will
need
an
official
minute
taker
before
we
can
start.
The
session
minute
takers
are
are
only
required
to
note
relevant
and
important
points
from
the
discussion.
A
full
transcript
is
not
required
or
expected.
G
C
Of
that
yes,
so
another
reason
you
that
that
being
a
minute
taker
is
not
terribly
difficult,
is
that
the
full
contents
of
the
meeting
are
actually
being
recorded.
So
the
only
thing
we're
asking
for
a
minute
taker
to
write
down
are
the
substantive
conclusions
reached
by
the
working
group
in
the
course
of
discussion.
Anybody
who
wants
the
full
details
can
always
go
directly
to
the
recording.
C
Okay,
I
think
that
that
people
have
have
more
or
less
finished
trickling
in.
C
So
I
want
to
remind
everybody
that
this
is
an
ietf
session.
It
is
covered
by
the
ietf
note.
Well
that
covers
both
things
like
patents
and
ipr
related
to
any
discussions
or
activity
in
the
working
group
and
to
the
code
of
conduct,
which
requires
us
all
to
be
professional
and
respectful
in
our
communications
here
I'll
I'll
avoid
trying
to
summarize
the
full
details
of
the
ietf
note
well,
but
if
you're
not
familiar
with
it,
please
do
familiarize
yourself
with
it
before
participating
in
the
working
group.
C
So
if
anybody
would
like
to
volunteer
to
to
record
some
minutes,
please
do
let
us
know
the
note
taking
tool
is:
is
right
up
on
the
top
of
your
meet
echo
screen,
it's
the
fourth
button
from
the
left
at
the
very
top.
I
believe
so
it's
very
easy
to
jump
in
and
make
some
notes.
C
Thank
you
to
matthew
finkel
for
volunteering
to
take
some
notes.
Anybody
else
who
has
a
moment
to
to
help
out
is
welcome
to
do
so
in
the
collaborative
note-taking
tool.
C
If
you
do
need
to
go
to
the
microphone
and
don't
want
to
or
are
technically
unable
to
use
the
voice
features
in
meet
echo.
Please
just
type
your
question
into
the
chat,
with
a
request
for
it
to
be
brought
to
the
microphone
and
one
of
the
chairs
will
handle
that
for
you
and
when
you
are
coming
to
the
microphone,
please
help
out
matthew
finkel
by
stating
your
name
so
that
so
that
we
know
who
is
speaking.
E
All
right
thanks,
so
I'm
gonna
talk,
I
guess
about
half
of
the
architecture.
I'm
gonna
hand
it
over
to
john
to
do
the
rest,
so
there's
gonna
be
an
awkward
split
in
the
middle.
So
apologies
for
that,
but
you
know
we
can
work
through
it.
E
E
That's
you
know
feasible
to
implement
feasible
to
deploy,
while
still
satisfying
the
the
use
cases
in
the
charter
and
all
the
you
know
the
existing
like
w3c
considerations
and
whatnot,
and
upon
like
revisiting
the
architecture
we
found
that
it
didn't
quite
capture
the
the
intent
of
the
you
know,
the
the
overall
desired
ecosystem
and
we're
going
to
kind
of
lead
you,
through
our
thought
process
that
led
to
this
new
proposal,
the
architecture
document,
and
so
hopefully,
at
the
end
of
this,
it
becomes
clear
why
this
new
reframing
of
the
architecture
is,
I
think,
more
appropriate,
given
the
the
scope
of
this
particular
group
and
what
we're
here
to
to
achieve.
E
So
with
that
said,
let's
jump
in
I'm
going
to
motivate
the
architecture
by
just
reminding
everyone
sort
of
what
the
interaction
for
privacy
pass
is
right.
Now,
so
let's
say
you
have
a
client
and
a
server
who
are
interacting
with
one
another.
E
The
client
is
specifically
talking
to
the
server
or
interacting
with
the
server
to
get
some
particular
resource
on
the
web,
say
an
image
in
this
particular
case,
but
the
server
upon
you
know
getting
this
request
from
the
client
decides
to
to
challenge
the
client,
because
it
looks
suspicious,
you
know,
comes
from
an
ip
address,
that
it
doesn't
trust
or
has
a
poor
reputation,
as
was
the
case
with
tor.
The
original
motivating
use
case
for
privacy
pass
or
whatever
other
reasons
the
server
might
have
to
challenge
the
client.
E
The
client
upon
getting
this
challenge
will
solve
it
for
some
definition
of
solve
and
generate
a
proof
based
on
the
challenge
and
sort
of
generically,
using
the
word
proof
here
to
just
talk
about.
You
know
something
that
was
done
to
satisfy
the
challenge
that
the
server
just
sent
and
sends
along
to
the
server.
E
E
E
E
Rather
it
could
be
proof
that
the
the
client
had
previously
solved
the
captcha,
like
I
interacted
with
the
server
before
I
got
some
proof
at
that.
That
point
in
time
that
I
solved
a
particular
captcha
and
so
at
some
point
in
the
future.
If
I
get
challenged
again,
I
just
re.
I
represent
that
proof
to
to
the
server
we're
not
representing
present,
that
through
proof
to
the
server
and
if
the
server
trusts
the
particular
proof
everything
checks
out,
but
you
can
generalize
this
a
bit
more.
E
E
Do
you
have
a
valid
device
that
you're
using
to
access
this
particular
resource
and
any
combination
of
properties?
Really
that
makes
sense
for
the
server's
particular
application
and
the
client
upon
getting
asked
to
attest
to
these
particular
properties,
or
this
particular
property
can
present
that
proof
to
the
server
and
the
server
can
check
it
based
on
you
know
whatever
and
then
do
whatever
the
client
wants.
E
So,
let's
now
sort
of
break
down
what
happens
when
a
client
attests
to
some
particular
property
and
then
presents
a
proof
to
the
server.
Let's
imagine
there
was
a
separate
function
for
that.
The
client
interacted
with
for
testing
to
a
particular
property
and
then
kind
of
kind
of
getting
proof
that
it
did
this
attestation,
so
in
the
interaction
before
the
server
would
challenge
the
client
to
attest
to
some
particular
property.
E
And
then
the
issuer
would
present
proof
of
attestation.
The
client
would
then
relay
right
along
happily
to
the
server
and
if
the
server
trusts
this
particular
function
this
this
issuance
function,
then
this
is
indistinguishable
from
the
case
we
had
before,
where
the
server
was
like
the
one
doing
the
attestation
and
generating
the
proof
and
then
checking
the
proof
later
on.
E
The
tester
then
would,
on
behalf
of
the
client,
ask
for
a
proof
and
the
issuer,
assuming
that
it
trusts
this
particular
tester
would
generate
proof.
A
tester
would
forward
that
proof
to
the
client
and
then
the
client
would
present
that
proof
to
the
server
and
so
now
the
trust
relationship
sort
of
looks
like
this.
The
server
trusts
the
issuer
to
present
to
to
generate
proofs
the
issuer
trusts
the
particular
tester
to
do
attestation
of
the
client,
and
then
this
this
arrangement,
we
argue,
is
basically
the
same
as
the
original.
E
You
know,
interaction
where
everything
was
collapsed
together
and
indeed
that's
what
the
privacy
pass.
Architecture
was
written
or
that's
the
way
it
was
written.
It
was
written
such
that
everything
in
red
was
the
same
box.
It
was
referred
to
generically
as
an
issuer,
but
really
we
can.
We
can
split
out
these
functionalities
into
separate,
separate
functions.
E
It's
separate
functions
that
exist
on
the
same
box
or
separate
functions
that
are
run
by
separate
members
of
the
ecosystem,
and
that's
that's
the
the
the
new
sort
of
reframing
that
we're
we're
proposing
for
the
architecture
document
and
with
that
said,
I'm
going
to
now
do
the
awkward
transition
over
to
janna
to
to
describe
more
about
the
different
variants
of
this.
E
G
All
right
can
we
get
to
slide
14,
okay,
there.
We
are
okay,
end
of
awkward
transition.
Thank
you,
chris.
We
made
it
as
awkward
as
possible.
Hopefully
that
woke
you
up
from
your
well.
Whatever
time
zone
you
are
in
so
continuing
just
left
off.
Basically
the
idea,
the
important
idea
here-
and
this
speaks
also
the
question
that's
npd
is
asking
punjab.
The
idea
here
is
that
separating
this
separating
these
functions-
and
we
want
you
to
think
about
these
as
functions
that
are
that
are
part
of
the
architecture
anyway.
G
G
But
but
this
allows
us
to
be
allows
us
to
instantiate
multiple
different
variants,
so
to
speak
or
instantiations
of
privacy
paths
bear
in
mind
that
we
don't
need
them
all
to
be
separate
entities
like,
for
example,
in
in
the
existing
privacy
pass
architecture
you
could
think
of
the
issuer,
as
the
architecture
is
the
first
one
which
is
like
a
combined
origin
at
a
certain
issuer
where
everything
is
the
same
same
entity.
The
client
speaks
to
the
origin,
and
the
origin
also
happens
to
be
the
attester
and
the
issuer
at
the
same
time.
G
You
can
also
have
a
second
instantiation
where
you
have
separate
origin
and
a
combined
issuer
slash
a
tester
where
the
client
speaks
to
the
origin
and
then
gets
a
challenge
and
then
goes
off
to
this
other
entity,
which
is
the
attac
surplus
issuer
and
and
and
gets
this
gets
the
gets,
the
proof
that
it
takes
back
to
the
origin
and,
finally,
all
separate
entities
as
well.
This
is
this
is
separate
again
separating
of
the
architecture.
Yes,
it
does
make.
G
It
seem
a
bit
more
complex,
but
it
does
give
us
benefits,
because
we
are
able
to
do
some
things
here,
that
we
can't
otherwise
do
and
we'll
get
to
that
in
the
details.
But
I'm
going
to
talk
about
just
architecture
at
the
moment,
npd
again
we
will.
We
will
get
to
that,
especially
the
rate
limiting
document
speaks
to
the
all
separate
case,
because
that
is
one
instantiation
of
the
architecture
that
you
need
to
be
able
to
do
rate
limiting
anonymously
for
for
clients.
G
So
you
will
see
that,
in
the
rate
limited
example,
but,
generally
speaking,
we
believe
that
the
that
this,
that
the
separation
allows
us
to
to
to
build
more
use
cases
within
privacy
bus,
so
the
protocol
structure
for
this
architecture
is
split
into
two,
and
these
are
described
in
the
architecture
document.
G
The
first
one
is
the
redemption
protocol.
Then
the
redemption
protocol
is
simply
where
the
client
is
able
to
redeem
proof
with
the
origin,
and
this
is
a
consistent
protocol
for,
for
all
of
the
use
cases
that
we
can
do
with
this.
That's
the
goal
is
to
sort
of
have
one
redemption
protocol,
no
matter
what
the
use
case
so
that
the
client
origin
interaction
remains
exactly
the
same.
G
The
extensibility
in
this
architecture
comes
from
being
able
to
have
multiple
issuance
protocols,
because
the
issuance
protocol
effectively
says
hey,
I'm
going
to
issue
you
a
proof
for
a
particular
property
that
that
the
client
has
to
attest
to,
and
that
defines
the
issuance
protocol
to
some
extent
and
the
particular
details
of
that
would
depend
on
the
use
case.
So
for
different
use
cases
we
might
have
different
types
of
issuance
protocols,
and
this
is
this
is
an
exchange
that
we
can
extend.
We
can
replace
it
for
new
deployment
models
so
again.
G
Stepping
back
the
big
picture
here
is
that
the
architecture
now
the
new
proposed
architecture
at
least
argues
that
some
function
attests
to
a
property
that
is
associated
with
a
client
such
as
a
captcha
or
something
else.
G
The
issuers
are
the
ones
that
that
look
at
what
the
address
is
attesting
to,
and
then
they
produce
a
proof
or
a
token
that
is
bound
to
that
property
and
the
redeemer
then
consumes
the
stroke
right
or
the
origin
consumes.
This
token,
that
is
generated
by
the
issuer,
so
those
are
the
functionally
those
are
the
those
are
the
pieces
that
we
believe
are
part
of
the
the
architecture
here.
So
to
the
question
of,
why
do
we
want
to
rework
the
architecture?
G
I've
said
this
in,
in
other
words
already,
but
generally
speaking,
the
high
level
picture
here
is
that
the
current
architecture
tightly
couples
these
two
pieces
that
we're
trying
to
separate
out
and
separating
the
issuance
and
redemption
parts
allows
us
to
have
new
deployment
models
that
are
that
are
that
are
possible
now
and
that
that
we'd
like
to
be
able
to
build
to,
but
are
not
really
possible,
with
the
existing
privacy
plus
architecture.
G
G
This
makes
attestation
explicit
as
an
architectural
piece,
but
it
is
only
you
know.
It
is
explicit
as
a
as
a
instantiation
as
an
entity
only
in
particular
deployments,
not
in
all,
depending
on
your
deployment.
You
might
want
to
instantiate
it
separately
or
combine
it
as
I
showed
earlier.
G
So.
Finally,
our
proposal
here
is
to
define
the
architecture
in
terms
of
these
functional
roles,
the
the
flexibility
that
this
offers
obviously
comes
with
some
complexity
in
understanding
the
different
roles,
but
really
we
believe
that
it
is.
G
It
is
separating
these
roles
if
they
were
hidden
anyway
and
the
degree
of
freedom
that
it
offers
us
allows
us
to
express
some
use
cases
in
privacy
paths
that
we
weren't
able
to,
and
it
defines
the
protocols
in
terms
of
the
redemption
and
the
issuance
protocols-
and
we
have
a
pr
here
that
describes
this
architectural
change
that
we
like
to
merge
into
the
architecture
document.
G
A
C
The
draft
about
sorry
about
this
proposed
change
to
the
draft.
C
So
hi,
not
as
chair
in
this
new
in
these
diagrams,
you,
you
have
four
entities
and
three
communication
links
which
of
these
links
are
standardized
or
standards
relevant
and
which
of
them
are
essentially
by
private
agreement.
G
So
the
hard
I'm
gonna
understand,
maybe
tommy
you
can
jump
in
the
the
the
the
protocols
are
standards
they're,
all
standardized.
Like
I
mean
all
of
these
three
entities
are
effectively
can
be
separate,
completely
separate
organizations
and
therefore
the
protocols
between
them
will
need
to
be
standardized,
and
that's
that's
in
the
different
protocol
documents
that
we
have
tommy.
Do
you
want
to
add
something.
B
Yeah,
I
think
the
answer
is
it's
a
little
nuanced,
so
then
I
would
say
between
the
client
and
the
server.
B
B
On
the
other
side,
I
think
it
gets
a
little
bit
more
flexible
depending
on
the
situation,
so
you
know,
I
would
argue
that
even
in
the
existing
architecture,
the
actual
attestation
step
of
solving
the
captcha,
you
know
that
part
itself
was
not
standardized.
The
thing
that
the
client
does
to
the
attester
to
say
I
am
legitimate,
and
even
if
it
is
standardized,
I
don't
think
that's
something.
B
That's
within
scope
for
privacy
pass
itself,
we're
not
defining
how
you
do
captcha
we're
not
defining
how
you
do
device
association
or
account
login
or
whatever
else
it
is
so
there's
kind
of
like
some
step
in
there.
That
is
unique
to
how
the
client
talks
to
the
thing
that
lets
it
get
tokens,
and
that
is
specifically
not
standardized
in
this
group,
but
you
know,
as
we
will
go
into
in
the
third
presentation
around
issuance
protocols.
B
The
way
you
actually
get
a
token.
You
know
that
needs
to
be
standardized
and
that's
what
already
existed
for
the
issuance
protocol.
Saying:
hey,
here's,
how
you
use
a
pop-rf
or
here's,
how
you
need
to
get
a
publicly
verifiable
token,
and
so
there's
there's
a
bit
of
standardization
on
the
issuance
protocol.
B
B
All
right
was
my
audio
still
choppy.
I
saw
that
in
the
jabber.
B
So
now
we're
going
to
go
into
the
two
halves
of
the
protocol
that
we
talked
about
and
I'm
going
to
start
by
talking
about
this
challenging
redemption
phase.
Oh,
and
could
the
chairs
restart
the
timer?
Actually
because
I'm
getting
the
red
flashing
lights
that
I'm
almost
done
great,
all
right
so
going
back
to
that
diagram?
B
And
as
I
had
in
the
title
here,
there
are
two
halves
of
this
that
we
think
of
and
we're
calling
it
challenge
and
redemption,
and
the
broad
shapes
not
talking
about
any
particular
protocol
here
is
that
in
a
challenge
the
client
is
telling
some
server
hey.
I
want
to
do
or
access
something,
and
the
origin
is
like
prove
that
you're
able
to
access
this
you
know
give
me
a
token
to
prove
that
you're,
not
a
bot
or
to
prove
that
you
have
an
account
or
something,
and
then
the
redemption
phase
is.
B
B
And
not
the
both
of
these
are
not
always
required,
so
the
redemption
half,
no
matter
how
you
slice
things,
I
think,
is
a
fundamental
part
of
any
token
scheme
we
have.
We
actually
need
to
spend
the
token,
and
so
the
token
redemption
is
whenever
the
client
presents
a
token
to
gain
access
and
within
privacy
pass.
B
B
B
All
right,
so
what
what
was
missing
in
the
landscape
we
had
before,
because
you
know
previously,
as
people
have
been
testing
with
privacy
pass,
these
functions
have
been
running,
but
the
previous
design
really
relied
on
the
javascript
apis
as
defined
in
w3c.
B
B
So
what
we're
proposing
here
is
that
you
know
if
you
look
at
this
interaction
model
of
oh,
I
have
a
challenge
when
a
client
tries
to
access
a
resource,
and
then
I
want
to
be
able
to
provide
a
token
and
authentication.
It
really
really
fits
cleanly
into
an
http
authentication
method
and
defining
that
within
this
group,
we
believe
will
allow
for
a
really
nice
standard
definition
that
could
have
explicit
support
for
different
types
of
tokens.
So
we
can
have
this
be
extensible
and
have
it
evolve,
and
this
would
work
cleanly
with
the
javascript
apis.
B
There
would
need
to
be
some
updates
to
actually
what
those
javascript
apis
do,
but
they
could
just
drive
http
authentication
very
easily,
but
it
also
allows
us
to
do
this
in
non-javascript
and
non-web
contexts
and
in
the
discussions
we've
been
having
with
people,
you
know
beyond
just
web
interactions.
B
There
are
a
lot
of
interactions
of
apps
or
other
non-web
scenarios
that
would
really
benefit
from
being
able
to
use
privacy
pass,
and
it
also
has
the
benefit
of
having
something
we
could
define
within
the
working
group
that
can
work
standalone
and
then
also
be
built
on
by
the
w3c.
B
So
the
authors
are
proposing
that
this
work
that
we're
defining
here
can
essentially
replace
the
ht
http
api
document
that
we
have
and
broaden
it
into
this
authentication
method
scheme.
B
B
B
It
also
can
indicate
the
issuer
name
and
essentially
say.
Oh,
this
is
who
I
trust,
or
I
can
have
multiple
names
of
you-
can
get
tokens
from
any
of
these
people,
and
it
can
also
provide
hints
for
the
keys
to
use
to
make
it
faster
for
clients
to
get
tokens
without
having
to
fetch
some
config
from
the
side
and
then
also
has
allows
for
some
optional
features,
which
we
think
are
very
useful.
B
One
I
already
mentioned
is
an
interactive
token.
Essentially
the
challenge
can
come
with
a
one-time
nonce,
so
that
an
origin
can
prove
that
the
client
was
able
to
fetch
a
new
token
kind
of
in
line,
and
this
can
avoid
certain
farming
attacks.
B
And
then
you
can
also
just
include
within
the
elements
that
are
assigned
on
the
token,
the
actual
origin
name,
and
this
can
prevent
cross-origin
spending
or
attacks
where
you're
trying
to
fingerprint
what
users
have
been
going
to
or
one
origin
draining
tokens
that
were
meant
to
be
better
used
on
another
origin.
B
As
an
optional
thing,
you
can
add
in
all
right.
So
what
is
this?
Oh
yeah?
The
other
thing
we
want
to
focus
on
here
is:
we
believe
that
it's
really
important
if
we
want
privacy
pass
to
be
widely
used
and
adopted
throughout
the
web
and
other
servers
that
it
needs
to
be
really
really
easy
for
origins
to
adopt.
B
So
as
part
of
this,
the
origins
don't
need
to
do
any
complex
crypto.
They
just
need
to
verify
tokens
for
publicly
verifiable
types
like
rsa
blind
signatures.
That's
really
really
simple.
To
do
privately,
verifiable
tokens
do
require
the
origin
to
have
an
issue
or
key
or
make
a
request
to
the
issuer.
That's
what
we
have
with
the
poprf,
but
it's
not
too
much
to
do
in
that
case,
but
an
origin
can
always
choose
to
prefer
the
publicly
verifiable
type
as
well
and
interactive.
B
Tokens
can
also
mitigate
some
concerns
that
origins
had
around
farming
and
double
spending
and
tracking
that
state,
if
you're,
using
interactive
tokens,
you're
shifting
the
state
that's
required
on
the
origin
from
maintaining.
Oh
here's
all
of
the
redeemed
tokens
that
I've
had
and
making
sure
that
no
one's
double
spent
to
instead
just
having
a
nonce,
that's
associated
with
a
single
http
session
with
the
client,
and
you
just
need
to
remember
how
many
nonces
did
I
give
out
what
were
they
and
that
can
be
much
much
more
bounded.
B
So
the
actual
protocol
details
here
we're
just
proposing
a
private
token
http
authentication
scheme.
That
includes
a
challenge
and
a
key
that
goes
along
with
the
challenge.
B
B
If
you
have
an
origin
name
present,
really,
that
just
is
something
that
gets
signed,
and
so,
if,
if
the
origin
name
is
present,
you
need
a
token
that's
specific
to
this
origin,
and
you
can't
do
cross-origin
spending,
but
you
can
still
cache
it.
Otherwise,
if
that's
missing
it's
just
a
generic
token
that
can
be
used
on
any
origin
that
supports
cross-origin
tokens.
B
B
It
contains
the
key
id
of
the
key
that
signs
the
token
and
then
has
an
authenticator,
which
would
be
a
blob,
that's
specific
to
the
particular
issuance
method
that
can
be
the
blind,
rsa
signature.
It
can
be
the
pop
or
pop
rf
output
or
something
else
as
we
come
up
with
better
options
into
the
future.
B
B
A
Joe,
so,
basically
you
you're
between
the
kind
of
this
redemption
protocol.
You
still
have
a
link.
There
is
a
linkage
between
the
issuer
protocol
and
that
you
need
to
get
a
particular
type
of
token
and
exactly
what
the
client
does
to
prove
that,
in
that
opaque
blob
is
depends
on
on
that
what
happens
during
issuance,
but
the
rest
of
the,
but
that
kind
of
the
protocol
shape
is
the
same
no
matter
what
that's
kind
of
the
idea.
B
That
that's
right
and
you
know
the
idea-
is
you
know
today
we
already
have
you
know
we've
already
defined
p
or
prf.
We
want
to
bring
in
something
like
rsa
plan
signatures
for
public
verifiability,
so
we
need
to
wait
to
tell
between
those
but
even
going
forward.
I
think
there
their
desires
to
have
lighter
weight,
publicly
verifiable
tokens
and
it'd
be
nice
to
be
able
to
use
a
common,
challenging
redemption
method
and
just
have
a
bit
to
indicate
oh
yeah.
I
also
support
this
new.
B
B
H
C
All
right
ben,
that's
what
not
his
chair
so
in
in
previous
in
previous
iterations.
One
of
the
questions
that
has
come
up
is
about
the
privacy
implications
of
timing
based
linkability
for
these
kinds
of
interactive
issuance
situations.
So
my
first
question
is:
what
do
you?
What
do
you
think
of
that?
What
do
you
think
of
the
the
concern
that
a
that,
if
an
origin
can
tell
me
exactly
when
to
request
a
new
token
that
the
the
timing
of
that
identifies
the
user.
B
Yeah
I
mean
I
think
that
certainly
is
that
that
can
be
a
concern
we've.
The
authors
have
discussed
that
as
well.
B
Generally,
you
know
that
that's
the
type
of
thing
that
will
be
more
mitigated
for
higher
volume
sites,
essentially
cases
where,
if
you
have
you
know
millions
of
people
always
getting
tokens,
then
you're
not
going
to
be
able
use
the
timing
attack
there.
B
I
think
it
kind
of
folds.
You
know
if
I
have
very
very
few
people
getting
tokens
with
the
place.
Even
if
I
don't
have
a
timing
attack,
you're,
probably
able
to
guess
pretty
well
who
I
am.
B
It
also
plays
into
a
little
bit
the
the
interactions
that
we
have
on
the
issuance
protocol
and
the
role
of
if
we
do
separate
out
a
tester
that
a
client
who
is
coordinating
within
a
tester.
Let's
say
you
know
my
ios
device
talks
to
a
server
that
can
do
device
attestation.
It
could
say,
hey
you
know.
No
one
else
is
using
this
issue
or
it
seems
like
maybe
you're
being
fingerprinted
here,
as
opposed
to
saying
oh
yeah.
B
I
know
that
millions
of
people
are
actually
going
and
hitting
this
all
the
time
you
have
a
big
enough
anonymity
set,
but
yeah
it's
something
to
definitely
continue
discussing.
C
Yeah,
I
think
that's
that's
interesting.
I
you
know,
I
would
point
out
that
if
you
have
an
issuer
with
somewhere
in
the
vicinity
of,
let's
say
a
hundred
thousand
active
users,
you
know
if
those
users
all
get
a
fresh
batch
of
tokens
once
a
day,
then
they
have
an
anonymity
set
size
of
a
hundred
thousand.
But
if
they
are
in
this
interactive
mode,
then
they
essentially
are
fully
identifiable
because
issuance
presumably
takes
much
less
than
one
second.
C
B
C
C
So
anyway,
I
would.
I
would
like
to
see,
certainly
some
very
clear
analysis
on
that,
and
especially
from
the
client's
perspective,
you
know.
Are
all
these
tokens
do
all
these
tokens
have
the
same
privacy
implications
and
do
we
want
to
you
know,
do
we
really.
C
And
do
we
really
want
to
provide
a
so
it
we've
talked
before
about,
for
example,
public
metadata
as
something
that
can
affect
the
privacy
protection
value
of
a
token,
but
that's
something
that's
very
clear
and
measurable
to
the
client.
So
it
can.
It
can
do
its
own
accounting
for
whether
it
wants
to
support
that
algorithm.
For
example,
yeah.
C
Thanks,
I
also
wanted
to
specifically
ask
about
the
knots:
is
that
not
somehow,
blinded
before
it
reaches
the
issuer,.
B
E
Yeah
I
just
ben
was
asking
for
some
analysis,
but
then
what
I,
what
I
think
I
just
heard
sort
of
come
out
of
that
conversation
was
that
language
around
you
know
what
the
client
doesn't
know
with
respect
to
like
how
many
other
clients
are
happen
to
be
using
this
issue
or
at
what
time
is
something
that
would
be
good
to
add.
E
So
ben.
I'm
not
sure
like
what
analysis
you
had
in
mind
beyond
sort
of
just
noting
these
considerations
of
the
interactive
protocol
variants.
F
C
So
so
I
should
be
clear,
you
know
it's.
I
I
have
I'm
concerned
that
these
interactive
variants
don't
effectively
provide
significant
privacy
that
if
we
consider
all
of
the
other
metadata
visible
to
the
other
parties,
that
clients
are
actually
effectively
uniquely
identifiable,
even
at
quite
large
scales.
C
I
would
so.
I
would
like
to
see
on
the
analysis
side
can
we,
you
know,
make
a
convincing
argument
that
the
clients
are
strongly
protected
and
and
show
the
sort
of
scale
that's
required
there
and.
B
C
And
also,
can
we
talk
about
about
what
we
think
clients
should
do
to
to
keep
themselves
well
protected.
E
I
can
okay,
so
my
my
immediate
reaction
to
that
is
that
this
is
somewhat
like.
You
know
the
leaky
goat
problem
that
we
we
kind
of
face
in
ech
like
we
are.
We
are
designing
the
protocol
such
that
it's
like
cryptographically
unlikable
between
issuance
and
redemption,
and
yes,
if
there's
additional
metadata,
that's
leaked
particularly
around
like
the
time
stamps
of
these
events
that
you,
you
could
stitch
things
together
after
the
fact,
but
that
seems
sort
of
separate
or
or
external
to
the
the
protocol.
E
That's
sort
of
being
defined
here,
one
of
the
nice
things
about
the
redemption
protocol
that
I
don't
recall
you
mentioning
tommy,
is
that
the
the
the
clients
have
some
leeway
in
terms
of
when
they
respond
to
a
particular
challenge.
E
In
fact,
the
hp
header
that
comes
that
carries
the
challenge
has
like
a
max
age
attribute
and
the
client
can
use
that
if
it
wanted
to
to
like
delay
things
to
do
all
sorts
of
you
know,
randomizing
things
I'm
using
air
quotes,
but
you
can't
see
it
to
sort
of
hide
the
the
the
time
stamp
to
some
extent
or
to
make
it
less
correlated
with
what
the
origin
sees.
E
So
I
I
I
don't
consider
this
to
be
a
deal
breaker
any
more
than
I
would
consider
like
leakage
from
ip
addresses
to
be
a
deal
breaker
for
ech.
C
Thanks
that
sounds
like
an
example
of
something
that
should
definitely
be
be
documented
and
again
analyzed
in
terms
of
like
how
much
delay
is.
Is
the
recommended
value?
How
should
the
client
just
make
that
decision
right.
E
I
I
don't
want,
I
don't
know
if
you
can
add
recommendations
here,
though,
that's
kind
of
my
point,
like
the
clients,
are
in
a
position
where
they
don't
know
how
many
other
clients
are
interacting
with
a
particular
issue
or-
and
they
don't
know
like
what
the
value
is.
I
think
noting.
The
considerations
here
is
very
much
appropriate,
but
trying
to
offer
recommendations
for
local
client
policy
seems
like
an
intractable
problem
to
solve.
B
I
I
think
this
is
another
case
where
the
architecture
thinking
about
a
tester
and
issuer
roles
separately
actually
does
help.
So
not
only
does,
is
it
possible
that
you
know
a
tester
could
help
clients
know
about
the
scale,
but
I
think,
more
importantly,
when
you
talk
about
a
timing
attack,
we
need
to
think
about.
You
know
what
is
the
information
that
is
vulnerable
and
could
be
used
to
correlate
information
back
to
the
client
right.
B
B
But
if
we
have
deployments
where
the
actual
issuer
that's
handing
out
the
tokens
is,
you
know
more
distanced
from
the
client
such
that
it
never
sees
the
client
ip
the
client's
going
through
it
another
a
tester
or
something
else,
even
if
they
do
have
some
ability
to
you
know,
guess
with
a
small
enough
set
that
oh,
yes,
this
is
the
same
token
as
that
other
one.
B
They
may
not
actually
learn
much,
because
the
issuer
may
not
know
anything
about
the
client
so
that
that's
another
way
that
clients
could
get
some
protection
here
and
that's
it.
E
E
E
So
this
again
is
the
the
scenario
here.
You
have
the
origin
that
interacts
with
the
client
to
send
a
challenge
and
the
client
then,
on
the
side,
runs.
This
is
protocol
to
produce
a
matching
token.
E
You
can
sort
of
view
like
the
interface
to
the
issuance
protocol,
like
so
input
from
the
origin.
Again
is
just
a
public
key.
That's
used
to
verify
the
particular
token
so
in
the
case
of
the
people
here,
if
it
would
be
the
public
key,
the
case
of
like
blind
rsa
for
the
publicly
verifiable
variant,
it
would
be
the
public
key
for
binder,
say
and
then
the
challenge
which
is
like
this.
E
This
token
challenge
structure
that
tommy
was
had
on
the
slide
earlier
and
then
the
output
from
this
is
a
just
an
encoded
token
that
the
client
then
sends
back
to
the
origin.
E
So
basic
issuance
is
really
quite
simple:
I'm
going
to
walk
through
sort
of
the
cryptographic
steps
that
like
drive
it.
This
is
something
that
was
in
the
existing
protocol
document
or
steps
of
this
were
sort
of
in
the
existing
protocol
document,
but
we
modified
it
to
accommodate
and
integrate
with
the
existing
redemption
protocol
or
with
the
proposed
redemption
protocol
rather
so
anyways.
E
The
first
thing
the
client
does
upon
receiving
this
challenge
is
it
generates
a
fresh
nonce
of
its
own
separately
from
whether
or
not
the
challenge
carried
a
redemption
hunts,
and
then
it
produces
a
context,
string
or
struck
context
value
which
is
effectively
a
hash
of
the
challenge
and
then,
from
that
point
on
all
it
does
is
run
basically
the
pio
prf
or
the
blind
signature
protocol
over
the
pair
of
nods
and
context
values.
E
So
what
I've
written
here
is
sort
of
notation,
that's
specific
to
my
blind
signature
protocol,
specifically
using
the
function
blind
with
the
public
key
of
the
issuer,
and
but
like
you
can
you
can
imagine
it
being
sort
of
any
any
sort
of
suitable
issuance
protocol
that
that
matches
that
shape,
where
the
the
inputs
here
are
nodes
in
context
are
private.
E
They
remain
private
from
the
issuer
during
the
issuance
flow
and
the
output
that
the
the
client
sees
is
a
like
a
valid
signature
or
an
authenticator,
as
was
described
earlier
over
this
private
input.
E
Okay,
so
generates
a
nonce
computes
the
context
and
then
starts
the
blind
signature
protocol
as
per
the
blind
signature
protocol
after
computes.
It's
blind
or
request
in
this
particular
case
sends
that
over
to
the
issuer,
perhaps
going
through
the
tester
if
necessary,
for
this
particular
deployment
doesn't
need
to
be,
though
yeah
sure,
then,
is
an
oracle
for
computing
blind
signatures
over
arbitrary
requests.
E
So
it
gets
in
a
request,
computes,
a
blind
signature
and
then
immediately
sends
the
response
back
to
the
client
and
the
client
simply
finalizes
the
protocol
to
compute
the
authenticator,
pretty
straightforward,
very
simple
and,
as
I
was
saying
earlier,
I've
written
this
in
terms
of
the
blind
signature
scheme.
But
this
is
in
the
basic
issuance
proposal
that
we
have
up.
This
is
also
implementable
as
a
blind
signature
or
as
a
popuf.
Sorry.
E
One
of
the
things
that
we've
introduced
with
the
the
new
issuance
protocol
scheme
is
this:
the
notion
of
a
token
protocol
or
an
issuance
protocol
type
and
a
corresponding
registry
to
match
where
the
registry
sort
of
defines
the
parameters
of
the
the
issuance
protocol
or
a
parameter
might
be
whether
or
not
it's
publicly
verifiable.
E
That
is,
you
know.
Can
you
verify
without
having
an
authenticator
without
having
to
interact
with
a
particular
issuer?
Does
it
have
support
for
public
metadata?
That
is
input
or
data
that
is
revealed
necessarily
to
the
issuer
and
computing
its?
You
know
it's
it's
half
of
the
protocol,
or
does
it
support
private
metadata?
E
None
of
the
proposed
schemes
in
the
registry
right
now
do
support
private
metadata,
but
there
are
some
existing
proposals
from
folks
at
google
for
building
anonymous
issuance
protocols
with
private
metadata
bits,
individual
bits
we
could
we
could.
You
know,
extend
this
registry
to
denote
like
how
many
bits
of
metadata
is
are
supported.
So
you
know,
bike
shedding
here
is
necessary,
but
but
we
feel
like
these.
E
These
are
sort
of
reasonable
dimensions
and
reasonable
parameters
for
issuance
protocols
and,
of
course,
the
size
of
the
authenticator,
because
that
sort
of
defines
the
the
structure
of
the
token
that
comes
out
of
the
other
end.
E
So
right
now
in
the
basic
issuance
pr,
we
have
two
token
or
two
issuance
protocols,
sort
of
just
described
that
are
in
line
with
the
redemption
protocol,
first
of
which
is
based
on
the
popuf
work
from
the
the
corresponding
cfrd
draft
instantiated
with
p384
and
shot
384.
E
The
this
particular
curve
was
chosen
because
we
didn't
want
to
deal
with
the
static
diffie-hellman
problem,
so
we
just
bumped
up
the
the
the
curve
a
little
bit
too
to
address
that,
and
then
we
have
blind
rsa,
which
addresses
the
publicly
verifiable
component
of
the
charter
and
is
a
drop
in
replacement
effectively
for
the
pop
ref,
as
described
on
the
previous
slide,
and
we
can,
you
know,
certainly
consider
adding
new
issuance
protocols
to
this
registry
as
needed.
E
E
An
important
note
point
to
note
here
is
that
these
issuance
protocols
are
only
two
messages.
Are
one
round
trip
between
client
and
issuer.
There
are
constructions
that
are
more
than
one
round
trip
that
require
three
or
four
messages,
depending
on
the
shape.
Those
would
be
compatible
with
the
issuance
protocol,
as
or
with
the
architecture,
as
described
like
the
number
of
round.
Trips
is
not
really
a
constraint
in
terms
of
you
know
the
the
architecture,
because
it's
it's
it's
you
know
implementation
details
specific
to
the
issuance
protocol,
so
I
didn't.
E
I
didn't
list
anyone's
any
of
those
here,
because
there's
there's
concerns
around.
You
know
how
you
would
deploy
that
this
sort
of
thing
this
this
this
type
of
issuance
protocol
with
more
than
one
round
trip
in
a
stateless
way
or
in
a
way
that's
safe.
That
has
to
deal
with
the
state
that
the
the
issuer
maintains
per
per
client,
but
it,
but
it
is
certainly
possible.
E
So
there's
a
couple
considerations
that
I
wanted
to
note
that
the
first
is
that
the
existing
sort
of,
like
I
said,
the
existing
sort
of
issuance
protocols
that
we
specified
assume
that
the
issue
were
stateless.
So
it's
one
round
trip
for
issuance
protocols,
but
we
could
certainly
move
to
protocols
that
support
multiple
round
trips
as
necessary.
E
Nothing.
Nothing
prohibits
that.
Another
thing
to
note
is
that
the
the
way
that
the
issuer
is
interacted
with
and
in
particular
the
apis
that
are
exposed
by
the
issuer
in
order
to
interact
with
it,
are
compatible
with
any
deployment,
specific
key
consistency
mechanism
that
would
be
desired
for
an
application.
E
E
The
point
is
that
the
all
the
keys
that
the
issuer
might
use
are
discoverable
and
via
a
well-known
api,
and
then
you
can
build
things
on
top
of
that
that
api
to
build
consistency
into
the
system,
how
that
is
done
is
out
of
scope.
There
is
a
there's,
an
individual
draft,
that
sort
of
describes
different
ways
to
address
key
consistency
in
the
ecosystem,
but
we
don't
think
that's
like
that
needs
to
be
included
in
the
these
drafts
more
so
that
they
need
to
accommodate
any
of
these
particular
mechanisms
if
needed.
C
Clarify
question:
you
said
that
key
consistency
is
out
of
scope.
Are
you
noting
that,
as
out
of
scope
for
a
particular
draft
or
for
the
working
group.
E
I
think
for
the
for
these
particular
issuance
protocols
like
the
issuance
protocol,
should
not
address
how
to
deal
with
issuance
or
issuance
key
consistency.
Rather,
it
should
enable
other
work
to
address
that
if
as
as
needed,
so
I
I
don't
recall
what
the
charter
says
in
this
particular
topic.
If
it
says
that
we
need
to
address
key
consistency,
that's
cool
we
could.
We
could
certainly
write
a
separate
draft
that
deals
with
it,
based
on
the
issuance
that's
described
here,
yep.
E
Okay,
so
in
the
architecture
document
we
describe
various
ideal
security
properties
that
we'd
like
for
the
insurance
protocol.
The
most
obvious
one
is
this
notion
of
unforgeability.
E
Where
clients,
you
know,
can't
just
forge
tokens
without
having
interacted
with
the
issuer,
and
so
all
the
issuance
protocols,
as
specified
in
the
registry
right
now
support
this
particular
property,
and
indeed
this
is
a
requirement
to
go
in
that
registry.
E
They
also
require
that
the
this
notion
of
what
we
call
issue
and
secrets
see
issuance
secrecy,
and
the
description
here
is
not
the
most
clear
but
issue
and
secrecy
basically
means
that
any
of
the
input
that
is
provided
to
the
to
the
blind
signature
protocol
or
the
the
issuance
protocol
generally
is
not
revealed
in
any
way
to
the
issuer.
E
So
if
you
recall
from
the
diagram
really,
we
had
this
nonce
and
we
had
this
context.
Both
of
them
are
unconditionally
secret,
even
against
an
all-powerful
attacker
who
has
like
endless
compute
and
endless
memory
whatever,
and
this
is
necessary
for
the
privacy
and
particularly
the
unlinkability
guarantees
that
we
have
between
issuance
redemption.
E
Okay,
so
the
proposal
that
we
have
at
hand
is
to
basically
take
what
was
currently
described
in
the
protocol
document,
which
had
bits
and
pieces
of
this.
So
it
did
have
you
know
the
deep
some
language
around
how
to
integrate
with
the
pop
rf.
It
did
have
some.
You
know
details
about
how
to
do
redemption,
but
nothing
that
was,
you
know,
implementable
and
interoperable.
E
The
proposals
take
is
to
take
the
the
basic
issuance
protocol
details
and
built
upon
the
proposed
redemption
protocol
and
make
that
sort
of
the
the
working
group
document
protocol
document
and
there's
a
number
of
reasons
to
do
so.
A
it
satisfies
a
perhaps
should
sort
of
these
differently,
but
a
it
satisfies
that
the
two
are
two
requirements
in
the
charter
that
we
have
public
and
private
verifiability.
E
It
does
integrate
cleanly
with
the
the
redemption
protocol
that
tommy
presented
and
it
sort
of
addresses
this
this
question
of
extensibility
that
has
been
floating
around,
for
you
know
at
least
a
year
now
I
think
we
were
sort
of
tossing
around
different
ways
to
address
extensibility.
Is
it
in
like
the
the
wire
format,
messages
that
are
sent
between
client
and
issuer?
Is
it
like?
E
How
do
you,
how
do
you
change
the
crypto
and
blah
blah
blah,
but
the
the
current
proposal,
where
you
wrap
up
all
of
the
sort
of
issue
and
specific
details
under
a
token
type
and
then
introduce
new
types
as
necessary
to
extend
the
system
with
new
or
extend
issuance
protocol
with
new
features,
like
rate
limiting,
as
kind
of
we'll
describe
later,
if
there's
time
it's
a
very
clean
way
to
sort
of
address
this,
with
minimal
complexity
on
the
on
the
origin
and
on
the
issuer
side.
E
E
Okay,
before
we
go
to
the
questions
the
working
group
slide,
I
wanted
to
pause
here
and
see
if
there's
any
questions.
E
Okay,
if
not
I'll,
move
forward,
then
so
we
just
to
kind
of
wrap
up.
There's
a
there's,
a
couple
high-level
questions
we
have
for
the
group,
first
of
which
you
know
are
the
we
want
to
know.
If
the
the
document
proposals
have
presented
specifically
for
the
architecture
document,
the
challenge
and
redemption
protocol
document
and
then
the
the
basic
issuance
protocol
document.
Are
they
clear
it's
the
sort
of
scope
and
does
the
scope
make
sense?
E
And
then
second,
we
want
to
know,
or
we
want
to
try
to
assess
if
there's
consensus,
to
move
in
this
direction,
which
specifically
means
updating
the
privacy
pass
architecture
document
based
on
the
proposal
at
the
beginning,
as
well
as
the
protocol
document
based
on
the
the
basic
issuance
protocol
that
I
just
walked
through,
as
well
as
considering
adoption
of
the
new
authentication
scheme
that
that
describes
the
challenge
redemption
protocol
that
tommy
went
through,
and
so
I'm
gonna
stop
sharing
and
I'm
gonna
turn
it
over
actually
I'll
keep
sharing,
but
I'll
turn
it
over
to
the
chairs.
C
Hi
ben
schwartz
as
chair,
I
would
really
appreciate
hearing
comments
on
these
questions
from
the
authors
of
the
current
adopted
drafts.
So,
if
you're
an
author
or
if
you're
a
co-author
on
a
current
adopted
draft,
I
would
really
appreciate
it
if
you
would
come
to
the
mic
and
give
us
your
thoughts
thanks.
H
Hopefully
you
can
hear
me
yeah.
I.
H
Restructure
of
the
graph
seems
reasonable.
I
think,
there's
a
few
issues
to
work
out
like
what
information
we
put
in
the
architecture.
Dock,
like
the
interactive
timing,
I
think
moving
to
the
http
instead
of
the
current
atp
api
method,
I
think
works
well.
I
think
there's
going
to
be
some
questions
about
like
cases
where
you
need
to
trigger
issuance
redemption
in
ways
that
you
don't
necessarily
have
that
like
first
leg,
but
I
think
that's
all
things
we
can
edit
within
that
specification
overall
seems
reasonable.
F
Hey
yeah
alex
davidson
brave,
so
personally,
as
an
author
of
the
both
the
architecture
and
political
drafts,
I
think
these
proposals
are
clear
and
and
also
moving
forward
in
this
direction
makes
sense.
F
I
think
the
one
the
one
concern
I
have
is
around
as
people
have
brought
up
previously
these
interactive
challenges
and
and
how
we
parameterize
the
privacy
in
the
client
privacy
in
those
cases,
because
I
think
it
could
radically
alter
the
anonymity
set
sites
for
those
clients
and
that's
something
we
we
tried
to
parametrize
before
and
if,
if
it's
decided
that
we
don't
want
to
do
that,
then
then
then
that
might
be
maybe
reasonable,
but
I
think
the
current
parameterizations
we
have
then
are
kind
of
redundant.
In
that
case,.
D
Sofia
from
cloudflare
yeah,
I
just
wanted
to
say
as
well
that
I
support
the
new
directions
and
it
seemed
to
be
some
really
small
open
questions,
but
I
think
we
can
discuss
that
further
and
yeah.
Thank
you
for
pushing
forward
all
of
this
new
direction.
C
Thank
you,
it
seems
like
we've
all
the
comments
we've
heard
have
generally
been
positive
and
supportive
of
both
updating
these
drafts
and
of
adopting
the
new
authorization
draft.
C
Okay,
it
seems
like
there
isn't
anybody
speaking
against
these
these
things
I
I
haven't
had
a
chance
to
confer
with
my
co-chair,
I
I
would
like
to
propose
the
following.
It
seems
to
me
that
the
updates
to
the
existing
drafts
can
can
move
forward
without
any
further
review
by
the
working
group.
Of
course,
the
contents
of
those
drafts
will
will
be
subject
to
many
rounds
of
further
review
before
it
can
exit
the
working
group
and
the
new
draft.
C
I
think
it's.
It
seems
to
me
that
that
the
that
the
group
needs
some
time
to
to
do
a
formal
review
for
this
before
we
do
a
call
for
adoption.
So
I
I
don't
think
I
don't
think
we're
ready
to
to
trigger
a
call
for
adoption
in
this
meeting,
but
I
think
we
can
do
that
very
quickly.
If,
if
the
draft
is
sent
out
to
the
list
and
people
have
a
chance
to
to
read
it,
then
I
think
a
call
for
adoption
would
be
appropriate
joe.
A
I
think
yeah,
I
agree
the
I
think
it's
a
fair
thing
to
move
forward
with
with
the
changes
and
hold
up
on
the
adoption
of
the
draft
until
we
get
kind
of
those
things
a
little
bit
more
settled
and
and
socialized
in
the
group.
But
I
think
we're
pretty
pretty
good
here.
B
All
right,
yeah,
thank
you,
so
I
think
the
order
would
be
because
we
haven't
formally
published
the
auth
scheme
as
an
id,
partly
because
it
was
referring
to
github
prs
that
weren't
merged.
So
I
imagine
if
we
can
merge
those
other
pr's,
then
I
can
once
that's
done
kind
of
get
something
with
the
right
references
published,
send
that
to
the
list
and
then
we
can
discuss,
and
I
think
it
sounds
like
the
main
open
question
that
people
have
around
that
is
interactive
and
how
is
that
safe?
And
when
is
that
safe?
B
D
I
Davis
ganazzi,
google-
I
was
just
had
a
process
question
for
the
chairs,
because
I've
personally
read
the
proposal
and
I
think
it's
definitely
worth
doing
as
a
working
group.
If
you're
saying
that
we're
not
ready
for
adoption,
what
are
we
looking
for?
Obviously,
we
wouldn't
decide
in
the
room,
but
I'm
not
seeing
any
blockers
to
like
start
the
call
that
will
trigger
people
to
actually
read
it.
A
Yeah-
and
I
I
think
also
there's
a
little
bit
of
an
ordering
dependency
that
we
need
to
get
the
architecture
draft
updated
before
you
can
even
update
the
off
scheme
and
before
you
know,
so
that
the
references
work
out
and
all
that.
So
I
think
that's
kind
of
the
the
way
the
flow
needs
to
be.
But
I
I
could
be
wrong.
I
I
I
would
love,
there's
a
comment,
but
I
it
seems
like
we
can
move
forward
on
architecture
without
having
all
the
drafts
there,
but
I
see
chris
in
the
queue
I'll
leave
my
time.
Thanks
for
clarifying.
E
Yeah,
I
just
want
to
ask
a
clarifying
question,
so
we
can
certainly
merge
the
architecture.
That's
fine,
but
ben
also
said
that
we
could
also
move
forward
on
the
protocol
document
update.
However,
importantly,
that
depends
on
the
redemption
protocol
document
existing
so
in
in
merging
that
change
into
the
protocol
document.
Sort
of
assumes
that
this
this
authentic,
this
new
redemption
protocol
will
be
a
thing.
E
So
should
we
hold
off
on
merging
the
protocol
document
change
until
there
was
there's
been
a
consensus,
call
on
the
authentication
document,
or
I
just
I'm
not
sure
what
to
do.
A
Does
does
the
protocol
document
rely
on
the
detai
on
the
specific
details
of
the
redemption
document,
or
is
it
or
is
it
just
you
you
we
need
to
have?
We
need
to
say
that
there's
this
thing
that's
going
to
exist
and
where
that
that
it's
you
know,
I
mean
we're
going
to
be
in
a
chicken
and
egg
problem
and
I
think
I'd.
G
E
C
B
Yeah,
I
I
agree
with
chris
that
we
could
yeah.
I
think,
it'd
be
good
to
merge
the
protocol
bits
and
just
say,
maybe
even
just
reference
like,
for
example,
it
could
be
something
like
the
mechanism
described
here,
but
not
normatively
depend
on
it.
Yet
just
say
you
know
there
is
an
issuance
token
type.
There
is
some
challenge
blob
and
you
need
to
send
this
back
somewhere,
but
then
we
could
always
update
it
later
to
make
it
concrete.
C
G
C
So,
to
be
clear,
are
you
proposing
that
none
of
these
changes
land
until
until
we've
had
a
chance
to
do
a
formal,
complete,
a
formal
adoption
call
for
the
authorization
scheme?
I
guess.
G
I'm
suggesting
that
we
see
if
there
is
pushback
on
that
right
like
if
we
try
to
do
the
architecture
and
the
we
can
always
split
it
off
and
say:
okay.
Well,
we
can
do
this
piece
separately.
If
there
is
push
back
on
it,
but
it
does
not.
Then
we
avoid
the
whole
conversation
around
dependencies
and
issues
like
that.
B
A
This
kind
of
protocol
with
the
the
attestation
protocol,
which
is
you
know
it's
not
specifically,
you
know
a
topic
of
this.
You
know
we're
not
going
to
define
the
attestation
protocol
here,
but
it
seems
like
there
are
certain
properties
that
it
has
to
have
be
able
to
carry
certain
sorts
of
information,
and
so
that's
something
that
how
well
have
we
defined
that
yet
in
the
architecture
document.
E
No
that's
and
we're
trying
to
keep
that
as
much
as
possible
out
of
scope.
It's
a
as
tommy
was
sort
of
describing
or
john
I
was
describing
earlier.
That's
a
that's
a
deployment,
specific
question
between
client
and
trusted
testers
that
that
will
vary
depending
on
the
use
case.
B
B
What
the
kind
of
minimum
bar
for
what
it
does
is.
They
can
also
vary
depending
on
the
specific
type
of
issuance
or
deployment
you're
doing.
C
So,
in
terms
of
of
direction
moving
forward,
I
want
to
just
double
check
with
with
janna:
do
you
do
you
still
think
a
sort
of
two-phase
movement
here
is
appropriate
or
or
do
you
feel
like
we're,
we're
probably
better
off
trying
to
wait
until
until
we've
done
a
call
for
adoption
before
making
any
of
these
changes.
E
Okay,
sorry,
this
is,
this
is
getting
more
complicated.
There
probably
needs
to
be
so
here's
my
proposal.
We
can.
We
will,
with
the
proposals
of
the
redemption,
the
auth
scheme
document,
we'll
add
some
text
and
considerations
around
the
sort
of
timing,
attacks
or
correlation
that
was
brought
up
earlier.
We
will
publish
that
in
the
data
tracker.
E
C
A
B
Hey
regarding
another
meeting,
we
could
probably
just
wait
until
113,
particularly
if
we
do
the
adoption
call
in
between
the
reason
I
got
in
queue
is
one.
Other
thing
I
wanted
to
mention
for
people
is
that
the
various
authors
and
people
working
on
the
new
proposal
have
also
been
doing
implementations
and
interop
testing.
So
chris
has
a
implementation.
I
think
that's
open
source
as
well
on
github
that
people
could
try
out
and
test
against
that
uses
the
http
auth
method
and
the
issuance
protocol.
B
So
you
can
see
how
that
looks
as
code.
I've
done
an
implementation
for
ios
and
mac
os
as
well
that
I've
tested-
and
I
believe,
some
of
the
others
are
working
on
that.
So,
if
you're
interested
on
trying
this
stuff
out,
we
can
also
chat
on
the
list
or
in
github
or
whatever
so
just
wanted
to
say.
You
know
we're
committed
to
actually
having
running
code
here.