Privacy Pass protocol #261
Comments
We're quite excited about finding new ways to address different forms of tracking on the web and this technology shows some promise. At this stage, however, we're going to have to enter a position of "defer", though once this is more fully developed it could be "worth prototyping" and maybe even "important". One concern we have identified is alxdavids/draft-privacy-pass#5 which would seem to undermine the stated security goal of the protocol. For security and privacy features, we need to be very clear in stating their properties. In this case, more analysis of the protocol is needed before we can be confident in the claims that it makes about the two key aspects of token forgery and privacy.
Closes mozilla#261. Closes mozilla#262.
@martinthomson I just came across this issue, and I thought that it's worth noting that the IETF working group in question has since been established as privacypass (https://datatracker.ietf.org/wg/privacypass/about/) and the draft has since moved to https://github.com/ietf-wg-privacypass/base-drafts. If the protocol isn't being reconsidered at this stage then the icon should at least be updated to match its current status as being worked on by the IETF.
Should this be revisited in light of #852 (comment)? I can't see why the arguments from that position wouldn't also apply to Privacy Pass (which has the same DRM-style properties, although no holdback or any of the planned "countermeasures" from the Web Environment Integrity proposal). cc @bgrins
It has taken us a long time to reach this point, but we have completed our assessment of this technology. Mozilla recognizes that Privacy Pass protocols are useful tools for enabling authorization in contexts where access to sensitive information needs to be controlled. We are supportive of efforts to improve privacy in this way. Privacy Pass is a positive contribution that can help manage the flow of private information in complex systems. However, the core protocol does not describe critical aspects of how it might be integrated into an environment as complex as the Web. Privacy Pass deployments appear to rely heavily on trust in issuers and attesters, something that requires additional controls for managing risks to privacy, user equity, and service centralization. These controls need to balance the utility that sites might derive from the system. We do not currently see a viable means of Web deployment for this technology that balances the necessary concerns in a satisfactory manner. For more on how this might be deployed to the Web and the challenges inherent, please refer to our position on Apple’s Private Access Tokens (#954) or Google’s Private State Tokens (#262). Because the protocol specifications do not define a complete proposal that might be deployed on the Web, we will remove the “defer” position on the dashboard and instead decline to provide a position for this specific technology. Refer to the positions referenced above for our position on those proposals.
1. Remove the position on privacy pass as a whole
2. Update the Private State Token (formerly Trust Token; Google) position to reflect conclusions
3. Add a position on Private Access Tokens (Apple)

Closes mozilla#261. Closes mozilla#262. Closes mozilla#954.
Request for Mozilla Position on an Emerging Web Specification
Other information
The Privacy Pass protocol provides a privacy-preserving mechanism for clients to prove authorization to a server. In the process of forming an IETF WG; there will likely be a BoF @ IETF107 (mailing list: https://mailarchive.ietf.org/arch/browse/privacy-pass/).