From d86596412423345a00877b868e88533db139dc03 Mon Sep 17 00:00:00 2001 From: chriswood Date: Wed, 12 Jul 2023 11:54:51 -0400 Subject: [PATCH] Add token key encoding to the registry --- draft-ietf-privacypass-auth-scheme.md | 7 +++++-- draft-ietf-privacypass-protocol.md | 9 ++++----- 2 files changed, 9 insertions(+), 7 deletions(-) diff --git a/draft-ietf-privacypass-auth-scheme.md b/draft-ietf-privacypass-auth-scheme.md index 9d69593a..a1afddf3 100644 --- a/draft-ietf-privacypass-auth-scheme.md +++ b/draft-ietf-privacypass-auth-scheme.md @@ -221,8 +221,9 @@ following parameters: all challenges. - "token-key", which contains a base64url encoding of the public key for -use with the issuance protocol indicated by the challenge. Since the length of -the key is not fixed, the base64url value MUST include padding. As an +use with the issuance protocol indicated by the challenge. The encoding of +the public key is determined by the token type; see {{token-types}}. Since the +length of the key is not fixed, the base64url value MUST include padding. As an Authentication Parameter (`auth-param` from {{!RFC9110, Section 11.2}}), the value can be either a token or a quoted-string, and might be required to be a quoted-string if the base64url string includes "=" characters. This parameter @@ -572,6 +573,7 @@ Template: * Value: The two-byte identifier for the algorithm * Name: Name of the issuance protocol * Token Structure: The contents of the Token structure in {{redemption}} +* Token Key Encoding: The encoding of the "token-key" parameter in {{redemption}} * TokenChallenge Structure: The contents of the TokenChallenge structure in {{challenge}} * Publicly Verifiable: A Y/N value indicating if the output tokens are publicly verifiable 
@@ -639,6 +641,7 @@ for Private Use. * Value: 0xFF00-0xFFFF * Name: Private Use * Token Structure: The contents of the Token structure in {{redemption}} +* Token Key Encoding: N/A * TokenChallenge Structure: The contents of the TokenChallenge structure in {{challenge}} * Publicly Verifiable: N/A * Public Metadata: N/A diff --git a/draft-ietf-privacypass-protocol.md b/draft-ietf-privacypass-protocol.md index 73bb136d..fa508349 100644 --- a/draft-ietf-privacypass-protocol.md +++ b/draft-ietf-privacypass-protocol.md @@ -738,6 +738,7 @@ This document updates the "Token Type" Registry from * Value: 0x0001 * Name: VOPRF (P-384, SHA-384) * Token Structure: As defined in {{Section 2.2 of AUTHSCHEME}} +* Token Key Encoding: Serialized using SerializeElement from {{Section 2.1 of OPRF}} * TokenChallenge Structure: As defined in {{Section 2.1 of AUTHSCHEME}} * Publicly Verifiable: N * Public Metadata: N @@ -752,6 +753,7 @@ This document updates the "Token Type" Registry from * Value: 0x0002 * Name: Blind RSA (2048-bit) * Token Structure: As defined in {{Section 2.2 of AUTHSCHEME}} +* Token Key Encoding: Serialized as a DER-encoded SubjectPublicKeyInfo (SPKI) object * TokenChallenge Structure: As defined in {{Section 2.1 of AUTHSCHEME}} * Publicly Verifiable: Y * Public Metadata: N @@ -1012,8 +1014,7 @@ The test vector below lists the following values: - skS: The Issuer private Key, serialized using SerializeScalar from {{Section 2.1 of OPRF}} and represented as a hexadecimal string. -- pkS: The Issuer Public Key, serialized using SerializeElement from - {{Section 2.1 of OPRF}} and represented as a hexadecimal string. +- pkS: The Issuer Public Key, serialized according to the encoding in {{private-token-type}}. - token_challenge: A randomly generated TokenChallenge structure, represented as a hexadecimal string. - nonce: The 32-byte client nonce generated according to {{private-request}}, 
@@ -1156,9 +1157,7 @@ The test vector below lists the following values: - skS: The PEM-encoded PKCS#8 RSA Issuer Private Key used for signing tokens, represented as a hexadecimal string. -- pkS: The DER-encoded SubjectPublicKeyInfo object carrying the Issuer Public - Key, as described in {{public-issuer-configuration}}, represented as a - hexadecimal string. +- pkS: The Issuer Public Key, serialized according to the encoding in {{public-token-type}}. - token_challenge: A randomly generated TokenChallenge structure, represented as a hexadecimal string. - nonce: The 32-byte client nonce generated according to {{public-request}},
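Review bot: In the first auth-scheme hunk (@@ -221), the sentence "Since the length of the key is not fixed, the base64url value MUST include padding" now sits right after "The encoding of the public key is determined by the token type", which makes it read as if the length varies per key rather than per token type. Suggest tightening to something like "Since the length of the encoded key depends on the token type, the base64url value MUST include padding", and confirm that the `{{token-types}}` anchor exists in this document (the registry section later in the same file is the likely target).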
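Review bot: In the registry template hunk (@@ -572), the new row points at `{{redemption}}` for the "token-key" parameter, but that parameter is defined in the challenge parameter list edited in the first hunk, not in the Token structure. The adjacent row already uses `{{challenge}}` for the TokenChallenge structure; suggest `* Token Key Encoding: The encoding of the "token-key" parameter in {{challenge}}` so the template points readers at the right section.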
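Review bot: In the VOPRF registry hunk (@@ -738), "Serialized using SerializeElement from {{Section 2.1 of OPRF}}" is correct but leaves the resulting length implicit; the OPRF ciphersuite fixes the point serialization for P-384, so stating the expected encoded length (or at least that it is fixed for this token type) would let clients reject malformed "token-key" values before attempting to deserialize, and would also reconcile this entry with the "length of the key is not fixed" wording in the auth-scheme hunk.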
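Review bot: In the Blind RSA registry hunk (@@ -752), "Serialized as a DER-encoded SubjectPublicKeyInfo (SPKI) object" does not say which AlgorithmIdentifier and parameters the SPKI carries, which matters for RSA-PSS keys and for interoperable validation. The text removed in the last hunk (@@ -1156) previously pointed to `{{public-issuer-configuration}}` for exactly this; suggest adding that reference here, e.g. "Serialized as a DER-encoded SubjectPublicKeyInfo (SPKI) object as described in {{public-issuer-configuration}}", so the registry entry remains the single authoritative description of the encoding.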
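Review bot: In the private test vector hunk (@@ -1012), the replacement line for pkS drops "and represented as a hexadecimal string", which every neighbouring entry (skS, token_challenge, nonce) keeps. Without it a reader cannot tell whether the vector value is the raw SerializeElement output in hex or the base64url form used on the wire. Suggest `- pkS: The Issuer Public Key, serialized according to the encoding in {{private-token-type}} and represented as a hexadecimal string.`, and confirm the `{{private-token-type}}` anchor exists.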
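Review bot: In the public test vector hunk (@@ -1156), the same omission applies: the new pkS line loses "represented as a hexadecimal string" and the `{{public-issuer-configuration}}` cross-reference that the removed lines carried. Suggest `- pkS: The Issuer Public Key, serialized according to the encoding in {{public-token-type}} and represented as a hexadecimal string.`, and confirm that `{{public-token-type}}` resolves to the Blind RSA registry entry edited above.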