<?xml version='1.0' encoding='utf-8'?> <!DOCTYPE rfc [ <!ENTITY nbsp " "> <!ENTITY zwsp "​"> <!ENTITY nbhy "‑"> <!ENTITY wj "⁠"> ]><?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?> <!-- generated by https://github.com/cabo/kramdown-rfc version 1.6.11 (Ruby 3.1.2) --><rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-ietf-privacypass-architecture-16" number="9576" category="info" tocInclude="true" submissionType="IETF" consensus="true" obsoletes="" updates="" sortRefs="true" symRefs="true"version="3"> <!-- xml2rfc v2v3 conversion 3.12.10 -->version="3" xml:lang="en"> <front> <title abbrev="Privacy Pass Architecture">The Privacy Pass Architecture</title> <seriesInfoname="Internet-Draft" value="draft-ietf-privacypass-architecture-16"/>name="RFC" value="9576"/> <author initials="A." surname="Davidson" fullname="Alex Davidson"><organization>LIP</organization><organization>NOVA LINCS, Universidade NOVA de Lisboa</organization> <address> <postal><city>Lisbon</city><street>Largo da Torre</street> <city>Caparica</city> <country>Portugal</country> </postal> <email>alex.davidson92@gmail.com</email> </address> </author> <author initials="J." surname="Iyengar" fullname="Jana Iyengar"> <organization>Fastly</organization> <address> <email>jri@fastly.com</email> </address> </author> <author initials="C. A." surname="Wood" fullname="Christopher A. Wood"> <organization>Cloudflare</organization> <address> <postal> <street>101 Townsend St</street> <city>San Francisco</city> <region>CA</region> <code>94107</code> <country>United States of America</country> </postal> <email>caw@heapingbits.net</email> </address> </author> <dateyear="2023" month="September" day="25"/> <keyword>Internet-Draft</keyword>year="2024" month="June"/> <area>sec</area> <workgroup>privacypass</workgroup> <abstract> <t>This document specifies the Privacy Pass architecture and requirements for its constituent protocols used for authorization based on privacy-preserving authentication mechanisms. It describes the conceptual model of Privacy Pass and its protocols, its security and privacy goals, practical deployment models, and recommendations for each deploymentmodel that helpsmodel, to help ensure that the desired security and privacy goals are fulfilled.</t> </abstract> </front> <middle> <section anchor="introduction"> <name>Introduction</name> <t>Privacy Pass is an architecture for authorization based on privacy-preserving authentication mechanisms. In other words, relying parties authenticateclientsClients in a privacy-preserving way, i.e., without learning any unique,per-clientper-Client information through the authentication protocol, and then make authorization decisions on the basis of that authentication succeeding or failing. Possible authorization decisions might be to provideclientsClients with read access to a particular resource or write access to a particular resource.</t> <t>Typical approaches for authorizingclients,Clients, such as through the use of long-term state (cookies), are notprivacy-friendlyprivacy friendly, since they allow servers to trackclientsClients across sessions and interactions. Privacy Pass takes a different approach: instead of presenting linkable state-carrying information to servers, e.g., a cookie indicating whether or not theclientClient is an authorized user or has completed some prior challenge,clientsClients present unlinkable proofs that attest to this information. These proofs, or tokens, are private in the sense that a given token cannot be linked to the protocol interaction where that token was initially issued.</t> <t>At a high level, the Privacy Pass architecture consists of two protocols: redemption and issuance. The redemption protocol, described in <xreftarget="AUTHSCHEME"/>,target="RFC9577"/>, runs between Clients and Origins (servers). It allows Origins to challenge Clients to present tokens for consumption. Origins verify the token to authenticate the Client -- without learning any specific information about the Client -- and then make an authorization decision on the basis of the token verifying successfully or not. Depending on the type of token, e.g., whether or not it can be cached, the Client either presents a previously obtained token or invokes an issuance protocol,such ase.g., the protocols described in <xreftarget="ISSUANCE"/>,target="RFC9578"/>, to acquire a token to present as authorization.</t> <t>This document describes requirements for both redemption and issuance protocols and how they interact. It also provides recommendations on how the architecture should be deployed to ensure the privacy ofclientsClients and the security of all participating entities.</t> </section> <section anchor="terminology"> <name>Terminology</name> <t>The key words"MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY","<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>", "<bcp14>MAY</bcp14>", and"OPTIONAL""<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as described inBCP 14BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they appear in all capitals, as shown here.</t> <t>The following terms are used throughout this document:</t> <dl> <dt>Client:</dt> <dd> <t>An entity that seeks authorization to an Origin. Using terminology from <xreftarget="RFC9334"/> terminology,target="RFC9334"/>, Clients implement theRATSRemote ATtestation procedureS (RATS) Attester role.</t> </dd> <dt>Token:</dt> <dd> <t>A cryptographic authentication message used for authorization decisions, produced as output from an issuance mechanism or protocol.</t> </dd> <dt>Origin:</dt> <dd> <t>An entity that consumes tokens presented by Clients and uses them to make authorization decisions.</t> </dd> <dt>Token challenge:</dt> <dd> <t>The mechanism by which Origins request tokens from Clients, often denoted TokenChallenge.</t> </dd> <dt>Token request:</dt> <dd> <t>A message used by Clients to request a token from an Issuer, often denoted TokenRequest.</t> </dd> <dt>Token response:</dt> <dd> <t>A message used by Issuers to send tokens to a Client, often denoted TokenResponse.</t> </dd> <dt>Redemption:</dt> <dd> <t>The mechanism by which Clients present tokens to Origins for the purposes of authorization.</t> </dd> <dt>Issuer:</dt> <dd> <t>An entity that issues tokens to Clients for properties attested to by the Attester.</t> </dd> <dt>Issuance:</dt> <dd> <t>The mechanism by which an Issuer produces tokens for Clients.</t> </dd> <dt>Attester:</dt> <dd> <t>An entity that attests to properties of Clients for the purposes of token issuance. Using terminology from <xreftarget="RFC9334"/> terminology,target="RFC9334"/>, Attesters implement the RATS Verifier role.</t> </dd> <dt>Attestation procedure:</dt> <dd> <t>The procedure by which an Attester determines whether or not a Client has the specific set of properties that are necessary for token issuance.</t> </dd> </dl> <t>The trust relationships between each of the entities in this listisare further elaborated upon in <xref target="privacy-and-trust"/>.</t> </section> <section anchor="architecture"> <name>Architecture</name> <t>The Privacy Pass architecture consists of four logical entities -- Client, Origin, Issuer, and Attester -- that work in concert for token redemption and issuance. This section presents an overview of Privacy Pass, a high-level description of the threat model and privacy goals of the architecture, and the goals and requirements of the redemption and issuance protocols. Deployment variations for the Origin, Issuer, and Attester in this architecture, including considerations for implementing these entities, are further discussed in <xref target="deployment"/>.</t> <section anchor="overview"> <name>Overview</name> <t>This section describes the typical interaction flow for PrivacyPass.</t>Pass, as shown in <xref target="fig-overview"/>.</t> <ol spacing="normal" type="1"><li>A Client interacts with an Origin by sending a request or otherwise interacting with the Origin in a way that triggers a response containing a token challenge. The token challenge indicates a specific Issuer to use.</li> <li>If the Client already has a token available that satisfies the token challenge, e.g., because the Client has a cache of previously issued tokens, it can skip to <xref format="none" target="step-redemption">step 6</xref> and redeem its token; see <xref target="hoarding"/> for security considerationsofregarding cached tokens.</li> <li>If the Client does not have a token available and decides it wants to obtain one (or more) bound to the token challenge, it then invokes the issuance protocol. As a prerequisite to the issuance protocol, the Client runs the deployment-specific attestation process that is required for the designated Issuer. Client attestation can be done via proof of solving a CAPTCHA, checking device or hardware attestation validity, etc.; see <xref target="attester"/> for more details.</li> <li>If the attestation process completes successfully, theclientClient creates a token request to send to the designated Issuer (generally via the Attester, though it is not required to be sent through the Attester). The Attester and Issuer might be functions on the same server, depending on the deployment model (see <xref target="deployment"/>). Depending on the attestation process, it is possible for attestation to run alongside the issuance protocol, e.g., where Clients send necessary attestation information to the Attester along with their token request. If the attestation process fails, the Client receives an error and issuance aborts without a token.</li> <li>The Issuer generates a token response based on the token request, which is returned to the Client (generally via the Attester). Upon receiving the token response, the Client computes a token from the token challenge and token response. This token can be validated by anyone with the per-Issuerkey,key but cannot be linked to the content of the token request or token response.</li> <li> <t anchor="step-redemption">If the Client has a token, it includes it in a subsequent request to the Origin, as authorization. This token is sent only once in reaction to a challenge; Clients do not send tokens more than once, even if they receive duplicate or redundant challenges. The Origin validates that the token was generated by the expected Issuer and has not already been redeemed for the corresponding token challenge. If the Client does not have a token, perhaps because issuance failed, theclientClient does not reply to the Origin's challenge with a new request.</t> </li> </ol> <figure anchor="fig-overview"> <name>Privacypass redemptionPass Redemption andissuance protocol interaction</name>Issuance Protocol Interaction</name> <artset> <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1"height="224" width="520"viewBox="0 0 520 224" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round"> <path d="M 8,32 L 8,64" fill="none" stroke="black"/> <path d="M 40,64 L 40,208" fill="none" stroke="black"/> <path d="M 80,32 L 80,64" fill="none" stroke="black"/> <path d="M 184,32 L 184,64" fill="none" stroke="black"/> <path d="M 216,64 L 216,208" fill="none" stroke="black"/> <path d="M 256,32 L 256,64" fill="none" stroke="black"/> <path d="M 336,32 L 336,64" fill="none" stroke="black"/> <path d="M 376,64 L 376,144" fill="none" stroke="black"/> <path d="M 376,192 L 376,208" fill="none" stroke="black"/> <path d="M 424,32 L 424,64" fill="none" stroke="black"/> <path d="M 440,32 L 440,64" fill="none" stroke="black"/> <path d="M 472,64 L 472,208" fill="none" stroke="black"/> <path d="M 512,32 L 512,64" fill="none" stroke="black"/> <path d="M 8,32 L 80,32" fill="none" stroke="black"/> <path d="M 184,32 L 256,32" fill="none" stroke="black"/> <path d="M 336,32 L 424,32" fill="none" stroke="black"/> <path d="M 440,32 L 512,32" fill="none" stroke="black"/> <path d="M 8,64 L 80,64" fill="none" stroke="black"/> <path d="M 184,64 L 256,64" fill="none" stroke="black"/> <path d="M 336,64 L 424,64" fill="none" stroke="black"/> <path d="M 440,64 L 512,64" fill="none" stroke="black"/> <path d="M 48,96 L 88,96" fill="none" stroke="black"/> <path d="M 168,96 L 216,96" fill="none" stroke="black"/> <path d="M 40,112 L 56,112" fill="none" stroke="black"/> <path d="M 192,112 L 208,112" fill="none" stroke="black"/> <path d="M 224,126 L 240,126" fill="none" stroke="black"/> <path d="M 224,130 L 240,130" fill="none" stroke="black"/> <path d="M 352,126 L 368,126" fill="none" stroke="black"/> <path d="M 352,130 L 368,130" fill="none" stroke="black"/> <path d="M 216,160 L 288,160" fill="none" stroke="black"/> <path d="M 408,160 L 464,160" fill="none" stroke="black"/> <path d="M 224,176 L 288,176" fill="none" stroke="black"/> <path d="M 416,176 L 472,176" fill="none" stroke="black"/> <path d="M 48,192 L 64,192" fill="none" stroke="black"/> <path d="M 192,192 L 216,192" fill="none" stroke="black"/> <polygon class="arrowhead" points="472,160 460,154.4 460,165.6" fill="black" transform="rotate(0,464,160)"/> <polygon class="arrowhead" points="376,128 364,122.4 364,133.6" fill="black" transform="rotate(0,368,128)"/> <polygon class="arrowhead" points="232,176 220,170.4 220,181.6" fill="black" transform="rotate(180,224,176)"/> <polygon class="arrowhead" points="232,128 220,122.4 220,133.6" fill="black" transform="rotate(180,224,128)"/> <polygon class="arrowhead" points="216,112 204,106.4 204,117.6" fill="black" transform="rotate(0,208,112)"/> <polygon class="arrowhead" points="56,192 44,186.4 44,197.6" fill="black" transform="rotate(180,48,192)"/> <polygon class="arrowhead" points="56,96 44,90.4 44,101.6" fill="black" transform="rotate(180,48,96)"/> <g class="text"> <text x="44" y="52">Origin</text> <text x="220" y="52">Client</text> <text x="380" y="52">Attester</text> <text x="476" y="52">Issuer</text> <text x="128" y="100">Request</text> <text x="124" y="116">TokenChallenge</text> <text x="296" y="132">Attestation</text> <text x="348" y="164">TokenRequest</text> <text x="352" y="180">TokenResponse</text> <text x="128" y="196">Request+Token</text> </g> </svg> </artwork> <artwork type="ascii-art"><![CDATA[ +--------+ +--------+ +----------+ +--------+ | Origin | | Client | | Attester | | Issuer | +---+----+ +---+----+ +----+-----+ +---+----+ | | | | |<----- Request ------+ | | +-- TokenChallenge -->| | | | |<== Attestation ==>| | | | | | | +--------- TokenRequest ------->| | |<-------- TokenResponse -------+ |<-- Request+Token ---+ | | | | | | ]]></artwork> </artset> </figure> </section> <section anchor="use-cases"> <name>Use Cases</name> <t>Use cases for Privacy Pass are broad and depend greatly on the deployment model as discussed in <xref target="deployment"/>. The initial motivating use case for Privacy Pass <xref target="PrivacyPassCloudflare"/> was to help rate-limit malicious or otherwise abusive traffic from services such as Tor <xref target="DMS2004"/>. The generalized and evolved architecture described in this document alsoworkworks for this use case. However, for added clarity, some more possible use cases are described below.</t> <ul spacing="normal"> <li>Low-quality, anti-fraud signal for open Internet services. Tokens can attest that the Client behind the user agent is likely not a bot attempting to perform some form of automated attack such as credential stuffing. Example attestation procedures for this use case might be solving some form of CAPTCHA or presenting evidence of a valid, unlocked device in good standing.</li> <li>Privacy-preserving authentication for proprietary services. Tokens can attest that the Client is a valid subscriber for a proprietary service, such as a deployment of Oblivious HTTP <xreftarget="OHTTP"/>.</li>target="RFC9458"/>.</li> </ul> </section> <section anchor="privacy-and-trust"> <name>Privacy Goals and Threat Model</name> <t>The end-to-end flow for Privacy Pass described in <xref target="overview"/> involves three different types of contexts:</t> <dl> <dt>Redemption context:</dt> <dd> <t>The interactions and set of information shared between the Client and Origin, i.e., the information that is provided or otherwise available to the Origin during redemption that might be used to identify a Client and construct a token challenge. This context includes all information associated with redemption, such as the timestamp of the event, Client-visible information (including the IP address), and the Origin name.</t> </dd> <dt>Issuance context:</dt> <dd> <t>The interactions and set of information shared between the Client, Attester, and Issuer, i.e., the information that is provided or otherwise available to the Attester and Issuer during issuance that might be used to identify a Client. This context includes all information associated with issuance, such as the timestamp of the event, any Client-visible information (including the IP address), and the Origin name (if revealed during issuance). This does not include the token challenge in its entirety, as that is kept secret from the Issuer during the issuance protocol.</t> </dd> <dt>Attestation context:</dt> <dd> <t>The interactions and set of information shared between the Client and Attester only, for the purposes of attesting the validity of the Client, that is provided or otherwise available during attestation that might be used to identify the Client. This context includes all information associated with attestation, such as the timestamp of the event and any Client-visible information, including information needed for the attestation procedure to complete.</t> </dd> </dl> <t>The privacy goals of Privacy Pass assume a threat model in which Origins trust specific Issuers to produce tokens, and Issuers in turn trust one or more Attesters to correctly run the attestation procedure with Clients. This arrangement ensures that tokenswhichthat validate for a given Issuer were only issued to a Client that successfully completed attestation with an Attester that the Issuer trusts. Moreover, this arrangement means that if an Origin accepts tokens issued by an Issuer that trusts multiple Attesters, then a Client can use any one of these Attesters to issue and redeem tokens for the Origin. Whether or not these different entities in the architecture collude for learning redemption, issuance, or attestation contexts, as well as the necessary preconditions for context unlinkability, depends on the deployment model; see <xref target="deployment"/> for more details.</t> <t>The mechanisms for establishing trust between each entity in this arrangement aredeployment-specific.deployment specific. For example, in settings where Clients interact with Issuers through an Attester, Attesters and Issuers might use mutually authenticated TLS to authenticate one another. In settings where Clients do not communicate with Issuers through an Attester, the Attesters might convey this trust via a digital signature that Issuers can verify.</t> <t>Clients explicitly trust Attesters to perform attestation correctly and in a way that does not violate their privacy. In particular, this means that Attesterswhichthat may be privy to private information about Clients are trusted to not disclose this information to non-colluding parties. Colluding parties are assumed to have access to the same information; see <xref target="deployment"/> for more about different deployment models and non-collusion assumptions. However, Clients assume that Issuers and Origins are malicious.</t> <t>Given this threat model, the privacy goals of Privacy Pass are oriented around unlinkability based on redemption, issuance, and attestation contexts, as described below.</t> <ol spacing="normal" type="1"><li>Origin-Client unlinkability. This means that given two redemption contexts, the Origin cannot determine if both redemption contexts correspond to the same Client or two different Clients. Informally, this means that a Client in a redemption context is indistinguishable from any other Client that might use the same redemption context. The set of Clients that share the same redemption context is referred to as a redemption anonymity set.</li> <li>Issuer-Client unlinkability. This is similar to Origin-Client unlinkability in that a Client in an issuance context is indistinguishable from any other Client that might use the same issuance context. The set of Clients that share the same issuance context is referred to as an issuance anonymity set.</li> <li>Attester-Origin unlinkability. This is similar to Origin-Client and Issuer-Client unlinkability. It means that given two attestation contexts, the Attester cannot determine if both contexts correspond to the same Origin or two different Origins. The set of Origins that share the same attestation context is referred to as an attestation anonymity set.</li> <li>Redemption context unlinkability. Given two redemption contexts, the Origin cannot determine which issuance and attestation contexts each redemption corresponds to, even with the collaboration of the Issuer and Attester (should these be different parties). This means that any information that may be learned about the Client during the issuance and attestation flows cannot be used by the Origin to compromise Client privacy.</li> </ol> <t>These unlinkability properties ensure that only theClient isClients are able to correlate information that might be used to identify them with activity on the Origin. The Attester, Issuer, and Origin only receive the information necessary to perform their respective functions.</t> <t>The manner in which these unlinkability properties are achieved depends on the deployment model, type of attestation, and issuance protocol details. For example, as discussed in <xref target="deployment"/>, in some cases it is necessary to use an anonymization service that hides Client IP addresses, such as Tor <xreftarget="DMS2004"/> which hides Clients IP addresses.target="DMS2004"/>. In general, anonymization servicesensuresensure that all Clientswhichthat use the service are indistinguishable from one another, though in practice there may be small distinguishing features (TLS fingerprints, HTTP headers,etc).etc.). Moreover, Clients generally trust these services to not disclose private Client information (such as IP addresses) to untrusted parties. Failure to use an anonymization service when interacting with Attesters, Issuers, or Origins can allow the set of possible Clients to be partitioned by the Client's IPaddress,address and can therefore lead to unlinkability violations. Similarly, malicious Origins may attempt to link two redemption contexts together by using Client-specific Issuerpublic keys.Public Keys. See<xref target="deployment-considerations"/>Sections <xref target="deployment-considerations" format="counter"/> and <xreftarget="privacy"/>target="privacy" format="counter"/> for more information.</t><t>The remainder of this section describes<t>Sections <xref target="redemption" format="counter"/> and <xref target="issuance-protocol" format="counter"/> describe the functional properties and security requirements of the redemption and issuance protocols in more detail. <xref target="flow"/> describes how information flows between the Issuer, Origin, Client, and Attester through these protocols.</t> </section> <section anchor="redemption"> <name>Redemption Protocol</name> <t>The Privacy Pass redemption protocol, described in <xreftarget="AUTHSCHEME"/>,target="RFC9577"/>, is an authorization protocol wherein Clients present tokens to Origins for authorization. Normally, redemption is preceded by a challenge, wherein the Origin challenges Clients for a token with a TokenChallenge (<xref section="2.1" sectionFormat="comma"target="AUTHSCHEME"/>)target="RFC9577"/>) and, if possible, Clients present a validTokentoken (<xref section="2.2" sectionFormat="comma"target="AUTHSCHEME"/>)target="RFC9577"/>) in reaction to the challenge. This interaction is shown below.</t> <figure anchor="fig-redemption"> <name>Challenge andredemption protocol interaction</name>Redemption Protocol Interaction</name> <artset> <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1"height="176" width="432"viewBox="0 0 432 176" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round"> <path d="M 8,32 L 8,64" fill="none" stroke="black"/> <path d="M 40,64 L 40,160" fill="none" stroke="black"/> <path d="M 80,32 L 80,64" fill="none" stroke="black"/> <path d="M 184,32 L 184,64" fill="none" stroke="black"/> <path d="M 216,64 L 216,160" fill="none" stroke="black"/> <path d="M 256,32 L 256,64" fill="none" stroke="black"/> <path d="M 8,32 L 80,32" fill="none" stroke="black"/> <path d="M 184,32 L 256,32" fill="none" stroke="black"/> <path d="M 8,64 L 80,64" fill="none" stroke="black"/> <path d="M 184,64 L 256,64" fill="none" stroke="black"/> <path d="M 48,96 L 88,96" fill="none" stroke="black"/> <path d="M 168,96 L 216,96" fill="none" stroke="black"/> <path d="M 40,112 L 56,112" fill="none" stroke="black"/> <path d="M 192,112 L 208,112" fill="none" stroke="black"/> <path d="M 232,126 L 248,126" fill="none" stroke="black"/> <path d="M 232,130 L 248,130" fill="none" stroke="black"/> <path d="M 408,126 L 424,126" fill="none" stroke="black"/> <path d="M 408,130 L 424,130" fill="none" stroke="black"/> <path d="M 48,144 L 64,144" fill="none" stroke="black"/> <path d="M 192,144 L 216,144" fill="none" stroke="black"/> <polygon class="arrowhead" points="432,128 420,122.4 420,133.6" fill="black" transform="rotate(0,424,128)"/> <polygon class="arrowhead" points="240,128 228,122.4 228,133.6" fill="black" transform="rotate(180,232,128)"/> <polygon class="arrowhead" points="216,112 204,106.4 204,117.6" fill="black" transform="rotate(0,208,112)"/> <polygon class="arrowhead" points="56,144 44,138.4 44,149.6" fill="black" transform="rotate(180,48,144)"/> <polygon class="arrowhead" points="56,96 44,90.4 44,101.6" fill="black" transform="rotate(180,48,96)"/> <g class="text"> <text x="44" y="52">Origin</text> <text x="220" y="52">Client</text> <text x="128" y="100">Request</text> <text x="124" y="116">TokenChallenge</text> <text x="292" y="132">Issuance</text> <text x="364" y="132">protocol</text> <text x="128" y="148">Request+Token</text> </g> </svg> </artwork> <artwork type="ascii-art"><![CDATA[ +--------+ +--------+ | Origin | | Client | +---+----+ +---+----+ | | |<----- Request ------+ +-- TokenChallenge -->| | | <== Issuance protocol ==> |<-- Request+Token ---+ | | ]]></artwork> </artset> </figure> <t>Alternatively, when configured to do so, Clients may opportunistically presentTokentoken values to Origins without a corresponding TokenChallenge.</t> <t>The structure and semantics of the TokenChallenge andTokentoken messages depend on the issuance protocol and token type being used; see <xreftarget="AUTHSCHEME"/>target="RFC9577"/> for more information.</t> <t>The challenge provides theclientClient with the information necessary to obtain tokens that the server might subsequently accept in the redemption context. There are a number of ways in which the token may vary based on this challenge,including:</t>including the following:</t> <ul spacing="normal"> <li>Issuance protocol. The challenge identifies the type of issuance protocol required for producing the token. Different issuance protocols have different security properties, e.g., some issuance protocols may produce tokens that are publicly verifiable, whereas others may not have this property.</li> <li>Issuer identity. Token challenges identify which Issuers are trusted for a given issuance protocol. As described in <xref target="privacy-and-trust"/>, the choice of Issuer determines the type of Attesters and attestation procedures possible for a token from the specified Issuer, but the Origin does not learn exactly which Attester was used for a given token issuance event.</li> <li>Redemption context. Challenges can be bound to a given redemption context, which influences aclient'sClient's ability to pre-fetch and cache tokens. For example, an empty redemption context always allows tokens to be issued and redeemed non-interactively, whereas a fresh and random redemption context means that the redeemed token must be issued only after theclientClient receives the challenge. See <xref section="2.1.1" sectionFormat="of"target="AUTHSCHEME"/>target="RFC9577"/> for more details.</li> <li>Per-Origin or cross-Origin. Challenges can be constrained to the Origin for which the challenge originated (referred to as per-Origintokens),tokens) or can be used across multiple Origins (referred to as cross-Origin tokens). The set of Origins for which a cross-Origin token is applicable is referred to as the cross-Origin set. Opting into this set is done by explicitly agreeing on the contents of the set. Every Origin in a cross-Origin set, by opting in, agrees to admit tokens for any other Origin in the set. See <xref section="2.1.1" sectionFormat="of"target="AUTHSCHEME"/>target="RFC9577"/> for more information on how this set is created.</li> </ul> <t>Origins that admit cross-Origin tokens bear some risk of allowing tokens issued for one Origin to be spent in an interaction with another Origin. In particular, cross-Origin tokens issued based on a challenge for one Origin can be redeemed at another Origin in the cross-Origin set, which can make it difficult to regulate token consumption. Depending on the use case, Origins may need to maintain state to track redeemed tokens. For example, Origins that accept cross-Origin tokens across shared redemption contextsSHOULD<bcp14>SHOULD</bcp14> track which tokens have already been redeemedalreadyin those redemption contexts, since these tokens can be issued and then spent multiple times for any such challenge. Note that Clientswhichthat redeem the same token to multiple Origins do risk those Origins being able to link Client activity together, which can disincentivize this behavior. See <xref section="2.1.1" sectionFormat="of"target="AUTHSCHEME"/>target="RFC9577"/> for discussion.</t> <t>How Clients respond to token challenges can have privacy implications. For example, if an Origin allows the Client to choose an Issuer, then the choice of Issuer can reveal information about the Client used to partition anonymity sets; see <xref target="rotation-and-consistency"/> for more information about these privacy considerations.</t> </section> <section anchor="issuance-protocol"> <name>Issuance Protocol</name> <t>The Privacy Pass issuanceprotocol,protocols, such as those described in <xreftarget="ISSUANCE"/>, is atarget="RFC9578"/>, are two-messageprotocolprotocols thattakestake as input a TokenChallenge from the redemption protocol (<xref section="2.1" sectionFormat="comma"target="AUTHSCHEME"/>)target="RFC9577"/>) andproducesproduce aTokentoken (<xref section="2.2" sectionFormat="comma"target="AUTHSCHEME"/>),target="RFC9577"/>), as shown in <xref target="fig-overview"/>.</t> <t>The structure and semantics of the TokenRequest and TokenResponse messages depend on the issuance protocol and token type being used; see <xreftarget="ISSUANCE"/>target="RFC9578"/> for more information.</t> <t>Clients interact with the Attester and Issuer to produce a token for a challenge. The context in which an Attester vouches for a Client during issuance is referred to as the attestation context. This context includes all information associated with the issuance event, such as the timestamp of the event and Client-visible information, including the IP address or other information specific to the type of attestation done.</t> <t>Each issuance protocol may be different, e.g., in the number and types of participants, underlying cryptographic constructions used when issuing tokens, and even privacy properties.</t> <t>Clients initiate the issuance protocol using the token challenge, a randomly generated nonce, and a public key for the Issuer, all of which are the Client's private input to the protocol and ultimately bound to an outputToken;token; see <xref section="2.2" sectionFormat="of"target="AUTHSCHEME"/>target="RFC9577"/> for details. Future specifications may change or extend the Client's input to the issuance protocol to produceTokenstokens with a different structure.</t> <t>Token properties vary based on the issuance protocol. Important properties supported in this architecture are described below.</t> <ol spacing="normal" type="1"><li>Public verifiability. This means that theTokentoken can be verified using the Issuerpublic key.Public Key. ATokentoken that does not have public verifiability can only be verified using the Issuer secret key.</li> <li>Public metadata. This means that theTokentoken can be cryptographically bound to arbitrary public information. See <xref target="metadata-privacy"/> for privacy considerationsofregarding public metadata.</li> <li>Private metadata. This means that theTokentoken can be cryptographically bound to arbitrary private information, i.e., information that the Client does not observe duringTokentoken issuance or redemption. See <xref target="metadata-privacy"/> for privacy considerationsofregarding private metadata.</li> </ol> <t>The issuance protocol itself can be any interactive protocol between the Client, Issuer, or other parties that produces a valid token bound to the Client's private input, subject to the following security requirements.</t> <ol spacing="normal" type="1"><li>Unconditional input secrecy. The issuance protocolMUST NOT<bcp14>MUST NOT</bcp14> reveal anything about the Client's private input, including the challenge and nonce, to the Attester or Issuer, regardless of the hardness assumptions of the underlying cryptographic protocol(s). This property is sometimes also referred to as blindness.</li> <li>One-more forgery security. The issuance protocolMUST NOT<bcp14>MUST NOT</bcp14> allow malicious Clients or Attesters (acting as Clients) to forge tokens offline or otherwise without interacting with the Issuer directly.</li> <li>Concurrent security. The issuance protocolMUST<bcp14>MUST</bcp14> be safe to run concurrently with arbitrarily many Clients,AttestersAttesters, and Issuers.</li> </ol> <t>See <xref target="extensions"/> for requirements on new issuance protocol variants and related extensions.</t> <t>In the sections below, we describe the Attester and Issuer roles in more detail.</t> <section anchor="attester"> <name>Attester Role</name> <t>In Privacy Pass, attestation is the process by which an Attester bears witness to, confirms, or authenticates a Client so as to verify properties about the Client that are required forIssuance.issuance. Issuers trust Attesters to perform attestation correctly, i.e., to implement attestation procedures in such a way that those procedures are not subverted or bypassed by malicious Clients.</t> <t><xref target="RFC9334"/> describes an architecture for attestation procedures. Using that architecture as a conceptual basis, Clients are RATSattestersAttesters that produce attestation evidence, and Attesters are RATSverifiersVerifiers that appraise the validity of attestation evidence.</t> <t>The type of attestation procedure is a deployment-specific option and outside the scope of the issuance protocol. Example attestation procedures are below.</t> <ul spacing="normal"> <li>Solving a CAPTCHA. Clients that solve CAPTCHA challenges can be attested to have this capability for the purpose of being ruled out as a bot or otherwise automated Client.</li> <li>Presenting evidence of Client device validity. Some Clients run on trusted hardware thatareis capable of producing device-level attestation evidence.</li> <li>Proving properties about Client state. Clients can be associated withstatestate, and the Attester can verify this state. Examples of state include the Client's geographic region and whether the Client has a valid application-layer account.</li> </ul> <t>Attesters may support different types of attestation procedures.</t> <t>Each attestation procedure has different security properties. For example, attesting to having a valid account is different from attesting to running on trusted hardware. Supporting multiple attestation procedures is an important step towards ensuring equitable access for Clients; see <xref target="discrimination"/>.</t> <t>The role of the Attester in the issuance protocol and its impact on privacydependsdepend on the type of attestation procedure, issuance protocol, and deployment model. For instance, increasing the number of required attestation procedures could decrease the overall anonymity set size. As an example, the number of Clients that have solved a CAPTCHA in the past day, that have a valid account, and that are running on a trusted device is less than the number of Clients that have solved a CAPTCHA in the past day. See <xref target="rotation-and-consistency"/> for more discussion of how the variety of attestation procedures can negatively impact Client privacy.</t> <t>Depending on the issuance protocol, the Issuer might learn information about the Origin. To ensure Issuer-Client unlinkability, the Issuer should be unable to link that information to a specific Client. For such issuance protocols where the Attester has access to Client-specific information, such as is the case for attestation procedures that involve Client-specific information (such as application-layer account information) or for deployment models where the Attester learns Client-specific information (such as Client IP addresses), Clients trust the Attester to not share any Client-specific information with the Issuer. In deployments where the Attester does not learn Client-specificinformation,information or where the Attester and Issuer are operated by the same entity (such as in the Joint Attester and Issuer model described in <xref target="deploy-joint-issuer"/>), the Client does not need to explicitly trust the Attester in this regard.</t> <t>Issuers trust Attesters to correctly and reliably perform attestation. However, certain types of attestation procedures can vary in value over time, e.g., if the attestation procedure is compromised. Broken attestation procedures are considered exceptional events and require configuration changes to address the underlying cause. For example, if an attestation procedure is compromised or subverted because of a zero-day exploit on devices that implement the attestation procedure, then the corresponding attestation procedure should be untrusted until the exploit is patched. Addressing changes in attestation quality is therefore a deployment-specific task. In SplitAttesterOrigin, Attester, and Issuer deployments (see <xref target="deploy-split"/>), Issuers can choose to remove compromised Attesters from their trusted set until the compromise is patched.</t> <t>From the perspective of an Origin, tokens produced by an Issuer with at least one compromised Attester cannot betrustedtrusted, assuming that the Origin does not know which attestation procedure was used for issuance. This is because the Origin cannot distinguish between tokens that were issued via compromised Attesters and tokens that were issued via uncompromisedAttestersAttesters, absent some distinguishing information in the tokens themselves or from the Issuer. As a result, until the attestation procedure is fixed, the Issuer cannot be trusted by Origins. Moreover, as a consequence, any tokens issued by an Issuer with a compromisedattesterAttester may no longer be trusted by Origins, even if those tokens were issued to Clients interacting with an uncompromised Attester.</t> </section> <section anchor="issuer-role"> <name>Issuer Role</name> <t>In Privacy Pass, the Issuer is responsible for completing the issuance protocol for Clients that complete attestation through a trusted Attester. As described in <xref target="attester"/>, Issuers explicitly trust Attesters to correctly and reliably perform attestation. Origins explicitly trust Issuers to only issue tokens from trusted Attesters. Clients do not explicitly trust Issuers.</t> <t>Depending on the deployment model case, issuance may require some form of Client anonymization service, similar to an IP-hiding proxy, so that Issuers cannot learn information about Clients. This can be provided by an explicit participant in the issuance protocol, or it can be provided via external means, such as through the use of an IP-hiding proxy service like Tor <xref target="DMS2004"/>. In general, ClientsSHOULD<bcp14>SHOULD</bcp14> minimize or remove identifying information where possible when invoking the issuance protocol.</t> <t>Issuers are uniquely identifiable by all Clients with a consistent identifier. In a web context, this identifier might be the Issuerhost name.hostname. Issuers maintain one or more configurations, including issuance key pairs, for use in the issuance protocol. Each configuration is assumed to have a unique and canonical identifier, sometimes referred to as a key identifier or key ID. Issuers can rotate these configurations as needed to mitigate the risk of compromise; see <xref target="rotation-and-consistency"/> for more considerations around configuration rotation. The Issuerpublic keyPublic Key for each active configuration is made available to Origins and Clients for use in the issuance and redemption protocols.</t> </section> <section anchor="metadata"> <name>Issuance Metadata</name> <t>Certain instantiations of the issuance protocol may permit public or private metadata to be cryptographically bound to a token. As an example, one trivial way to include public metadata is to assign a unique Issuerpublic keyPublic Key for each value of metadata, such that N keysyieldsyield log<sub>2</sub>(N) bits of metadata. Metadata may be public or private.</t> <t>Public metadata is metadata thatwhich clientsClients can observe as part of the token issuance flow. Public metadata caneitherbe either transparent or opaque. For example, transparent public metadata is a value thatthe clienteither the Client generatesitself,itself or the Issuer provides during the issuance flow and that theclientClient can check for correctness. Opaque public metadata is metadata theclientClient can see but cannot check for correctness. As an example, the opaque public metadata might be a "fraud detection signal", computed on behalf of the Issuer, during token issuance. Generally speaking, Clients cannot determine if this value is generated in a way that permits tracking.</t> <t>Private metadata is metadata thatwhichClients cannot observe as part of the token issuance flow. Such instantiations can be built on thePrivate Metadata Bitprivate metadata bit construction from Kreuter etal. <xrefal. <xref target="KLOR20"/> or the attribute-basedVOPRFVerifiable Oblivious Pseudorandom Function (VOPRF) from Huang etal. <xrefal. <xref target="HIJK21"/>.</t> <t>Metadata can be arbitrarily long or bounded in length. The amount of permitted metadata may be determined by an application or by the underlying cryptographic protocol. The total amount of metadata bits included in a token is the sum of public and private metadata bits. Every bit of metadata can be used to partition the Client issuance or redemption anonymity sets; see <xref target="metadata-privacy"/> for more information.</t> </section> <section anchor="extensions"> <name>Future Issuance Protocol Requirements</name> <t>The Privacy Pass architecture and ecosystem are both intended to be receptive to extensions that expand the current set of functionalities through new issuance protocols. Each new issuance protocol and extensionMUST<bcp14>MUST</bcp14> adhere to the following requirements:</t> <ol spacing="normal" type="1"><li>Include a detailed analysis of the privacy impacts of the extension, why these impacts are justified, and guidelines on how to use the protocol to mitigate or minimize negative deployment or privacy consequences discussed in<xref target="deployment-considerations"/>Sections <xref target="deployment-considerations" format="counter"/> and <xreftarget="privacy"/>,target="privacy" format="counter"/>, respectively.</li> <li>Adhere to the guidelines specified in <xref target="issuer-role"/> for managing Issuerpublic keyPublic Key data.</li> <li>Clearly specify how to interpret and validate TokenChallenge andTokentoken messages that are exchanged during the redemption protocol.</li> </ol> </section> </section> <section anchor="flow"> <name>Information Flow</name> <t>The end-to-end process of redemption and issuance protocols involves information flowing between the Issuer, Origin, Client, and Attester. That information can have implications on the privacy goals that Privacy Pass aims to provide as outlined in <xref target="privacy-and-trust"/>. In this section, we describe the flow of information between each party. How this information affects the privacy goals in particular deployment models is further discussed in <xref target="deployment"/>.</t> <section anchor="challenge-flow"> <name>Token Challenge Flow</name> <t>To use Privacy Pass, Origins choose an Issuer from which they are willing to accept tokens. Origins then construct a token challenge using this specified Issuer and information from the redemption context it shares with the Client. This token challenge is then delivered to a Client. The token challenge conveys information about the Issuer and the redemption context, such as whether the Origin desires a per-Origin or cross-Origin token. Any entity that sees the token challenge might learn things about the Client as known to the Origin. This is why input secrecy is a requirement for issuance protocols, as it ensures that the challenge is not directly available to the Issuer.</t> </section> <section anchor="attestation-flow"> <name>Attestation Flow</name> <t>Clients interact with the Attester to prove that they meet some required set of properties. In doing so, Clients contribute information to the attestation context, which might include sensitive information such as application-layer identities, IP addresses, and so on. Clients can choose whether or not to contribute this information based on local policy or preference.</t> </section> <section anchor="issue-flow"> <name>Issuance Flow</name> <t>Clients use the issuance protocol to produce a token bound to a token challenge. In doing so, there are several ways in which the issuance protocol contributes information to the attestation or issuance contexts. For example, a token request may contribute information to the attestation or issuance contexts as described below.</t> <ul spacing="normal"> <li>Issuance protocol. The type of issuance protocol can contribute information about the Issuer's capabilities to the attestation or issuance contexts, as well as the capabilities of a given Client. For example, if a Client is presented with multiple issuance protocol options, then the choice of which issuance protocol to use can contribute information about the Client's capabilities.</li> <li>Issuer configuration. Information about the Issuer configuration, such as its identity or the public key used to validate tokens it creates, can be revealed during issuance and contribute to the attestation or issuance contexts.</li> <li>Attestation information. The issuance protocol can contribute information to the attestation or issuance contexts based on what attestation procedure the Issuer uses to trust a token request. In particular, a token request that is validated by a given Attester means that the Clientwhichthat generated the token request must be capable ofthecompleting the designated attestation procedure.</li> <li>Origin information. The issuance protocol can contribute information about the Origin that challenged theClient inClient; see <xref target="challenge-flow"/>. In particular, a token request designated for a specific Issuer might imply that the resulting token is for an Origin that trusts the specified Issuer. However, this is not always true, as some token requests can correspond to cross-Origin tokens, i.e., they are tokens that would be accepted at any Origin that accepts the cross-Origin token.</li> </ul> <t>Moreover, a token may contribute information to the issuance attestation or contexts as described below.</t> <ul spacing="normal"> <li>Origin information. The issuance protocol can contribute information about the Origin in how it responds to a token request. For example, if an Issuer learns the Origin during issuance and is also configured to respond in some way on the basis of that information, and the Client interacts with the Issuer transitively through the Attester, that response can reveal information to the Attester.</li> <li>Token. The token produced by the issuance protocol can contain information from the issuance context. In particular, depending on the issuance protocol, tokens can contain public or private metadata, and Issuers can choose that metadata on the basis of information in the issuance context.</li> </ul> <t>Exceptional cases in the issuance protocol, such as when either the Attester or Issuer aborts the protocol, can contribute information to the attestation or issuance contexts. The extent to which information in this context harms the Issuer-Client or Attester-Origin unlinkability goals as discussed in <xref target="privacy-and-trust"/> depends on the deployment model; see <xref target="deployment"/>. Clients can choose whether or not to contribute information to these contexts based on local policy or preference.</t> </section> <section anchor="redemption-flow"> <name>Token Redemption Flow</name> <t>Clients send tokens to Origins during the redemption protocol. Any information that is added to the token during issuance can therefore be sent to the Origin. Information caneitherbeexplicitlyeither (1) explicitly passed in atoken,token orit can be implicit(2) implicit in the way the Client responds to a token challenge. For example, if a Client fails to completeissuance,issuance and consequently fails to redeem a token for a token challenge, this can reveal information to the Origin that it might not otherwise have access to. However, an Origin cannot necessarily distinguish between a Client that fails to complete issuance and one that ignores the token challenge altogether.</t> </section> </section> </section> <section anchor="deployment"> <name>Deployment Models</name> <t>The Origin, Attester, and Issuer portrayed in <xref target="fig-overview"/> can be instantiated and deployed in a number of ways. The deployment model directly influences the manner in which attestation, issuance, and redemption contexts are separated to achieve Origin-Client, Issuer-Client, and Attester-Origin unlinkability.</t> <t>This section covers some expected deployment models and their corresponding security and privacy considerations. Each deployment model is described in terms of the trust relationships and communication patterns between the Client, Attester, Issuer, and Origin. Entities drawn within the same bounding box are assumed to be operated by the same party and are therefore able to collude. Collusion can enable linking of attestation, issuance, and redemption contexts. Entities not drawn within the same bounding boxare assumed to not collude, meaning that entities(i.e., operated by separateparties that doparties) are assumed to not collude. Mechanisms for enforcing non-collusion are out of scope for this architecture.</t> <section anchor="deploy-shared"> <name>Shared Origin, Attester, Issuer</name> <t>In this model, the Origin, Attester, and Issuer are all operated by the same entity, as shown in <xref target="fig-deploy-shared"/>.</t> <figure anchor="fig-deploy-shared"> <name>Shared Deployment Model</name> <artset> <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1"height="256" width="528"viewBox="0 0 528 256" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round"> <path d="M 8,48 L 8,80" fill="none" stroke="black"/> <path d="M 40,80 L 40,240" fill="none" stroke="black"/> <path d="M 80,48 L 80,80" fill="none" stroke="black"/> <path d="M 144,32 L 144,80" fill="none" stroke="black"/> <path d="M 168,48 L 168,80" fill="none" stroke="black"/> <path d="M 216,80 L 216,104" fill="none" stroke="black"/> <path d="M 216,120 L 216,160" fill="none" stroke="black"/> <path d="M 256,48 L 256,80" fill="none" stroke="black"/> <path d="M 304,48 L 304,80" fill="none" stroke="black"/> <path d="M 344,80 L 344,96" fill="none" stroke="black"/> <path d="M 344,128 L 344,192" fill="none" stroke="black"/> <path d="M 376,48 L 376,80" fill="none" stroke="black"/> <path d="M 424,48 L 424,80" fill="none" stroke="black"/> <path d="M 456,80 L 456,208" fill="none" stroke="black"/> <path d="M 496,48 L 496,80" fill="none" stroke="black"/> <path d="M 520,48 L 520,80" fill="none" stroke="black"/> <path d="M 144,32 L 504,32" fill="none" stroke="black"/> <path d="M 8,48 L 80,48" fill="none" stroke="black"/> <path d="M 168,48 L 256,48" fill="none" stroke="black"/> <path d="M 304,48 L 376,48" fill="none" stroke="black"/> <path d="M 424,48 L 496,48" fill="none" stroke="black"/> <path d="M 8,80 L 80,80" fill="none" stroke="black"/> <path d="M 168,80 L 256,80" fill="none" stroke="black"/> <path d="M 304,80 L 376,80" fill="none" stroke="black"/> <path d="M 424,80 L 496,80" fill="none" stroke="black"/> <path d="M 160,96 L 208,96" fill="none" stroke="black"/> <path d="M 224,96 L 336,96" fill="none" stroke="black"/> <path d="M 352,96 L 448,96" fill="none" stroke="black"/> <path d="M 464,96 L 504,96" fill="none" stroke="black"/> <path d="M 48,112 L 304,112" fill="none" stroke="black"/> <path d="M 440,112 L 456,112" fill="none" stroke="black"/> <path d="M 48,142 L 72,142" fill="none" stroke="black"/> <path d="M 48,146 L 72,146" fill="none" stroke="black"/> <path d="M 184,142 L 208,142" fill="none" stroke="black"/> <path d="M 184,146 L 208,146" fill="none" stroke="black"/> <path d="M 40,176 L 128,176" fill="none" stroke="black"/> <path d="M 248,176 L 336,176" fill="none" stroke="black"/> <path d="M 48,192 L 128,192" fill="none" stroke="black"/> <path d="M 256,192 L 344,192" fill="none" stroke="black"/> <path d="M 40,224 L 208,224" fill="none" stroke="black"/> <path d="M 272,224 L 456,224" fill="none" stroke="black"/> <path d="M 504,32 C 512.83064,32 520,39.16936 520,48" fill="none" stroke="black"/> <path d="M 160,96 C 151.16936,96 144,88.83064 144,80" fill="none" stroke="black"/> <path d="M 504,96 C 512.83064,96 520,88.83064 520,80" fill="none" stroke="black"/> <polygon class="arrowhead" points="464,224 452,218.4 452,229.6" fill="black" transform="rotate(0,456,224)"/> <polygon class="arrowhead" points="344,176 332,170.4 332,181.6" fill="black" transform="rotate(0,336,176)"/> <polygon class="arrowhead" points="216,144 204,138.4 204,149.6" fill="black" transform="rotate(0,208,144)"/> <polygon class="arrowhead" points="56,192 44,186.4 44,197.6" fill="black" transform="rotate(180,48,192)"/> <polygon class="arrowhead" points="56,144 44,138.4 44,149.6" fill="black" transform="rotate(180,48,144)"/> <polygon class="arrowhead" points="56,112 44,106.4 44,117.6" fill="black" transform="rotate(180,48,112)"/> <g class="text"> <text x="44" y="68">Client</text> <text x="212" y="68">Attester</text> <text x="340" y="68">Issuer</text> <text x="460" y="68">Origin</text> <text x="372" y="116">TokenChallenge</text> <text x="128" y="148">Attestation</text> <text x="188" y="180">TokenRequest</text> <text x="192" y="196">TokenResponse</text> <text x="240" y="228">Token</text> <text x="456" y="244">|</text> </g> </svg> </artwork> <artwork type="ascii-art"><![CDATA[ +---------------------------------------------. +--------+ | +----------+ +--------+ +--------+ | | Client | | | Attester | | Issuer | | Origin | | +---+----+ | +-----+----+ +----+---+ +---+----+ | | `-------|---------------|-------------|------' |<-------------------------------- TokenChallenge --+ | | | | |<=== Attestation ===>| | | | | | | +----------- TokenRequest ----------->| | |<---------- TokenResponse -----------+ | | | +--------------------- Token -----------------------> | | ]]></artwork> </artset> </figure> <t>This model represents the initial deployment of Privacy Pass, as described in <xref target="PrivacyPassCloudflare"/>. In this model, the Attester, Issuer, and Origin share the attestation, issuance, and redemption contexts. As a result, attestation mechanisms that can uniquely identify a Client, e.g., requiring that Clients authenticate with some type of application-layer account, are not appropriate, as they could lead to unlinkability violations.</t> <t>Origin-Client, Issuer-Client, and Attester-Origin unlinkability requires that issuance and redemption events be separated over time, such as through the use of tokens that correspond to token challenges with an empty redemption context (see <xref target="redemption"/>), or that they be separated over space, such as through the use of an anonymizing service when connecting to the Origin.</t> </section> <section anchor="deploy-joint-issuer"> <name>Joint Attester and Issuer</name> <t>In this model, the Attester and Issuer are operated by the sameentity that isentity, separate from the Origin. The Origin trusts the joint Attester and Issuer to perform attestation and issueTokens.tokens. Clients interact with the joint Attester and Issuer for attestation and issuance. This arrangement is shown in <xref target="fig-deploy-joint-issuer"/>.</t> <figure anchor="fig-deploy-joint-issuer"> <name>Joint Attester and Issuer Deployment Model</name> <artset> <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1"height="256" width="520"viewBox="0 0 520 256" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round"> <path d="M 8,48 L 8,80" fill="none" stroke="black"/> <path d="M 40,80 L 40,240" fill="none" stroke="black"/> <path d="M 80,48 L 80,80" fill="none" stroke="black"/> <path d="M 160,32 L 160,80" fill="none" stroke="black"/> <path d="M 184,48 L 184,80" fill="none" stroke="black"/> <path d="M 232,80 L 232,104" fill="none" stroke="black"/> <path d="M 232,120 L 232,160" fill="none" stroke="black"/> <path d="M 272,48 L 272,80" fill="none" stroke="black"/> <path d="M 320,48 L 320,80" fill="none" stroke="black"/> <path d="M 360,80 L 360,96" fill="none" stroke="black"/> <path d="M 360,128 L 360,192" fill="none" stroke="black"/> <path d="M 392,48 L 392,80" fill="none" stroke="black"/> <path d="M 416,48 L 416,80" fill="none" stroke="black"/> <path d="M 440,48 L 440,80" fill="none" stroke="black"/> <path d="M 472,80 L 472,208" fill="none" stroke="black"/> <path d="M 512,48 L 512,80" fill="none" stroke="black"/> <path d="M 160,32 L 400,32" fill="none" stroke="black"/> <path d="M 8,48 L 80,48" fill="none" stroke="black"/> <path d="M 184,48 L 272,48" fill="none" stroke="black"/> <path d="M 320,48 L 392,48" fill="none" stroke="black"/> <path d="M 440,48 L 512,48" fill="none" stroke="black"/> <path d="M 8,80 L 80,80" fill="none" stroke="black"/> <path d="M 184,80 L 272,80" fill="none" stroke="black"/> <path d="M 320,80 L 392,80" fill="none" stroke="black"/> <path d="M 440,80 L 512,80" fill="none" stroke="black"/> <path d="M 176,96 L 224,96" fill="none" stroke="black"/> <path d="M 240,96 L 352,96" fill="none" stroke="black"/> <path d="M 368,96 L 400,96" fill="none" stroke="black"/> <path d="M 48,112 L 320,112" fill="none" stroke="black"/> <path d="M 456,112 L 472,112" fill="none" stroke="black"/> <path d="M 48,142 L 80,142" fill="none" stroke="black"/> <path d="M 48,146 L 80,146" fill="none" stroke="black"/> <path d="M 192,142 L 224,142" fill="none" stroke="black"/> <path d="M 192,146 L 224,146" fill="none" stroke="black"/> <path d="M 40,176 L 144,176" fill="none" stroke="black"/> <path d="M 264,176 L 352,176" fill="none" stroke="black"/> <path d="M 48,192 L 136,192" fill="none" stroke="black"/> <path d="M 264,192 L 360,192" fill="none" stroke="black"/> <path d="M 40,224 L 224,224" fill="none" stroke="black"/> <path d="M 288,224 L 472,224" fill="none" stroke="black"/> <path d="M 400,32 C 408.83064,32 416,39.16936 416,48" fill="none" stroke="black"/> <path d="M 176,96 C 167.16936,96 160,88.83064 160,80" fill="none" stroke="black"/> <path d="M 400,96 C 408.83064,96 416,88.83064 416,80" fill="none" stroke="black"/> <polygon class="arrowhead" points="480,224 468,218.4 468,229.6" fill="black" transform="rotate(0,472,224)"/> <polygon class="arrowhead" points="360,176 348,170.4 348,181.6" fill="black" transform="rotate(0,352,176)"/> <polygon class="arrowhead" points="232,144 220,138.4 220,149.6" fill="black" transform="rotate(0,224,144)"/> <polygon class="arrowhead" points="56,192 44,186.4 44,197.6" fill="black" transform="rotate(180,48,192)"/> <polygon class="arrowhead" points="56,144 44,138.4 44,149.6" fill="black" transform="rotate(180,48,144)"/> <polygon class="arrowhead" points="56,112 44,106.4 44,117.6" fill="black" transform="rotate(180,48,112)"/> <g class="text"> <text x="44" y="68">Client</text> <text x="228" y="68">Attester</text> <text x="356" y="68">Issuer</text> <text x="476" y="68">Origin</text> <text x="388" y="116">TokenChallenge</text> <text x="136" y="148">Attestation</text> <text x="204" y="180">TokenRequest</text> <text x="200" y="196">TokenResponse</text> <text x="256" y="228">Token</text> <text x="472" y="244">|</text> </g> </svg> </artwork> <artwork type="ascii-art"><![CDATA[ +------------------------------. +--------+ | +----------+ +--------+ | +--------+ | Client | | | Attester | | Issuer | | | Origin | +---+----+ | +-----+----+ +----+---+ | +---+----+ | `-------|---------------|-----' | |<---------------------------------- TokenChallenge --+ | | | | |<==== Attestation ====>| | | | | | | +------------- TokenRequest ----------->| | |<----------- TokenResponse ------------+ | | | +----------------------- Token -----------------------> | | ]]></artwork> </artset> </figure> <t>This model is useful if an Origin wants to offload attestation and issuance to a trusted entity. In this model, the Attester and Issuer share an attestation and issuance context for the Client,which isseparate from the Origin's redemption context.</t> <t>Similar to theSharedshared Origin, Attester, Issuer model, Issuer-Client and Origin-Client unlinkability in this model requires that issuance and redemption events, respectively, be separated over time or space. Attester-Origin unlinkability requires that the Attester and Issuer do not learn the Origin for a particular token request. For this reason, issuance protocols that require the Issuer to learn information about the Origin, such asthat which isthe issuance protocol described in <xreftarget="RATE-LIMITED"/>,target="I-D.ietf-privacypass-rate-limit-tokens"/>, are notappropriateappropriate, since they could lead to Attester-Origin unlinkability violations through the Origin name.</t> </section> <section anchor="deploy-joint-origin"> <name>Joint Origin and Issuer</name> <t>In this model, the Origin and Issuer are operated by the same entity, separate from the Attester, as shown inthe figure below.<xref target="fig-deploy-joint-origin"/>. The Issuer accepts token requests that come from trusted Attesters. Since the Attester and Issuer are separate entities, this model requires some mechanism by which Issuers establish trust in the Attester (as described in <xref target="privacy-and-trust"/>). For example, in settings where the Attester is a Client-trusted service that directly communicates with the Issuer, one way to establish this trust is viamutually-authenticatedmutually authenticated TLS. However, alternative authentication mechanisms are possible.This arrangement isIn this model, the Origin and Issuer are operated by the same entity, separate from the Attester, as shown in<xref target="fig-deploy-joint-origin"/>.</t>the figure below.</t> <figure anchor="fig-deploy-joint-origin"> <name>Joint Origin and Issuer Deployment Model</name> <artset> <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1"height="256" width="528"viewBox="0 0 528 256" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round"> <path d="M 8,48 L 8,80" fill="none" stroke="black"/> <path d="M 40,80 L 40,240" fill="none" stroke="black"/> <path d="M 80,48 L 80,80" fill="none" stroke="black"/> <path d="M 168,48 L 168,80" fill="none" stroke="black"/> <path d="M 216,80 L 216,104" fill="none" stroke="black"/> <path d="M 216,120 L 216,160" fill="none" stroke="black"/> <path d="M 256,48 L 256,80" fill="none" stroke="black"/> <path d="M 280,32 L 280,80" fill="none" stroke="black"/> <path d="M 304,48 L 304,80" fill="none" stroke="black"/> <path d="M 344,80 L 344,96" fill="none" stroke="black"/> <path d="M 344,128 L 344,192" fill="none" stroke="black"/> <path d="M 376,48 L 376,80" fill="none" stroke="black"/> <path d="M 424,48 L 424,80" fill="none" stroke="black"/> <path d="M 456,80 L 456,208" fill="none" stroke="black"/> <path d="M 496,48 L 496,80" fill="none" stroke="black"/> <path d="M 520,48 L 520,80" fill="none" stroke="black"/> <path d="M 280,32 L 504,32" fill="none" stroke="black"/> <path d="M 8,48 L 80,48" fill="none" stroke="black"/> <path d="M 168,48 L 256,48" fill="none" stroke="black"/> <path d="M 304,48 L 376,48" fill="none" stroke="black"/> <path d="M 424,48 L 496,48" fill="none" stroke="black"/> <path d="M 8,80 L 80,80" fill="none" stroke="black"/> <path d="M 168,80 L 256,80" fill="none" stroke="black"/> <path d="M 304,80 L 376,80" fill="none" stroke="black"/> <path d="M 424,80 L 496,80" fill="none" stroke="black"/> <path d="M 296,96 L 336,96" fill="none" stroke="black"/> <path d="M 352,96 L 448,96" fill="none" stroke="black"/> <path d="M 464,96 L 504,96" fill="none" stroke="black"/> <path d="M 48,112 L 304,112" fill="none" stroke="black"/> <path d="M 440,112 L 456,112" fill="none" stroke="black"/> <path d="M 48,142 L 72,142" fill="none" stroke="black"/> <path d="M 48,146 L 72,146" fill="none" stroke="black"/> <path d="M 184,142 L 208,142" fill="none" stroke="black"/> <path d="M 184,146 L 208,146" fill="none" stroke="black"/> <path d="M 40,176 L 136,176" fill="none" stroke="black"/> <path d="M 256,176 L 336,176" fill="none" stroke="black"/> <path d="M 48,192 L 128,192" fill="none" stroke="black"/> <path d="M 256,192 L 344,192" fill="none" stroke="black"/> <path d="M 40,224 L 208,224" fill="none" stroke="black"/> <path d="M 272,224 L 456,224" fill="none" stroke="black"/> <path d="M 504,32 C 512.83064,32 520,39.16936 520,48" fill="none" stroke="black"/> <path d="M 296,96 C 287.16936,96 280,88.83064 280,80" fill="none" stroke="black"/> <path d="M 504,96 C 512.83064,96 520,88.83064 520,80" fill="none" stroke="black"/> <polygon class="arrowhead" points="464,224 452,218.4 452,229.6" fill="black" transform="rotate(0,456,224)"/> <polygon class="arrowhead" points="344,176 332,170.4 332,181.6" fill="black" transform="rotate(0,336,176)"/> <polygon class="arrowhead" points="216,144 204,138.4 204,149.6" fill="black" transform="rotate(0,208,144)"/> <polygon class="arrowhead" points="56,192 44,186.4 44,197.6" fill="black" transform="rotate(180,48,192)"/> <polygon class="arrowhead" points="56,144 44,138.4 44,149.6" fill="black" transform="rotate(180,48,144)"/> <polygon class="arrowhead" points="56,112 44,106.4 44,117.6" fill="black" transform="rotate(180,48,112)"/> <g class="text"> <text x="44" y="68">Client</text> <text x="212" y="68">Attester</text> <text x="340" y="68">Issuer</text> <text x="460" y="68">Origin</text> <text x="372" y="116">TokenChallenge</text> <text x="128" y="148">Attestation</text> <text x="196" y="180">TokenRequest</text> <text x="192" y="196">TokenResponse</text> <text x="240" y="228">Token</text> <text x="456" y="244">|</text> </g> </svg> </artwork> <artwork type="ascii-art"><![CDATA[ +----------------------------. +--------+ +----------+ | +--------+ +--------+ | | Client | | Attester | | | Issuer | | Origin | | +---+----+ +-----+----+ | +----+---+ +---+----+ | | | `------|-------------|------' |<-------------------------------- TokenChallenge --+ | | | | |<=== Attestation ===>| | | | | | | +------------ TokenRequest ---------->| | |<---------- TokenResponse -----------+ | | | +--------------------- Token -----------------------> | | ]]></artwork> </artset> </figure> <t>This model is useful for Origins that require Client-identifying attestation, e.g., through the use of application-layer account information, but do not otherwise want to learn information about individual Clients beyond what is observed during the token redemption, such as Client IP addresses.</t> <t>In this model, attestation contexts are separate fromissuerIssuer and redemption contexts. As a result, any type of attestation is suitable in this model.</t> <t>Moreover,any type of token challenge is suitableassuming that there is more than one Origin involved, any type of token challenge is suitable, since no single party will have access to the identifying Client information and unique Origin information. Issuers that produce tokens for a single Origin are not suitable in thismodelmodel, since an Attester can infer the Origin from a token request, as described in <xref target="issue-flow"/>. However, since the issuance protocol provides input secrecy, the Attester does not learn details about the corresponding token challenge, such as whether the token challenge isper-Originper Origin orcross-Origin.</t>across Origins.</t> </section> <section anchor="deploy-split"> <name>Split Origin, Attester, Issuer</name> <t>In this model, the Origin, Attester, and Issuer are all operated by different entities. As with thejointJoint Origin and Issuermodel,model (<xref target="deploy-joint-origin"/>), the Issuer accepts token requests that come from trusted Attesters, and the details of that trust establishment depend on the issuance protocol and relationship between the Attester and Issuer; see <xref target="privacy-and-trust"/>. This arrangement is shown in <xref target="fig-overview"/>.</t> <t>This is the most general deploymentmodel,model and is necessary for some types of issuance protocols where the Attester plays a role in token issuance; see <xreftarget="RATE-LIMITED"/>target="I-D.ietf-privacypass-rate-limit-tokens"/> for one such type of issuance protocol.</t> <t>In this model, the Attester, Issuer, and Origin have a separate view of the Client: the Attester sees potentially sensitiveClient identifyingClient-identifying information, such as account identifiers or IPaddresses,addresses; the Issuer sees only the information necessary forissuance,issuance; and the Origin sees token challenges, corresponding tokens, and Client source information, such as their IP address. As a result, attestation, issuance, and redemption contexts are separate, and therefore any type of token challenge is suitable in this model as long as there is more than a single Origin.</t> <t>Asinwith the Joint Origin and Issuer modelin <xref target="deploy-joint-origin"/>,(<xref target="deploy-joint-origin"/>), and as described in <xref target="issue-flow"/>, if the Issuer produces tokens for a single Origin, then per-Origin tokens are notappropriateappropriate, since the Attester can infer the Origin from a token request.</t> </section> </section> <section anchor="deployment-considerations"> <name>Deployment Considerations</name> <t><xref target="deployment"/> discusses deployment models that are possible in practice. Beyond possible implications on security and privacy properties of the resulting system, Privacy Pass deployments can impact the overall ecosystem in two important ways:(1) discriminatory(1) discriminatory treatment of Clients and the gated access to otherwise openservices,services and(2) centralization.(2) centralization. This section describes considerations relevant to these topics.</t> <section anchor="discrimination"> <name>Discriminatory Treatment</name> <t>Origins can use tokens as a signal for distinguishing betweenClients(1) Clients that are capable of completing attestation with one Attester trusted by the Origin's chosenIssuer,Issuer andClients(2) Clients that are not capable of doing the same. A consequence of this is that Privacy Pass could enable discriminatory treatment of Clients based onAttestationattestation support. For example, an Origin could only authorize Clients that successfully authenticate with a token, prohibiting access to all other Clients.</t> <t>Thetypetypes of attestation procedures supported for a particular deploymentdependsdepend greatly on the use case. For example, consider a proprietary deployment of Privacy Pass that authorizesclientsClients to access a resource such as an anonymization service. In this context, it is reasonable to support specific types of attestation procedures that demonstrate that Clients can access the resource, such as with an account or specific type of device. However, in open deployments of Privacy Pass that are used to safeguard access to otherwise open or publicly accessible resources, diversity in attestation procedures is critically important so as to not discriminate against Clients that choose certain software, hardware, or identity providers.</t> <t>In principle, Issuers should strive to mitigate discriminatory behavior by providing equitable access to all Clients. This can be done by working with a set of Attesters that are suitable for all Clients. In practice, this may requiretradeoffstrade-offs in what type of attestation Issuers are willing to trust so as to enable more widespread support. In other words, trusting a variety of Attesters with a diverse set of attestation procedures would presumably increase support among Clients, though most likely at the expense of decreasing the overall value of tokens issued by the Issuer.</t> <t>For example, to disallow discriminatory behavior between Clients with and without device attestation support, an Issuer may wish to support Attesters that support CAPTCHA-based attestation. This means that the overall attestation value of a Privacy Pass token is bound by the difficulty in spoofing or bypassing either one of these attestation procedures.</t> </section> <section anchor="centralization"> <name>Centralization</name> <t>A consequence of limiting the number of participants (Attesters or Issuers) in Privacy Pass deployments for meaningful privacy is that it forces concentrated centralizationamongstamong those participants. <xreftarget="CENTRALIZATION"/>target="RFC9518"/> discusses several ways in which this might be mitigated. For example, a multi-stakeholder governance model could be established to determine what candidate participants are fit to operate as participants in a Privacy Pass deployment. This is precisely the system used to control the Web's trust model.</t> <t>Alternatively, Privacy Pass deployments might mitigate this problem through implementation. For example, rather than centralize the role of attestation in one or a few entities, attestation could be a distributed function performed by a quorum of many parties, provided that neither Issuers nor Origins learn which Attester implementations were chosen. As a result, Clients could have more opportunities to switch between attestation participants.</t> </section> </section> <section anchor="privacy"> <name>Privacy Considerations</name> <t>The previous section discusses the impact of deployment details on Origin-Client, Issuer-Client, and Attester-Origin unlinkability. The value these propertiesaffordsafford to end users depends on the size of anonymity sets in which Clients or Origins are unlinkable. For example, consider two different deployments, one wherein there exists a redemption anonymity set of size two and another wherein there exists a redemption anonymity set of size 2<sup>32</sup>. Although Origin-Client unlinkability guarantees that the Origin cannot link any two requests to the same Client based on these contexts, respectively, the smaller these sets become, the higher the probability of determining the "true"Client is higher the smaller these sets become.</t>Client.</t> <t>In practice, there are a number of ways in which the size of anonymity sets may be reduced or partitioned, though they all center around the concept of consistency. In particular, by definition, all Clients in an anonymity set share a consistent view of information needed to run the issuance and redemption protocols.AnThe Issuer Public Key is an example of the type of information needed to run theseprotocols is the Issuer public key.protocols. When two Clients have inconsistent information, these Clients effectively have different redemption contexts and therefore belong in different anonymity sets.</t> <t>The followingsectionssubsections discuss issues that can influence anonymity set size. For each issue, we discuss mitigations or safeguards to protect against the underlying problem.</t> <section anchor="metadata-privacy"> <name>Partitioning by Issuance Metadata</name> <t>Any public or private metadata bits of information can be used to further segment the size of theClient'sClient anonymity set. Any Issuer that wanted to track a single Client could add a single metadata bit to Client tokens. For the trackedClientClient, it would set the bit to <tt>1</tt>, and <tt>0</tt> otherwise. Adding additional bits provides an exponential increase in tracking granularitysimilarlyin a manner similar to introducing more Issuers (though with more potential targeting).</t> <t>For this reason, deployments should take the amount of metadata used by an Issuer in creatingredemption tokens must into account --tokens, together with the bits of information that Issuers may learn about Clientsotherwise.through other means, into account. Since this metadata may be useful for practical deployments of Privacy Pass, Issuers must balance this against the reduction in Client privacy.</t> <t>The number of permitted metadata values often depends on deployment-specific details. In general, limiting the amount of metadata permitted helps limit the extent to which metadata can uniquely identify individual Clients. Failure to bound the number of possible metadata values can therefore lead to a reduction in Client privacy. Most token types do not admit any metadata, so this bound is implicitly enforced.</t> </section> <section anchor="rotation-and-consistency"> <name>Partitioning by Issuance Consistency</name> <t>Anonymity sets can be partitioned by information used for the issuance protocol,including:including metadata, Issuer configuration (keys), and Issuer selection.</t> <t>Any issuance metadata bits of information can be used to partition the Client anonymity set. For example, any Issuer that wanted to track a single Client could add a single metadata bit to Client tokens. For the trackedClientClient, it would set the bit to <tt>1</tt>, and <tt>0</tt> otherwise. Adding additional bits provides an exponential increase in tracking granularitysimilarlyin a manner similar to introducing more Issuers (though with more potential targeting).</t> <t>The number of active Issuer configurations also contributes to anonymity set partitioning. In particular, when an Issuer updates their configuration and the corresponding key pair, any Client that invokes the issuance protocol with this configuration becomes part of a set of Clientswhichthat also ran the issuance protocol using the same configuration. Issuer configuration updates, e.g., due to key rotation, are an important part of hedging against long-term private key compromise. In general, key rotations represent a trade-off between Client privacy and Issuer security. Therefore, it is important that key rotations occur on a regular cycle to reduce the harm of an Issuer key compromise.</t> <t>Lastly, if Clients are willing to issue and redeem tokens from a large number of Issuers for a specificOrigin,Origin and that Origin accepts tokens from all Issuers, partitioning can occur. As an example, if a Client obtains tokens from many Issuers and an Origin later challenges that Client for a token from each Issuer, the Origin can learn information about the Client. This arrangement might happen if Clients request tokens from different Issuers, each of whichhavehas different Attester preferences. Each per-Issuer token that a Client holds essentially corresponds to a bit of information about the Client that the Origin learns. Therefore, there is an exponential loss in privacy relative to the number of Issuers.</t> <t>The fundamental problem here is that the number of possible issuance configurations, including the keys in use and the Issuer identities themselves, can partition the Client anonymity set. To mitigate this problem, ClientsSHOULD<bcp14>SHOULD</bcp14> bound the number of active issuance configurations per Origin as well as across Origins. Moreover, ClientsSHOULD<bcp14>SHOULD</bcp14> employ some form of consistency mechanism to ensure that they receive the same configuration information and are not being actively partitioned into smaller anonymity sets. See <xreftarget="CONSISTENCY"/>target="I-D.ietf-privacypass-key-consistency"/> for possible consistency mechanisms. Depending on the deployment, the Attester might assist the Client in applying these consistency checks acrossclients.Clients. Failure to apply a consistency check can allow Client-specific keys to violate Origin-Client unlinkability.</t> </section> <section anchor="partitioning-by-side-channels"> <name>Partitioning bySide-Channels</name>Side Channels</name> <t>Side-channel attacks, such as those based on timing correlation, could be used to reduce anonymity set size. In particular, for interactive tokens that are bound to a Client-specific redemption context, the anonymity set of Clients during the issuance protocol consists of those Clients that started issuance between the time of the Origin's challenge and the corresponding token redemption. Depending on the number of Clients using a particular Issuer during that time window, the set can be small. Applications should take such side channels into consideration before choosing a particular deployment model and type of token challenge and redemption context.</t> </section> </section> <section anchor="security"> <name>Security Considerations</name> <t>This document describes security and privacy requirements for the Privacy Pass redemption and issuance protocols. It also describes deployment models built around non-collusion assumptions and privacy considerations for using Privacy Pass within those models. Ensuring Client privacy -- separation of attestation and redemption contexts -- requires active work on behalf of the Client, especially in the presence of malicious Issuers and Origins. Implementing the mitigations discussed in<xref target="deployment"/>Sections <xref target="deployment" format="counter"/> and <xreftarget="privacy"/>target="privacy" format="counter"/> is therefore necessary to ensure that Privacy Pass offers meaningful privacy improvements toend-users.</t>end users.</t> <section anchor="hoarding"> <name>Token Caching</name> <t>Depending on the Origin's token challenge, Clients can request and cache more than one token using an issuance protocol. Cached tokens help improve privacy by separating the time of token issuance from the time of tokenredemption, andredemption; they also allow Clients to reduce the overhead of receiving new tokens via the issuance protocol.</t> <t>As a consequence, Origins that send token challengeswhichthat are compatible with cached tokens need to take precautions to ensure that tokens are not replayed. This is typically done via keeping track of tokens that are redeemed for the period of time in which cached tokens would be accepted for particular challenges.</t> <t>Moreover, since tokens are not intrinsically bound to Clients, it is possible for malicious Clients to collude and share tokens in a so-called "hoardingattack."attack". As an example of this attack, many distributed Clients could obtain cacheable tokens and then share them with a single Client to redeem the tokens in a way that would violate an Origin's attempt to limit tokens to any one particular Client. In general, mechanisms for mitigating hoarding attacks depend on the deployment model and use case. For example, in the Joint Origin and Issuer model, comparing the issuance and redemption contexts can help detect hoarding attacks, i.e., if the distribution of redemption contexts is noticeably different from the distribution of issuance contexts.Rate limitingRate-limiting issuance,eitherat either the Client, Attester, or Issuer, can also help mitigate these attacks.</t> </section> </section> <section anchor="iana"> <name>IANA Considerations</name> <t>This document has no IANA actions.</t> </section> </middle> <back> <displayreference target="RFC9577" to="AUTHSCHEME"/> <displayreference target="RFC9578" to="ISSUANCE"/> <displayreference target="RFC9458" to="OHTTP"/> <displayreference target="I-D.ietf-privacypass-rate-limit-tokens" to="RATE-LIMITED"/> <displayreference target="RFC9518" to="CENTRALIZATION"/> <displayreference target="I-D.ietf-privacypass-key-consistency" to="CONSISTENCY"/> <references> <name>References</name> <references> <name>Normative References</name> <!-- draft-ietf-privacypass-auth-scheme (RFC 9577) --> <referenceanchor="AUTHSCHEME">anchor="RFC9577" target="https://www.rfc-editor.org/info/rfc9577"> <front> <title>The Privacy Pass HTTP Authentication Scheme</title> <authorfullname="Tommy Pauly"initials="T."surname="Pauly">surname="Pauly" fullname="Tommy Pauly"> <organization>Apple Inc.</organization> </author> <authorfullname="Steven Valdez"initials="S."surname="Valdez">surname="Valdez" fullname="Steven Valdez"> <organization>Google LLC</organization> </author> <authorfullname="Christopher A. Wood"initials="C. A."surname="Wood">surname="Wood" fullname="Christopher A. Wood"> <organization>Cloudflare</organization> </author> <dateday="12" month="September" year="2023"/> <abstract> <t> This document defines an HTTP authentication scheme for Privacy Pass, a privacy-preserving authentication mechanism used for authorization. The authentication scheme in this document can be used by clients to redeem Privacy Pass tokens with an origin. It can also be used by origins to challenge clients to present Privacy Pass tokens. </t> </abstract> </front> <seriesInfo name="Internet-Draft" value="draft-ietf-privacypass-auth-scheme-13"/> </reference> <reference anchor="RFC2119"> <front> <title>Key words for use in RFCs to Indicate Requirement Levels</title> <author fullname="S. Bradner" initials="S." surname="Bradner"/> <date month="March" year="1997"/> <abstract> <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t> </abstract> </front> <seriesInfo name="BCP" value="14"/> <seriesInfo name="RFC" value="2119"/> <seriesInfo name="DOI" value="10.17487/RFC2119"/> </reference> <reference anchor="RFC8174"> <front> <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title> <author fullname="B. Leiba" initials="B." surname="Leiba"/> <date month="May" year="2017"/> <abstract> <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t> </abstract>month="June" year="2024"/> </front> <seriesInfoname="BCP" value="14"/> <seriesInfoname="RFC"value="8174"/>value="9577"/> <seriesInfo name="DOI"value="10.17487/RFC8174"/>value="10.17487/RFC9577"/> </reference> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"/> </references> <references> <name>Informative References</name> <referenceanchor="PrivacyPassExtension" target="https://github.com/privacypass/challenge-bypass-extension"> <front> <title>Privacy Pass Browser Extension</title> <author> <organization/> </author> <date>n.d.</date> </front> </reference> <referenceanchor="PrivacyPassCloudflare" target="https://blog.cloudflare.com/cloudflare-supports-privacy-pass/"> <front> <title>CloudflareSupportssupports Privacy Pass</title> <author initials="N." surname="Sullivan"> <organization>Cloudflare</organization> </author><date>n.d.</date><date month="November" year="2017"/> </front> </reference> <reference anchor="DMS2004" target="https://svn.torproject.org/svn/projects/design-paper/tor-design.html"> <front> <title>Tor: The Second-Generation Onion Router</title> <author initials="R." surname="Dingledine"> <organization/> </author> <author initials="N." surname="Mathewson"> <organization/> </author> <author initials="P." surname="Syverson"> <organization/> </author> <date year="2004"month="August"/>month="May"/> </front> </reference> <reference anchor="HIJK21" target="https://research.fb.com/privatestats"> <front><title>PrivateStats:<title>DIT: De-Identified AuthenticatedLoggingTelemetry at Scale</title> <author initials="S." surname="Huang"> <organization/> </author> <author initials="S." surname="Iyengar"> <organization/> </author> <author initials="S." surname="Jeyaraman"> <organization/> </author> <author initials="S." surname="Kushwah"> <organization/> </author> <authorinitials="C. K."initials="C-K." surname="Lee"> <organization/> </author> <author initials="Z." surname="Luo"> <organization/> </author> <author initials="P." surname="Mohassel"> <organization/> </author> <author initials="A." surname="Raghunathan"> <organization/> </author> <author initials="S." surname="Shaikh"> <organization/> </author> <authorinitials="Y. C."initials="Y-C." surname="Sung"> <organization/> </author> <author initials="A." surname="Zhang"> <organization/> </author> <date year="2021" month="January"/> </front> </reference> <!-- draft-ietf-privacypass-protocol (RFC 9578) --> <referenceanchor="ISSUANCE">anchor="RFC9578" target="https://www.rfc-editor.org/info/rfc9578"> <front> <title>Privacy Pass IssuanceProtocol</title>Protocols</title> <authorfullname="Sofia Celi"initials="S."surname="Celi">surname="Celi" fullname="Sofia Celi"> <organization>Brave Software</organization> </author> <authorfullname="Alex Davidson"initials="A."surname="Davidson">surname="Davidson" fullname="Alex Davidson"> <organization>Brave Software</organization> </author> <authorfullname="Steven Valdez"initials="S."surname="Valdez">surname="Valdez" fullname="Steven Valdez"> <organization>Google LLC</organization> </author> <authorfullname="Christopher A. Wood"initials="C. A."surname="Wood">surname="Wood" fullname="Christopher A. Wood"> <organization>Cloudflare</organization> </author> <dateday="14" month="September" year="2023"/> <abstract> <t> This document specifies two variants of the two-message issuance protocol for Privacy Pass tokens: one that produces tokens that are privately verifiable using the issuance private key, and another that produces tokens that are publicly verifiable using the issuance public key. </t> </abstract> </front> <seriesInfo name="Internet-Draft" value="draft-ietf-privacypass-protocol-14"/> </reference> <reference anchor="RFC9334"> <front> <title>Remote ATtestation procedureS (RATS) Architecture</title> <author fullname="H. Birkholz" initials="H." surname="Birkholz"/> <author fullname="D. Thaler" initials="D." surname="Thaler"/> <author fullname="M. Richardson" initials="M." surname="Richardson"/> <author fullname="N. Smith" initials="N." surname="Smith"/> <author fullname="W. Pan" initials="W." surname="Pan"/> <date month="January" year="2023"/> <abstract> <t>In network protocol exchanges, it is often useful for one end of a communication to know whether the other end is in an intended operating state. This document provides an architectural overview of the entities involved that make such tests possible through the process of generating, conveying, and evaluating evidentiary Claims. It provides a model that is neutral toward processor architectures, the content of Claims, and protocols.</t> </abstract>month="June" year="2024"/> </front> <seriesInfo name="RFC"value="9334"/>value="9578"/> <seriesInfo name="DOI"value="10.17487/RFC9334"/> </reference> <reference anchor="OHTTP"> <front> <title>Oblivious HTTP</title> <author fullname="Martin Thomson" initials="M." surname="Thomson"> <organization>Mozilla</organization> </author> <author fullname="Christopher A. Wood" initials="C. A." surname="Wood"> <organization>Cloudflare</organization> </author> <date day="25" month="August" year="2023"/> <abstract> <t> This document describes Oblivious HTTP, a protocol for forwarding encrypted HTTP messages. Oblivious HTTP allows a client to make multiple requests to an origin server without that server being able to link those requests to the client or to identify the requests as having come from the same client, while placing only limited trust in the nodes used to forward the messages. </t> </abstract> </front> <seriesInfo name="Internet-Draft" value="draft-ietf-ohai-ohttp-10"/>value="10.17487/RFC9578"/> </reference> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9334.xml"/> <!-- draft-ietf-ohai-ohttp (RFC 9458; published) --> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9458.xml"/> <reference anchor="KLOR20" target="https://doi.org/10.1007/978-3-030-56784-2_11"> <front> <title>Anonymous Tokens with Private Metadata Bit</title> <author fullname="Ben Kreuter" surname="Kreuter"/> <author fullname="Tancrède Lepoint" surname="Lepoint"/> <author fullname="Michele Orrù" surname="Orrù"/> <author fullname="Mariana Raykova" surname="Raykova"/> <author> <organization>Springer International Publishing</organization> </author> <date year="2020"/> </front> <refcontent>Advances in Cryptology–- CRYPTO 2020, pp. 308-336</refcontent> <seriesInfo name="DOI" value="10.1007/978-3-030-56784-2_11"/> </reference><reference anchor="RATE-LIMITED"> <front> <title>Rate-Limited Token Issuance Protocol</title> <author fullname="Scott Hendrickson" initials="S." surname="Hendrickson"> <organization>Google LLC</organization> </author> <author fullname="Jana Iyengar" initials="J." surname="Iyengar"> <organization>Fastly</organization> </author> <author fullname="Tommy Pauly" initials="T." surname="Pauly"> <organization>Apple Inc.</organization> </author> <author fullname="Steven Valdez" initials="S." surname="Valdez"> <organization>Google LLC</organization> </author> <author fullname="Christopher A. Wood" initials="C. A." surname="Wood"> <organization>Cloudflare</organization> </author> <date day="6" month="July" year="2022"/> <abstract> <t> This document specifies a variant of the Privacy Pass issuance protocol that allows for tokens to be rate-limited on a per-origin basis. This enables origins to use tokens for use cases that need to restrict access from anonymous clients. Discussion Venues This note is to be removed before publishing as an RFC. Source for this draft and an issue tracker can be found at https://github.com/tfpauly/privacy-proxy. </t> </abstract> </front> <seriesInfo name="Internet-Draft" value="draft-privacypass-rate-limit-tokens-03"/> </reference> <reference anchor="CENTRALIZATION"> <front> <title>Centralization, Decentralization, and Internet Standards</title> <author fullname="Mark Nottingham" initials="M." surname="Nottingham"> </author> <date day="14" month="September" year="2023"/> <abstract> <t> This document discusses aspects of centralization that relate to Internet standards efforts. It argues that while standards bodies have limited ability to prevent many forms of centralization, they can still make contributions that assist decentralization of the Internet. </t> </abstract> </front> <seriesInfo name="Internet-Draft" value="draft-nottingham-avoiding-internet-centralization-14"/> </reference> <reference anchor="CONSISTENCY"> <front> <title>Key Consistency and Discovery</title> <author fullname="Alex Davidson" initials="A." surname="Davidson"> <organization>Brave Software</organization> </author> <author fullname="Matthew Finkel" initials="M." surname="Finkel"> <organization>The Tor Project</organization> </author> <author fullname="Martin Thomson" initials="M." surname="Thomson"> <organization>Mozilla</organization> </author> <author fullname="Christopher A. Wood" initials="C. A." surname="Wood"> <organization>Cloudflare</organization> </author> <date day="10" month="July" year="2023"/> <abstract> <t> This document describes the consistency requirements of protocols such as Privacy Pass, Oblivious DoH, and Oblivious HTTP for user privacy. It presents definitions for consistency and then surveys mechanisms for providing consistency in varying threat models. In concludes with discussion of open problems in this area. </t> </abstract> </front> <seriesInfo name="Internet-Draft" value="draft-ietf-privacypass-key-consistency-01"/> </reference><!-- draft-ietf-privacypass-rate-limit-tokens (I-D Exists) --> <xi:include href="https://datatracker.ietf.org/doc/bibxml3/draft-ietf-privacypass-rate-limit-tokens.xml"/> <!-- draft-nottingham-avoiding-internet-centralizations (RFC 9518; published) --> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9518.xml"/> <!-- draft-ietf-privacypass-key-consistency (Expired) --> <xi:include href="https://datatracker.ietf.org/doc/bibxml3/draft-ietf-privacypass-key-consistency.xml"/> </references> </references> <sectionanchor="acknowledgements">anchor="acknowledgements" numbered="false"> <name>Acknowledgements</name> <t>The authors would like to thankEric Kinnear, Scott Hendrickson, Tommy Pauly, Christopher Patton, Benjamin Schwartz, Martin Thomson, Steven Valdez<contact fullname="Eric Kinnear"/>, <contact fullname="Scott Hendrickson"/>, <contact fullname="Tommy Pauly"/>, <contact fullname="Christopher Patton"/>, <contact fullname="Benjamin Schwartz"/>, <contact fullname="Martin Thomson"/>, <contact fullname="Steven Valdez"/>, and other contributors of the Privacy Pass Working Group for many helpful contributions to this document.</t> </section> </back><!-- ##markdown-source: H4sIAAAAAAAAA+1965bbRnbu/3oKRP5haZmkLXkyF2XsRCPL4x7rdtTtzEqy sjJoEmzCIgEOAHablpRnOc9ynuzsa9WuQoHdGk/+RcnydLOJQl127fv+9nw+ d0M9bKvHxb2LTVW87urrcnksXpd9Xzzplpt6qJbDoavuufLysquuH09/xa3a ZVPuYKhVV66HeV0N6/mev72HL89L8+X5w1+7VTlUj90S/nvVdsfHRd2sW+fq ffe4GLpDPzz64ovfffHIva2ON223elycNUPVNdUw/wbHd64fymb1X+W2beCd x6p3+/px8R9Du5wVfdsNXbXu4afjDn/4T+fKw7Bpu8eumLsC/tVN/7h4sii+ Ka/rVd829CHP/8m2+in+vO2uHhfPz17TL8t6gNk+r/tL+euyPTQDruA1vPZw VW7p02pX1tvHRQmDLVYy2O8e/csVfrxYtrtoIn9aFGfHqrkqOzOPP5VNGX1M 0/i27Ift0b7ix67+lzV9Ohr36QLX+Oe2XZlxn266uh/a/abqor/S8E+37WG1 3pZwoPhZD/tYDY+Lh188LC7am6avmlVxPpiNOC+b4tuubJZ1v2zj/fihgfPG r8MZ90W7Lp7sqq5elnbyy/LmXzZVua+bq8t66BdwwM41bbcrh/oa6MMhWfjf CqU/JL9nPw1V09dt85gGFEKOCPQPXXvTwzL9V/mbZXeFi9oMw75//PnnV/Ww OVzi5n1uCPbz5abcbmH3q/klU3BlRjHzCFsWTSR8XJwf9nugjT6aXHYql9v2 arH0T9Kcwq/zXgbSizWnidJInr4Lf/ovF/Dm7Ra+2cjH4yP+5sU5XLRfRTO/ dwEDFcgQzqtl26zmf6yaqoMjaJviVYP/fdMe4DLeo4foHhc4yPyL30aLuqer 6q+bxdB2+679Ee7/AmaBH30uv/efr6q+vmpgMfuq+xy+OOcPFptht72XWd2c 1/cGri/QzbZa1U0V/wmW/qIcNtWNXmH/l9ewKcfrquM/fHf2p+8fPYxXT4c0 VEi28P1vqvnZqmqGel0DLT+BeeAvyLZWxfP26gomUJRDcb6Em34ve6Zd1VfI /BZrQ2NwI3B8s4Nw3WEXHz3MrVf+V871fFF8dyibq8m/WqaR+/ufqmPZlTtP FuNvfH/oNzflJv934CrfL4rnVZX/87/D3w5t/m+w+y/aDRBttc1/ARjSm/Jq c2jg9E7M73xT1m8npvdvC5zh+WFqg+AV/77B7XPz+bwoL4HHlUvgOhebui9A ih12cMJFv6+WeOZ9MaSS0UqyAoRQ0VV/PdRdhc/1BbArB5wM2GDTA0kdcDCg dBBM7bYvDj3QDXxFTrj+ma/VZYmfww/+YiPVdNdAXSS5hObwq7sKGFNT97se Dnoo4Kosu/pS5gkvXVb74VBui127qrbIdSOmg9PF2fkZzejXvloeOuDntByZ Q3HVlvj3PW4PvH0L79pv2yNtD43ezxwvH8gaPl3RBGkHiqpcbkbfhynCVdlU 231fACfF7cNJ423vqpWbnkSBXHR92K5r4MirBZ/crl6ttpVzn6Bq0LWrwxJf 71x0VnCkcK+iE/v77X5TtANKUVRQYKO6antEdrAvuwEJxzwKJ7OtkTxAnhVl 5j3FTXmEo1hUi1lxA/IIGGyxBbbREH9pjsWhqf96qOA0qm7OYwXRCPMaNl17 uNrQfiZT1qOe0b7in4pd+baK98CtgNx7Oj4arcJNqUlq06ElY/aH5bJCvnsF MqVYgyiHHxegAfV9fQmHEu9vGHtXX22G4hLOvcV5gVrkd4aWDXtYrooSBoez g++UjjZzeQBxBX/r20O3rPCVN0Aolf1ikfkiEMrFcU+kW+7hdUCTVR+dPy5A 3j/DRW2Kso/2Eu4r7gFomVdzEHk7VDvhxfeXbfsWzvjBjEizaQd/pusOhltt j0Vfw13EQYCgt9v2psCjBsGD00WW89bpystlBxsHf+95l+iSorpbEkkDqUU0 PcDpwZeKVb1eVx1Sgq4Oteh+wC2EORNxwZHBEuF03pZwLgXNfr4su44oNaKg Vic4c9XiCuiwLHiV8LUVHTyS6aYikoc9xEUTz6FV6E2TjYX7dOjpew7YPQy0 228rlJl9u6twr2AAr2DNPA3InIHa/ZRhZe26Jyp05YBykzYQmbWZ/gL1lV6/ PcP5De1bYDJ8QCJz4QmaMryjrxwTdnEFqmXD3wZ1tMFlAYHi+2G69KrK3yF7 LLgXxMFgYvz0TYlzqoca1nWEDekPxKye4Fs2QPlwo68ruIenJQoKDlDQ+e7d tIFVP3bAJavdnl5ONAJvAM27osUX5o/hyqt4QIJy797985MfLr47f/rdsxfP vjqbf7MYW2lwfvMe7smu+vABWNoByPGyGm4qWN5TJddm5V51Nag+fXFfaOYB CSOi877QP8Lm+TP2T9PN51PmE3J4IXHRB579wj8PA9frI20XbzBedMtU8S88 bgECQfimi/imyPFlROvlJfLX+OmEOTYT/DHDHnV2PF18MbHHvgeJBXTAVwV0 1WoPjAFligwxHPfEXOjpWcGXLrlg9YA0iQS5RO61mplZu6qmr8p29iRYquu6 PfT42suhBL14JZOD8ermuiXO0XjKCZTilPsBkZydn//w5OXTCRLRR5A+8ECW pPzAy/WMnJ5v2cebuEiVrKC8pCpUcdmSNMjSuwv6FH68Ad5KbFYvp9Bi72VM P9JRYER4zJG4tJevBwrarnC/WXlhFmCUFdVL4NyW5j4wVxH9Bf4GVC8Sqd4z 50SiRbVggRrLBYiSumnB2jvinlTFW5g+qRHFvRc/nF/cm/H/Fi9f0c9vnv2f H87ePPsGfz7/7snz5/4HJ984/+7VD8+/CT+FJ5++evHi2ctv+GH4tIg+cvde PPm3e6wb3Hv1+uLs1csnz+8xo7RHhVwUduKy4l2GI0ZuXvbOcpjiD09f/7// +/BXQET/8Obbp48ePvzdhw/yy28f/uZX8AvQd8NvaxugUv4VTw+FGFxcHAU3 b1nu64H0T6AiOJUbODBgt7B7tF/rFlkN7itKZVYQSbcW4c332yzgsXN8ax47 MAEaPo4jKzd9Vb1NSJUouxFOtCh+6PFVcDVgIb/78ktcyBCOcOaUudUo5mi/ kCDePLk4L56QzIJr2rVb0kjwltAkimV33A/tVVfuN8CgRppm35dX1ZTF4HWq GVg3e1J/6TwKWPkeFr/u2l10073miqxALxDMh5eY2RVmyWhYEJtWNgNvuTxa WYAzJOtjh5s2Vi3DVHX1QSrga/E4w+QukSZqYEUqBJAzsNCnWdC6nqrK1q6H Cl8ArBLmRYM/1bH922QE3vNoW81CYOr6JuVkuoVnKMi77Mve8CPmVf0eFlrl 38UD9axqNStdEqmvPI+Jl/Cg8JY3niGe2LmniTIVXqN7iuQEB4aUc+j2bc/u uZRX83QzlEGaTW/G1TeumbTARkFOB8OzwsZM9JIlud4HeQHS5om1+O1XGvev xXfJe0nH4lEzs+U5iOKhc8P12lmPd4NpIKhYt7AAvy7DBGBEzwb+FZWDOrAB /rq30ODyHjq/Ef6DaCM8J1lV/GaYaKIuKB3BmzcluwS8AtRXA5sFfg94e9B+ qVBdKbsj70W8cma45JNHE5cF6KbeB8WQjH1RhVTMeQmyBV0WjYP1ocOZOhjh su3If3YAssbvvXunxhOwkzm96cMHkpNRhMGNYhSTevMa7D8w2q7I9vNTms+d XjO+CTN/t5GP+f0FbZC2BgTyW5wfeVW6wYXNOaGI1+RNkXNVxQz0r2s09Ksb l3hkZmIbzMk2EI2IR1blcgNGsXpQUNeIXSPyLbsV3tJX70nqo2rXpLBMrCJY HKS0qgvnuuxq4+HBG3NyF5UA4pmBUbw9kBZM57USxzKP6W8OCXYy6PTwZuID IiIC07dfHnpgq47IJziamG4+KV7pdrvoRGJv2SDOAWvUrdFSx7nYQ4IxHy6A oYu1oN8Xn4XXE/C29qzjw6mqOIGxyE10U4PN6V+FtjQ+jPOQp8k1dFMK2xrg wytkJ6WXKkiIqNSTX0otVi/uiHMkH6rpTv4CzwmEowJDPJBUeQQK89qaQ+UW /TBH4iH6ovK6rLdkkbPOBMfWe/8ofcUZg56NmctqWaIHxQzNQ5IxI04KNVjY Xlaz3Ynl07+t9zjT/wCa2he//s/7n+AP80C6D949Ltiy++pe0zbVvQ9C76sK NJJ66Nk4/yfU8oBUNm3Z4QEB+8ZT9jp7Qo2o3pPBJfOBXfoy3aVVC6tHrrsp r6vMPuE0UPdB+wNWc1OynuHYMgP9tyruwxR2bVc9AHvn0Hh3Q3KK6KNl21RN OLx8o+sKFCo2IF32Hj1kMuDY3rN2JFn57InVezT3xFKmgqrvVQtQprLyDIED N8TcmcgWnqTMMGLRrnAHruuSnTa45X27JWdo6Z4+eX3x9LsnM9iEavkWP1sB obDvbwMneIPcwI55XW7rFRwkkN6wXNBpu3fvRP/o5LRxq1F6wgnhif7Kn2hu keqz6iNzfmZ9XkvkzHi33GA1TaPgeQd3tCvF/SsKqaF7ADfA6kUzh16Mqw2e ec305beZDTBW6oyTUh99sCAR6TkwEqC80Dte14dm6U1g0g/KXSWeP3QXiY9C /upGLvz7fI0sx31gfBs6amZDkYqBaIu9OInZqDHfQxX8gNZf21zhXZyiXO8o AZ1AdTja7qDG2GETJ+cQ7RC+yzPiuovP8SR5oNO7t9cIfQxVfc0Olqrr2s5F UhXVHhEZaJ0KvwAy/Edm3XJSTBnMsYfIqAhxisAjZKYz1hId3UkQtE1wXcrk TlAcnN8PqInx/EX0uvjd0ULxZhzsDMlSyjAu1kNINuhAoiJ5dyvSJN3dUizL sjkiX/DCEQMesjVvK7h+l4fBTblpUT7iBCO3nJHD8Zpg63+d8nQj8YjrsrrC DJzkc3+47HHAZjC3HQOMQZDPxo4vu2hSR3CS6P9AzRIHBkay9H4HHM7v4T95 O2XVEjewpiMxNIyU0kBwNdCVXa/ZHSb0iKOtDvstu0xbDI+sQNaUeJD6kp5J kOePD+iRCK8Pu4k+biXRldp01U8gLQx7I69cScwLB1N14rIS1Rl0PC8z4NA6 PhHiHyOtJj4gWkxO7lJkbFOSVcJKh794eFPVc7qMRTcO1wErOyoF8Q582hsa Zh0PmMuN5wv4GKgdMDqc8Vf3Eo3k3gfn/vu//7soy/76yn02l3+fFeZf5lP/ EX4Y/u7eq3743g7wXin2vfnI87X38H9yFu9pBp9lZ/BZZgafmRnwB44Hz/3L fWo/e8/P/p7GLMRbUmT2Y/JZmELi14HHv77je/Nz/v1XXxXW/P7qq6/v/Owv eG8438h3JLsBazo55/RZEQmeSvRbusmfsUPqzvv8t64XCN3BVfhkXV/N1cbl VJqv7qkJhWGDW41Na4XhDQIj7gdY4FOQeb1z+OMSfxzZZmQXXnYtxo1J4UZN pLhCzYz4a6LYshrjgDl5G7IY25DEDSWUB08MGD1E7nSQaYxmAbpmNiUMPd4l +Z4w7aFArjnf1juQJjvgsEs0fSIDEbSEQ49Me+jKNarfJFopSWDJmigFaS7g mXfvJHlL5ysSnoKvuBXVNajTYCJHXpLIXZ+4+DFiQj4PZs1179e7KL5rbypU EckJUq5WMMASFkgaN8V0SRR53e7gz6uMXnpZgX2NCRzF8/Zm/tcDTBdHAGFU z9ddeVgVpCpvaQotHKXP+/SbsOAr0JP2oBFhDMIWVpBfVptanCAUiC6vJEi9 rd9WQBjsLbts2TJBwiThg1IE1UVaE4xIP7NvtN2RyIOvl8u3/iSWSNcN0Uk/ HODIMA/i2U8l2g5jvRF9ej0PG29wUNDVBqJN1deLOcSuex/WrzC2hXcIJ+hE aM8weN4uUSsSkwkO+qptVwVlzOL8YPdfjzNQkviD+nK7Guyl7viR249+H54P aUx0+h1r/LlRQ/JFae9qu4ZRX11ua/IRFN9dXLxGD+wr/CEEJ9tNWcN/hmGv 3h+9mX/07q8LdqK9IBvm3SdjfyN7Fyv8vZ0jB8k6guLr8+6dcjy45miab69J YerA9vTJGRTmZYcCaqc/Df1j68fXT9X1a/M+aObitrVWTA8WMNxrdb9axw08 oEooJxORDRUlCrHpLpHRFWZoGO4TnDxWHwL9sUMSMTycxvFEixEOsBiKmlMl j94RTTOiVLjusAyhlchrVfe6CUHdhj9H+U2w9+2ypgsoeUI6E5u3A9Oud3jj dnvvj75Gf6/YifPrmtmTHfq+d0nSA2evkb3BtaDkHmEhsg2YQG3iFn/72RXj s5sZD0Aw3D/iGIvMMeKZ5NwBcp5eCI9Ps8id5sJNnlZx6rT0PdFZuYmzorSN jzkvd/K84PtrIJfrqtwiS4wX/kDoz9sDsqSsMYsu2qEnjzQY2ccZr4PP4W21 RwkF0mDw1rCLNzvrzUgiQb+YoFzCDPzho7U58zZXFPajr+gM1Y+mMQIlzjsS nC428uugdJgmrvCWE8zALtml5GVedhduQBsDRHaCKZg4RbTZTVWtjOlqXuxC zA7TnsR3KMGzUcQmVmB7jLMjb7SRnrpJAuEkp1zixNewJoZGQ8abv+gchjt0 jcTv0LMiflAfMuU8LTTCl6gxowsu6/OitdF+a9iVjgvUy66E60ECmxNl1GnA egKvQh0KogNw0p1ckBvMo0MCdT4GEAQIRxtsQlVIJrRz1FCMLst5x4WGO3AH ekxA76qWvJ0SngrT31Vlo3d6HeI6DvNM94MPPcssyVnlR+eYDb6i2B22Q436 n9/iGbvvS6ceNHgQVT9kdXQmawl3RYdC77HRDBP6DuG3RfHnUVImjBQUkDgk W6VR0y1eMlLrfeKcla6BdyfuWlVniA/eVHBHha8HN+y+owKSOkT49G5rgmfN +j9bbf3YXHN0GTR4Y220nEM/SiKQRHSYLiiQ/YYYHF2CKGwtmQIhWOmpwbHl MoqILIpvcVxW8ZFRIFdG/tlLRqhPBhLuTaTp/H0Vx70hVZs8YO8u80ygE7c7 YE4/0H4ZFaBcPD8f5UQiOZUNsWZKUY8n5xJnImbFHRp+km7QyWlar3EvLB1O 9Lo68u7x/qJ/GbOTrzCBi+254SCZsn58vAGcMLlwflLVT+imrJEN8VDRdVDT LCZC5VucNA1XzEdQvZ8QrIetpIvWnTJj2pyQNC7cwHCAsFDmYLsSPZj0+JG5 ruYUp4mlPjmqk7wJZmk4FXQ6bFtKPo4TmPkLzZzvoykjWBRP049oYJYaNDD6 QV3IhfdRHTP86RvE0w755KNCD9pdP71edDxJ2O2DdyAsnWWanrZNGcbJe+cH HP4fOf+a6McIQKa2WyQnyg3Mtydh0GEI1UWcJYRM8iyNNIEJnubGXouHmps8 Fz4evUzUF0NCklp+01rLyb/DGU1VIho+swflT5oCqw8aj7k9bpUtKBzgjYH/ e3F9xvQgUcx4qmVIboA7NH5rQeQK5IvM5AD8lLQ9SZE7SiGMFdmBeXl6HI/K jivRan0qHkn8TSkZt8mjzkyoq2CJEhgtOVPCOBnb5rhDGoDhF5TjQMR46ugw NFPvaqwh8dly2e+7uslsm8m2/Ihdc9ldM7c4GfOWPXOTD+Z2zEw52bAvF54D zoVIP3bL8Naf3PSzIX9bslfSRZHbyQtzyy1RlW50S4Q9RbvrVe8MRVrd/+QG 28Uke/yrRTH2BKWb9MeTTMSYu260Jyy4zAnnuR1rQtEV061DgSJhRR+RRRnA OXwmS81E/vwZ3edsescK6aXVSUWSPRjzTLwXI0+HyF5SUNGjndZv5EzsdLVr qk0JoWPNyg2atFpucD3RqJWxVV8g9RI+jgWMSaf0VQKlBHcTf6i41WhzUR9x 42WeMpJ3YuIsh/qaDPTGnH2c+RFn5MniaEoSEx75k4LOHhQtx/oSUgKmz12b 5BHVtWEzOdOPKW04vUGktoDtAeS0SlT+kcox8+UxkXWfDx2pBRBp5rfEeFhz Ryc7xykk3cbuA1toemmlEEg81lOhGNmJDWV9KXcOPsWK60YlVIOePjN2iPNE djS6P3QkHt3LB5kLbuxIzDgSM8YcQF7BmUWNFvXSMKSP0f3qUTkozDh4qdYV qe+9u4/mBgY4sPyjpvx78shvqnJFNm41LB9Y+1onHVJPWKtnMtHFukQ19oq1 l6zG96e7bnf0AZ1Vo5q26s3uW6AJ8cfkTtLv3g1n1iWJmcZ2Fy0WLWCvxVL0 g8o6hyAvfPjLVBWgyYAzwleGjAn+wqd2Iez2xXHpTNaomG+xlpNWZ68U2zOs eZ+z8EWVLkQUZZIOj1XCWzgKjjElSODvV+xFgBkeKNdd3GNq96o7c38Ae3qJ yTj4+sSqmMd5lB84GdMneBujw3I/YScdgoI0K/RkrFlBzeftKhsC69JyF/KP cjqnS9Kd6bFb053xYhiPwgLmjULjwwcX3o/FZpYiWaqoS0HZrsZg1HtqxaIz qXu9Tbam0JXRB14re3v3SZj6h0wa/F0qP//hIys/43LeuJLckSuhDhWhpytN klSol2qDWCuDPMvAe1fiV7PJr/o2ay75xCXvO2C/oiQpccpOkjdy/927sAkz BDehVz9aPPzw4QEe0czV4Q7PRqvTgCZnVkyO9ghGc0lKF6lNSczLZp3XWuOm luZHJBDdmiB0awLQqQSQUwk8pxJ0TiaVYAbO2UiKf/XV16fSWE7O0qah2Cgl J6I8jRISM9clTT55ssWkA0IdQs5KEgI4G4x+EN1+1YLyEGgEOW1L4DyHBsXn ksSdUI4UhwH1cNmUvx0hFzROghsXsqGMoRCqYo70wCvR5ee5W3IGFPSm10oV Wi8al1Yfj7Uon6zJqtdlJRkvK3UeBXpnPu6IWY75eAiZ+fpbk3vn7YhJ/ZMT 5J1yE/Xjc5KyKMkhDxN9f+SfV/92xs2A0+pYTyqL5rC7ZBlzUx77SHuV9eNp XuNkTMZtbXICZ86Hhx5jLsuIltmKNKFDhRDyhSek2o7OwBVxTj1HdtS04YTh 4htvRWVEGOVEBk9eESocgqjUFGrSfjNj4PLjmJJmeBCWAsl/zCOmkraSeCXx aKw+RRWCR/AZmrR38vbjQrYLzYYVO98lo8Qw9WD38Ml4N6JxqBK/hymx1yBf DJFka2SqzCQrdNOCIgiDwZlo0DbU2NkTix31+fweL0Ik0WeUJa3YQiHIfynm rKZbqOeaDF60aJYM+sbb4Q1sTC0L9cERkoXfEAp54q6PPQ2L4mnYcsnF9nUo Otz4Ns38ROAGA0trlpQKvlSVVtVURnqYr8Es2HAeCFX9SEEN2mowkI+jYNI8 vOeYeSEo2nRTBV4iaBmXlcbi0NVUhNxidFV7lu55OFFoCedQ9TyhDv4DZzJ+ I4xlXBLKVKqdh1PYcSBJX0+2dbkeqs5yOi0IkNQoowCw2mw0kMVDoq6EwSbx rXnxOjjjMJiGsDFzjQKOz5LzbhQFwhLYmvY+sL3AqVr6AkWX7ie+rH14OR/B A7KICn0dUaJg2fgQqAcKSQazc9fhMK86433DjZAi2MxjpKnuKb2dgvjBBYfb 3moqQPQgOt+KV5zzB2TSqrFBLgAqSwId1ASjyquuQmmIHKIRHxhVGnjpSyM+ A454jKr50rfOcOBWX4wXiYbmGvAVpoWaEG/wq4ch/bvOCX7tzjRkZS1jX0Rr 5kKmlYcDUM8DTSlzVHDcZcfyo6v7t4J4IYAMjOoiN4PyOBtPeFLBtDcuc4uo wzF8u+iFS8J0udloQF6ltTEfiNTNBIRW/XUmj2Nul0dHJ2FAHIBADmqOmOG8 BoYPuDpwmJGlmUW0SeujnOZ9zjyVk8is+H6gGUw1gow2pYBRCRMSHuo5aHx0 rBLldkvhpjhxaBxZ6QuBEOGXCpfgZ0mgx3UcWt1B+4ahzayb2qNh9V6nkKMI HJyTJJg4lIFwlpi/D+T/MYz0ZTuIxzX2kGnCBGw1ees9ftCIMYEiTyRMc/ef svKrLlt0nGiYxvtf1WEitVe0nFVN62zwKz+L5nNZwabVbcd39i43VryWrFB/ B1dV12bjGanKhK+n09GQKRZTSzIvOsOinAWT3OKlanBWE25T27LPTFUUOhuj LAVVCd/MCXanQZbUqe3dYSEc4uCC9WpmgAZHI5CeJlX9oGQcp/iZf1HvF58U l7NrxWvp6ljJuFIy5YaJEqngSOokQYfaXGwsD0wkegMDtaGJsScrL7HRvEKY sUjdrd6KgIghA08/gi4JA6RD67AFG5Q3fVcbU50A3sL0xShqaTopwvjbLc2w yS535CZlJEqyiRJUbL6rSZLz2jjWZ6bl8yH1MAO7cd0eAoBgHHkKxdjjEGCa TGfCuH9L5nO0o5Ixeyrn0YWcx7vlOw5RErTP84wm5bMQtWB9HKshPQoO6llp Q5CeBCTi4C1VtUlF+oqNToQi+fPO42lR6OGAjmIG3IxxlHy2OSWdEdNhDz/M Iegn7G2nwKYyzGAgR/SFRUDDRDGyeMqD58C4LUsxL8BwCwWTTevzToIf3eeT +qjdlpBbhQQ7C6Dwae9C4hFylRShkBCZQMZhtQqorsGeaxQaii7tP7k+sUEe 5WWRD60dGCBNTp4ZK0UYMN+OLIeCELJXcYAjmuV4A8PNdFJXIs7bECv2TMnD LBmvf+qmyeVYF2c79MyVjMSr6EQCpm0qoWJg32zd0sNF8ZrPTb0fudSfSj0a Ut/M2D8rQy180i7QAMKL8ENx7hqL9MwraXCyO80bXPoGzUnHN5jJ7+BUV+VQ jsPvo8lHl4u8mkpSruwua9ARMdGTh40AOdnG1TfN4wiQ3rlYTqNSsU9mSLMW iv+7T3ucwqcFF6PYvM020MNpL8kn6ST94CL2vHCpdaU2wF32IwXFIYSUZO0s qTP1k0Nfbde6fk6j8B6Q8LUYzXPmPLqZ8HmfZEirNjoGBz+YzUVoJXnGhFLp EvHd9WsBss+7JG2Uji/XD41PGCZ1EnkHkfDyKEWZo3UrTqLqoLDyYUMQOYkC +mlfJDOMhV4MWyCcmifvk+Vxm3THwOAru9WWhCTrR4hM0lSa0r/3Z4h/C/LK xfJKF3LfZ8Oor5TCQmBjswlE5ZmxbuHgqjT0Rromr5pqTqoSUNRVRdV1vNG3 bh1Hsn0A2Us/WG3weN6X8HjpExso8k4vU5uuXa+3NRcZBNAjDXNkwY/U31pz Hi8t5Cns/aFj5n+XJaBLoVyTqYblC0v/OMheFidy5WvgA7tQX9RPZF4DLfJt 9S0fermncVy5IVSA8aQIKkuhQTnZZ1WEsbCETF05oqaQfAFLMsicSV0WAeR8 qNpJqBoNnE/C19/Ad4p3n3j4G3phAjtmIVJ61SEohzgLOocenx53s+E04xkH xLodoy3bHPQ+qMc9q8CtYvka+TuyDz0cXRQCUattEVLT49Rwd1tquK+haw0+ 50RpbozBpdjewMlg/gNXPXE3EI5Th5SLAEUYQQSGxIEsDH12EoI1KPjUkU5C fvaA8U8gxCbpuhOwwdITNcVtvOljXqe1w3FughlDVAodAyHGy1ryjkyRWHZQ xQzMWAWhlKiOi30D4lQbcjSAQlAcck7rst1rpUxOyTtddM0wAb76/FyRprS0 ehFydijZE2t5fdn1cuRaN8CWhLWoYa5luVf9LKm1w5mzodsdsBKR4r691KBH 7LIw1eZad4kV29m6b1VJuNRbDwa0DfTNer/RgXGrOXRGExYILU/mNPGtYLJp 0JFHFWjC/EHjxFraSpuKY8og2IcZtlc3MDFr6Vu4dLEfbKJvAAJHgcjDyWmT eGUvqSndhHG8yL+qvKQFga2EpbiZhv0w9A/tIM5j771n8215RBa8pM5GBmyU nbZiRxSZiu+J+y1Gcf5abCht0ds+4+ht4vU15ZtUCcJUzcqaTJmiGn5Izj43 TyH+W6O+aYmuKoEstHkR/t37TieuGBYDNshjxdgiyL6hhXFWktJI1AvMfWCA PC5ZMUiuvkylRra5w0AU5jypewpFn3KAGGdyystUMygzOohab+m7pNzsJJ+a 5XyCgjQSFalx9ik2YODaEqBHDDiqdhmyDrx4m5BBS4IgX1X0ODNcdNShUyDK Hy/6+ueKQf+a4NuN3yX7yrKE2BRxtlVgfLp/INSAhsujlPoKtlJER1pfXXJt nCGb0hOOYk70xVaQApv8lMJr3G1TUtvpLo7h4DtHY1Kg4Ukhq8byytAuspkG FHoOFyvNjFLAR0B3E8iKEeweRfFd3jeu0dsLjzJ/omLCju0CVP2hsYEK3tik tMygf2qtNVIrOg7HQJJayBhdM2KPvsYszQ2NLGh1R4pa6QFzJrZe5kvwGS4Z OJ/9O8mc7dcfYI0Hu7DSarbM8uiM+nRdUdm5f70cTZSDHLQwn+McBpcMZ64g MZXn2VUmlhHli4cl5CbvknyRE6OTrp5ZvrEvsIYIZY0FeKMYGmfrhFOQW/qn Fuy6POgkQS0l8RNeyvxHfGpOsb+OohM5/4rGQ0Mo3mV2V913bI974PKRoRDX uXMm4Bbzl445+8FAHiH4M0Zjs3Kd9BN0JtWS4UfMmtzw3qfNjvhJNTjUnKwW 2LMQYzkntFj1EZFNiaYAO0vIzx+BPTtNWZSZkp9Wcg3YuR87JgoCzkvrm9cu KWKamntBDEUtJYXhw+0qfq66dg6c3OFJtjUJY5YUev2jxgkTglhDkC7OlszP zbJHFU7wU72lN+g8QGXZlwMC/YIg5U2hjZCtquOVC16VMDbJ0S9dzogZyv4t Xd1zIN389bCX+j7j1crl6PEZuhW2XFpispRqsAMii/Y+UDnqd1K6o+tGZSGs 3ZQ4obNJlu/ctxqOhNvgS35aEyqeqZfH95uIIBAEiwOZUD9QzkVugqYCS6dH 3jLVk9IUuLdNeyOpFxOQFDYJLkFirwMcZBjb18mFOpeAx2NyTgmWQrITsKY9 u93OxzInnjo0+WMqL3t2kOwQLCqquLHSoDZor9xlo68IZgqFmx6YSgpUBRFp FfT0mTnwycu7rn9SYMwQy48Px10eQ2lkKO1RTwTn4LIb4XgKH4OJw9m9UC+F ZItSkzVyNHnCCO+20KatTyFxdrNNH4qRoxHhNrLnII4zmSS6zTKuMrM/tSZh BAhjgSOZhPhxxr4ppLMKA5gkKDkCuOBX7+cYpbIy4n0Atg484jR6Ql7yuazk 0yyY0YgGdIZCT4xQon28iByTyffB8hfIialBc9r1CH6ac6b8HiPliLCLAPN8 sk6u4GtmK5aRQl/PN/VKXBg/EZ5hYbEqlF+wcjUJ96ABffZveJwkvgW6aBvE nrRcSUkLnb/8UMhO0Ivcobin4Fdo25VpWjhemi95QxDEEYikM4WJ/tAkFQzY M+zZzxLUIumjOdqU/mD1V9IufSncjcetPwWCZTO8udUlUpdkzZN1c3mMCyE5 SuytwMH5HHtWmUvgxJc+ZZk1xPAV04kyXG7gLINgvHkIFs3EM8hJRaRW9RFW lC4No/r7ssaiQUw0ITziyfA0eYNiXa3uU4CPopSN0TLBtuHmFX5NMxMsGiEj 4ITM8ltC0y7OvglLpTSudpBchz5dJg4j8FeYRlcP9RV+VdM/A3PVzIK7WOtJ uJMhPOIXOx0nQklPkieogF0inaON3JWrBBLPQ5H4pBj2QuWOaaJiqDeSg773 QuKzxbtPNFT7wbmnYjqwW2jQBipTXmwuvcDCg0GXqMHhoXI6rmTRToe4Pbh8 6hwCKgYLqr5GuFKKcrTebZrE3UnHRdpB/B5Pe+O8hbD9Yvys/RDiCCBW+pLq RYtjXW1Xvdu2V78HS+HrR7//HP/n/ssHBXZ/tw8vwoYq8E66H3ACrzOTJiWM MzKNy1lC9ZTHDiw4gogPHhCs5hwlSdDz0muRlBNgvDBGxVgr7b6EjUmcsvY7 mY0tZbN8YoEUDPBLXGgBwDF9bmdqiF+rqnKwB4Rbqi0JtU8FWQ/V8q0oLKQJ UNi4eEXTz01Sf04HwtuN9SoiFSfGHXslXZt/lefEZXGPIYCx9oazkhgM+N5M Ww5gko/DhNrtOgaemPm9SNp2/dHXnoNJU6IM8rJtjJdRS9kxn05tke7jwCBf 0Z4zpAlS16U5KgktmvCHyRy5EzmeH6jUJmIgWq1zqLeDKks6A39x/gD6hs2G Y4Ph+646oNZdYV0N1jj/8/fPX7159MVX37w6Wzz8Av7/i998/rvf/Hb+5fyL L7+Y/+Ovf/PbX80f/dfDhx8+uIB7CLoojDLnzKt/ffX6zbc8OnWmD2N/d/an 7x89JAf+C3ud8LhNTJ7acFDXT/RG0G5jvG3YMNMvd+Tcw9gUbTzaJbuEPfhT ZJUreAg5ZjtydVjm6YIsprhli8Bl4aX+VcSkhGEKSfgaFHKTHUj5FAr3bcwt VeAQWilyWcfD2zoabKPq86SNbyyfXRQHBnptfzORbJRJp0VRJhl+ozRpqsX1 SQ/vPjFJEbf1ZKMcy2XbH0H07zgEixg9aJ81oklQMQZ5sa5JNofR+fqA5qwx wZATQvsWYABqSVhiFbipbjI+bVGz8gkbNE99MeeUlCvCyxslL9kMkMeUs3Qm ErSUZEkqZii3R9Mg2OTkU98whSPVV2INwVG6iKAOIl/DDfsRTCTK7ePoy9UB OP+W6hK1jqf1eCCmjDRS0vDMVYHXIEeEsx0n5IlN31OzjSkElVuRHmYGOUby ep6s2PPMe2qWEioi6S3sFp5juE9JFnb0CrdfFJCisCqgTxR8ijbaVrs+H3V/ fMtamqOHIp0qmcbRfdW0j5BXP7FXcGXFbkYzlGIDYxF9iyL53SeEJTHCGdek GwoM3g5QISDjNi6xFsr8GBAKZHRJlAi4jyNDwxaOqGyJcfhoT+JbX+8UihZV E8eNaLfEjic7PBZn4rmXNKhx/hMuzSWAxxF8J/LII7nqixGiYrleV8uht/N3 PP/alpRl4kOhXeXJLhHMNjnrM5CRnLbPGZnrufM9jV1LHk4mqbdhYeoLNI9E gTf1disheynv0jqwUPollWcTcOs+A7k2d06BXRhB00CbZMpTfLmCRLP6EK6K IMJH2NkyN7zw15Uapgb3eQy3zcCi/UTc1Mw5P8UQhjS5Hgr0hR3ZKJxii1qT ilpvQjXHtFt074bMhE2wt6AM1H5cAwXTQYe2BwUJ6F3srQYxEGe9srlghE7k 5g6sgVyyoO/FCMxRVqt0k9NMyzHYv7iRbS5hxMCMj1CJ+g5lOMIVgrVzBOZa DVI9KrkQbtSdluOeLbfCCP4oPF3WPdMQdxpi83Qg8K10Omrt9ih3SQxGZS1M MW4cXxasAgJPsHFf5qo9ukPjFCe+0C7pz0t+WL+AEcfydQzbFl07+xZmccQa 6z35cyS1LnI7yNGQxEwPRdWCU1UXnkekvgNnSqOikxg8lEZfUVpKBkZj7AQP yx7B3qYhCkvfWkCaBCXThotUhnKKMqZeEGpeyz5T7jEJ7TGJ4MGHn52KS7nX pyZfsK76u+4FgdMawO14EIq3MnSDzfSIaj+DMeFCV3e6uT7Fa7wwTsvsR5Wg vlJprHSrbjq9JyMO+Sma5WE5Bi4k8ustIgVrJBai73pJ4Mh8E9QR9akYNVIL VL2CqPEs3+lzJjaam2ooUUi/E3/F70Z9uEzLcKNCmovsFT6xp6Af3IWOAru5 CX3S0yjhEPpYHHqhUYrahO6U2iszrtNP/i5h/t7FzR6FUr2wSEp6hE6ZsQRn THCVeAYgeBwmjVVD3SY2ZxqxZleLx+BRAH7JCRBBWnxnjvspR7UlcqxXJtri h3Q7XbqdZilcj5p2dxZ5t6PmhgHFBGPDlFyufguurI/mKW0MyKORQNUYqO9B VBZsmyIALfBgxXXGra+5lwmLVIwweTPgBDPn+92wzhuF1jWjg7VfRW84RpP3 vRowT2SszjlngthFgHs6LT3C9Y7u1K3S43+GmGo2/OtBAQF6I7fDhcyU/Iv1 LMluNt0iw8ZqqTmKgc/0/BQ9FQ5eIcWoHIGvXmxbhsY8nuajDuomq5E857Vk YeaaHEt+auiJnkcfSOq28GZfsD4fbA2bxpLXk/RUyvgQnTeNUqY6YoNpR+VM tFeBzuzLRsEOE1WxLSJsXhC12VFfYnokmZyS0dyde2byyQQWdzJGbcwrHx4Z sqVy2vrYuqhmpwXYSJvPK4UX6kQj1dqDUsUrrXsP0A0m66435KZZtqbOLQt2 XqjfwGU9GRbMOPUm5DovLNzYVChOmgrj3enDPrgpu6EY2Q3srDBQYGI/BPs5 NSJsu2ETOr3FB0ZWs70x2j+KW0cqbADNJuU9MQSub3geG8xnsefKxOdMfokU agVHfZJZwZ4ubEvOVM7xHdPQe8xdjVU0pVY7ag1emDZQfm0z1Q8DdqH/skDW xPgUI1SBQXNMJnmelYauVlBxCjoN2q+LEwo0m9sI9aAJSKBKgRnr7dHlEubi Pk3TK+dyrkbYFKgubafQemnP8K0i6yDNInSS3qcX7J1794m5S+xPVVdnEBIm zxLLUTqw4lc54BNV6EN8rfKNZOEdSj0xZiQznlFyknpWnMHFwxWmMOkRonlM GhnsJMemNgiVUhrJCIZ63G1hFrO02N0rTC1ujkJFNQZkeYm7Irqb7+idbwUz UHpplIbrfKmSj3uN6vslBjPauDqGanQYyfNBEjY3qIoWx9jU+15ukbYuIs6D m9o1AYpZ69tPYeLDfLQ31qorbzj3XlHWMOWdnCLkW29/osR4k5QD/CObJk8u aYaH7CrDyAL+P3XcAhnge+kQA+MiDjwf0hbWH0kmC+fXQl6+O63HJhmhHi9z m5Edxvy9NA3E7HqVImO8AN9WStb4IunGhdyKSguTZkLYyOdAHkAu81xrg1wb TuTIyjnjlo2vvFx3ZQ9zBjj7IMXWmNEQ+gqdZBi0MQjBkjlex96DHJpS/FoM DwQQ5xFksen2fod/izEK9PukY3wMCj369b0bdYx/n7SM589kD/TXAC2dwZH2 c/gseeln0a+f+TmMIZz/IlN8n6z4fe63Ty0a9Yl/Y0Dqj2liH/+uCNhfjbrG fzVqQ5998m9+52ejFSUt4/Hf1/nZjp+MG8bbU7x9tqf/jWebvr3I/g0m/wve aRG/o5unoN/CJ1L94d4HEXsserpKPKAsqrXne9SEOkVOSKTVZOv3EOA0nOeU PHKhx9BHMn/KtxL3ziwynEw/RHZCUS58nGEbOvxqyRLHZTwKgUcYsJ0GuW6b PD1aQDtVlzcj4Uk91/d7av8NA0gD3Qq1BHTs3NrsQtFJP0LjSQaTcJNgGkzl eEol1aVVu0xR10TKNcaprbcq6T+V4jVqXcIU6LG7L2m0ofXDBwLczcyr35fL 6YlxLrhvNcMIPKb1CbywqZZaQm6NLBS30+V9XtBGtXxZcTtRZ5hXoFjCeovR Kxre6eJrZo2xE1yWP0YTNr20iwmgEM21kIQQU7GgbirnvVQ/Tu5GWuBqMzgy nXLrKfUhLow8rUTcqkZk9IbbNYf3SXeJRG24XXF4bxWHXPeJ2/SG97d2pzit NnwaSabb9YWP1Rg+QmcYKQ2/RGv4eL3hl2gOJ1SHv5vucFp7+J/THyY0CHv5 VI+YZoC3qBY1ReDXh22Mt3tTSmcoxMpqy9Uk16A8H19QVUmvhDtyV601j/oU RqOrT1RxalSKatPAScb7aZ+BeEbIrFBVhV++zU6TBcSO2NAoNguA4Gu9VXkT cT4hyRn7tI8zEWcTgp3Kl1GQjhpfuhNKxOQBiCWs6UC++JSjdSb9LBO1kXL2 srfKn0kDJO1F695M2BsRICaK1KzRG/QETU939ahZxj+/eXLxbP787MXZxbNv qGWU7RaFezffwoEPc9Z5MN9T4LKc0fEC7neq5Z1W1ILWZ9tl6RXiGq2gnSiS 9aRuwl0NTrkCPkIzmXnqCXEg40cwgp1SGCl0JjFBW8IUNZV3PkyqFaJ67cb1 lOe6pZPwDf7mhqSl3K0h3d3bBwH2TeseK+2dLj44WZF/6/3yLi1WHqTg46OG 6dGgdUCPm4f6dVZXie59/prpXT6KI1Kpk5Y4mXWELuVY5lGXvrP6fNRZ3XrF QzsoawIl5hXuvJY9SjHoR2h8QqK3anzJv5MKYFb9S5S/9x/rNipS7e/9x7qN ilT9e//RbqMwE/knCuH/uo1iipjS/v7XbZS/f7HSNxYNd1b5UMxHDTlUXAtr M9XTka/Hsf8lZ8LfBfSIW0mx7uFCvA91zlPaATaPva5XiCmptu9ldWwJKI/T tqRgLSp+UM1F1a2gWWQQkhYj4ZtJ1u0LG+xiCViHTO9Mr5LY88UoFBk4N2S+ CjsX6ZBxQpB5OpPB7kewgCWMpEElVQh2ZnvNSLXGSrufNC3+cLXVGBHm8yeh WHZCmsr6TBNcQnjnctxcfpHHaDD4zR6igVPFeBJK3R7kNLc/MnWLBIuFIvBG QU/UjlKEKhgrsyNXqZb2+CQ3D7Hk1cRMEo4vd40S4xPTJ4bAElhcm4AfYwaN 4uqZYoE0D5rQcqYbcHFwitB+7hCbIoSfv09oKnT7U3WPLkXisxrzMvPOX6aS hvQu3XbNAaOvBj2S+OZdmoPYaK9GdF1G29Xkmmx10aQG5qYaoNQes26HUBAC hjGKV2sbctO1Ei8WQfl4jLCM2ZbRdvdbamzHyJaapOgd07o8a4pJQRyyGS6v n8pEHzPc28IPijPh+S9ujZMwPDOix/H0sRam2LeYgFVzkbWvq1DGlUcJCRfO CzEPTkHYRnGRhUkQpFcS+AzHawJfjE8jjpkYTsX1O4k7fpbjD0LYHsr60C3j XgEGfQXzIcKcU6l0l2COy8pAP33NIrijiMIsisDEYYpUYl32GZGVSgREuE3Q /SaYRwbRT80YnnfZp/B/lv8rMp7BNeBmA7YJXjy3GebBNuNWhF6KZX0PMZqw l13uhOxKc4+exkglNgcprYR1Ls728zWEfSabxpeXesAczP4k8CpM2vsDa2Hh j0ltZjbpxiAxSw8gn/ddcCn2LK7etEh0S4bwxVou3DlFnvVV3JQrd9MamF/M iHpc3H/4oDCwvS228sWiCY2h+hCi3EYsTF65oPgEZRUm77Ga5Aref/SgwLZq MBXfR9zmLpkG7QmkDEiS6rr0+YMEHbavl9IS7Jt4whd+wnC+MQRx6IxIAdTQ xY7QdRinQpu3WSy3OB2pd/68TaWCqVKwOisJcOTzoZQu4KIF8v2Uqkd7U/hr YW0iHHvzTq7nUs8W8CtnKr+ZbFQaprW+7MeTfKWpI3fmyH16qjWEBTY7LewK +Yf0FmT0ThvIV/GqgPki8YC1hcWMo8i0T/mE67CpL2veX3oEq/pJiyJVL0D3 X5jKrgkAztA1aOTINZdb8oHdFW4HzE6UHe36mCxaSRaHI+YFWhTs5XQOglCR bkvvkW4oOZBuFAkfllhe0nqYiBgPzccUVALNCkLGFA+05q0pznmAuDwNcy7e umrHXWiHKqqP1IvPRSk0UaOES2xcdQPyzAvSsJ4Pw4caJx2q5PsqxspN9i3c BsXYwLYhV4eyWxWTnKjtQstr/hJxYp01cKgVljT3GLNO8EIjbHSwFmptDG8w 0rVBhiBS6mUCSX9VYlKqi2hecsUVkbZv1wPCtM88YDtnOGuNm5hOnVjfQFrN siaaUytRYFJ7RIWqItCI5GZrG0tgPo6HzYK5y83KYuJpZ92btnsboBm19Neg FeopeW2G7pod9iwISfVtByhALCJZVe16LVWp5ZC91boFcWm9uIf1XJzwOdKW btAM3WO708C+YCbMRmBVK1RV8XEF4feo4wEv1Lc3Q5rxvY4nqIYrnjBD6bAj oGIBla/0/a7coV7n29lgo52rDZsvCPKHNMuCHDN6m16uToRMryKeUI9MFgup aj4A4ovDI9YF+wV0wu2DJgkmFoF6u1e+L5Bgxpdj6TAziAh4wDfkxA+8KGyr SAT+WHDkBZ0ogrbMNQ7z6PomVOrRzMqEg2jdHNdLy+b4RsAUoQQrol1TEm/n uFsMXRWuUCAgwbXoIpMNIkA3eRrpO4goEX0AGsmTIpHZFJAbNxywjROL++Ge +QKd/gHaC5MqIQGwcEIwujY9mI1iN1MMecm6F08SVbt4ugURKtWBIgOzU1pg y5ynz15evHny/Ozfn1ycvXpJ8UbgiLiYTbmbl9ct8Rtu6t5UoHPHm2GUbDdV lo4Hr1hjyuVWqf7BFdDzHnu3btrtCuHYkD4axhtlEFKtQ/SODc6gDkBiN5Jp t+I6YrtaSudfU6dv9eIoCpg/Iyo5mDgOj2yMpdtLkFJiCQvGktYwU+1Qy/i/ f64uP9Wwlzo9n4SQFobEJ8+ed8wLhUH6kwFL3KmT2nnwbrlj0Y7CAtmfhpVO emhslWk7D3vvAtTmurox8cvYWax1oKRtc4nUyuNBaZIXgxeXxV8PbUfAXNz6 S/LVZwFXlai4kfupUqExDnz2KTIdhUBltOqegZ9ZE0/M/4BdgfOmlhckTlri VofGV//3wBGXprbGcofowoBtqic2MkwVgInVWSCSa2pQpVUewRgl/4n0RlnH 2qt48ZpfmnC5oDko2CE3aA5dgtZrFJkUoUWXdo/bHirpuOkTYc6uE3yzcKtN ozoP6gkKgE5iO6lqowkbeuIYipfIMXpJyIdSEfRTjX7QchJxjQoXiKxvWnZ8 cE95J+OI1+XWxx/9HkTY118SLub+ayCjLQv0kzkxqL8CWVQ2IyUu4qK2IOQ5 ummNW7cNmQ0ysG2k2lvEiTiBBo1PZAI6AyIf5n0qfe5hLfi9ADRRbICRiF+9 36HHquOXUOtvRGlvKacjUewUaiStwIrhRvJU4gQZEHadqnzbLrQeZ9hzDbEx tDByJ3KxMxIKxQyo1Rpi+hkA21GNL/rgqzWljlOts4EpJqdZPC9J8rbYxeRo Tat0A9gutu+KfOXcVjCDSVs88ZibwTF8asw+9Cz3vm/1xpnetH8myI+bgLDO QGGNhV+2zl0mH/1yRUBcXNJND4aLl8llV/BSX/9JnkusUfdPxecshnvUX5SZ ofA61mRN/ruvz8s1VGIFV7tWVwxKJgOJHGTvW1d461Gxz7BQSQ03uiUGcVKk Jit3r5UQyUd0PAkjPA8cHatqp0vDPYhuAutmQCUV1wxu3ZVvt6HXJ7j5P+3j neF6Xs0yo7SxspH2d4SBGvy0cuNZ1pWrVfiLnWbh0fo9hhkC6FLUDcfzre9Q u2QrCA8I/y5P/+XhX1gA/eWLvwSTnbp4UPPXle8iS7vig4gMxg4cgEIWwaCi JHJGcy2ugJ/i1UaTXrDitwKWPPjmeCTCVVu4L8yEQXRa8udKVKQYyu6KvHsP xHqK0vussiXGOOqetNQMBOmhTzoroMZE6DQMTumvkxhxO07cYscQjTafF1pg G2KEuEcp0J7FwCfri7MHItB7u/OalwaqaQrOapIihLtHYbWRo8b7JxwDu5Tb Use214tZu1b6j5p1XcRWkELHhs0kxQRfPrDfaFzDHzpc+UboFiU/MrgypxXe uam2+56/T4whRS2IQGDH9TnjBA24MDAfguhp3aUXWWa9GjNIlxvX12s+pt1K l2xl8QL9CWz6stdPslvLFa4HNQsD+t3yOfGcgBi0yn57lPpP6jZzigk+DcIW sQmmgOSRH0ZqoTZMCFIeh7U07RvFWHnqAiiFh/J/bFaUA5Uq7iOg+QMbnAee umXJs2BO7eX1xzDoHOqvS5hx4jKf4MxFljO7v4kzF1nO7P4Gzlyc4MzuYzhz cZIzu4/mzDG3kGYCuaMPsDge0Y4aiVgdb29Ie6QvUtVVcGwd9itKYR2kqN5S mQdyj6LT2l2CD98CMFCjDbXtRqkVuAccFo7fwtp3gCIv1SjxLjvGLaAO5Mw9 MmBvB+9RJJMixWvLXSJZuma9raiZDC1PLz1nlUdtRXWWm2pFkMAqEFBPnKMV 4hvRv6Wsc21MEbNu+5I+lIFS/51yVc3b9dpnnsTsMCqzsO3JmaNq9CRMmE4G 3ufC+9olPMedMztQITF8tDwut5XnxKwAIF6NtnLhF+IwZknOPS977nFtQqyx Q5tr2zTZAP02El7nsPcWL4FQPqoAenESWDFNS9IWoD4nwOYM6aDbrd6/WWGv ArdiwLWPOgRYXML2EqMb0ZhuF/hcLya2TgH7q3e2ttLUrMoyBFMFJ4eqvdNQ aWwrn6yeCFi1cVqRYxfZptzvuUOV77qsyHdmZ4IN4/eHTA2PoZjYRyFRyCP5 KIoG5kD4ug+SzBQ28e2MW+y0gfkzmpsTeIgg2gj+/Knl2qMW2LCI1H02SaJW b9ueYZblynBC17UCIrrAaGUf1IgDnaEkp9rWuxn1Fd65kdFxLKLiRG8efJKa kNQcv9dEBNnDgPCKn0qXtRn2iMiK5NQ+umjzTtLQbUI6KeVUNRE2tjTLihs4 aX/b0M9IyJ+upOzDXHO2pHcTWASgzUb9sQqjRrlQATL4JrQBqxfB+engsnw9 TUx1mmrArc5LNfutSkbWiPqAElMeO/1SOODVy/Oz84tnL5/+G8UC6mpYz20B EpxkpqmQp4fs+mD4Ex3GkoRSvtUYu+nthaAQ737PJr33knltlbqhYFIbnc1y rKrzw9QJL3mKw+IUSUsbuBLZIjApVUUlwD8jUJ+MZn0O1D1/ukEcom2PlXrw 65J/RS8zKFe9LQvDCE1wBdaU6kzcYysyWT3wTrVWkVm5/tQJkCXl5ml/vusY 4JEbRHgc4nQbxrlyfGYjX6rvOJfpjxOw/fgAek5wbPs0uwSUQ2r8og/6FpGo CVO94NqID8StjToJjLW2NF0+Q41BCgcMZ44lmzwTLTDUxeFNxfncgJHY3vCW 4EZgnvaleFtB3O5N5ph1NNCxo1O8EIro+YZGiVSwemT4jvIPRjMaATrRBkxk KSbOy1A/+glcfslmGwU1VM/ScotVuzxIrEITv7KpcLZbh7f7olSaW5suAAUP rPqGd43z+KgTjxPfcQJuhNUCe7EcJrGxpAEZ7q3Mz1EwzkM4IYXyyxC2qufT TzTT+VwTR/HFSWhtAjsEH/IlgXIpMUOjoFO3rZYUUotiAaxT1NoeApVnDkID uYG1jyEnq615MXWmYTP00ll/6olOC0XSWqSIGvD6vF+XyK8oqNmiStVn49g7 wqffaQYVNuegYBTzUunvgKBrsOHvPtm0ZYd39kOmX6XPyBvVF9jcJ1UMuZHf csPZJY5CpASRRw/LzW8ymd00m8rDMqJvSVfhV3V51DJQX66jTCtqkRWqu+O/ 27IeEux4A6x46hNbBXWPDTqTqJMJKg2E81Xd6DSxfWXWcuSE46SfbFQ8FUAo IwgVtko7xnmGhVK/SbRxl9H+aBtxYncYNS8PTHKpvhOnEoNNiHVWq9CdAVia JHBRKhMu6G1V7WmDydeSQMCUEvOrdsHrhB1X65Z2iTbcB7LiOY+xjtcavyKe G6RNH5UwSc5zvBJ0jsBepl0CfdYQG6yqPDluuKO32Jy2wLpxz4ONgWemhIW+ neMLYKr39I44Vi4W92Jrz+eX8p9nHJi3sfw4ZM72IJ+qpCPy+ljONoXHTdpp 7mccjQjwmrX0cXMGUVrVKm9RfkozQ/Knojl22noIVJwrHr85DLUNrYNhF0Pf KasDWtHdUdUrLolxWWk6kTp6lyz9GTkMyrEqNCUQkEcRT+FGfKP5Kki3ZO/7 cxOZkxuSccLrZUVZbMG+Vebj0kEyYL9v8Iy8xz2UUUjiRgQZb3EffZrTTFRs YGS0PGOwSTIWro40kbMnL5+MtZC6bMqRBrLBxqgtP1Fy4BGxv0GqXsJwONiT JfZ8gYvBDoOeTV1O39WbTh15yTgum7fFsw7U3e9r0MbQX3i+bIeh+A5IBD5+ S1Gji3a3Q8F22B5n7ummg91r97gLr2EV+IU/VM2PJSju8PDmBgj151nxAum1 Aeu93dEY5wP11P7XcruqfmZ8VgoNescmzk5EfyRK/yz5m38EbWev7bmOtKco V/3zDN8g4QDdr4X7/5LUI4939AAA --></rfc>