Private Access Tokens #954
Comments
Apple deployed the Privacy Pass protocols on the Web under the name “Private Access Tokens”, but this is largely a proprietary deployment of IETF protocols. We see several serious flaws in this deployment that mean that we have to take a “negative” position:
In order for us to be confident that use of Privacy Pass on the Web does not adversely affect user privacy, a lot of trust is placed in attesters and issuers. For this to be practical, we would need controls on the actions of issuers (and transitively, attesters):
We recognize that there is an intent to do better here, but we see serious challenges without adequate mitigations. Some of these items are readily addressed or are actively being worked on, which is encouraging. However, we remain skeptical that it is possible to develop a comprehensive system of controls with the right incentives for all participants. We understand that Apple intends to improve their deployment along the lines we describe, but we have to judge based on what is documented, implemented, and deployed. Our recent analysis goes into this in more depth.
1. Remove the position on privacy pass as a whole
2. Update the Private State Token (formerly Trust Token; Google) position to reflect conclusions
3. Add a position on Private Access Tokens (Apple)

Closes mozilla#261. Closes mozilla#262. Closes mozilla#954.
Request for Mozilla Position on an Emerging Web Specification
@-mention GitHub accounts): @tfpauly
Other information
I'm opening this issue so that we can track this feature here and record a public position on it. This is an important change to the Web platform that hasn't really received a whole lot of scrutiny and we're looking to rectify that.