]> Cloudflare Inc.

ot-ietf@thibault.uk

Security Privacy Pass This document specifies an instantiation of Privacy Pass Reverse Flow where HTTP is used as a transport mechanism. It describes a novel HTTP header field that Clients and Origins can use to carry reverse flow data. About This Document The latest revision of this draft can be found at . Status information for this document may be found at . Discussion of this document takes place on the Privacy Pass Working Group mailing list (), which is archived at . Subscribe at . Source for this draft and an issue tracker can be found at .

Introduction This document specifies an instantiation of Privacy Pass Reverse Flow where HTTP is used as a transport mechanism. specifies an architecture in which a client can both present a token and initiate a new credential issuance flow. As described in , this requires in-band encoding of information used by the issuance protocol. This document introduces a new HTTP header field as defined in . This allows Clients to convey a CredentialRequest, and Origins to transmit a CredentialResponse.

Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

PrivacyPass-Reverse Header Field A Client or an Origin following MAY include a PrivacyPass-Reverse header field to communicate Privacy Pass protocol data. This header field contains a base64url (per ) encoded CredentialRequest or CredentialResponse.

Privacy Pass with a Reverse Flow through PrivacyPass-Reverse header field | | | +-- PrivacyPass-Reverse: CredentialResponse -->| | | | ]]>

Example Below is an example request that uses to pass the request Token, as well as PrivacyPass-Reverse for its reverse flow.

IANA Considerations This document has no IANA actions.

References Normative References This document describes the commonly used base 64, base 32, and base 16 encoding schemes. It also discusses the use of line-feeds in encoded data, use of padding in encoded data, use of non-alphabet characters in encoded data, use of different encoding alphabets, and canonical encodings. [STANDARDS-TRACK] Cloudflare Inc. This document specifies an instantiation of Privacy Pass Architecture [RFC9576] that allows for a "reverse" flow from the Origin to the Client. It describes a method for an Origin to issue a state update to the Client in response to a request in which a token is redeemed. In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. Informative References The Hypertext Transfer Protocol (HTTP) is a stateless application-level protocol for distributed, collaborative, hypertext information systems. This document describes the overall architecture of HTTP, establishes common terminology, and defines aspects of the protocol that are shared by all versions. In this definition are core protocol elements, extensibility mechanisms, and the "http" and "https" Uniform Resource Identifier (URI) schemes. This document updates RFC 3864 and obsoletes RFCs 2818, 7231, 7232, 7233, 7235, 7538, 7615, 7694, and portions of 7230. This document defines an HTTP authentication scheme for Privacy Pass, a privacy-preserving authentication mechanism used for authorization. The authentication scheme specified in this document can be used by Clients to redeem Privacy Pass tokens with an Origin. It can also be used by Origins to challenge Clients to present Privacy Pass tokens.

Acknowledgments TODO

Changelog v00

• Initial draft