<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.4.9) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-schinazi-httpbis-ohttp-pfs-00" category="std" consensus="true" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="Perfect Forward Secure OHTTP">A Perfect Forward Secure Extension to Oblivious HTTP</title>
    <seriesInfo name="Internet-Draft" value="draft-schinazi-httpbis-ohttp-pfs-00"/>
    <author initials="D." surname="Schinazi" fullname="David Schinazi">
      <organization>Google LLC</organization>
      <address>
        <email>dschinazi.ietf@gmail.com</email>
      </address>
    </author>
    <date year="2026" month="July" day="06"/>
    <area>Web and Internet Transport</area>
    <workgroup>HTTP</workgroup>
    <keyword>oblivious</keyword>
    <keyword>HTTP</keyword>
    <keyword>configuration</keyword>
    <keyword>extension</keyword>
    <abstract>
      <?line 40?>

<t>Oblivious HTTP (OHTTP) is a protocol for forwarding encrypted HTTP messages.
It does not provide Perfect Forward Secrecy (PFS). Chunked OHTTP expands
OHTTP to be suitable for longer-lived streams, but still does not offer PFS.
Combined, this is leading sensitive traffic to de deployed at scale without
PFS. This document proposes a solution.</t>
    </abstract>
    <note removeInRFC="true">
      <name>About This Document</name>
      <t>
        The latest revision of this draft can be found at <eref target="https://DavidSchinazi.github.io/draft-schinazi-httpbis-ohttp-pfs/draft-schinazi-httpbis-ohttp-pfs.html"/>.
        Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-schinazi-httpbis-ohttp-pfs/"/>.
      </t>
      <t>
        Discussion of this document takes place on the
        HTTP Working Group mailing list (<eref target="mailto:ietf-http-wg@w3.org"/>),
        which is archived at <eref target="https://lists.w3.org/Archives/Public/ietf-http-wg/"/>.
        Working Group information can be found at <eref target="https://httpwg.org/"/>.
      </t>
      <t>Source for this draft and an issue tracker can be found at
        <eref target="https://github.com/DavidSchinazi/draft-schinazi-httpbis-ohttp-pfs"/>.</t>
    </note>
  </front>
  <middle>
    <?line 48?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>Oblivious HTTP (<xref target="OHTTP"/>) is a protocol for forwarding encrypted
HTTP messages. It does not provide Perfect Forward Secrecy (PFS). Chunked
OHTTP (<xref target="CHUNKED"/>) expands OHTTP to be
suitable for longer-lived streams, but still does not offer PFS.</t>
      <t>Unfortunately, providing a streaming abstraction over OHTTP makes it an
attractive tool to provide privacy. This is leading application designers
to build Remote Procedure Call (RPC) systems over this bidirectional
stream, without realizing the security cost of losing PFS.</t>
      <t>This document proposes a solution that offers PFS to all data sent over
OHTTP apart from the client's first flight. This provides privacy and
security properties similar to TLS 0-RTT (see <xref section="2.3" sectionFormat="of" target="TLS"/>)
run over HTTP CONNECT (see <xref section="9.3.6" sectionFormat="of" target="HTTP"/>)
without losing the performance nor request-correlation-prevention
properties of OHTTP. This mechanism is designed to be backwards compatible
with unextended OHTTP.</t>
    </section>
    <section anchor="conventions-and-definitions">
      <name>Conventions and Definitions</name>
      <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>
      <?line -18?>

<t>This document uses terminology from <xref target="HPKE"/>.</t>
    </section>
    <section anchor="mechanism">
      <name>Mechanism</name>
      <t>This mechanism relies on the generation of two more ephemeral key pairs per
OHTTP request: one for the client (denoted <tt>skC, pkC</tt>) and one for the
gateway (not denoted since it only exists inside of <tt>SetupBaseS</tt>).</t>
      <t>The client starts by generating a second ephemeral key pair, using the same KEM
it has selected for this request:</t>
      <artwork><![CDATA[
skC, pkC = GenerateKeyPair()
]]></artwork>
      <t>The client then adds the serialized public key
<tt>SerializePublicKey(pkC)</tt> to its Binary HTTP (<xref target="BHTTP"/>)
request headers using the "OHTTP-PFS" header. That header is a
Structured Header Field Item of type Byte Sequence as defined in
<xref section="3.3.5" sectionFormat="of" target="STRUCTURED"/>. For example:</t>
      <artwork><![CDATA[
ohttp-pfs: :dGhpcyBpcyBhIHB1YmxpYyBrZXk=:
]]></artwork>
      <t>The client then encrypts the Binary HTTP request following the procedure in
<xref section="4.3" sectionFormat="of" target="OHTTP"/>. The gateway follows the procedure in that same
section to recover the Binary HTTP request.</t>
      <t>The gateway then checks the request for the presence of the "ohttp-pfs"
header to determine whether this extension is in use. If it is, it uses
the HPKE receiver context (<tt>rctxt</tt>) from the OHTTP request as the HPKE
context (<tt>req_context</tt>) as follows:</t>
      <artwork><![CDATA[
req_secret = req_context.Export("OHTTP PFS Request Derivation",
                                max(Nn, Nk))
info2 = concat(encode_str("OHTTP PFS Response"),
               encode(1, 0),
               encode(1, key_id),
               encode(2, kem_id),
               encode(2, kdf_id),
               encode(2, aead_id),
               req_secret)
enc2, pctxt = SetupBaseS(pkC, info2)
ct2 = pctxt.Seal("", response)
enc_response = concat(enc2, ct2)
]]></artwork>
      <t>The client then reverses this process to extract the response.</t>
      <t>This document's editor ran out of time right before the draft deadline, so
this section is still a work in progress. Please check the
<eref target="https://davidschinazi.github.io/draft-schinazi-httpbis-ohttp-pfs/draft-schinazi-httpbis-ohttp-pfs.html">editor's copy</eref>,
they most likely have made some progress since then.</t>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <t>TODO</t>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <section anchor="ohttp-pfs-http-header-field">
        <name>OHTTP-PFS HTTP Header Field</name>
        <t>TODO</t>
      </section>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="OHTTP">
          <front>
            <title>Oblivious HTTP</title>
            <author fullname="M. Thomson" initials="M." surname="Thomson"/>
            <author fullname="C. A. Wood" initials="C. A." surname="Wood"/>
            <date month="January" year="2024"/>
            <abstract>
              <t>This document describes Oblivious HTTP, a protocol for forwarding encrypted HTTP messages. Oblivious HTTP allows a client to make multiple requests to an origin server without that server being able to link those requests to the client or to identify the requests as having come from the same client, while placing only limited trust in the nodes used to forward the messages.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9458"/>
          <seriesInfo name="DOI" value="10.17487/RFC9458"/>
        </reference>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
        <reference anchor="HPKE">
          <front>
            <title>Hybrid Public Key Encryption</title>
            <author fullname="R. Barnes" initials="R." surname="Barnes"/>
            <author fullname="K. Bhargavan" initials="K." surname="Bhargavan"/>
            <author fullname="B. Lipp" initials="B." surname="Lipp"/>
            <author fullname="C. Wood" initials="C." surname="Wood"/>
            <date month="February" year="2022"/>
            <abstract>
              <t>This document describes a scheme for hybrid public key encryption (HPKE). This scheme provides a variant of public key encryption of arbitrary-sized plaintexts for a recipient public key. It also includes three authenticated variants, including one that authenticates possession of a pre-shared key and two optional ones that authenticate possession of a key encapsulation mechanism (KEM) private key. HPKE works for any combination of an asymmetric KEM, key derivation function (KDF), and authenticated encryption with additional data (AEAD) encryption function. Some authenticated variants may not be supported by all KEMs. We provide instantiations of the scheme using widely used and efficient primitives, such as Elliptic Curve Diffie-Hellman (ECDH) key agreement, HMAC-based key derivation function (HKDF), and SHA2.</t>
              <t>This document is a product of the Crypto Forum Research Group (CFRG) in the IRTF.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9180"/>
          <seriesInfo name="DOI" value="10.17487/RFC9180"/>
        </reference>
        <reference anchor="BHTTP">
          <front>
            <title>Binary Representation of HTTP Messages</title>
            <author fullname="M. Thomson" initials="M." surname="Thomson"/>
            <author fullname="C. A. Wood" initials="C. A." surname="Wood"/>
            <date month="August" year="2022"/>
            <abstract>
              <t>This document defines a binary format for representing HTTP messages.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9292"/>
          <seriesInfo name="DOI" value="10.17487/RFC9292"/>
        </reference>
        <reference anchor="STRUCTURED">
          <front>
            <title>Structured Field Values for HTTP</title>
            <author fullname="M. Nottingham" initials="M." surname="Nottingham"/>
            <author fullname="P-H. Kamp" surname="P-H. Kamp"/>
            <date month="September" year="2024"/>
            <abstract>
              <t>This document describes a set of data types and associated algorithms that are intended to make it easier and safer to define and handle HTTP header and trailer fields, known as "Structured Fields", "Structured Headers", or "Structured Trailers". It is intended for use by specifications of new HTTP fields.</t>
              <t>This document obsoletes RFC 8941.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9651"/>
          <seriesInfo name="DOI" value="10.17487/RFC9651"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="CHUNKED">
          <front>
            <title>Chunked Oblivious HTTP Messages</title>
            <author fullname="Tommy Pauly" initials="T." surname="Pauly">
              <organization>Apple</organization>
            </author>
            <author fullname="Martin Thomson" initials="M." surname="Thomson">
              <organization>Mozilla</organization>
            </author>
            <date day="18" month="February" year="2026"/>
            <abstract>
              <t>   This document defines a variant of the Oblivious HTTP message format
   that allows chunks of requests and responses to be encrypted and
   decrypted before the entire request or response is processed.  This
   allows incremental processing of Oblivious HTTP messages, which is
   particularly useful for handling large messages or systems that
   process messages slowly.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-ohai-chunked-ohttp-08"/>
        </reference>
        <reference anchor="TLS">
          <front>
            <title>The Transport Layer Security (TLS) Protocol Version 1.3</title>
            <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
            <date month="August" year="2018"/>
            <abstract>
              <t>This document specifies version 1.3 of the Transport Layer Security (TLS) protocol. TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery.</t>
              <t>This document updates RFCs 5705 and 6066, and obsoletes RFCs 5077, 5246, and 6961. This document also specifies new requirements for TLS 1.2 implementations.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8446"/>
          <seriesInfo name="DOI" value="10.17487/RFC8446"/>
        </reference>
        <reference anchor="HTTP">
          <front>
            <title>HTTP Semantics</title>
            <author fullname="R. Fielding" initials="R." role="editor" surname="Fielding"/>
            <author fullname="M. Nottingham" initials="M." role="editor" surname="Nottingham"/>
            <author fullname="J. Reschke" initials="J." role="editor" surname="Reschke"/>
            <date month="June" year="2022"/>
            <abstract>
              <t>The Hypertext Transfer Protocol (HTTP) is a stateless application-level protocol for distributed, collaborative, hypertext information systems. This document describes the overall architecture of HTTP, establishes common terminology, and defines aspects of the protocol that are shared by all versions. In this definition are core protocol elements, extensibility mechanisms, and the "http" and "https" Uniform Resource Identifier (URI) schemes.</t>
              <t>This document updates RFC 3864 and obsoletes RFCs 2818, 7231, 7232, 7233, 7235, 7538, 7615, 7694, and portions of 7230.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="97"/>
          <seriesInfo name="RFC" value="9110"/>
          <seriesInfo name="DOI" value="10.17487/RFC9110"/>
        </reference>
      </references>
    </references>
    <?line 158?>

<section numbered="false" anchor="acknowledgments">
      <name>Acknowledgments</name>
      <t>Thank you to Martin Thomson and Chris Wood for
<eref target="https://mailarchive.ietf.org/arch/msg/ohai/Vrh25BxK4wmIDJxeRYrYj6U1-g0/">asking</eref>
        <eref target="https://mailarchive.ietf.org/arch/msg/ohai/AAWH6Cp3OmxwEuzoxehYFh1O4ck/">me</eref>
to write this draft.</t>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA7VY61IbORb+r6fQOD/G3sIGA8kmrslkwEBgA5jFZrNsairI
3bJb4+5Wj6TGOKnkWfZZ9sn2O1K3sQNZ9lKbCuVuSef2nau63W4zp1wqe7yx
xy+kmcjI8SNt5sLEfCij0kh+eOdkbpXOudN8ME7VrdKl5cej0UWDifHYyFuQ
f4d4EI5FwsmpNosety5msY5ykUFobMTEtW2UqFx8Uu3EuWKsbFvTQ7uY2PbW
FrPlOFOW5LtFAZqTw9ERy8tsLE2PxeDbY5HOLVQsbY87U0oGfXbYTC7m2sQ9
xttc11rTC2lEv6CaqGlphANvWpC1oUwYKWDTeznmIo/5Se6kyaXjIyNyW2jj
Ggy8Z1OjywLngo23Mi+hDOfry5wHvRvvQaHyKX9L27SeaMKAbLW9zU36nU87
2kw3sZcJlYJGSTfxsLTn01/mO7RLlMJECXZr0lRZZzthe3MPe+pW2s2LElZH
m6ssNol4qlxSjkF+IG5VPKzA33zKF0SaAm7rViSvsegEzh2ln2T25IFO4rK0
wZgoXaINORHiOVc5fHzQ4bVIvxhiyauyvgE4evyt1tNU8tPTvl+TAdm4Ft0h
fH6Z0mon0hljuTYZQuIWrmQqn6y8dTodxtrtNhdj64yIHGPr6cCbPtxbXFku
eGG005FOOXjQH6UF+V/mkVkUTsaBJpPWiqm0HXbieKyl5bl2RAxz5GM5aWS0
4M2Lo2Grw/tJmc/AyctFABcIV8vCG7J1LLktlRNjAEBapDqfStOGzqCBDVJk
doOPS4cXlab34vVkIg2HjA7r62yschlvcJfALvxPpfCGUM4pwgZZJyYTFZFI
6BzLItULSBDgGwnIniMwdOkYMeQjYoMSUGYy94YW2koCzOq0pFysUM5UHKeS
sWeUf0bHZeQT9QHmnz//4A1+fXnUf7X7/OWXL/+uA9i6A/h/74AKcujypn98
df7u8OD1SfvAxxZiWqh2FM6FACcNK1/xFV+x/9lX7IoC1pU58jRdbFRGkM2i
YuGfq/Clkq5vQRt0yMQMHJVDyWPChRPkWw0EoV8NSGHUrYgWlR9XwkEUBeqN
r6YIAaumuTSWkWWlSmN+KTPtgKfRkYypNfQFrGheXvRb3C6sk5kN2vgwG0Nt
4EzMRMqC7ht1HHG8peoTCXUJQpxajXILVHRLcAA6S3sBkifDDTxEhaIlGjKW
VENvERTjzqtVeVgUwjg+MTrzoqNU4cCPlk+UgexJqqaJq6CpALM1YtRK2FJX
UkQap7BvVaZSYUju6HTIt9qXoxFvWin558/DgAHf7uyQZW9wgOL85e7uC0QR
M2XlQq9cf3B+fth/QPuqs9N54amXadLtbhF5jWcFGFkEpXzNyyOJ6DKA+vcS
Nb8daWNk6r3bLtDyYTZl44oZEOAxqszPZJSIXNmMYqSKh7gqSmMRzSibLFyW
FWCKoPfK8DL3XTiua1qH8r+v80qe9f34QE5Urvw7+Vdy9HpOzd7yxtnVcNTY
CL/8fOCfLw//fHVyeXhAz8PjvdPT5QOrTgyPB1enB/dP95T9wdnZ4flBIMYq
X1tijbO9a+yQVo3BxehkcL532kCbClG8DDsMFJXpimYJAEj1X1gGYCKjxngB
zX7/4h9/7+7CdT/ASdvd7qsvX6qXl90/7uJlnsg8SNN5uqhe4bYFQ/ZJxBC4
UOxGokApSVEwBOIr0fOcJ9JIoPmHD4TMrz3+0zgqurs/Vwtk8Npijdnaosfs
4coD4gDiI0uPiFmiubb+DdLr+u5dr73XuK8s/vQmRc/i7e7LNz+zb2tASfkP
L6AY6lRPFyGdgfPxxbvDkB4vkR4+9M7qKK6Y3Ec1ssFHfe7TZipR7ULtQx64
ueaZhs9lkcgMG6kP0UKgSlCGVcWkyq0emISaf19SeDOWKO6Iixs766OSz/o3
rcrxy7Nsijo/F2hG1AdqAqQychd13IeIvKPhkAYnKt7Q7WYoXVnsCyuHN61O
yJ9KpnUobqi9i6U5oXNIjMrxI7ZsAMplEcYQxt8dnjEITijoZIryA3WCroCu
tpaxr1+/stoq/pq/DcLkO7m4ANdmyx9YVQwCENcx8jvUe6Oo/oN54WdcUojB
rmo5DL7g1gT/1g0lnoJZ+5j3zOJ+aNhfVsPtV9u+mAYFkSkipl5wb1zD+6uN
5tCodqnIifqoHzfYEHePyKGzYbALy0dKovGdoLX5oMA1gO8v0AOHJIicJKgy
Tmi6goPYfcXeQcV+TjQ/DEeXV/3RFRLRa/rieReBScMIHCuyIpUVnMvBucd7
8dukiBb79JecHO93r7O74nqxb/7219nr3uPYViNRwHcVqBqTiU5TPV82iWUT
X1N7NzQpDxapSVLqEA0M7APy0H0peqg3uuqaidZfzQKPqlOFbc3bmxAlMpoF
/vdKm0qetB5v8gK5c+VSU3nQT66hJkgqqzhWhe3yVkhehr6oHpgUJ5RgCvVV
hXrCiC/VD1JdKtIdSeNAzJs3JnJ3Dum7HBvW0p+ioKZmK0Ty94/VG2W+rRGs
HE7blmZRhwxaOds5vKMLajOErJ9nLis5B5IGEYIYjYs/8S8Td81zNJfzWavl
70HbkAMZGPCawFLH8iOmsnUxuBrjIt5oPeAeCJrdDb71rzaRxh9V/N0T23Qi
e+pEPHnihIDHHz1yD2mL4TiOFuQ42H1fMqmkwOmER4tFjkDxhzpDjKTNBkYB
U8HgeXys39bAA2eQfqfM0WxlfIeqhsgI9xOKTziXZvIqwgPbb+dbTKIyVo7m
NoFOVPpx2CmUZkOTKQaQCbUlYuFv4Ah6EVOr3MA4zLzEOgvp0V80BI1WMwp9
KDOFZNyULjD0wyifc74TfQhif6SJrlj82qw/EMR0K7f/rw8E8CENP+i1CO9U
zXDpQfPBpSVDUsOiTC51rtoiQewb+7AexDFcUmsMzZvmycHBwF869873Hmw+
e8aXrSBUpNVSXxPT7ZVGXGKzF81yPU9lPCX/WPa5F75dyfh1Y4IJTTa+kA9F
PuMLXZKfz9CEAfYo0ZmFH6jn9xMDd7zX2rdT9kFY+pJ0jzJ9vRDhu4+/c/oP
QbSwmdnpJl1AN/9iku3n+3fvdufZycGf7uTltbn+7cVVtz3d2myxD5n8j7jt
7b0/ftEvdgbZ3fyw/KTvZHJ9lHQHu9EM3GDEHNjKaggmT3bYPwH/fHyObBQA
AA==

-->

</rfc>
