- From: Samuel Schlesinger <notifications@github.com>
- Date: Sun, 27 Jul 2025 03:32:20 -0700
- To: w3ctag/design-reviews <design-reviews@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Sunday, 27 July 2025 10:32:24 UTC
SamuelSchlesinger left a comment (w3ctag/design-reviews#1071) Hi @toreini. The client's private key `k` is never sent to the server except as a blinded portion of the request for an issuance (by blinded, I mean the server cannot invert this to discover the value of `k`), and it is in fact the key thing which prevents the distribution attacks you mention. In particular, we send a proof that there exist authenticated `k` and `i` within `0..RATE_LIMIT` such that `F_k(i) = RateLimitingToken`, and `RateLimitingToken` is what's actually sent back to the server. Because `F_k` is cryptographically pseudorandom and our proof is zero-knowledge, we are never revealing the client's identity to the server. Further, because `RateLimitingToken` is determistically constructed from `k` and`i`, any given credential issuance can only be used `RATE_LIMIT` times per token. This means that, while we aren't binding the token to the user's device (this was a key design choice to allow all device types to be supported), our token presentations are scarce. -- Reply to this email directly or view it on GitHub: https://github.com/w3ctag/design-reviews/issues/1071#issuecomment-3124294621 You are receiving this because you are subscribed to this thread. Message ID: <w3ctag/design-reviews/issues/1071/3124294621@github.com>
Received on Sunday, 27 July 2025 10:32:24 UTC