| RFC 9458 | Oblivious HTTP | January 2024 |
| Thomson & Wood | Standards Track | [Page] |
This document describes Oblivious HTTP, a protocol for forwarding encrypted HTTP messages.Oblivious HTTP allows a client to make multiple requests to an origin server without that serverbeing able to link those requests to the client or to identify the requests as having come from thesame client, while placing only limited trust in the nodes used to forward the messages.¶
This is an Internet Standards Track document.¶
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841.¶
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained athttps://www.rfc-editor.org/info/rfc9458.¶
Copyright (c) 2024 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
HTTP requests reveal information about client identities to servers. While theactual content of the request message is under the control of the client, otherinformation that is more difficult to control can still be used to identify theclient.¶
Even where an IP address is not directly associated with an individual, therequests made from it can be correlated over time to assemble a profile ofclient behavior. In particular, connection reuse improves performance butprovides servers with the ability to link requests that share a connection.¶
In particular, the source IP address of the underlying connection revealsidentifying information that the client has only limited control over. Whileclient-configured HTTP proxies can provide a degree of protection against IPaddress tracking, they present an unfortunate trade-off: if they are used withoutTLS, the contents of communication are revealed to the proxy; if they are usedwith TLS, a new connection needs to be used for each request to ensure that theorigin server cannot use the connection as a way to correlate requests,incurring significant performance overheads.¶
To overcome these limitations, this document defines Oblivious HTTP, a protocolfor encrypting and sending HTTP messages from a client to a gateway. This uses atrusted relay service in a manner that mitigates the use of metadata such as IPaddress and connection information for client identification, with reasonableperformance characteristics. This document describes:¶
an algorithm for encapsulating binary HTTP messages[BINARY] using HybridPublic Key Encryption (HPKE)[HPKE] to protect their contents,¶
a method for forwardingEncapsulated Requests betweenClients and anOblivious Gateway Resource through a trustedOblivious Relay Resource usingHTTP, and¶
requirements for how the Oblivious Gateway Resource handles Encapsulated Requests and producesEncapsulated Responses for the Client.¶
The combination of encapsulation and relaying ensures that Oblivious GatewayResource never sees the Client's IP address and that the Oblivious RelayResource never sees plaintext HTTP message content.¶
Oblivious HTTP allows connection reuse between the Client and Oblivious RelayResource, as well as between that relay and the Oblivious Gateway Resource, so thisscheme represents a performance improvement over using just one request in eachconnection. With limited trust placed in the Oblivious Relay Resource (seeSection 6), Clients are assured that requests are not uniquely attributed tothem or linked to other requests.¶
An Oblivious HTTPClient must initially know the following:¶
The identity of anOblivious Gateway Resource. This might include someinformation about whatTarget Resources the Oblivious Gateway Resourcesupports.¶
The details of an HPKE public key for the Oblivious Gateway Resource,including an identifier for that key and the HPKE algorithms that are usedwith that key.¶
The identity of anOblivious Relay Resource that will accept relay requestscarrying anEncapsulated Request as its content and forward the content inthese requests to a particular Oblivious Gateway Resource. Oblivious HTTPuses a one-to-one mapping between Oblivious Relay and Gateway Resources; seeSection 8.2 for more details.¶
This information allows the Client to send HTTP requests to the ObliviousGateway Resource for forwarding to a Target Resource. The Oblivious GatewayResource does not learn the Client's IP address or any other identifyinginformation that might be revealed from the Client at the transport layer, nordoes the Oblivious Gateway Resource learn which of the requests it receives arefrom the same Client.¶
In order to forward a request for aTarget Resource to theOblivious GatewayResource, the following steps occur, as shown inFigure 1:¶
TheClient constructs an HTTP request for a Target Resource.¶
The Client encodes the HTTP request in a binary HTTP message and thenencapsulates that message using HPKE and the process fromSection 4.3.¶
The Client sends a POST request to theOblivious Relay Resource with theEncapsulated Request as the content of that message.¶
The Oblivious Relay Resource forwards this request to the Oblivious GatewayResource.¶
The Oblivious Gateway Resource receives this request and removesthe HPKE protection to obtain an HTTP request.¶
The Oblivious Gateway Resource then handles the HTTP request. This typicallyinvolves making an HTTP request using the content of the Encapsulated Request. Once theOblivious Gateway Resource has an HTTP response for this request, the followingsteps occur to return this response to the Client:¶
The Oblivious Gateway Resource encapsulates the HTTP response following theprocess inSection 4.4 and sends this in response to the request from theOblivious Relay Resource.¶
The Oblivious Relay Resource forwards this response to the Client.¶
The Client removes the encapsulation to obtain the response to the original request.¶
This interaction provides authentication and confidentiality protection betweenthe Client and the Oblivious Gateway, but importantly not between the Client andthe Target Resource. While the Target Resource is a distinct HTTP resource fromthe Oblivious Gateway Resource, they are both logically under the control of theOblivious Gateway, since the Oblivious Gateway Resource can unilaterally dictatethe responses returned from the Target Resource to the Client. This arrangementis shown inFigure 1.¶
Oblivious HTTP has limited applicability. Importantly, it requires explicitsupport from a willingOblivious Relay Resource andOblivious Gateway Resource,thereby limiting the use of Oblivious HTTP for generic applications;seeSection 6.3 for more information.¶
Many uses of HTTP benefit from being able to carry state between requests, suchas with cookies[COOKIES], authentication (Section 11 of [HTTP]), or evenalternative services[RFC7838]. Oblivious HTTP removes linkage at thetransport layer, which is only useful for an application that does not carrystate between requests.¶
Oblivious HTTP is primarily useful where the privacy risks associated withpossible stateful treatment of requests are sufficiently large that the cost ofdeploying this protocol can be justified. Oblivious HTTP is simpler and lesscostly than more robust systems, like Prio[PRIO] or Tor[DMS2004], whichcan provide stronger guarantees at higher operational costs.¶
Oblivious HTTP is more costly than a direct connection to a server. Some costs,like those involved with connection setup, can be amortized, but there areseveral ways in which Oblivious HTTP is more expensive than a direct request:¶
Each request requires at least two regular HTTP requests, which couldincrease latency.¶
Each request is expanded in size with additional HTTP fields,encryption-related metadata, and Authenticated Encryption with Associated Data(AEAD) expansion.¶
Deriving cryptographic keys and applying them for request andresponse protection takes non-negligible computational resources.¶
Examples of where preventing the linking of requests might justify these costsinclude:¶
DNS queries made to a recursive resolver reveal information about therequester, particularly if linked to other queries.¶
Applications that submit reports about their usage to their developers mightuse Oblivious HTTP for some types of moderately sensitive data.¶
These are examples of requests where there is information in a request that --if it were connected to the identity of the user -- might allow a server tolearn something about that user even if the identity of the user werepseudonymous. Other examples include submitting anonymous surveys, makingsearch queries, or requesting location-specific content (such as retrievingtiles of a map display).¶
In addition to these limitations,Section 6 describes operational constraintsthat are necessary to realize the goals of the protocol.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED","MAY", and "OPTIONAL" in this document are to be interpreted asdescribed in BCP 14[RFC2119][RFC8174] when, and only when, theyappear in all capitals, as shown here.¶
This document uses terminology from[HTTP] and defines several terms asfollows:¶
A Client originates Oblivious HTTP requests. A Client is also an HTTP clientin two ways: for theTarget Resource and for theOblivious RelayResource. However, when referring to the HTTP definition of client (Section 3.3 of [HTTP]), the term "HTTP client" is used; seeSection 5.¶
An HTTP request that is encapsulated in an HPKE-encrypted message; seeSection 4.3.¶
An HTTP response that is encapsulated in an HPKE-encrypted message; seeSection 4.4.¶
An intermediary that forwardsEncapsulated Requests andResponses betweenClients and a singleOblivious Gateway Resource. In context, this can bereferred to simply as a "relay".¶
A resource that can receive anEncapsulated Request, extract the contents ofthat request, forward it to aTarget Resource, receive a response, encapsulatethat response, and then return the resultingEncapsulated Response. Incontext, this can be referred to simply as a "gateway".¶
The resource that is the target of anEncapsulated Request. This resourcelogically handles only regular HTTP requests and responses, so it might beignorant of the use of Oblivious HTTP to reach it.¶
This document includes pseudocode that uses the functions and conventionsdefined in[HPKE].¶
Encoding an integer to a sequence of bytes in network byte order is describedusing the functionencode(n, v), wheren is the number of bytes andv isthe integer value. ASCII[ASCII] encoding of a strings isindicated using the functionencode_str(s).¶
Formats are described using notation fromSection 1.3 of [QUIC]. An extensionto that notation expresses the number of bits in a field using a simplemathematical function.¶
AClient needs to acquire information about the key configuration of theOblivious Gateway Resource in order to sendEncapsulated Requests.In order to ensure that Clients do not encapsulate messages that other entitiescan intercept, the key configurationMUST be authenticated and have integrityprotection.¶
This document does not define how that acquisition occurs. However, in order tohelp facilitate interoperability, it does specify a format for the keys. Thisensures that different Client implementations can be configured in the same wayand also enables advertising key configurations in a consistent format. Thisformat might be used, for example, with HTTPS, as part of a system forconfiguring or discovering key configurations. However, note that such a systemneeds to consider the potential for key configuration to be used to compromiseClient privacy; seeSection 7.¶
A Client might have multiple key configurations to select from whenencapsulating a request. Clients are responsible for selecting a preferred keyconfiguration from those it supports. Clients need to consider both the KeyEncapsulation Method (KEM) and the combinations of the Key Derivation Function(KDF) and AEAD in this decision.¶
A singlekey configuration consists of a key identifier, a public key, anidentifier for the KEM that the public key uses, and a set of HPKE symmetricalgorithms. Each symmetric algorithm consists of an identifier for a KDF and anidentifier for an AEAD.¶
Figure 2 shows a single key configuration.¶
HPKE Symmetric Algorithms { HPKE KDF ID (16), HPKE AEAD ID (16),}Key Config { Key Identifier (8), HPKE KEM ID (16), HPKE Public Key (Npk * 8), HPKE Symmetric Algorithms Length (16) = 4..65532, HPKE Symmetric Algorithms (32) ...,}That is, a key configuration consists of the following fields:¶
An 8-bit value that identifies the key used by theOblivious Gateway Resource.¶
A 16-bit value that identifies the KEM used for the identified key as definedinSection 7.1 of [HPKE] or the"HPKE KEM Identifiers" registry.¶
The public key used by the gateway. The length of the public key isNpk, which isdetermined by the choice of HPKE KEM as defined inSection 4 of [HPKE].¶
A 16-bit integer in network byte order that encodes the length, in bytes, ofthe HPKE Symmetric Algorithms field that follows.¶
One or more pairs of identifiers for the different combinations of HPKE KDFand AEAD that the Oblivious Gateway Resource supports:¶
A 16-bit HPKE KDF identifier as defined inSection 7.2 of [HPKE] or the"HPKE KDF Identifiers"registry.¶
A 16-bit HPKE AEAD identifier as defined inSection 7.3 of [HPKE] or the"HPKE AEAD Identifiers" registry.¶
The "application/ohttp-keys" format is a media type that identifies a serializedcollection ofkey configurations. The content of this media type comprises oneor more key configuration encodings (seeSection 3.1). Each encodedconfiguration is prefixed with a 2-byte integer in network byte order thatindicates the length of the key configuration in bytes. The length-prefixedencodings are concatenated to form a list. SeeSection 9.1 for a definitionof the media type.¶
Evolution of the key configuration format is supported through the definition ofnew formats that are identified by new media types.¶
AClient that receives an "application/ohttp-keys" object with encoding errorsmight be able to recover one or more key configurations. Differences in how keyconfigurations are recovered might be exploited to segregate Clients, so ClientsMUST discard incorrectly encoded key configuration collections.¶
This document defines how a binary-encoded HTTP message[BINARY] isencapsulated using HPKE[HPKE]. Separate media types are defined todistinguish request and response messages:¶
AnEncapsulated Request format defined inSection 4.1 is identified by the"message/ohttp-req" media type (Section 9.2).¶
AnEncapsulated Response format defined inSection 4.2 is identified by the"message/ohttp-res" media type (Section 9.3).¶
Alternative encapsulations or message formats are indicated using the mediatype; see Sections4.5 and4.6.¶
A message in "message/ohttp-req" format protects a binary HTTP requestmessage; seeFigure 3.¶
Request { Binary HTTP Message (..),}This plaintext Request structure is encapsulated into a message in"message/ohttp-req" form by generating anEncapsulated Request. AnEncapsulated Request comprises a key identifier; HPKE parameters for the chosenKEM, KDF, and AEAD; the encapsulated KEM shared secret (orenc); and anHPKE-protected binary HTTP request message.¶
An Encapsulated Request is shown inFigure 4.Section 4.3 describesthe process for constructing and processing an Encapsulated Request.¶
Encapsulated Request { Key Identifier (8), HPKE KEM ID (16), HPKE KDF ID (16), HPKE AEAD ID (16), Encapsulated KEM Shared Secret (8 * Nenc), HPKE-Protected Request (..),}That is, anEncapsulated Request comprises a Key Identifier, an HPKE KEM ID, anHPKE KDF ID, an HPKE AEAD ID, an Encapsulated KEM Shared Secret, and anHPKE-Protected Request. The Key Identifier, HPKE KEM ID, HPKE KDF ID, and HPKEAEAD ID fields are defined inSection 3.1. The Encapsulated KEM SharedSecret is the output of theEncap() function for the KEM, which isNencbytes in length, as defined inSection 4 of [HPKE].¶
A message in "message/ohttp-res" format protects a binary HTTP responsemessage; seeFigure 5.¶
Response { Binary HTTP Message (..),}This plaintext Response structure is encapsulated into a message in"message/ohttp-res" form by generating anEncapsulated Response. AnEncapsulated Response comprises a nonce and the AEAD-protected binary HTTPresponse message.¶
An Encapsulated Response is shown inFigure 6.Section 4.4 describesthe process for constructing and processing an Encapsulated Response.¶
Encapsulated Response { Nonce (8 * max(Nn, Nk)), AEAD-Protected Response (..),}That is, anEncapsulated Response contains a Nonce and an AEAD-ProtectedResponse. The Nonce field is eitherNn orNk bytes long, whichever islarger. TheNn andNk values correspond to parameters of the AEAD used inHPKE, which is defined inSection 7.3 of [HPKE] orthe "HPKE AEADIdentifiers" IANAregistry.NnandNk refer to the size of the AEAD nonce and key, respectively, in bytes.¶
Clients encapsulate a request, identified asrequest, using values from akeyconfiguration:¶
the key identifier from the configuration (key_id) with the correspondingKEM identified bykem_id,¶
the public key from the configuration (pkR), and¶
a combination of KDF (identified bykdf_id) and AEAD (identified byaead_id) that the Client selects from those in the key configuration.¶
The Client then constructs anEncapsulated Request,enc_request, from a binary-encoded HTTP request[BINARY] (request) as follows:¶
Construct a message header (hdr) by concatenating the values ofkey_id,kem_id,kdf_id, andaead_id as one 8-bit integer and three 16-bitintegers, respectively, each in network byte order.¶
Build a sequence of bytes (info) by concatenating the ASCII-encoded string"message/bhttp request", a zero byte, and the header. Note:Section 4.6discusses how alternative message formats might use a differentinfo value.¶
Create a sending HPKE context by invokingSetupBaseS() (Section 5.1.1 of [HPKE]) with the public key of the receiverpkR andinfo. This yieldsthe contextsctxt and an encapsulation keyenc.¶
Encryptrequest by invoking theSeal() method onsctxt (Section 5.2 of [HPKE]) with empty associated dataaad, yielding ciphertextct.¶
Concatenate the values ofhdr,enc, andct. This yields an EncapsulatedRequest (enc_request).¶
Note thatenc is of fixed length, so there is no ambiguity in parsing thisstructure.¶
In pseudocode, this procedure is as follows:¶
hdr = concat(encode(1, key_id), encode(2, kem_id), encode(2, kdf_id), encode(2, aead_id))info = concat(encode_str("message/bhttp request"), encode(1, 0), hdr)enc, sctxt = SetupBaseS(pkR, info)ct = sctxt.Seal("", request)enc_request = concat(hdr, enc, ct)¶AnOblivious Gateway Resource decrypts an Encapsulated Request by reversing thisprocess. To decapsulate an Encapsulated Request,enc_request:¶
Parseenc_request intokey_id,kem_id,kdf_id,aead_id,enc, andct (indicated using the functionparse() in pseudocode). The ObliviousGateway Resource is then able to find the HPKE private key,skR,corresponding tokey_id.¶
Build a sequence of bytes (info) by concatenating the ASCII-encoded string"message/bhttp request"; a zero byte;key_id as an 8-bit integer; pluskem_id,kdf_id, andaead_id as three 16-bit integers.¶
Create a receiving HPKE context,rctxt, by invokingSetupBaseR()(Section 5.1.1 of [HPKE]) withskR,enc, andinfo.¶
Decryptct by invoking theOpen() method onrctxt (Section 5.2 of [HPKE]), with an empty associated dataaad, yieldingrequest or an erroron failure. If decryption fails, the Oblivious Gateway Resource returns anerror.¶
In pseudocode, this procedure is as follows:¶
key_id, kem_id, kdf_id, aead_id, enc, ct = parse(enc_request)info = concat(encode_str("message/bhttp request"), encode(1, 0), encode(1, key_id), encode(2, kem_id), encode(2, kdf_id), encode(2, aead_id))rctxt = SetupBaseR(enc, skR, info)request, error = rctxt.Open("", ct)¶The Oblivious Gateway Resource retains the HPKE context,rctxt, so that it canencapsulate a response.¶
Oblivious Gateway Resources generate anEncapsulated Response (enc_response)from a binary-encoded HTTP response[BINARY] (response). The ObliviousGateway Resource uses the HPKE receiver context (rctxt) as the HPKE context(context) as follows:¶
Export a secret (secret) fromcontext, using the string "message/bhttpresponse" as theexporter_context parameter tocontext.Export; seeSection 5.3 of [HPKE]. The length of this secret ismax(Nn, Nk), whereNn andNk are the length of the AEAD key and nonce that are associated withcontext.Note:Section 4.6 discusses how alternative message formats might use adifferentcontext value.¶
Generate a random value of lengthmax(Nn, Nk) bytes, calledresponse_nonce.¶
Extract a pseudorandom key (prk) using theExtract function provided bythe KDF algorithm associated withcontext. Theikm input to thisfunction issecret; thesalt input is the concatenation ofenc (fromenc_request) andresponse_nonce.¶
Use theExpand function provided by the same KDF to create an AEAD key,key, of lengthNk -- the length of the keys used by the AEAD associatedwithcontext. Generatingaead_key uses a label of "key".¶
Use the sameExpand function to create a nonce,nonce, of lengthNn --the length of the nonce used by the AEAD. Generatingaead_nonce uses alabel of "nonce".¶
Encryptresponse, passing the AEAD function Seal the values ofaead_key,aead_nonce, an emptyaad, and apt input ofresponse. This yieldsct.¶
Concatenateresponse_nonce andct, yielding an Encapsulated Response,enc_response. Note thatresponse_nonce is of fixed length, so there is noambiguity in parsing eitherresponse_nonce orct.¶
In pseudocode, this procedure is as follows:¶
secret = context.Export("message/bhttp response", max(Nn, Nk))response_nonce = random(max(Nn, Nk))salt = concat(enc, response_nonce)prk = Extract(salt, secret)aead_key = Expand(prk, "key", Nk)aead_nonce = Expand(prk, "nonce", Nn)ct = Seal(aead_key, aead_nonce, "", response)enc_response = concat(response_nonce, ct)¶Clients decrypt an Encapsulated Response by reversing this process. That is,Clients first parseenc_response intoresponse_nonce andct. Then, theyfollow the same process to derive values foraead_key andaead_nonce, usingtheir sending HPKE context,sctxt, as the HPKE context,context.¶
The Client uses these values to decryptct using the AEAD functionOpen.Decrypting might produce an error, as follows:¶
response, error = Open(aead_key, aead_nonce, "", ct)¶
Media types are used to identify Encapsulated Requests and Responses; seeSections9.2 and9.3 for definitions of these media types.¶
Evolution of the format of Encapsulated Requests and Responses is supportedthrough the definition of new formats that are identified by new media types.New media types might be defined to use a similar encapsulation with a differentHTTP message format than in[BINARY]; seeSection 4.6 for guidance onreusing this encapsulation method. Alternatively, a new encapsulation methodmight be defined.¶
The encrypted payload of an Oblivious HTTP request and response is a binary HTTP message[BINARY]. TheClient andOblivious Gateway Resource agree on this encryptedpayload type by specifying the media type "message/bhttp" in the HPKE infostring and HPKE export context string for request and response encryption,respectively.¶
Future specifications may repurpose the encapsulation mechanism described inthis document. This requires that the specification define a new media type.The encapsulation process for that content type can follow the same process,using new constant strings for the HPKE info and exporter context inputs.¶
For example, a future specification might encapsulate DNS messages, which usethe "application/dns-message" media type[RFC8484]. In creating a new,encrypted media types, specifications might define the use of string"application/dns-message request" (plus a zero byte and the header for the fullvalue) for request encryption and the string "application/dns-message response"for response encryption.¶
AClient interacts with theOblivious Relay Resource by constructing anEncapsulated Request. This Encapsulated Request is included as the content of aPOST request to the Oblivious Relay Resource. This request only needs thosefields necessary to carry the Encapsulated Request: a method of POST, a targetURI of the Oblivious Relay Resource, a header field containing the content type(seeSection 9.2), and the Encapsulated Request as the request content. In therequest to the Oblivious Relay Resource, ClientsMAY include additionalfields. However, additional fieldsMUST be independent of the EncapsulatedRequest andMUST be fields that the Oblivious Relay Resource will remove beforeforwarding the Encapsulated Request towards the target, such as theConnectionorProxy-Authorization header fields[HTTP].¶
The Client role in this protocol acts as an HTTP client both with respect to theOblivious Relay Resource and theTarget Resource. The request, which the Clientmakes to the Target Resource, diverges from typical HTTP assumptions aboutthe use of a connection (seeSection 3.3 of [HTTP]) in that the request andresponse are encrypted rather than sent over a connection. The Oblivious RelayResource and theOblivious Gateway Resource also act as HTTP clients toward theOblivious Gateway Resource and Target Resource, respectively.¶
In order to achieve the privacy and security goals of the protocol, a Clientalso needs to observe the guidance inSection 6.1.¶
The Oblivious Relay Resource interacts with the Oblivious Gateway Resource as anHTTP client by constructing a request using the same restrictions as the Clientrequest, except that the target URI is the Oblivious Gateway Resource. Thecontent of this request is copied from the Client. An Oblivious Relay ResourceMAY rejectrequests that are obviously invalid, such as a request with no content. The Oblivious RelayResourceMUST NOT add information to the request without the Client being aware ofthe type of information that might be added; seeSection 6.2 formore information on relay responsibilities.¶
When a response is received from the Oblivious Gateway Resource, the ObliviousRelay Resource forwards the response according to the rules of an HTTP proxy;seeSection 7.6 of [HTTP]. In case of timeout or error, the Oblivious RelayResource can generate a response with an appropriate status code.¶
In order to achieve the privacy and security goals of the protocol, an ObliviousRelay Resource also needs to observe the guidance inSection 6.2.¶
An Oblivious Gateway Resource acts as a gateway for requests to the TargetResource (seeSection 7.6 of [HTTP]). The one exception is that anyinformation it might forward in a responseMUST be encapsulated, unless it isresponding to errors that do not relate to processing the contents of theEncapsulated Request; seeSection 5.2.¶
An Oblivious Gateway Resource, if it receives any response from the TargetResource, sends a single 200 response containing theEncapsulated Response.Like the request from the Client, this responseMUST only contain those fieldsnecessary to carry the Encapsulated Response: a 200 status code, a header fieldindicating the content type, and the Encapsulated Response as the responsecontent. As with requests, additional fieldsMAY be used to convey informationthat does not reveal information about the Encapsulated Response.¶
An Oblivious Gateway Resource that does not receive a response can itselfgenerate a response with an appropriate error status code (such as 504 (GatewayTimeout); seeSection 15.6.5 of [HTTP]), which is then encapsulated in thesame way as a successful response.¶
In order to achieve the privacy and security goals of the protocol, an ObliviousGateway Resource also needs to observe the guidance inSection 6.3.¶
This encapsulation does not permit progressive processing of responses.Though the binary HTTP response format does support the inclusion ofinformational (1xx) status codes, the AEAD encapsulation cannot be removed untilthe entire message is received.¶
In particular, theExpect header field with 100-continue (seeSection 10.1.1 of [HTTP]) cannot be used.ClientsMUST NOT construct a request that includes a100-continue expectation; theOblivious Gateway ResourceMUST generate an errorif a 100-continue expectation is received.¶
A server that receives an invalid message for any reasonMUST generate an HTTPresponse with a 4xx status code.¶
Errors detected by theOblivious Relay Resource and errors detected by theOblivious Gateway Resource before removing protection (including being unable toremove encapsulation for any reason) result in the status code being sentwithout protection in response to the POST request made to that resource.¶
Errors detected by the Oblivious Gateway Resource after successfully removingencapsulation and errors detected by theTarget ResourceMUST be sent in anEncapsulated Response. This might be because theEncapsulated Request ismalformed or the Target Resource does not produce a response. In either case,the Oblivious Gateway Resource can generate a response with an appropriate errorstatus code (such as 400 (Bad Request) or 504 (Gateway Timeout); see Sections15.5.1 and15.6.5 of[HTTP], respectively). This response is encapsulated inthe same way as a successful response.¶
Errors in the encapsulation of requests mean that responses cannot beencapsulated. This includes cases where thekey configuration is incorrect oroutdated. The Oblivious Gateway Resource can generate and send a response witha 4xx status code to the Oblivious Relay Resource. This responseMAY beforwarded to theClient or treated by the Oblivious Relay Resource as a failure.If a Client receives a response that is not an Encapsulated Response, this couldindicate that the Client configuration used to construct the request isincorrect or out of date.¶
The problem type[PROBLEM] of"https://iana.org/assignments/http-problem-types#ohttp-key" is defined in thissection. AnOblivious Gateway ResourceMAY use this problem type in a responseto indicate that anEncapsulated Request used an outdated or incorrectkeyconfiguration.¶
Figure 7 shows an example response in HTTP/1.1 format.¶
HTTP/1.1 400 Bad RequestDate: Mon, 07 Feb 2022 00:28:05 GMTContent-Type: application/problem+jsonContent-Length: 106{"type":"https://iana.org/assignments/http-problem-types#ohttp-key","title": "key identifier unknown"}As this response cannot be encrypted, it might not reach theClient. A Clientcannot rely on theOblivious Gateway Resource using this problem type. A Clientmight also be configured to disregard responses that are not encapsulated on thebasis that they might be subject to observation or modification by an ObliviousRelay Resource. A Client might manage the risk of an outdated key configurationusing a heuristic approach whereby it periodically refreshes its keyconfiguration if it receives a response with an error status code that has notbeen encapsulated.¶
In this design, aClient wishes to make a request to anOblivious GatewayResource that is forwarded to aTarget Resource. The Client wishes to make thisrequest without linking that request with either of the following:¶
The identity at the network and transport layer of the Client (that is, theClient IP address and TCP or UDP port number the Client uses to create aconnection).¶
Any other request the Client might have made in the past or might make in thefuture.¶
In order to ensure this, the Client selects a relay (that serves theOblivious Relay Resource) that it trusts will protect this informationby forwarding the Encapsulated Request and Response without passing itto the server (that serves the Oblivious Gateway Resource).¶
In this section, a deployment where there are three entities is considered:¶
A Client makes requests and receives responses.¶
A relay operates the Oblivious Relay Resource.¶
A server operates both the Oblivious Gateway Resource and the Target Resource.¶
Section 6.10 discusses the security implications for a case wheredifferent servers operate the Oblivious Gateway Resource and Target Resource.¶
Requests from the Client to Oblivious Relay Resource and from Oblivious RelayResource to Oblivious Gateway ResourceMUST use HTTPS in order to provideunlinkability in the presence of a network observer.¶
To achieve the stated privacy goals, the Oblivious Relay Resource cannot beoperated by the same entity as the Oblivious Gateway Resource. However,colocation of the Oblivious Gateway Resource and Target Resource simplifies theinteractions between those resources without affecting Client privacy.¶
As a consequence of this configuration, Oblivious HTTP prevents linkabilitydescribed above. Informally, this means:¶
Requests and responses are known only to Clients and Oblivious GatewayResources. In particular, the Oblivious Relay Resource knows the origin anddestination of an Encapsulated Request and Response, yet it does not know thedecrypted contents. Likewise, Oblivious Gateway Resources learn only theOblivious Relay Resource and the decrypted request. No entity other than theClient can see the plaintext request and response and can attribute them tothe Client.¶
Oblivious Gateway Resources, and therefore Target Resources, cannot linkrequests from the same Client in the absence of unique per-Client keys.¶
Traffic analysis that might affect these properties is outside the scope of thisdocument; seeSection 6.2.3.¶
A formal analysis of Oblivious HTTP is in[OHTTP-ANALYSIS].¶
BecauseClients do not authenticate theTarget Resource when using ObliviousHTTP, ClientsMUST have some mechanism to authorize anOblivious GatewayResource for use with a Target Resource. One possible means of authorization isan allowlist. This ensures that Oblivious Gateway Resources are not misused toforward traffic to arbitrary Target Resources.Section 6.3describes similar responsibilities that apply to Oblivious Gateway Resources.¶
ClientsMUST ensure that thekey configuration they select for generatingEncapsulated Requests is integrity protected and authenticated so that it canbe attributed to the Oblivious Gateway Resource; seeSection 3.¶
Since Clients connect directly to theOblivious Relay Resource instead of theTarget Resource, application configurations wherein Clients make policydecisions about target connections, e.g., to apply certificate pinning, areincompatible with Oblivious HTTP. In such cases, alternative technologies suchas HTTP CONNECT (Section 9.3.6 of [HTTP]) can be used. Applications couldimplement related policies on key configurations and relay connections, thoughthese might not provide the same properties as policies enforced directly ontarget connections. Instead, when this difference is relevant, applications canconnect directly to the target at the cost of either privacy or performance.¶
Clients cannot carry connection-level state between requests as they onlyestablish direct connections to the relay responsible for the Oblivious RelayResource. However, the content of requests might be used by a server tocorrelate requests. Cookies[COOKIES] are the most obvious feature that mightbe used to correlate requests, but any identity information and authenticationcredentials might have the same effect. Clients also need to treat informationlearned from responses with similar care when constructing subsequent requests,which includes the identity of resources.¶
ClientsMUST generate a new HPKE context for every request, using a good sourceof entropy[RANDOM] for generating keys. Key reuse not only risksrequests being linked but also could expose request and response contents to therelay.¶
The request the Client sends to the Oblivious Relay Resource only requiresminimal information; seeSection 5. The request that carries theEncapsulated Request and that is sent to the Oblivious Relay ResourceMUST NOTinclude identifying information unless the Client can trust that thisinformation is removed by the relay. A ClientMAY include information only forthe Oblivious Relay Resource in header fields identified by theConnectionheader field if it trusts the relay to remove these, as required bySection 7.6.1 of [HTTP]. The Client needs to trust that the relay does not replicate thesource addressing information in the request it forwards.¶
Clients rely on the Oblivious Relay Resource to forward Encapsulated Requestsand Responses. However, the relay can only refuse to forward messages; itcannot inspect or modify the contents of Encapsulated Requests or Responses.¶
The relay that serves theOblivious Relay Resource has a very simple functionto perform. For each request it receives, it makes a request of theObliviousGateway Resource that includes the same content. When it receives a response,it sends a response to theClient that includes the content of the responsefrom the Oblivious Gateway Resource.¶
When forwarding a request, the relayMUST follow the forwarding rules inSection 7.6 of [HTTP]. A generic HTTP intermediary implementation is suitablefor the purposes of serving an Oblivious Relay Resource, but additional care isneeded to ensure that Client privacy is maintained.¶
Firstly, a generic implementation will forward unknown fields. For ObliviousHTTP, an Oblivious Relay ResourceSHOULD NOT forward unknown fields. ThoughClients are not expected to include fields that might contain identifyinginformation, removing unknown fields removes this privacy risk.¶
Secondly, generic implementations are often configured to augment requests withinformation about the Client, such as the Via field or the Forwarded field[FORWARDED]. A relayMUST NOT add information when forwardingrequests that might be used to identify Clients, except for information thata Client is aware of; seeSection 6.2.1.¶
Finally, a relay can also generate responses, though it is assumed to not beable to examine the content of a request (other than to observe the choice ofkey identifier, KDF, and AEAD); therefore, it is also assumed that it cannotgenerate anEncapsulated Response.¶
A relayMAY add information to requests if theClient is aware of the nature ofthe information that could be added. Any additionMUST NOT include informationthat uniquely and permanently identifies the Client, including any pseudonymous identifier.Information added by the relay -- beyond what is already revealed throughEncapsulated Requests from Clients -- can reduce the size of the anonymity set ofClients at a gateway.¶
A Client does not need to be aware of the exact value added for each requestbut needs to know the range of possible values the relay might use. Howa Client might learn about added information is not defined in this document.¶
Moreover, relaysMAY apply differential treatment to Clients that engage inabusive behavior, e.g., by sending too many requests in comparison to otherClients, or as a response to rate limits signaled from the gateway. Any suchdifferential treatment can reveal information to the gateway that would not berevealed otherwise and therefore reduce the size of the anonymity set of Clientsusing a gateway. For example, if a relay chooses to rate limit or block anabusive Client, this means that any Client requests that are not treated thisway are known to be non-abusive by the gateway. Clients need to consider thelikelihood of such differential treatment and the privacy risks when using arelay.¶
Some patterns of abuse cannot be detected without access to the request that ismade to the target. This means that only the gateway or the target is in aposition to identify abuse. A gatewayMAY send signals toward the relay toprovide feedback about specific requests. For example, a gateway could responddifferently to requests it cannot decapsulate, as mentioned inSection 5.2. Arelay that acts on this feedback could -- either inadvertently or by design --lead to Client deanonymization.¶
As there are privacy benefits from having a large rate of requests forwarded bythe same relay (seeSection 6.2.3), servers that operate theOblivious Gateway Resourcemight need an arrangement withOblivious Relay Resources. This arrangement mightbe necessary to prevent having the large volume of requests being classified asan attack by the server.¶
If a server accepts a larger volume of requests from a relay, it needs to trustthat the relay does not allow abusive levels of request volumes fromClients. That is, if a server allows requests from the relay to be exempt fromrate limits, the server might want to ensure that the relay applies arate-limiting policy that is acceptable to the server.¶
Servers that enter into an agreement with a relay that enables a higher requestrate might choose to authenticate the relay to enable the higher rate.¶
Using HTTPS protects information about which resources are the subject ofrequest and prevents a network observer from being able to trivially correlatemessages on either side of a relay. However, using HTTPS does not preventtraffic analysis by such network observers.¶
The time at which Encapsulated Request or Response messages are sent canreveal information to a network observer. Though messages exchanged between theOblivious Relay Resource and theOblivious Gateway Resource might be sent in asingle connection, traffic analysis could be used to match messages that areforwarded by the relay.¶
A relay could, as part of its function, delay requests before forwarding them.Delays might increase the anonymity set into which each request isattributed. Any delay also increases the time that aClient waits for aresponse, so delaysSHOULD only be added with the consent -- or at leastawareness -- of Clients.¶
A relay that forwards large volumes of exchanges can provide better privacy byproviding larger sets of messages that need to be matched.¶
Traffic analysis is not restricted to network observers. A malicious Oblivious Relay Resource coulduse traffic analysis to learn information about otherwise encrypted requestsand responses relayed between Clients and gateways. An Oblivious Relay Resource terminatesTLS connections from Clients, so they see message boundaries. This privilegedposition allows for richer feature extraction from encrypted data, which mightimprove traffic analysis.¶
Clients and Oblivious Gateway Resources can use padding to reduce theeffectiveness of traffic analysis. Padding is a capability provided by binaryHTTP messages; seeSection 3.8 of [BINARY]. If the encapsulation methoddescribed in this document is used to protect a different message type (seeSection 4.6), that message format might need to include padding support.Oblivious Relay Resources can also use padding for the same reason but need tooperate at the HTTP layer since they cannot manipulate binary HTTP messages; forexample, seeSection 10.7 of [HTTP/2] orSection 10.7 of [HTTP/3]).¶
TheOblivious Gateway Resource can be operated by a different entity than theTarget Resource. However, this means that theClient needs to trust theOblivious Gateway Resource not to modify requests or responses. This analysisconcerns itself with a deployment scenario where a single server provides boththe Oblivious Gateway Resource and Target Resource.¶
A server that operates both Oblivious Gateway and Target Resources isresponsible for removing request encryption, generating a response to theEncapsulated Request, and encrypting the response.¶
Servers should account for traffic analysis based on response size or generationtime. Techniques such as padding or timing delays can help protect against suchattacks; seeSection 6.2.3.¶
If separate entities provide the Oblivious Gateway Resource and Target Resource,these entities might need an arrangement similar to that between server andrelay for managing denial of service; seeSection 6.2.2. Moreover, the ObliviousGateway ResourceSHOULD have some mechanism to ensure that the Oblivious GatewayResource is not misused as a relay for HTTP messages to an arbitrary TargetResource, such as an allowlist.¶
Non-secure requests -- such as those with the "http" scheme as opposed to the"https" scheme --SHOULD NOT be used if the Oblivious Gateway and TargetResources are not on the same origin. If messages are forwarded between theseresources without the protections afforded by HTTPS, they could be inspected ormodified by a network attacker. Note that a request could be forwarded withoutprotection if the two resources share an origin.¶
AnOblivious Gateway Resource needs to have a plan for replacing keys. Thismight include regular replacement of keys, which can be assigned new keyidentifiers. If an Oblivious Gateway Resource receives a request that contains akey identifier that it does not understand or that corresponds to a key that hasbeen replaced, the server can respond with an HTTP 422 (Unprocessable Content)status code.¶
A server can also use a 422 status code if the server has a key that correspondsto the key identifier, but theEncapsulated Request cannot be successfullydecrypted using the key.¶
A serverMUST ensure that the HPKE keys it uses are not valid for any otherprotocol that uses HPKE with the "message/bhttp request" label. Designers ofprotocols that reuse this encryption format, especially new versions of thisprotocol, can ensure key diversity by choosing a different label in their use ofHPKE. The "message/bhttp response" label was chosen for symmetry only as itprovides key diversity only within the HPKE context created using the"message/bhttp request" label; seeSection 4.6.¶
A server is responsible for either rejecting replayed requests or ensuring thatthe effect of replays does not adversely affectClients or resources.¶
Encapsulated Requests can be copied and replayed by theOblivious RelayResource. The threat model for Oblivious HTTP allows the possibility that anOblivious Relay Resource might replay requests. Furthermore, if a Client sendsan Encapsulated Request in TLS early data (seeSection 8 of [TLS] and[RFC8470]), a network-based adversary might be able to cause the request tobe replayed. In both cases, the effect of a replay attack and the mitigationsthat might be employed are similar to TLS early data.¶
It is the responsibility of the application that uses Oblivious HTTP to eitherreject replayed requests or ensure that replayed requests have no adverseeffect on their operation. This section describes some approaches that areuniversally applicable and suggestions for more targeted techniques.¶
A Client or Oblivious Relay ResourceMUST NOT automatically attempt to retry afailed request unless it receives a positive signal indicating that the requestwas not processed or forwarded. The HTTP/2 REFUSED_STREAM error code (Section 8.1.4 of [HTTP/2]), the HTTP/3 H3_REQUEST_REJECTED error code (Section 8.1 of [HTTP/3]), or a GOAWAY frame with a low enough identifier (in either protocolversion) are all sufficient signals that no processing occurred. HTTP/1.1[HTTP/1.1] provides no equivalent signal. Connection failures or interruptionsare not sufficient signals that no processing occurred.¶
The anti-replay mechanisms described inSection 8 of [TLS] are generallyapplicable to Oblivious HTTP requests. The encapsulated keying material (orenc) can be used in place of a nonce to uniquely identify a request. Thisvalue is a high-entropy value that is freshly generated for every request, sotwo valid requests will have different values with overwhelming probability.¶
The mechanism used in TLS for managing differences in Client and server clockscannot be used as it depends on being able to observe previous interactions.Oblivious HTTP explicitly prevents such linkability.¶
The considerations in[RFC8470] as they relate to managing the risk ofreplay also apply, though there is no option to delay the processing of arequest.¶
Limiting requests to those with safe methods might not be satisfactory for someapplications, particularly those that involve the submission of data to aserver. The use of idempotent methods might be of some use in managing replayrisk, though it is important to recognize that different idempotent requestscan be combined to be not idempotent.¶
Even without replay prevention, the server-chosenresponse_nonce fieldensures that responses have unique AEAD keys and nonces even when requests arereplayed.¶
ClientsSHOULD include aDate header field inEncapsulated Requests, unlessthe Client has prior knowledge that indicates that theOblivious GatewayResource does not useDate for anti-replay purposes.¶
Though HTTP requests often do not include aDate header field, the value ofthis field might be used by a server to limit the amount of requests it needs totrack if it needs to prevent replay attacks.¶
An Oblivious Gateway Resource can maintain state for requests for a small windowof time over which it wishes to accept requests. The Oblivious Gateway Resourcecan store all requests it processes within this window. Storing just theencfield of a request, which should be unique to each request, is sufficient. TheOblivious Gateway Resource can reject any request that is the same as one thatwas previously answered within that time window or if theDate header fieldfrom the decrypted request is outside of the current time window.¶
Oblivious Gateway Resources might need to allow for the time it takes requeststo arrive from the Client, with a time window that is large enough to allow fordifferences in clocks. Insufficient tolerance of time differences could resultin valid requests being unnecessarily rejected. Beyond allowing for multipleround-trip times -- to account for retransmission -- network delays are unlikelyto be significant in determining the size of the window, unless all potentialClients are known to have excellent timekeeping. A specific window size mightneed to be determined experimentally.¶
Oblivious Gateway ResourcesMUST NOT treat the time window as secretinformation. An attacker can actively probe with different values for theDatefield to determine the time window over which the server will accept responses.¶
AnOblivious Gateway Resource can reject requests that contain aDate valuethat is outside of its active window with a 400 series status code. The problemtype[PROBLEM] of"https://iana.org/assignments/http-problem-types#date" is defined to allow theserver to signal that theDate value in the request was unacceptable.¶
Figure 8 shows an example response in HTTP/1.1 format.¶
HTTP/1.1 400 Bad RequestDate: Mon, 07 Feb 2022 00:28:05 GMTContent-Type: application/problem+jsonContent-Length: 128{"type":"https://iana.org/assignments/http-problem-types#date","title": "date field in request outside of acceptable range"}Disagreements about time are unlikely if bothClient and Oblivious GatewayResource have a good source of time; see[NTP]. However, clockdifferences are known to be commonplace; see Section 7.1 of[CLOCKSKEW].¶
Including aDate header field in the response allows the Client to correctclock errors by retrying the same request using the value of theDate fieldprovided by the Oblivious Gateway Resource. The value of theDate field canbe copied if the response is fresh, with an adjustment based on theAge fieldotherwise; seeSection 4.2 of [HTTP-CACHING]. When retrying a request, theClientMUST create a fresh encryption of the modified request, using a new HPKEcontext.¶
Retrying immediately allows theOblivious Gateway Resource to measure theround-trip time to theClient. The observed delay might reveal something aboutthe location of the Client. Clients could delay retries to add some uncertaintyto any observed delay.¶
Intermediaries can sometimes rewrite theDate field when forwarding responses.This might cause problems if the Oblivious Gateway Resource and intermediaryclocks differ by enough to cause the retry to be rejected. Therefore, ClientsMUST NOT retry a request with an adjusted date more than once.¶
Oblivious Gateway Resources that condition their responses on theDate headerfieldSHOULD either ensure that intermediaries do not cache responses (byincluding aCache-Control directive ofno-store) or designate the responseas conditional on the value of theDate request header field (by including thetoken "date" in aVary header field).¶
ClientsMUST NOT use the date provided by the Oblivious Gateway Resource for anyother purpose, including future requests to any resource. Any request that usesinformation provided by the Oblivious Gateway Resource might be correlated usingthat information.¶
This document does not provide forward secrecy for either requests orresponses during the lifetime of thekey configuration. A measure offorward secrecy can be provided by generating a new key configurationthen deleting the old keys after a suitable period.¶
This design does not provide post-compromise security for responses.¶
AClient only needs to retain keying material that might be used to compromisethe confidentiality and integrity of a response until that response is consumed,so there is negligible risk associated with a Client compromise.¶
A server retains a secret key that might be used to remove protection frommessages over much longer periods. A server compromise that provided access totheOblivious Gateway Resource secret key could allow an attacker to recover theplaintext of all requests sent toward affected keys and all of the responsesthat were generated.¶
Even if server keys are compromised, an adversary cannot access messagesexchanged by the Client with theOblivious Relay Resource as messages areprotected by TLS. Use of a compromised key also requires that the ObliviousRelay Resource cooperate with the attacker or that the attacker is able tocompromise these TLS connections.¶
The total number of messages affected by server key compromise can be limited byregular rotation of server keys.¶
Including aDate field in requests reveals some information about theClientclock. This might be used to fingerprint Clients[UWT] or to identify Clientsthat are vulnerable to attacks that depend on incorrect clocks.¶
Clients can randomize the value that they provide forDate to obscure the truevalue of their clock and reduce the chance of linking requests over time.However, this increases the risk that their request is rejected as outside theacceptable window.¶
Thekey configuration media type defined inSection 3.2 represents keyingmaterial. The content of this media type is not active (seeSection 4.6 of [RFC6838]), but it governs how aClient might interact with anOblivious GatewayResource. The security implications of processing it are described inSection 6.1; privacy implications are described inSection 7.¶
The security implications of handling the message media types defined inSection 4.5 is covered in other parts of this section in more detail.However, these message media types are also encrypted encapsulations of HTTPrequests and responses.¶
HTTP messages contain content, which can use any media type. In particular,requests are processed by an ObliviousTarget Resource, which -- as an HTTPresource -- defines how content is processed; seeSection 3.1 of [HTTP]. HTTPclients can also use resource identity and response content to determine howcontent is processed. Consequently, the security considerations ofSection 17 of [HTTP] also apply to the handling of the content of these media types.¶
This document generally assumes that the same entity operates theObliviousGateway Resource and theTarget Resource. However, as the Oblivious GatewayResource performs generic HTTP processing, the use of forwarding cannot becompletely precluded.¶
The scheme specified in theEncapsulated Request determines the securityrequirements for any protocol that is used between the Oblivious Gateway andTarget Resources. Using HTTPS isRECOMMENDED; seeSection 6.3.¶
A Target Resource that is operated on a different server from the ObliviousGateway Resource is an ordinary HTTP resource. A Target Resource can privilegerequests that are forwarded by a given Oblivious Gateway Resource if it truststhe operator of the Oblivious Gateway Resource to only forward requests thatmeet the expectations of the Target Resource. Otherwise, the Target Resourcetreats requests from an Oblivious Gateway Resource no differently than anyother HTTP client.¶
For instance, an Oblivious Gateway Resource might -- possibly with the help ofOblivious Relay Resources -- be trusted not to forward an excessive volume ofrequests. This might allow the Target Resource to accept a greater volume ofrequests from that Oblivious Gateway Resource relative to other HTTP clients.¶
An Oblivious Gateway Resource could implement policies that improve the abilityof the Target Resource to implement policy exemptions, such as only forwardingrequests toward specific Target Resources according to an allowlist; seeSection 6.3.¶
One goal of this design is that independentClient requests are only linkable bytheir content. However, the choice of Client configuration might be used tocorrelate requests. A Client configuration includes theOblivious RelayResource URI, the Oblivious Gatewaykey configuration, and theOblivious GatewayResource URI. A configuration is active if Clients can successfully use it forinteracting with a target.¶
Oblivious Relay and Gateway Resources can identify when requests use the sameconfiguration by matching the key identifier from the key configuration or theOblivious Gateway Resource URI. The Oblivious Gateway Resource might use thesource address of requests to correlate requests that use an Oblivious RelayResource run by the same operator. If the Oblivious Gateway Resource is willingto use trial decryption, requests can be further separated into smallergroupings based on active configurations that clients use.¶
Each active Client configuration partitions the Client anonymity set. Inpractice, it is infeasible to reduce the number of active configurations toone. Enabling diversity in choice of Oblivious Relay Resource naturallyincreases the number of active configurations. More than one configurationmight need to be active to allow for key rotation and server maintenance.¶
Client privacy depends on having each configuration used by many other Clients.It is critical to prevent the use of unique Client configurations, which mightbe used to track individual Clients, but it is also important to avoidcreating small groupings of Clients that might weaken privacy protections.¶
A specific method for a Client to acquire configurations is not included in thisspecification. Applications using this designMUST provide accommodations tomitigate tracking using Client configurations.[CONSISTENCY] provides optionsfor ensuring that Client configurations are consistent between Clients.¶
The content of requests or responses, if used in forming new requests, can beused to correlate requests. This includes obvious methods of linking requests,like cookies[COOKIES], but it also includes any information in eithermessage that might affect how subsequent requests are formulated. For example,[FIELDING] describes how interactions that are individually stateless can beused to build a stateful system when a Client acts on the content of a response.¶
This section discusses various operational and deployment considerations.¶
Using Oblivious HTTP adds both cryptographic overhead and latency to requestsrelative to a simple HTTP request-response exchange. Deploying relay servicesthat are on path betweenClients and servers avoids adding significantadditional delay due to network topology. A study of a similar system[ODOH-PETS] found that deploying proxies close to servers was most effectivein minimizing additional latency.¶
This protocol assumes a fixed, one-to-one mapping between theOblivious RelayResource and theOblivious Gateway Resource. This means that anyEncapsulatedRequest sent to the Oblivious Relay Resource will always be forwarded to theOblivious Gateway Resource. This constraint was imposed to simplify relayconfiguration and mitigate against the Oblivious Relay Resource being used asa generic relay for unknown Oblivious Gateway Resources. The relay will onlyforward for Oblivious Gateway Resources that it has explicitly configured andallowed.¶
It is possible for a server to be configured with multiple Oblivious RelayResources, each for a different Oblivious Gateway Resource as needed. If thegoal is to support a large number of Oblivious Gateway Resources,Clients mightbe provided with a URI template[TEMPLATE], from which multipleOblivious Relay Resources could be constructed.¶
Oblivious HTTP might be incompatible with network interception regimes, such asthose that rely on configuringClients with trust anchors and intercepting TLSconnections. While TLS might be intercepted successfully, interceptionmiddlebox devices might not receive updates that would allow Oblivious HTTP tobe correctly identified using the media types defined in Sections9.2and9.3.¶
Oblivious HTTP has a simple key management design that is not trivially alteredto enable interception by intermediaries. Clients that are configured to enableinterception might choose to disable Oblivious HTTP in order to ensure thatcontent is accessible to middleboxes.¶
IANA has registered the following media types in the "Media Types" registry at<https://iana.org/assignments/media-types>, following the procedures of[RFC6838]: "application/ohttp-keys" (Section 9.1), "message/ohttp-req"(Section 9.2), and "message/ohttp-res" (Section 9.3).¶
IANA has added the following types to the "HTTP Problem Types" registry at<https://iana.org/assignments/http-problem-types>: "date"(Section 9.4) and "ohttp-key" (Section 9.5).¶
The "application/ohttp-keys" media type identifies akey configuration used byOblivious HTTP.¶
application¶
ohttp-keys¶
N/A¶
N/A¶
"binary"¶
SeeSection 6.9¶
N/A¶
RFC 9458¶
This type identifies a key configuration as used by Oblivious HTTP andapplications that use Oblivious HTTP.¶
N/A¶
See Authors' Addresses section¶
COMMON¶
N/A¶
See Authors' Addresses section¶
IETF¶
The "message/ohttp-req" identifies an encrypted binary HTTP request. Thisis a binary format that is defined inSection 4.3.¶
message¶
ohttp-req¶
N/A¶
N/A¶
"binary"¶
SeeSection 6.9¶
N/A¶
RFC 9458¶
Oblivious HTTP and applications that use Oblivious HTTP use this media type toidentify encapsulated binary HTTP requests.¶
N/A¶
See Authors' Addresses section¶
COMMON¶
N/A¶
See Authors' Addresses section¶
IETF¶
The "message/ohttp-res" identifies an encrypted binary HTTP response. Thisis a binary format that is defined inSection 4.4.¶
message¶
ohttp-res¶
N/A¶
N/A¶
"binary"¶
SeeSection 6.9¶
N/A¶
RFC 9458¶
Oblivious HTTP and applications that use Oblivious HTTP use this media type toidentify encapsulated binary HTTP responses.¶
N/A¶
See Authors' Addresses section¶
COMMON¶
N/A¶
See Authors' Addresses section¶
IETF¶
IANA has added a new entry in the "HTTP Problem Types" registry established by[PROBLEM].¶
https://iana.org/assignments/http-problem-types#date¶
Date Not Acceptable¶
400¶
Section 6.5.2 of RFC 9458¶
IANA has added a new entry in the "HTTP Problem Types" registry established by[PROBLEM].¶
https://iana.org/assignments/http-problem-types#ohttp-key¶
Oblivious HTTP key configuration not acceptable¶
400¶
Section 5.3 of RFC 9458¶
A single request and response exchange is shown here. Binary values (keyconfiguration, secret keys, the content of messages, and intermediate values)are shown in hexadecimal. The request and response here are minimal; the purposeof this example is to show the cryptographic operations. In this example, theClient is configured with theOblivious Relay Resource URI ofhttps://proxy.example.org/request.example.net/proxy, and the proxy isconfigured to map requests to this URI to theOblivious Gateway Resource URIhttps://example.com/oblivious/request. TheTarget Resource URI, i.e., theresource the Client ultimately wishes to query, ishttps://example.com.¶
To begin the process, the Oblivious Gateway Resource generates a key pair.In this example, the server chooses DHKEM(X25519, HKDF-SHA256) and generatesan X25519 key pair[X25519]. The X25519 secret key is:¶
3c168975674b2fa8e465970b79c8dcf09f1c741626480bd4c6162fc5b6a98e1a¶
The Oblivious Gateway Resource constructs a key configuration that includes thecorresponding public key as follows:¶
01002031e1f05a740102115220e9af918f738674aec95f54db6e04eb705aae8e79815500080001000100010003¶
This key configuration is somehow obtained by the Client. Then, when a Clientwishes to send an HTTP GET request to the targethttps://example.com, itconstructs the following binary HTTP message:¶
00034745540568747470730b6578616d706c652e636f6d012f¶
The Client then reads the Oblivious Gateway Resource key configuration andselects a mutually supported KDF and AEAD. In this example, the Client selectsHKDF-SHA256 and AES-128-GCM. The Client then generates an HPKE sending contextthat uses the server public key. This context is constructed from the followingephemeral secret key:¶
bc51d5e930bda26589890ac7032f70ad12e4ecb37abb1b65b1256c9c48999c73¶
The corresponding public key is:¶
4b28f881333e7c164ffc499ad9796f877f4e1051ee6d31bad19dec96c208b472¶
The context is created with aninfo parameter of:¶
6d6573736167652f626874747020726571756573740001002000010001¶
Applying the Seal operation from the HPKE context produces an encryptedmessage, allowing the Client to construct the followingEncapsulated Request:¶
010020000100014b28f881333e7c164ffc499ad9796f877f4e1051ee6d31bad19dec96c208b4726374e469135906992e1268c594d2a10c695d858c40a026e7965e7d86b83dd440b2c0185204b4d63525¶
The Client then sends this to the Oblivious Relay Resource in a POST request,which might look like the following HTTP/1.1 request:¶
POST /request.example.net/proxy HTTP/1.1Host: proxy.example.orgContent-Type: message/ohttp-reqContent-Length: 78<content is the Encapsulated Request above>¶
The Oblivious Relay Resource receives this request and forwards it to theOblivious Gateway Resource, which might look like:¶
POST /oblivious/request HTTP/1.1Host: example.comContent-Type: message/ohttp-reqContent-Length: 78<content is the Encapsulated Request above>¶
TheOblivious Gateway Resource receives this request, selects the key itgenerated previously using the key identifier from the message, and decrypts themessage. As this request is directed to the same server, the Oblivious GatewayResource does not need to initiate an HTTP request to theTarget Resource. Therequest can be served directly by the Target Resource, which generates a minimalresponse (consisting of just a 200 status code) as follows:¶
0140c8¶
The response is constructed by exporting a secret from the HPKE context:¶
62d87a6ba569ee81014c2641f52bea36¶
The key derivation for theEncapsulated Response uses both the encapsulated KEMkey from the request and a randomly selected nonce. This produces a salt of:¶
4b28f881333e7c164ffc499ad9796f877f4e1051ee6d31bad19dec96c208b472c789e7151fcba46158ca84b04464910d¶
The salt and secret are both passed to theExtract function of the selected KDF(HKDF-SHA256) to produce a pseudorandom key of:¶
979aaeae066cf211ab407b31ae49767f344e1501e475c84e8aff547cc5a683db¶
The pseudorandom key is used with theExpand function of the KDF and an infofield of "key" to produce a 16-byte key for the selected AEAD (AES-128-GCM):¶
5d0172a080e428b16d298c4ea0db620d¶
With the same KDF and pseudorandom key, an info field of "nonce" is used togenerate a 12-byte nonce:¶
f6bf1aeb88d6df87007fa263¶
The AEADSeal() function is then used to encrypt the response, which is addedto the randomized nonce value to produce the Encapsulated Response:¶
c789e7151fcba46158ca84b04464910d86f9013e404feea014e7be4a441f234f857fbd¶
TheOblivious Gateway Resource constructs a response with the same content:¶
HTTP/1.1 200 OKDate: Wed, 27 Jan 2021 04:45:07 GMTCache-Control: private, no-storeContent-Type: message/ohttp-resContent-Length: 38<content is the Encapsulated Response>¶
The same response might then be generated by theOblivious Relay Resource, whichmight change as little as theDate header. TheClient is then able to use theHPKE context it created and the nonce from the Encapsulated Response toconstruct the AEAD key and nonce and decrypt the response.¶
This design is based on a design for Oblivious DNS (queries) over HTTPS (DoH),described in[ODOH].David Benjamin,Mark Nottingham, andEric Rescorla made technical contributions. The authors also thankRalph Giles,Lucas Pardue, andTommy Pauly for invaluableassistance.¶