Internet-Draft MoLE HTTP Transport June 2026
Meunier Expires 25 December 2026 [Page]
Workgroup:
Network Working Group
Internet-Draft:
draft-schlesinger-mole-http-transport-latest
Published:
Intended Status:
Informational
Expires:
Author:
T. Meunier
Cloudflare

MoLE HTTP Transport

Abstract

MoLE targets browser deployments, so Clients, Anchors, Moderators, and Sites need an HTTP transport for the protocol flows defined by the architecture.

This document defines HTTP authentication scheme for endorsement, credential issuance, and credential presentation. It also defines configuration material exposed by Anchors and Moderators.

About This Document

This note is to be removed before publishing as an RFC.

The latest revision of this draft can be found at https://moderation-of-unlinkable-endorsements.github.io/internet-drafts/draft-schlesinger-mole-http-transport.html. Status information for this document may be found at https://datatracker.ietf.org/doc/draft-schlesinger-mole-http-transport/.

Source for this draft and an issue tracker can be found at https://github.com/Moderation-of-unLinkable-Endorsements/internet-drafts.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 25 December 2026.

Table of Contents

1. Introduction

TODO

2. Terminology

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

3. Presentation Language

This document uses the TLS presentation language [TLS13] to describe the structure of protocol messages. In addition to the base syntax, it uses two additional features: the ability for fields to be optional and the ability for vectors to have variable-size length headers.

3.1. Optional Value

An optional value is encoded with a presence-signaling octet, followed by the value itself if present. When decoding, a presence octet with a value other than 0 or 1 MUST be rejected as malformed.

struct {
    uint8 present;
    select (present) {
        case 0: struct{};
        case 1: T value;
    };
} optional<T>;

3.2. Variable-Size Vector Length Headers

In the TLS presentation language, vectors are encoded as a sequence of encoded elements prefixed with a length. The length field has a fixed size set by specifying the minimum and maximum lengths of the encoded sequence of elements.

In this document, there are several vectors whose sizes vary over significant ranges. So instead of using a fixed-size length field, it uses a variable-size length using a variable-length integer encoding based on the one described in Section 16 of [QUIC]. They differ only in that the one here requires a minimum-size encoding. Instead of presenting min and max values, the vector description simply includes a V. For example:

struct {
    uint32 fixed<0..255>;
    opaque variable<V>;
} StructWithVectors;

4. HTTP Authentication Scheme

We describe the HTTP authentication method used by a Client that has an Endorsement from an Anchor and obtains a Credential from a Moderator.

The Mole authentication scheme follows the HTTP authentication framework defined in [HTTP]. The same scheme is used for three protocol exchanges: Client to Anchor endorsement, Client to Moderator credential issuance, and Client to Site credential presentation.

Client Site WWW-Authenticate: CredentialChallenge (Run issuance and presentation protocol) Authorization: token Mole-Issuance: CredentialRequest Mole-Issuance: CredentialResponse

Mole-Issuance is a placeholder header. We might want Mole-Presentation as well.

5. Configuration

TODO(thibault) 1. if protocol section goes into its own draft, this should follow 2. I suspect we'll use JSON here. If we use key material, I think re-using JWKS is important (even if there are feelings).

Anchors and Moderators publish configuration used by Clients and Sites before running the HTTP authentication flows. Configuration includes endpoint URLs, supported protocol types, public key material, and the Anchor set associated with each Moderator policy.

6. Error Handling

Sites can use MoLE as optional authentication. A 200 response MAY include a WWW-Authenticate: Mole challenge. This tells the Client that a later request can include a presentation, for example to get a higher limit or avoid other friction.

A 401 response with a WWW-Authenticate: Mole challenge means that the Site requires MoLE, or another acceptable authentication scheme, before serving the resource. A 403 response means that the Site understood the presented MoLE material but did not accept it under policy.

6.1. Endorsement

The criteria to provide an endorsement is left to the Anchor. This document only defines the HTTP carriage for the Endorsement protocol messages.

6.1.1. Anchor -> Client 

struct {
  uint16 endorsement_type;
  opaque anchor_context<V>;
} EndorsementChallenge;

  • challenge contains a base64url EndorsementChallenge value, encoded per [BASE64].

WWW-Authenticate: Mole challenge="<endorsement-challenge>", realm="anchor"

6.1.2. Client -> Anchor 

struct {
  uint16 endorsement_type;
  opaque request<V>;
} EndorsementRequest;

Authorization: Mole endorsement-request="<endorsement-request>"

6.1.3. Anchor -> Client 

struct {
  uint16 endorsement_type;
  opaque response<V>;
} EndorsementResponse;

Mole-Endorsement: response="<endorsement-response>"

6.2. Issuance

6.2.1. Moderator -> Client 

struct {
  uint16 endorsement_type; // We always want endorsement type to be present
  opaque challenge<V>;
} ModeratorChallenge;

  • challenge which contains a base64url ModeratorChallenge value, encoded per [BASE64]

The challenge field is interpreted by the selected endorsement type.

6.2.1.1. Example refinement

The following structure is an example refinement of ModeratorChallenge.

struct {
  opaque policy_context<V>; // Moderator-generated policy identifier
  opaque anchor_set<V>; // Endorsement-type-specific Anchor material
} MoleModeratorChallenge;

In MoleModeratorChallenge, anchor_set is opaque. Clients MUST NOT assume array semantics unless the endorsement type defines them.

WWW-Authenticate: Mole challenge="<moderator-challenge>", realm="moderator"

6.2.2. Client -> Moderator

MUST be prefixed by endorsement_type.

Authorization: Mole endorsement="..."

6.3. Presentation

6.3.1. Site -> Client - Challenge 

struct {
  uint16 credential_type; // We always want credential type to be present
  opaque challenge<V>;
} CredentialChallenge;

  • challenge which contains a base64url CredentialChallenge value, encoded per [BASE64]

The challenge field is interpreted by the selected credential type.

6.3.1.1. Example refinement

The following structures are example refinements of CredentialChallenge.

struct {
  opaque moderator_uri<1..2^16-1>; // URI of the moderator
  opaque presentation_context<V>;
} MoleCredentialChallenge;

struct {
  opaque policy_context<V>; // Moderator-generated policy identifier
  opaque site_context<V>; // Site-chosen binding value, analogous to redemption_context in RFC9577
} MolePresentationContext;

The moderator_uri field contains a URI (defined by [URI]).

In MolePresentationContext, policy_context is generated by the Moderator. It identifies the Moderator policy and accepted Anchor set used for this Site. Different sites MAY use different policy contexts while sharing the same Moderator. The value MUST be non-empty.

The site_context field is chosen by the Site. It binds the presentation to a request, session, or time window. A non-empty value affects credential caching and replay handling.

TODO(thibault): 1. decide exact construction rules for site_context. maybe it should include policy_context. These two are separate from now to showcase the site is likely to proxy content from the moderator.

WWW-Authenticate: Mole challenge="<credential-challenge>", realm="site"

6.3.2. Client -> Site - Presentation 

struct {
  uint16 credential_type; // We always want credential type to be present
  opaque presentation_and_update<V>;
} CredentialPresentation;

The presentation_and_update field is interpreted by the selected credential type.

6.3.2.1. Example refinement

The following structure is an example refinement of CredentialPresentation.

struct {
  opaque presentation_context<V>;
  opaque presentation_proof[Npp];
  opaque update_request[Nur];
} MolePresentationAndUpdate;

TODO(thibault): 1. decide exact construction rules for presentation_and_update.

Authorization: Mole presentation="<credential-presentation>"

For Credential types that require private verification, the Site MUST validate the presentation with the Moderator identified by moderator_uri before granting access to a protected resource.

The exact validation method is TBD.

TODO(thibault): provide an actual instantiation example.

6.3.3. Site -> Moderator - Validation 

struct {
  uint16 credential_type;
  opaque presentation_and_update<V>;
} ValidationRequest;

struct {
  uint16 credential_type;
  uint8 valid;
  opaque update_response<V>;
} ValidationResult;

6.3.4. Site -> Client - Update

TODO(thibault) 1. This is the only place where we don't have an established pattern. We need to define a new header. [REVERSE-FLOW] uses PrivacyPass-Reverse. Here is a Mole-Update. I'd like something clearer. 2. Headers do not have a fixed protocol limit, but large values are hard to deploy. Other instantiations may define another method, such as returning a URL that the client can fetch. TBD

struct {
  uint16 credential_type;
  opaque update_response<V>;
} CredentialUpdate;

struct {
  optional<CredentialUpdate> update;
} OptionalCredentialUpdate;

The Site MUST send Mole-Update. The Site sets the update when the Credential remains usable after presentation. The Site marks the update as absent to intentionally consume the Credential. Clients MUST follow the Credential type semantics for reuse after an omitted update.

  • update which contains a base64url OptionalCredentialUpdate value, encoded per [BASE64]

Mole-Update: update="<optional-credential-update>"

Each credential type MUST define the challenge fields that partition cached Credentials, or state that Credentials of that type are not cacheable.

7. HTTP protocol (probably its own draft)

In Section 4, we define two protocol registries: endorsement and site.

7.1. Endorsement

0x0001 - Anchor-Hiding endorsement

This is the first protocol

7.2. Credentials

0x0001 - ACT

See [PRIVACYPASS_ACT]. Will need to be adapted to be specific here.

0x0002 - ReverseFlow(VOPRF(P384))

Presenting a VOPRF token, with the update being a request for a new VOPRF token.

8. Security Considerations

9. IANA Considerations

9.1. Authentication Scheme

We register Mole as defined in Section 4

10. References

10.1. Normative References

[HTTP]
Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke, Ed., "HTTP Semantics", STD 97, RFC 9110, DOI 10.17487/RFC9110, , <https://www.rfc-editor.org/rfc/rfc9110>.
[RFC2119]
Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, , <https://www.rfc-editor.org/rfc/rfc2119>.
[RFC8174]
Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, , <https://www.rfc-editor.org/rfc/rfc8174>.
[TLS13]
Rescorla, E., "The Transport Layer Security (TLS) Protocol Version 1.3", RFC 8446, DOI 10.17487/RFC8446, , <https://www.rfc-editor.org/rfc/rfc8446>.
[URI]
Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform Resource Identifier (URI): Generic Syntax", STD 66, RFC 3986, DOI 10.17487/RFC3986, , <https://www.rfc-editor.org/rfc/rfc3986>.

10.2. Informative References

[BASE64]
Josefsson, S., "The Base16, Base32, and Base64 Data Encodings", RFC 4648, DOI 10.17487/RFC4648, , <https://www.rfc-editor.org/rfc/rfc4648>.
[PRIVACYPASS_ACT]
Schlesinger, S. and T. Meunier, "Privacy Pass Issuance Protocol for Anonymous Credit Tokens", Work in Progress, Internet-Draft, draft-schlesinger-privacypass-act-01, , <https://datatracker.ietf.org/doc/html/draft-schlesinger-privacypass-act-01>.
[QUIC]
Iyengar, J., Ed. and M. Thomson, Ed., "QUIC: A UDP-Based Multiplexed and Secure Transport", RFC 9000, DOI 10.17487/RFC9000, , <https://www.rfc-editor.org/rfc/rfc9000>.
[REVERSE-FLOW]
Meunier, T., "Privacy Pass Reverse Flow", Work in Progress, Internet-Draft, draft-meunier-privacypass-reverse-flow-05, , <https://datatracker.ietf.org/doc/html/draft-meunier-privacypass-reverse-flow-05>.

Acknowledgments

TODO acknowledge.

Author's Address

Thibault Meunier
Cloudflare