We propose the mechanism makes the issuer key auditable.
Problem
Secure fetching the issuer key is a critical challenge for Privacy Pass.
If the issuer chooses a different key for each user, they can track users.
Solution
We propose to enforce issuers to set the (hash of) the issuer key on the X.509 extensions.
This stores the issue key on the Certificate Transparency logs and allows the public to audit it.
We propose the mechanism makes the issuer key auditable.
Problem
Secure fetching the issuer key is a critical challenge for Privacy Pass. If the issuer chooses a different key for each user, they can track users.
Solution
We propose to enforce issuers to set the (hash of) the issuer key on the X.509 extensions. This stores the issue key on the Certificate Transparency logs and allows the public to audit it.
Reference
Certificate Transparency: https://certificate.transparency.dev/