tfpauly / privacy-proxy

Specifications for Privacy Proxy Implementations

Rate-limited tokens: Comparing with Privacy Pass #168

Closed tlepoint closed 2 years ago

tlepoint commented 2 years ago

A clear comparison of the model here, and the one of Privacy Pass, could be very useful to understand the choices that are made here.

More precisely, it is interesting that in Privacy Pass, the link between the issuance (with client name) and redemption is broken via the use of an anonymous communication channel when redeeming the token and/or delays between issuance and redemption. Here instead, there are two different channels (client ↔ “issuing party”, client ↔ origin), and to hide the client name from the “issuing party”, it is split into two parties (attester and issuer). This makes it possible to have “simultaneous” issuance and redemption while still hiding the client identity from the origin.

Maybe adding such clarifications to Section 9 could help in understanding the security model of this new protocol.

tfpauly commented 2 years ago

The latest version of the Privacy Pass architecture is actually where the issuer/attester/etc. are defined: https://datatracker.ietf.org/doc/html/draft-ietf-privacypass-architecture-02

Had you been referring to an older version?