tfpauly / privacy-proxy

Specifications for Privacy Proxy Implementations

Clarify that the Issuer needs to serve a sufficient number of Origins #184

Closed tfpauly closed 2 years ago

tfpauly commented 2 years ago

From the list:

Are you assuming that the client enforces some limit on the number of distinct Issuers, as discussed in other Privacy Pass drafts? If any origin operates its own private Issuer, the Attester ends up learning that the user visited that origin, violating the separation goal. Do you intend to prevent this?

Yes, a 1:1 relationship between Issuer and Origin would indeed violate the goal of separating information from the Attester. It still doesn’t allow the Attester to know the origin state, but it does tell the Attester more about the origin identity than we’d want.

I think we don’t clearly state a requirement that the Client and/or Attester need to collectively check that there are a sufficient number of origins served by each issuer (conversely, that there aren’t too many issuers). As we’re considering Attester deployments, it would be a requirement when onboarding an Issuer to ensure that there is a sufficient set of origins. We can open an issue to add this text.
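As an added illustration, not code from the privacy-proxy repository or from the commenter, the following Python sketch models the checks described above: the Attester-side onboarding gate that requires each Issuer to serve a minimum number of Origins, the anonymity set (candidate Origins) the Attester is left with when it sees a request bound to a given Issuer, and the converse Client-side cap on the number of distinct Issuers. The Issuer and Origin names and the thresholds are constructed assumptions.

```python
"""Anonymity-set checks for a Privacy Pass style Issuer/Origin deployment.

Each Issuer is mapped to the set of Origins it serves. When a Client asks the
Attester for a token bound to one Issuer, the Attester learns only the Issuer
identity, so the Origins the Client might be visiting are exactly the Origins
that Issuer serves. An Issuer with a single Origin therefore reveals the
Origin identity to the Attester (the 1:1 case the issue warns about).
"""

# Constructed sample deployment; hypothetical names, not from the issue.
ISSUER_ORIGINS = {
    "issuer-a.example": {"news.example", "shop.example", "mail.example"},
    "issuer-b.example": {"bank.example"},  # 1:1 Issuer: leaks the Origin
    "issuer-c.example": {"video.example", "chat.example"},
}


def attester_candidate_origins(issuer_origins, issuer):
    """Origins the Attester can infer the Client may be visiting after seeing
    a request bound to `issuer` (the Attester's anonymity set for it)."""
    return set(issuer_origins.get(issuer, set()))


def issuers_below_minimum(issuer_origins, min_origins):
    """Issuers whose Origin set is too small to hide the Origin identity.
    `min_origins` is the policy threshold (an assumed value) the Attester applies."""
    return sorted(i for i, origins in issuer_origins.items()
                  if len(origins) < min_origins)


def onboarding_check(issuer_origins, issuer, origins, min_origins):
    """Attester-side onboarding gate: admit `issuer` only if the Origins it
    declares are numerous enough. Returns (accepted, reason) and records the
    Issuer in `issuer_origins` on success."""
    if issuer in issuer_origins:
        return False, f"{issuer} is already onboarded"
    if len(origins) < min_origins:
        return False, (f"{issuer} serves {len(origins)} origin(s); "
                       f"policy requires at least {min_origins}")
    issuer_origins[issuer] = set(origins)
    return True, "accepted"


def too_many_issuers(issuer_origins, max_issuers):
    """Client-side converse check: many small Issuers shrink every anonymity
    set, so flag a deployment whose distinct Issuer count exceeds the cap."""
    return len(issuer_origins) > max_issuers


if __name__ == "__main__":
    print("Issuers below minimum:", issuers_below_minimum(ISSUER_ORIGINS, 2))
    print("Attester view for issuer-b.example:",
          attester_candidate_origins(ISSUER_ORIGINS, "issuer-b.example"))
    deployment = {k: set(v) for k, v in ISSUER_ORIGINS.items()}
    print(onboarding_check(deployment, "issuer-d.example", {"solo.example"}, 2))
```

Running the module lists `issuer-b.example` as the Issuer whose single Origin the Attester can read off directly, and rejects the hypothetical `issuer-d.example` at onboarding because it declares only one Origin.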