From b99cf49cc721d8638365858cebc75676c025fe46 Mon Sep 17 00:00:00 2001
From: ID Bot <idbot@example.com>
Date: Thu, 16 Nov 2023 19:00:45 +0000
Subject: [PATCH] Script updating gh-pages from 26e0aa4. [ci skip]

---
 .../draft-ietf-privacypass-architecture.html  | 2884 -------------
 .../draft-ietf-privacypass-architecture.txt   | 1379 -------
 .../draft-ietf-privacypass-auth-scheme.html   | 2670 ------------
 .../draft-ietf-privacypass-auth-scheme.txt    | 1205 ------
 .../draft-ietf-privacypass-protocol.html      | 3569 -----------------
 .../draft-ietf-privacypass-protocol.txt       | 1868 ---------
 chris-wood-patch-8/index.html                 |   55 -
 draft-ietf-privacypass-architecture.html      |   10 +-
 draft-ietf-privacypass-architecture.txt       |   12 +-
 draft-ietf-privacypass-auth-scheme.html       |   10 +-
 draft-ietf-privacypass-auth-scheme.txt        |   10 +-
 draft-ietf-privacypass-protocol.html          |    8 +-
 draft-ietf-privacypass-protocol.txt           |    6 +-
 index.html                                    |   18 -
 14 files changed, 28 insertions(+), 13676 deletions(-)
 delete mode 100644 chris-wood-patch-8/draft-ietf-privacypass-architecture.html
 delete mode 100644 chris-wood-patch-8/draft-ietf-privacypass-architecture.txt
 delete mode 100644 chris-wood-patch-8/draft-ietf-privacypass-auth-scheme.html
 delete mode 100644 chris-wood-patch-8/draft-ietf-privacypass-auth-scheme.txt
 delete mode 100644 chris-wood-patch-8/draft-ietf-privacypass-protocol.html
 delete mode 100644 chris-wood-patch-8/draft-ietf-privacypass-protocol.txt
 delete mode 100644 chris-wood-patch-8/index.html

diff --git a/chris-wood-patch-8/draft-ietf-privacypass-architecture.html b/chris-wood-patch-8/draft-ietf-privacypass-architecture.html
deleted file mode 100644
index fd02d9d9..00000000
--- a/chris-wood-patch-8/draft-ietf-privacypass-architecture.html
+++ /dev/null
@@ -1,2884 +0,0 @@
-<!DOCTYPE html>
-<html lang="en" class="Internet-Draft">
-<head>
-<meta charset="utf-8">
-<meta content="Common,Latin" name="scripts">
-<meta content="initial-scale=1.0" name="viewport">
-<title>The Privacy Pass Architecture</title>
-<meta content="Alex Davidson" name="author">
-<meta content="Jana Iyengar" name="author">
-<meta content="Christopher A. Wood" name="author">
-<meta content="
-       This document specifies the Privacy Pass architecture and requirements for
-its constituent protocols used for authorization based on privacy-preserving
-authentication mechanisms. It describes the conceptual model of Privacy Pass
-and its protocols, its security and privacy goals, practical deployment models,
-and recommendations for each deployment model that helps ensure the desired
-security and privacy goals are fulfilled. 
-    " name="description">
-<meta content="xml2rfc 3.18.1" name="generator">
-<meta content="Internet-Draft" name="keyword">
-<meta content="draft-ietf-privacypass-architecture-latest" name="ietf.draft">
-<!-- Generator version information:
-  xml2rfc 3.18.1
-    Python 3.11.5
-    ConfigArgParse 1.5.3
-    google-i18n-address 3.1.0
-    intervaltree 3.1.0
-    Jinja2 3.1.2
-    lxml 4.9.3
-    platformdirs 3.11.0
-    pycountry 22.3.5
-    PyYAML 6.0
-    requests 2.31.0
-    setuptools 67.7.2
-    six 1.16.0
-    wcwidth 0.2.8
--->
-<link href="draft-ietf-privacypass-architecture.xml" rel="alternate" type="application/rfc+xml">
-<link href="#copyright" rel="license">
-<style type="text/css">@font-face {
-  font-family: 'Lora';
-  font-style: italic;
-  font-weight: 400;
-  font-display: swap;
-  src: local('Lora Italic'), local('Lora-Italic'), url('https://martinthomson.github.io/rfc-css/fonts/lora-italic-cyrillic-ext.woff2') format('woff2');
-  unicode-range: U+0460-052F, U+1C80-1C88, U+20B4, U+2DE0-2DFF, U+A640-A69F, U+FE2E-FE2F;
-}
-@font-face {
-  font-family: 'Lora';
-  font-style: italic;
-  font-weight: 400;
-  font-display: swap;
-  src: local('Lora Italic'), local('Lora-Italic'), url('https://martinthomson.github.io/rfc-css/fonts/lora-italic-cyrillic-ext.woff2') format('woff2');
-  unicode-range: U+0400-045F, U+0490-0491, U+04B0-04B1, U+2116;
-}
-@font-face {
-  font-family: 'Lora';
-  font-style: italic;
-  font-weight: 400;
-  font-display: swap;
-  src: local('Lora Italic'), local('Lora-Italic'), url('https://martinthomson.github.io/rfc-css/fonts/lora-italic-vietnamese.woff2') format('woff2');
-  unicode-range: U+0102-0103, U+0110-0111, U+1EA0-1EF9, U+20AB;
-}
-@font-face {
-  font-family: 'Lora';
-  font-style: italic;
-  font-weight: 400;
-  font-display: swap;
-  src: local('Lora Italic'), local('Lora-Italic'), url('https://martinthomson.github.io/rfc-css/fonts/lora-italic-latin-ext.woff2') format('woff2');
-  unicode-range: U+0100-024F, U+0259, U+1E00-1EFF, U+2020, U+20A0-20AB, U+20AD-20CF, U+2113, U+2C60-2C7F, U+A720-A7FF;
-}
-
-@font-face {
-  font-family: 'Lora';
-  font-style: italic;
-  font-weight: 400;
-  font-display: swap;
-  src: local('Lora Italic'), local('Lora-Italic'), url('https://martinthomson.github.io/rfc-css/fonts/lora-italic-latin.woff2') format('woff2');
-  unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+2000-206F, U+2074, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD;
-}
-@font-face {
-  font-family: 'Lora';
-  font-style: normal;
-  font-weight: 400;
-  font-display: swap;
-  src: local('Lora Regular'), local('Lora-Regular'), url('https://martinthomson.github.io/rfc-css/fonts/lora-regular-cyrillic-ext.woff2') format('woff2');
-  unicode-range: U+0460-052F, U+1C80-1C88, U+20B4, U+2DE0-2DFF, U+A640-A69F, U+FE2E-FE2F;
-}
-@font-face {
-  font-family: 'Lora';
-  font-style: normal;
-  font-weight: 400;
-  font-display: swap;
-  src: local('Lora Regular'), local('Lora-Regular'), url('https://martinthomson.github.io/rfc-css/fonts/lora-regular-cyrillic.woff2') format('woff2');
-  unicode-range: U+0400-045F, U+0490-0491, U+04B0-04B1, U+2116;
-}
-@font-face {
-  font-family: 'Lora';
-  font-style: normal;
-  font-weight: 400;
-  font-display: swap;
-  src: local('Lora Regular'), local('Lora-Regular'), url('https://martinthomson.github.io/rfc-css/fonts/lora-regular-vietnamese.woff2') format('woff2');
-  unicode-range: U+0102-0103, U+0110-0111, U+1EA0-1EF9, U+20AB;
-}
-@font-face {
-  font-family: 'Lora';
-  font-style: normal;
-  font-weight: 400;
-  font-display: swap;
-  src: local('Lora Regular'), local('Lora-Regular'), url('https://martinthomson.github.io/rfc-css/fonts/lora-regular-latin-ext.woff2') format('woff2');
-  unicode-range: U+0100-024F, U+0259, U+1E00-1EFF, U+2020, U+20A0-20AB, U+20AD-20CF, U+2113, U+2C60-2C7F, U+A720-A7FF;
-}
-@font-face {
-  font-family: 'Lora';
-  font-style: normal;
-  font-weight: 400;
-  font-display: swap;
-  src: local('Lora Regular'), local('Lora-Regular'), url('https://martinthomson.github.io/rfc-css/fonts/lora-regular-latin.woff2') format('woff2');
-  unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+2000-206F, U+2074, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD;
-}
-
-@font-face {
-  font-family: 'Lora';
-  font-style: normal;
-  font-weight: 700;
-  font-display: swap;
-  src: local('Lora Bold'), local('Lora-Bold'), url('https://martinthomson.github.io/rfc-css/fonts/lora-bold-cyrillic-ext.woff2') format('woff2');
-  unicode-range: U+0460-052F, U+1C80-1C88, U+20B4, U+2DE0-2DFF, U+A640-A69F, U+FE2E-FE2F;
-}
-@font-face {
-  font-family: 'Lora';
-  font-style: normal;
-  font-weight: 700;
-  font-display: swap;
-  src: local('Lora Bold'), local('Lora-Bold'), url('https://martinthomson.github.io/rfc-css/fonts/lora-bold-cyrillic.woff2') format('woff2');
-  unicode-range: U+0400-045F, U+0490-0491, U+04B0-04B1, U+2116;
-}
-@font-face {
-  font-family: 'Lora';
-  font-style: normal;
-  font-weight: 700;
-  font-display: swap;
-  src: local('Lora Bold'), local('Lora-Bold'), url('https://martinthomson.github.io/rfc-css/fonts/lora-bold-vietnamese.woff2') format('woff2');
-  unicode-range: U+0102-0103, U+0110-0111, U+1EA0-1EF9, U+20AB;
-}
-@font-face {
-  font-family: 'Lora';
-  font-style: normal;
-  font-weight: 700;
-  font-display: swap;
-  src: local('Lora Bold'), local('Lora-Bold'), url('https://martinthomson.github.io/rfc-css/fonts/lora-bold-latin-ext.woff2') format('woff2');
-  unicode-range: U+0100-024F, U+0259, U+1E00-1EFF, U+2020, U+20A0-20AB, U+20AD-20CF, U+2113, U+2C60-2C7F, U+A720-A7FF;
-}
-@font-face {
-  font-family: 'Lora';
-  font-style: normal;
-  font-weight: 700;
-  font-display: swap;
-  src: local('Lora Bold'), local('Lora-Bold'), url('https://martinthomson.github.io/rfc-css/fonts/lora-bold-latin.woff2') format('woff2');
-  unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+2000-206F, U+2074, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD;
-}
-@font-face {
-  font-family: 'Lora';
-  font-style: normal;
-  font-weight: 600;
-  font-display: swap;
-  src: local('Lora SemiBold'), local('Lora-SemiBold'), url('https://martinthomson.github.io/rfc-css/fonts/lora-semibold-latin.woff2') format('woff2');
-  unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+2000-206F, U+2074, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD;
-}
-
-@font-face {
-  font-family: 'Cabin Condensed';
-  font-style: normal;
-  font-weight: 600;
-  font-display: swap;
-  src: local('Cabin Condensed SemiBold'), local('CabinCondensed-SemiBold'), url('https://martinthomson.github.io/rfc-css/fonts/cabincondensed-semibold-vietnamese.woff2') format('woff2');
-  unicode-range: U+0102-0103, U+0110-0111, U+1EA0-1EF9, U+20AB;
-}
-@font-face {
-  font-family: 'Cabin Condensed';
-  font-style: normal;
-  font-weight: 600;
-  font-display: swap;
-  src: local('Cabin Condensed SemiBold'), local('CabinCondensed-SemiBold'), url('https://martinthomson.github.io/rfc-css/fonts/cabincondensed-semibold-latin-ext.woff2') format('woff2');
-  unicode-range: U+0100-024F, U+0259, U+1E00-1EFF, U+2020, U+20A0-20AB, U+20AD-20CF, U+2113, U+2C60-2C7F, U+A720-A7FF;
-}
-@font-face {
-  font-family: 'Cabin Condensed';
-  font-style: normal;
-  font-weight: 600;
-  font-display: swap;
-  src: local('Cabin Condensed SemiBold'), local('CabinCondensed-SemiBold'), url('https://martinthomson.github.io/rfc-css/fonts/cabincondensed-semibold-latin.woff2') format('woff2');
-  unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+2000-206F, U+2074, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD;
-}
-
-@font-face {
-  font-family: 'Oxygen Mono';
-  font-style: normal;
-  font-weight: 400;
-  font-display: swap;
-  src: local('Oxygen Mono'), local('OxygenMono-Regular'), url('https://martinthomson.github.io/rfc-css/fonts/oxygenmono-regular-latin-ext.woff2') format('woff2');
-  unicode-range: U+0100-024F, U+0259, U+1E00-1EFF, U+2020, U+20A0-20AB, U+20AD-20CF, U+2113, U+2C60-2C7F, U+A720-A7FF;
-}
-@font-face {
-  font-family: 'Oxygen Mono';
-  font-style: normal;
-  font-weight: 400;
-  font-display: swap;
-  src: local('Oxygen Mono'), local('OxygenMono-Regular'), url('https://martinthomson.github.io/rfc-css/fonts/oxygenmono-regular-latin.woff2') format('woff2');
-  unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+2000-206F, U+2074, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD;
-}
-
-:root {
-  color-scheme: light dark;
-  --background-color: #fff;
-  --text-color: #222;
-  --title-color: #191919;
-  --link-color: #2a6496;
-  --highlight-color: #f9f9f9;
-  --line-color: #eee;
-  --pilcrow-weak: #ddd;
-  --pilcrow-strong: #bbb;
-  --small-font-size: 14.5px;
-  --font-mono: 'Oxygen Mono', monospace;
-  scrollbar-color: #bbb #eee;
-}
-body {
-  max-width: 600px;
-  margin: 75px auto;
-  padding: 0 5px;
-  color: var(--text-color);
-  background-color: var(--background-color);
-  font: 16px/22px "Lora", serif;
-  scroll-behavior: smooth;
-}
-
-.ears {
-  display: none;
-}
-
-/* headings */
-h1, h2, h3, h4, h5, h6 {
-  font-family: "Cabin Condensed", sans-serif;
-  font-weight: 600;
-  margin: 0.8em 0 0.3em;
-  font-size-adjust: 0.5;
-  color: var(--title-color);
-}
-h1#title {
-  font-size: 32px;
-  line-height: 40px;
-  clear: both;
-}
-h1#title, h1#rfcnum {
-  margin: 1.5em 0 0.2em;
-}
-h1#rfcnum + h1#title {
-  margin: 0.2em 0;
-}
-
-h1, h2, h3 {
-  font-size: 22px;
-  line-height: 27px;
-}
-h4, h5, h6 {
-  font-size: 20px;
-  line-height: 24px;
-}
-
-/* general structure */
-.author {
-  padding-bottom: 0.3em;
-}
-#abstract+p {
-  font-size: 18px;
-  line-height: 24px;
-}
-#abstract+p code, #abstract+p samp, #abstract+p tt {
-  font-size: 16px;
-  line-height: 0;
-}
-
-p {
-  padding: 0;
-  margin: 0.5em 0;
-  text-align: left;
-}
-div {
-  margin: 0;
-}
-.alignRight.art-text {
-  background-color: var(--highlight-color);
-  border: 1px solid var(--line-color);
-  border-radius: 3px;
-  padding: 0.5em 1em 0;
-  margin-bottom: 0.5em;
-}
-.alignRight.art-text pre {
-  padding: 0;
-  width: auto;
-}
-.alignRight {
-  margin: 1em 0;
-}
-.alignRight > *:first-child {
-  border: none;
-  margin: 0;
-  float: right;
-  clear: both;
-}
-.alignRight > *:nth-child(2) {
-  clear: both;
-  display: block;
-  border: none;
-}
-svg {
-  display: block;
-}
-/* font-family isn't space-separated, but =~ will have to do */
-svg[font-family~="monospace" i], svg [font-family~="monospace" i] {
-  font-family: var(--font-mono);
-}
-.alignCenter.art-text {
-  background-color: var(--highlight-color);
-  border: 1px solid var(--line-color);
-  border-radius: 3px;
-  padding: 0.5em 1em 0;
-  margin-bottom: 0.5em;
-}
-.alignCenter.art-text pre {
-  padding: 0;
-  width: auto;
-}
-.alignCenter {
-  margin: 1em 0;
-}
-.alignCenter > *:first-child {
-  border: none;
-  /* this isn't optimal, but it's an existence proof.  PrinceXML doesn't
-     support flexbox yet.
-  */
-  display: table;
-  margin: 0 auto;
-}
-
-/* lists */
-ol, ul {
-  padding: 0;
-  margin: 0 0 0.5em 2em;
-}
-:is(ol, ul) :is(ol, ul) {
-  margin-left: 1em;
-}
-li {
-  margin: 0 0 0.25em 0;
-}
-.ulCompact li {
-  margin: 0;
-}
-ul.empty, .ulEmpty {
-  list-style-type: none;
-}
-ul.empty li, .ulEmpty li {
-  margin-top: 0.5em;
-}
-:is(ul, ol).compact, .ulCompact, .olCompact {
-  line-height: 1;
-  margin: 0 0 0 2em;
-}
-
-/* definition lists */
-dl {
-  clear: left;
-  --indent: 3ch;
-  /* --indent: attr(indent ch); not supported in any browser, but we can dream */
-}
-dl.olPercent {
-  --indent: 5ch;
-}
-dl > dt {
-  float: left;
-  margin-right: 2ch;
-  min-width: 8ch;
-}
-dl.dlNewline > dt {
-  float: none;
-}
-dl > dd {
-  margin-bottom: .8em;
-  margin-left: var(--indent) !important; /* stupid element overrides */
-  min-height: 2ex;
-}
-dl.olPercent > dt {
-  min-width: calc(var(--indent) - 2ch);
-}
-:is(dl.compact, .dlCompact) > dd {
-  margin-bottom: 0;
-}
-:is(dl.compact, .dlCompact) > dd > :is(:first-child, .break:first-child + *) {
-  margin-top: 0;
-}
-:is(dl.compact, .dlCompact) > dd > :is(:last-child) {
-  margin-bottom: 0;
-}
-dl > dd > dl {
-  margin-top: 0.5em;
-  margin-bottom: 0;
-}
-:is(dd, span).break {
-  display: none;
-}
-
-/* links */
-a, a[href].selfRef:hover {
-  text-decoration: none;
-}
-a[href] {
-  color: var(--link-color);
-}
-a[href].selfRef, .iref + a[href].internal {
-  color: var(--text-color);
-}
-a[href]:hover {
-  text-decoration: underline;
-}
-a[href].selfRef:hover {
-  background-color: var(--highlight-color);
-}
-a.xref:is(.cite, .auto), :is(#status-of-memo, #copyright) a {
-  white-space: nowrap;
-}
-
-/* Figures */
-tt, code, pre {
-  background-color: var(--highlight-color);
-  font: 14px/22px var(--font-mono);
-}
-tt, code {
-  /* changing the font for inline elements leads to different ascender
-     and descender heights; as we want to retain baseline alignment,
-     remove leading to avoid altering the final height of lines
-     note: this fails if these blocks take an entire line,
-     a different solution would be great */
-  line-height: 0;
-}
-:is(h1, h2, h3, h4, h5, h6) :is(tt, code) {
-  font-size: 84%;
-}
-pre {
-  border: 1px solid var(--line-color);
-  font-size: 13.5px;
-  line-height: 16px;
-  letter-spacing: -0.2px;
-  margin: 5px;
-  padding: 5px;
-}
-img {
-  max-width: 100%;
-}
-figure {
-  margin: 0.5em 0;
-  padding: 0;
-}
-figure blockquote {
-  margin: 0.8em 0.4em 0.4em;
-}
-figcaption, caption {
-  font-style: italic;
-  margin: 0.5em 1.5em;
-  text-align: left;
-}
-@media screen {
-  /* Auto-collapse boilerplate. */
-  :is(#status-of-memo, #copyright) p {
-    margin: -2px 0;
-    max-height: 0;
-    transition: max-height 2s ease, margin 0.5s ease 0.5s;
-    overflow: hidden;
-  }
-  :is(#status-of-memo, #copyright):hover p,
-  :is(#status-of-memo, #copyright) h2:target ~ p {
-    margin: 0.5em 0;
-    max-height: 500px;
-    overflow: auto;
-  }
-  pre, svg {
-    display: inline-block;
-    overflow-x: auto;
-  }
-  pre {
-    max-width: 100%;
-    width: calc(100% - 22px - 1em);
-  }
-  svg {
-    max-width: calc(100% - 22px - 1em);
-  }
-  figure pre {
-    display: block;
-    width: calc(100% - 25px);
-  }
-  :is(pre, svg) + .pilcrow {
-    display: inline-block;
-    vertical-align: text-bottom;
-    padding-bottom: 8px;
-  }
-}
-
-/* aside, blockquote */
-aside, blockquote {
-  margin-left: 0;
-  padding: 0 2em;
-  font-style: italic;
-}
-blockquote {
-  margin: 1em 0;
-}
-cite {
-  display: block;
-  text-align: right;
-  font-style: italic;
-}
-
-/* tables */
-table {
-  max-width: 100%;
-  margin: 0 0 1em;
-  border-collapse: collapse;
-}
-table.right {
-  margin-left: auto;
-}
-table.center {
-  margin-left: auto;
-  margin-right: auto;
-}
-table.left {
-  margin-right: auto;
-}
-thead, tbody {
-  border: 1px solid var(--line-color);
-}
-th, td {
-  text-align: left;
-  vertical-align: top;
-  padding: 5px 10px;
-}
-th {
-  background-color: var(--line-color);
-}
-:is(tr:nth-child(2n), thead+tbody > tr:nth-child(2n+1)) > td {
-  background-color: var(--background-color);
-}
-:is(tr:nth-child(2n+1), thead+tbody > tr:nth-child(2n)) > td {
-  background-color: var(--highlight-color);
-}
-table caption {
-  margin: 0;
-  padding: 3px 0 3px 1em;
-}
-table p {
-  margin: 0;
-}
-
-/* pilcrow */
-a.pilcrow {
-  margin-left: 3px;
-  opacity: 0.2;
-  user-select: none;
-}
-a.pilcrow[href] { color: var(--pilcrow-weak); }
-a.pilcrow[href]:hover { text-decoration: none; }
-@media not print {
-  :hover > a.pilcrow {
-    opacity: 1;
-  }
-  a.pilcrow[href]:hover {
-    color: var(--pilcrow-strong);
-    background-color: transparent;
-  }
-}
-@media print {
-  a.pilcrow {
-    display: none;
-  }
-}
-
-/* misc */
-hr {
-  border: 0;
-  border-top: 1px solid var(--line-color);
-}
-.bcp14 {
-  font-variant: small-caps;
-  font-weight: 600;
-  font-size: var(--small-font-size);
-}
-.role {
-  font-variant: all-small-caps;
-}
-sub, sup {
-  line-height: 1;
-  font-size: 80%;
-}
-
-/* info block */
-#identifiers {
-  margin: 0;
-  font-size: var(--small-font-size);
-  line-height: 18px;
-  --identifier-width: 15ch;
-}
-#identifiers dt {
-  width: var(--identifier-width);
-  min-width: var(--identifier-width);
-  clear: left;
-  float: left;
-  text-align: right;
-  margin-right: 1ch;
-}
-#identifiers dd {
-  margin: 0;
-  margin-left: calc(1em + var(--identifier-width)) !important;
-  min-width: 5em;
-}
-#identifiers .authors .author {
-  display: inline-block;
-  margin-right: 1.5em;
-}
-#identifiers .authors .org {
-  font-style: italic;
-}
-
-/* The prepared/rendered info at the very bottom of the page */
-.docInfo {
-  color: #999;
-  font-size: 0.9em;
-  font-style: italic;
-  margin-top: 2em;
-}
-.docInfo .prepared {
-  float: left;
-}
-.docInfo .prepared {
-  float: right;
-}
-
-/* table of contents */
-#toc {
-  padding: 0.75em 0 2em 0;
-  margin-bottom: 1em;
-}
-#toc nav ul {
-  margin: 0 0.5em 0 0;
-  padding: 0;
-  list-style: none;
-}
-#toc nav li {
-  line-height: 1.3em;
-  margin: 2px 0;
-  padding-left: 1.2em;
-  text-indent: -1.2em;
-}
-#toc a.xref {
-  white-space: normal;
-}
-/* references */
-.references dt {
-  text-align: right;
-  font-weight: bold;
-  min-width: 10ch;
-  margin-right: 1.5ch;
-}
-.references dt:target::before {
-  content: "⇒";
-  width: 15px;
-  margin: 0 10px 0 -25px;
-}
-.references dd {
-  margin-left: 12ch !important;
-  overflow: auto;
-}
-
-.refInstance {
-  margin-bottom: 1.25em;
-}
-
-.references .ascii {
-  margin-bottom: 0.25em;
-}
-
-/* index */
-#rfc\.index\.index + ul {
-  margin-left: 0;
-}
-
-/* authors */
-address.vcard {
-  font-style: normal;
-  margin: 1em 0;
-}
-address.vcard .nameRole {
-  font-weight: 700;
-  margin-left: 0;
-}
-address.vcard .label {
-  margin: 0.5em 0;
-}
-address.vcard .type {
-  display: none;
-}
-.alternative-contact {
-  margin: 1.5em 0 1em;
-}
-hr.addr {
-  border-top: 1px dashed;
-  margin: 0;
-  color: #ddd;
-  max-width: calc(100% - 16px);
-}
-@media (min-width: 500px) {
-  #authors-addresses > section {
-    column-count: 2;
-    column-gap: 20px;
-  }
-  #authors-addresses > section > h2 {
-    column-span: all;
-  }
-  /* hack for break-inside: avoid-column */
-  #authors-addresses address {
-    display: inline-block;
-    break-inside: avoid-column;
-  }
-}
-
-.rfcEditorRemove p:first-of-type {
-  font-style: italic;
-}
-.cref {
-  background-color: rgba(249, 232, 105, 0.3);
-  padding: 2px 4px;
-}
-.crefSource {
-  font-style: italic;
-}
-/* alternative layout for smaller screens */
-@media screen and (max-width: 929px) {
-  #toc {
-    position: fixed;
-    z-index: 2;
-    top: 0;
-    right: 0;
-    padding: 1px 0 0 0;
-    margin: 0;
-    border-bottom: 1px solid #ccc;
-    opacity: 0.6;
-  }
-  #toc.active {
-      opacity: 1;
-  }
-  #toc h2 {
-    margin: 0;
-    padding: 2px 0 2px 6px;
-    padding-right: 1em;
-    font-size: 18px;
-    line-height: 24px;
-    min-width: 190px;
-    text-align: right;
-    background-color: #444;
-    color: white;
-    cursor: pointer;
-  }
-  #toc h2::before { /* css hamburger */
-    float: right;
-    position: relative;
-    width: 1em;
-    height: 1px;
-    left: -164px;
-    margin: 8px 0 0 0;
-    background: white none repeat scroll 0 0;
-    box-shadow: 0 4px 0 0 white, 0 8px 0 0 white;
-    content: "";
-  }
-  #toc nav {
-    display: none;
-    background-color: var(--background-color);
-    padding: 0.5em 1em 1em;
-    overflow: auto;
-    overscroll-behavior: contain;
-    height: calc(100vh - 48px);
-    border-left: 1px solid #ddd;
-  }
-  #toc.active nav {
-    display: block;
-  }
-  /* Make the collapsed ToC header render white on gray also when it's a link */
-  #toc h2 a,
-  #toc h2 a:link,
-  #toc h2 a:focus,
-  #toc h2 a:hover,
-  #toc a.toplink,
-  #toc a.toplink:hover {
-    color: white;
-    background-color: #444;
-    text-decoration: none;
-  }
-  #toc a.toplink {
-    margin-top: 2px;
-  }
-}
-
-/* alternative layout for wide screens */
-@media screen and (min-width: 930px) {
-  body {
-    padding-right: 360px;
-    padding-right: calc(min(180px + 20%, 500px));
-  }
-  #toc {
-    position: fixed;
-    bottom: 0;
-    right: 0;
-    right: calc(50vw - 480px);
-    width: 312px;
-    margin: 0;
-    padding: 0;
-    z-index: 1;
-  }
-  #toc h2 {
-    margin: 0;
-    padding: 0.25em 1em 1em 0;
-  }
-  #toc nav {
-    display: block;
-    height: calc(90vh - 84px);
-    bottom: 0;
-    padding: 0.5em 0 2em;
-    overflow: auto;
-    overscroll-behavior: contain;
-    scrollbar-width: thin;
-  }
-  #toc nav > ul  {
-    margin-bottom: 2em;
-  }
-  #toc ul {
-    margin: 0 0 0 4px;
-    font-size: var(--small-font-size);
-  }
-  #toc ul :is(p, li) {
-    margin: 2px 0;
-    line-height: 22px;
-  }
-  img { /* future proofing */
-    max-width: 100%;
-    height: auto;
-  }
-}
-
-/* pagination */
-@media print {
-  body {
-    width: 100%;
-  }
-  p {
-    orphans: 3;
-    widows: 3;
-  }
-  #n-copyright-notice {
-    border-bottom: none;
-  }
-  #toc, #n-introduction {
-    page-break-before: always;
-  }
-  #toc {
-    border-top: none;
-    padding-top: 0;
-  }
-  figure, pre, .vcard {
-    page-break-inside: avoid;
-  }
-  h1, h2, h3, h4, h5, h6 {
-    page-break-after: avoid;
-  }
-  :is(h2, h3, h4, h5, h6)+*, dd {
-    page-break-before: avoid;
-  }
-  pre {
-    white-space: pre-wrap;
-    word-wrap: break-word;
-    font-size: 10pt;
-  }
-  table {
-    border: 1px solid #ddd;
-  }
-  td {
-    border-top: 1px solid #ddd;
-  }
-  .toplink {
-    display: none;
-  }
-}
-
-@page :first {
-  padding-top: 0;
-  @top-left {
-    content: normal;
-    border: none;
-  }
-  @top-center {
-    content: normal;
-    border: none;
-  }
-  @top-right {
-    content: normal;
-    border: none;
-  }
-}
-
-@page {
-  size: A4;
-  margin-bottom: 45mm;
-  padding-top: 20px;
-}
-
-/* Changes introduced to fix issues found during implementation */
-
-/* Separate body from document info even without intervening H1 */
-section {
-  clear: both;
-}
-
-/* Top align author divs, to avoid names without organization dropping level with org names */
-.author {
-  vertical-align: top;
-}
-
-/* Style section numbers with more space between number and title */
-.section-number {
-  padding-right: 0.5em;
-}
-
-/* Add styling for a link in the ToC that points to the top of the document */
-a.toplink {
-  float: right;
-  margin: 8px 0.5em 0;
-}
-
-/* Provide styling for table cell text alignment */
-table .text-left {
-  text-align: left;
-}
-table .text-center {
-  text-align: center;
-}
-table .text-right {
-  text-align: right;
-}
-
-/* Make the alternative author contact information look less like just another
-   author, and group it closer with the primary author contact information */
-.alternative-contact {
-  margin: 0.5em 0 0.25em 0;
-}
-address .non-ascii {
-  margin: 0 0 0 2em;
-}
-
-/* With it being possible to set tables with alignment
-  left, center, and right, { width: 100%; } does not make sense */
-table {
-  width: auto;
-}
-
-/* Avoid reference text that sits in a block with very wide left margin,
-   because of a long floating dt label.*/
-.references dd {
-  overflow: visible;
-}
-
-/* Control caption placement */
-caption {
-  caption-side: bottom;
-}
-
-/* Limit the width of the author address vcard, so names in right-to-left
-   script don't end up on the other side of the page. */
-
-address.vcard {
-  max-width: 20em;
-  margin-right: auto;
-}
-
-/* For address alignment dependent on LTR or RTL scripts */
-address div.left {
-  text-align: left;
-}
-address div.right {
-  text-align: right;
-}
-
-/* Dark mode. */
-@media (prefers-color-scheme: dark) {
-:root {
-  --background-color: #121212;
-  --text-color: #f0f0f0;
-  --title-color: #fff;
-  --link-color: #4da4f0;
-  --highlight-color: #282828;
-  --line-color: #444;
-  --pilcrow-weak: #444;
-  --pilcrow-strong: #666;
-  scrollbar-color: #777 #333;
-}
-}
-
-/* SVG Trick: a prefix match works because only black and white are allowed */
-svg :is([stroke="black"], [stroke^="#000"]) {
-  stroke: var(--text-color);
-}
-svg :is([stroke="white"], [stroke^="#fff"]) {
-  stroke: var(--background-color);
-}
-svg :is([fill="black"], [fill^="#000"], :not([fill])) {
-  fill: var(--text-color);
-}
-svg :is([fill="white"], [fill^="#fff"]) {
-  fill: var(--background-color);
-}
-</style>
-
-</head>
-<body class="xml2rfc">
-<table class="ears">
-<thead><tr>
-<td class="left">Internet-Draft</td>
-<td class="center">Privacy Pass Architecture</td>
-<td class="right">October 2023</td>
-</tr></thead>
-<tfoot><tr>
-<td class="left">Davidson, et al.</td>
-<td class="center">Expires 15 April 2024</td>
-<td class="right">[Page]</td>
-</tr></tfoot>
-</table>
-<div id="external-metadata" class="document-information"></div>
-<div id="internal-metadata" class="document-information">
-<dl id="identifiers">
-<dt class="label-workgroup">Workgroup:</dt>
-<dd class="workgroup">Network Working Group</dd>
-<dt class="label-internet-draft">Internet-Draft:</dt>
-<dd class="internet-draft">draft-ietf-privacypass-architecture-latest</dd>
-<dt class="label-published">Published:</dt>
-<dd class="published">
-<time datetime="2023-10-13" class="published">13 October 2023</time>
-    </dd>
-<dt class="label-intended-status">Intended Status:</dt>
-<dd class="intended-status">Informational</dd>
-<dt class="label-expires">Expires:</dt>
-<dd class="expires"><time datetime="2024-04-15">15 April 2024</time></dd>
-<dt class="label-authors">Authors:</dt>
-<dd class="authors">
-<div class="author">
-      <div class="author-name">A. Davidson</div>
-<div class="org">LIP</div>
-</div>
-<div class="author">
-      <div class="author-name">J. Iyengar</div>
-<div class="org">Fastly</div>
-</div>
-<div class="author">
-      <div class="author-name">C. A. Wood</div>
-<div class="org">Cloudflare</div>
-</div>
-</dd>
-</dl>
-</div>
-<h1 id="title">The Privacy Pass Architecture</h1>
-<section id="section-abstract">
-      <h2 id="abstract"><a href="#abstract" class="selfRef">Abstract</a></h2>
-<p id="section-abstract-1">This document specifies the Privacy Pass architecture and requirements for
-its constituent protocols used for authorization based on privacy-preserving
-authentication mechanisms. It describes the conceptual model of Privacy Pass
-and its protocols, its security and privacy goals, practical deployment models,
-and recommendations for each deployment model that helps ensure the desired
-security and privacy goals are fulfilled.<a href="#section-abstract-1" class="pilcrow">¶</a></p>
-</section>
-<div id="status-of-memo">
-<section id="section-boilerplate.1">
-        <h2 id="name-status-of-this-memo">
-<a href="#name-status-of-this-memo" class="section-name selfRef">Status of This Memo</a>
-        </h2>
-<p id="section-boilerplate.1-1">
-        This Internet-Draft is submitted in full conformance with the
-        provisions of BCP 78 and BCP 79.<a href="#section-boilerplate.1-1" class="pilcrow">¶</a></p>
-<p id="section-boilerplate.1-2">
-        Internet-Drafts are working documents of the Internet Engineering Task
-        Force (IETF). Note that other groups may also distribute working
-        documents as Internet-Drafts. The list of current Internet-Drafts is
-        at <span><a href="https://datatracker.ietf.org/drafts/current/">https://datatracker.ietf.org/drafts/current/</a></span>.<a href="#section-boilerplate.1-2" class="pilcrow">¶</a></p>
-<p id="section-boilerplate.1-3">
-        Internet-Drafts are draft documents valid for a maximum of six months
-        and may be updated, replaced, or obsoleted by other documents at any
-        time. It is inappropriate to use Internet-Drafts as reference
-        material or to cite them other than as "work in progress."<a href="#section-boilerplate.1-3" class="pilcrow">¶</a></p>
-<p id="section-boilerplate.1-4">
-        This Internet-Draft will expire on 15 April 2024.<a href="#section-boilerplate.1-4" class="pilcrow">¶</a></p>
-</section>
-</div>
-<div id="copyright">
-<section id="section-boilerplate.2">
-        <h2 id="name-copyright-notice">
-<a href="#name-copyright-notice" class="section-name selfRef">Copyright Notice</a>
-        </h2>
-<p id="section-boilerplate.2-1">
-            Copyright (c) 2023 IETF Trust and the persons identified as the
-            document authors. All rights reserved.<a href="#section-boilerplate.2-1" class="pilcrow">¶</a></p>
-<p id="section-boilerplate.2-2">
-            This document is subject to BCP 78 and the IETF Trust's Legal
-            Provisions Relating to IETF Documents
-            (<span><a href="https://trustee.ietf.org/license-info">https://trustee.ietf.org/license-info</a></span>) in effect on the date of
-            publication of this document. Please review these documents
-            carefully, as they describe your rights and restrictions with
-            respect to this document. Code Components extracted from this
-            document must include Revised BSD License text as described in
-            Section 4.e of the Trust Legal Provisions and are provided without
-            warranty as described in the Revised BSD License.<a href="#section-boilerplate.2-2" class="pilcrow">¶</a></p>
-</section>
-</div>
-<div id="toc">
-<section id="section-toc.1">
-        <a href="#" onclick="scroll(0,0)" class="toplink">▲</a><h2 id="name-table-of-contents">
-<a href="#name-table-of-contents" class="section-name selfRef">Table of Contents</a>
-        </h2>
-<nav class="toc"><ul class="compact toc ulBare ulEmpty">
-<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.1">
-            <p id="section-toc.1-1.1.1" class="keepWithNext"><a href="#section-1" class="auto internal xref">1</a>.  <a href="#name-introduction" class="internal xref">Introduction</a></p>
-</li>
-          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.2">
-            <p id="section-toc.1-1.2.1" class="keepWithNext"><a href="#section-2" class="auto internal xref">2</a>.  <a href="#name-terminology" class="internal xref">Terminology</a></p>
-</li>
-          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.3">
-            <p id="section-toc.1-1.3.1"><a href="#section-3" class="auto internal xref">3</a>.  <a href="#name-architecture" class="internal xref">Architecture</a></p>
-<ul class="compact toc ulBare ulEmpty">
-<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.3.2.1">
-                <p id="section-toc.1-1.3.2.1.1" class="keepWithNext"><a href="#section-3.1" class="auto internal xref">3.1</a>.  <a href="#name-overview" class="internal xref">Overview</a></p>
-</li>
-              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.3.2.2">
-                <p id="section-toc.1-1.3.2.2.1"><a href="#section-3.2" class="auto internal xref">3.2</a>.  <a href="#name-use-cases" class="internal xref">Use Cases</a></p>
-</li>
-              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.3.2.3">
-                <p id="section-toc.1-1.3.2.3.1"><a href="#section-3.3" class="auto internal xref">3.3</a>.  <a href="#name-privacy-goals-and-threat-mo" class="internal xref">Privacy Goals and Threat Model</a></p>
-</li>
-              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.3.2.4">
-                <p id="section-toc.1-1.3.2.4.1"><a href="#section-3.4" class="auto internal xref">3.4</a>.  <a href="#name-redemption-protocol" class="internal xref">Redemption Protocol</a></p>
-</li>
-              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.3.2.5">
-                <p id="section-toc.1-1.3.2.5.1"><a href="#section-3.5" class="auto internal xref">3.5</a>.  <a href="#name-issuance-protocol" class="internal xref">Issuance Protocol</a></p>
-<ul class="compact toc ulBare ulEmpty">
-<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.3.2.5.2.1">
-                    <p id="section-toc.1-1.3.2.5.2.1.1"><a href="#section-3.5.1" class="auto internal xref">3.5.1</a>.  <a href="#name-attester-role" class="internal xref">Attester Role</a></p>
-</li>
-                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.3.2.5.2.2">
-                    <p id="section-toc.1-1.3.2.5.2.2.1"><a href="#section-3.5.2" class="auto internal xref">3.5.2</a>.  <a href="#name-issuer-role" class="internal xref">Issuer Role</a></p>
-</li>
-                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.3.2.5.2.3">
-                    <p id="section-toc.1-1.3.2.5.2.3.1"><a href="#section-3.5.3" class="auto internal xref">3.5.3</a>.  <a href="#name-issuance-metadata" class="internal xref">Issuance Metadata</a></p>
-</li>
-                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.3.2.5.2.4">
-                    <p id="section-toc.1-1.3.2.5.2.4.1"><a href="#section-3.5.4" class="auto internal xref">3.5.4</a>.  <a href="#name-future-issuance-protocol-re" class="internal xref">Future Issuance Protocol Requirements</a></p>
-</li>
-                </ul>
-</li>
-              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.3.2.6">
-                <p id="section-toc.1-1.3.2.6.1"><a href="#section-3.6" class="auto internal xref">3.6</a>.  <a href="#name-information-flow" class="internal xref">Information Flow</a></p>
-<ul class="compact toc ulBare ulEmpty">
-<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.3.2.6.2.1">
-                    <p id="section-toc.1-1.3.2.6.2.1.1"><a href="#section-3.6.1" class="auto internal xref">3.6.1</a>.  <a href="#name-token-challenge-flow" class="internal xref">Token Challenge Flow</a></p>
-</li>
-                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.3.2.6.2.2">
-                    <p id="section-toc.1-1.3.2.6.2.2.1"><a href="#section-3.6.2" class="auto internal xref">3.6.2</a>.  <a href="#name-attestation-flow" class="internal xref">Attestation Flow</a></p>
-</li>
-                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.3.2.6.2.3">
-                    <p id="section-toc.1-1.3.2.6.2.3.1"><a href="#section-3.6.3" class="auto internal xref">3.6.3</a>.  <a href="#name-issuance-flow" class="internal xref">Issuance Flow</a></p>
-</li>
-                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.3.2.6.2.4">
-                    <p id="section-toc.1-1.3.2.6.2.4.1"><a href="#section-3.6.4" class="auto internal xref">3.6.4</a>.  <a href="#name-token-redemption-flow" class="internal xref">Token Redemption Flow</a></p>
-</li>
-                </ul>
-</li>
-            </ul>
-</li>
-          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.4">
-            <p id="section-toc.1-1.4.1"><a href="#section-4" class="auto internal xref">4</a>.  <a href="#name-deployment-models" class="internal xref">Deployment Models</a></p>
-<ul class="compact toc ulBare ulEmpty">
-<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.4.2.1">
-                <p id="section-toc.1-1.4.2.1.1"><a href="#section-4.1" class="auto internal xref">4.1</a>.  <a href="#name-shared-origin-attester-issu" class="internal xref">Shared Origin, Attester, Issuer</a></p>
-</li>
-              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.4.2.2">
-                <p id="section-toc.1-1.4.2.2.1"><a href="#section-4.2" class="auto internal xref">4.2</a>.  <a href="#name-joint-attester-and-issuer" class="internal xref">Joint Attester and Issuer</a></p>
-</li>
-              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.4.2.3">
-                <p id="section-toc.1-1.4.2.3.1"><a href="#section-4.3" class="auto internal xref">4.3</a>.  <a href="#name-joint-origin-and-issuer" class="internal xref">Joint Origin and Issuer</a></p>
-</li>
-              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.4.2.4">
-                <p id="section-toc.1-1.4.2.4.1"><a href="#section-4.4" class="auto internal xref">4.4</a>.  <a href="#name-split-origin-attester-issue" class="internal xref">Split Origin, Attester, Issuer</a></p>
-</li>
-            </ul>
-</li>
-          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.5">
-            <p id="section-toc.1-1.5.1"><a href="#section-5" class="auto internal xref">5</a>.  <a href="#name-deployment-considerations" class="internal xref">Deployment Considerations</a></p>
-<ul class="compact toc ulBare ulEmpty">
-<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.5.2.1">
-                <p id="section-toc.1-1.5.2.1.1"><a href="#section-5.1" class="auto internal xref">5.1</a>.  <a href="#name-discriminatory-treatment" class="internal xref">Discriminatory Treatment</a></p>
-</li>
-              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.5.2.2">
-                <p id="section-toc.1-1.5.2.2.1"><a href="#section-5.2" class="auto internal xref">5.2</a>.  <a href="#name-centralization" class="internal xref">Centralization</a></p>
-</li>
-            </ul>
-</li>
-          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6">
-            <p id="section-toc.1-1.6.1"><a href="#section-6" class="auto internal xref">6</a>.  <a href="#name-privacy-considerations" class="internal xref">Privacy Considerations</a></p>
-<ul class="compact toc ulBare ulEmpty">
-<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6.2.1">
-                <p id="section-toc.1-1.6.2.1.1"><a href="#section-6.1" class="auto internal xref">6.1</a>.  <a href="#name-partitioning-by-issuance-me" class="internal xref">Partitioning by Issuance Metadata</a></p>
-</li>
-              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6.2.2">
-                <p id="section-toc.1-1.6.2.2.1"><a href="#section-6.2" class="auto internal xref">6.2</a>.  <a href="#name-partitioning-by-issuance-co" class="internal xref">Partitioning by Issuance Consistency</a></p>
-</li>
-              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6.2.3">
-                <p id="section-toc.1-1.6.2.3.1"><a href="#section-6.3" class="auto internal xref">6.3</a>.  <a href="#name-partitioning-by-side-channe" class="internal xref">Partitioning by Side-Channels</a></p>
-</li>
-            </ul>
-</li>
-          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.7">
-            <p id="section-toc.1-1.7.1"><a href="#section-7" class="auto internal xref">7</a>.  <a href="#name-security-considerations" class="internal xref">Security Considerations</a></p>
-<ul class="compact toc ulBare ulEmpty">
-<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.7.2.1">
-                <p id="section-toc.1-1.7.2.1.1"><a href="#section-7.1" class="auto internal xref">7.1</a>.  <a href="#name-token-caching" class="internal xref">Token Caching</a></p>
-</li>
-            </ul>
-</li>
-          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.8">
-            <p id="section-toc.1-1.8.1"><a href="#section-8" class="auto internal xref">8</a>.  <a href="#name-iana-considerations" class="internal xref">IANA Considerations</a></p>
-</li>
-          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.9">
-            <p id="section-toc.1-1.9.1"><a href="#section-9" class="auto internal xref">9</a>.  <a href="#name-references" class="internal xref">References</a></p>
-<ul class="compact toc ulBare ulEmpty">
-<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.9.2.1">
-                <p id="section-toc.1-1.9.2.1.1"><a href="#section-9.1" class="auto internal xref">9.1</a>.  <a href="#name-normative-references" class="internal xref">Normative References</a></p>
-</li>
-              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.9.2.2">
-                <p id="section-toc.1-1.9.2.2.1"><a href="#section-9.2" class="auto internal xref">9.2</a>.  <a href="#name-informative-references" class="internal xref">Informative References</a></p>
-</li>
-            </ul>
-</li>
-          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.10">
-            <p id="section-toc.1-1.10.1"><a href="#appendix-A" class="auto internal xref">Appendix A</a>.  <a href="#name-acknowledgements" class="internal xref">Acknowledgements</a></p>
-</li>
-          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.11">
-            <p id="section-toc.1-1.11.1"><a href="#appendix-B" class="auto internal xref"></a><a href="#name-authors-addresses" class="internal xref">Authors' Addresses</a></p>
-</li>
-        </ul>
-</nav>
-</section>
-</div>
-<div id="introduction">
-<section id="section-1">
-      <h2 id="name-introduction">
-<a href="#section-1" class="section-number selfRef">1. </a><a href="#name-introduction" class="section-name selfRef">Introduction</a>
-      </h2>
-<p id="section-1-1">Privacy Pass is an architecture for authorization based on privacy-preserving
-authentication mechanisms. In other words, relying parties authenticate clients
-in a privacy-preserving way, i.e., without learning any unique, per-client
-information through the authentication protocol, and then make authorization
-decisions on the basis of that authentication succeeding or failing. Possible
-authorization decisions might be to provide clients with read access to a
-particular resource or write access to a particular resource.<a href="#section-1-1" class="pilcrow">¶</a></p>
-<p id="section-1-2">Typical approaches for authorizing clients, such as through the use of long-term
-state (cookies), are not privacy-friendly since they allow servers to track
-clients across sessions and interactions. Privacy Pass takes a different
-approach: instead of presenting linkable state-carrying information to servers,
-e.g., a cookie indicating whether or not the client is an authorized user or
-has completed some prior challenge, clients present unlinkable proofs that
-attest to this information. These proofs, or tokens, are private in the sense
-that a given token cannot be linked to the protocol interaction where that
-token was initially issued.<a href="#section-1-2" class="pilcrow">¶</a></p>
-<p id="section-1-3">At a high level, the Privacy Pass architecture consists of two protocols:
-redemption and issuance. The redemption protocol, described in
-<span>[<a href="#AUTHSCHEME" class="cite xref">AUTHSCHEME</a>]</span>, runs between Clients and
-Origins (servers). It allows Origins to challenge Clients to present tokens
-for consumption. Origins verify the token to authenticate the Client -- without
-learning any specific information about the Client -- and then make an authorization
-decision on the basis of the token verifying successfully or not. Depending
-on the type of token, e.g., whether or not it can be cached, the Client
-either presents a previously obtained token or invokes an issuance protocol,
-such as <span>[<a href="#ISSUANCE" class="cite xref">ISSUANCE</a>]</span>, to acquire a token to
-present as authorization.<a href="#section-1-3" class="pilcrow">¶</a></p>
-<p id="section-1-4">This document describes requirements for both redemption and issuance
-protocols and how they interact. It also provides recommendations on how
-the architecture should be deployed to ensure the privacy of clients and
-the security of all participating entities.<a href="#section-1-4" class="pilcrow">¶</a></p>
-</section>
-</div>
-<div id="terminology">
-<section id="section-2">
-      <h2 id="name-terminology">
-<a href="#section-2" class="section-number selfRef">2. </a><a href="#name-terminology" class="section-name selfRef">Terminology</a>
-      </h2>
-<p id="section-2-1">The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
-NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED",
-"MAY", and "OPTIONAL" in this document are to be interpreted as
-described in BCP 14 <span>[<a href="#RFC2119" class="cite xref">RFC2119</a>]</span> <span>[<a href="#RFC8174" class="cite xref">RFC8174</a>]</span> when, and only when, they
-appear in all capitals, as shown here.<a href="#section-2-1" class="pilcrow">¶</a></p>
-<p id="section-2-2">The following terms are used throughout this document:<a href="#section-2-2" class="pilcrow">¶</a></p>
-<span class="break"></span><dl class="dlParallel" id="section-2-3">
-        <dt id="section-2-3.1">Client:</dt>
-        <dd style="margin-left: 1.5em" id="section-2-3.2">
-          <p id="section-2-3.2.1">An entity that seeks authorization to an Origin. Using <span>[<a href="#RFC9334" class="cite xref">RFC9334</a>]</span> terminology,
-Clients implement the RATS Attester role.<a href="#section-2-3.2.1" class="pilcrow">¶</a></p>
-</dd>
-        <dd class="break"></dd>
-<dt id="section-2-3.3">Token:</dt>
-        <dd style="margin-left: 1.5em" id="section-2-3.4">
-          <p id="section-2-3.4.1">A cryptographic authentication message used for authorization decisions,
-produced as output from an issuance mechanism or protocol.<a href="#section-2-3.4.1" class="pilcrow">¶</a></p>
-</dd>
-        <dd class="break"></dd>
-<dt id="section-2-3.5">Origin:</dt>
-        <dd style="margin-left: 1.5em" id="section-2-3.6">
-          <p id="section-2-3.6.1">An entity that consumes tokens presented by Clients and uses them to make authorization decisions.<a href="#section-2-3.6.1" class="pilcrow">¶</a></p>
-</dd>
-        <dd class="break"></dd>
-<dt id="section-2-3.7">Token challenge:</dt>
-        <dd style="margin-left: 1.5em" id="section-2-3.8">
-          <p id="section-2-3.8.1">The mechanism by which Origins request tokens from Clients, often denoted TokenChallenge.<a href="#section-2-3.8.1" class="pilcrow">¶</a></p>
-</dd>
-        <dd class="break"></dd>
-<dt id="section-2-3.9">Token request:</dt>
-        <dd style="margin-left: 1.5em" id="section-2-3.10">
-          <p id="section-2-3.10.1">A message used by Clients to request a token from an Issuer, often denoted TokenRequest.<a href="#section-2-3.10.1" class="pilcrow">¶</a></p>
-</dd>
-        <dd class="break"></dd>
-<dt id="section-2-3.11">Token response:</dt>
-        <dd style="margin-left: 1.5em" id="section-2-3.12">
-          <p id="section-2-3.12.1">A message used by Issuers to send tokens to a Client, often denoted TokenResponse.<a href="#section-2-3.12.1" class="pilcrow">¶</a></p>
-</dd>
-        <dd class="break"></dd>
-<dt id="section-2-3.13">Redemption:</dt>
-        <dd style="margin-left: 1.5em" id="section-2-3.14">
-          <p id="section-2-3.14.1">The mechanism by which Clients present tokens to Origins for the
-purposes of authorization.<a href="#section-2-3.14.1" class="pilcrow">¶</a></p>
-</dd>
-        <dd class="break"></dd>
-<dt id="section-2-3.15">Issuer:</dt>
-        <dd style="margin-left: 1.5em" id="section-2-3.16">
-          <p id="section-2-3.16.1">An entity that issues tokens to Clients for properties
-attested to by the Attester.<a href="#section-2-3.16.1" class="pilcrow">¶</a></p>
-</dd>
-        <dd class="break"></dd>
-<dt id="section-2-3.17">Issuance:</dt>
-        <dd style="margin-left: 1.5em" id="section-2-3.18">
-          <p id="section-2-3.18.1">The mechanism by which an Issuer produces tokens for Clients.<a href="#section-2-3.18.1" class="pilcrow">¶</a></p>
-</dd>
-        <dd class="break"></dd>
-<dt id="section-2-3.19">Attester:</dt>
-        <dd style="margin-left: 1.5em" id="section-2-3.20">
-          <p id="section-2-3.20.1">An entity that attests to properties of Clients for the
-purposes of token issuance. Using <span>[<a href="#RFC9334" class="cite xref">RFC9334</a>]</span> terminology, Attesters implement
-the RATS Verifier role.<a href="#section-2-3.20.1" class="pilcrow">¶</a></p>
-</dd>
-        <dd class="break"></dd>
-<dt id="section-2-3.21">Attestation procedure:</dt>
-        <dd style="margin-left: 1.5em" id="section-2-3.22">
-          <p id="section-2-3.22.1">The procedure by which an Attester determines whether or not a Client
-has the specific set of properties that are necessary for token issuance.<a href="#section-2-3.22.1" class="pilcrow">¶</a></p>
-</dd>
-      <dd class="break"></dd>
-</dl>
-<p id="section-2-4">The trust relationships between each of the entities in this list is further
-elaborated upon in <a href="#privacy-and-trust" class="auto internal xref">Section 3.3</a>.<a href="#section-2-4" class="pilcrow">¶</a></p>
-</section>
-</div>
-<div id="architecture">
-<section id="section-3">
-      <h2 id="name-architecture">
-<a href="#section-3" class="section-number selfRef">3. </a><a href="#name-architecture" class="section-name selfRef">Architecture</a>
-      </h2>
-<p id="section-3-1">The Privacy Pass architecture consists of four logical entities --
-Client, Origin, Issuer, and Attester -- that work in concert
-for token redemption and issuance. This section presents an overview
-of Privacy Pass, a high-level description of the threat model and
-privacy goals of the architecture, and the goals and requirements of
-the redemption and issuance protocols. Deployment variations for the
-Origin, Issuer, and Attester in this architecture, including
-considerations for implementing these entities, are further discussed
-in <a href="#deployment" class="auto internal xref">Section 4</a>.<a href="#section-3-1" class="pilcrow">¶</a></p>
-<div id="overview">
-<section id="section-3.1">
-        <h3 id="name-overview">
-<a href="#section-3.1" class="section-number selfRef">3.1. </a><a href="#name-overview" class="section-name selfRef">Overview</a>
-        </h3>
-<p id="section-3.1-1">This section describes the typical interaction flow for Privacy Pass.<a href="#section-3.1-1" class="pilcrow">¶</a></p>
-<ol start="1" type="1" class="normal type-1" id="section-3.1-2">
-<li id="section-3.1-2.1">
-            <p id="section-3.1-2.1.1">A Client interacts with an Origin by sending a request or otherwise
-interacting with the Origin in a way that triggers a response containing
-a token challenge. The token challenge indicates a specific Issuer to use.<a href="#section-3.1-2.1.1" class="pilcrow">¶</a></p>
-</li>
-          <li id="section-3.1-2.2">
-            <p id="section-3.1-2.2.1">If the Client already has a token available that satisfies the token
-challenge, e.g., because the Client has a cache of previously issued tokens,
-it can skip to <a href="#step-redemption" class="internal xref">step 6</a> and redeem its
-token; see <a href="#hoarding" class="auto internal xref">Section 7.1</a> for security considerations of cached tokens.<a href="#section-3.1-2.2.1" class="pilcrow">¶</a></p>
-</li>
-          <li id="section-3.1-2.3">
-            <p id="section-3.1-2.3.1">If the Client does not have a token available and decides it wants to
-obtain one (or more) bound to the token challenge, it then invokes the
-issuance protocol. As a prerequisite to the issuance protocol, the Client
-runs the deployment-specific attestation process that is required for the
-designated Issuer. Client attestation can be done via proof of solving a
-CAPTCHA, checking device or hardware attestation validity, etc.; see
-<a href="#attester" class="auto internal xref">Section 3.5.1</a> for more details.<a href="#section-3.1-2.3.1" class="pilcrow">¶</a></p>
-</li>
-          <li id="section-3.1-2.4">
-            <p id="section-3.1-2.4.1">If the attestation process completes successfully, the client creates a
-token request to send to the designated Issuer (generally via the Attester,
-though it is not required to be sent through the Attester).
-The Attester and Issuer might be functions on the same server, depending on the
-deployment model (see <a href="#deployment" class="auto internal xref">Section 4</a>). Depending on the attestation process, it
-is possible for attestation to run alongside the issuance protocol, e.g., where
-Clients send necessary attestation information to the Attester along with their
-token request. If the attestation process fails, the Client receives an error
-and issuance aborts without a token.<a href="#section-3.1-2.4.1" class="pilcrow">¶</a></p>
-</li>
-          <li id="section-3.1-2.5">
-            <p id="section-3.1-2.5.1">The Issuer generates a token response based on the token request, which
-is returned to the Client (generally via the Attester). Upon receiving the
-token response, the Client computes a token from the token challenge and token
-response. This token can be validated by anyone with the per-Issuer key, but
-cannot be linked to the content of the token request or token response.<a href="#section-3.1-2.5.1" class="pilcrow">¶</a></p>
-</li>
-          <li id="section-3.1-2.6">
-            <div id="step-redemption">
-<p id="section-3.1-2.6.1">If the Client has a token, it includes it in a subsequent request to
-the Origin, as authorization. This token is sent only once in reaction to a
-challenge; Clients do not send tokens more than once, even if they receive
-duplicate or redundant challenges. The Origin
-validates that the token was generated by the expected Issuer and has not
-already been redeemed for the corresponding token challenge.  If the Client
-does not have a token, perhaps because issuance failed, the client does not
-reply to the Origin's challenge with a new request.<a href="#section-3.1-2.6.1" class="pilcrow">¶</a></p>
-</div>
-</li>
-        </ol>
-<span id="name-privacy-pass-redemption-and"></span><div id="fig-overview">
-<figure id="figure-1">
-          <div id="section-3.1-3.1">
-            <div class="alignLeft art-svg artwork" id="section-3.1-3.1.1">
-<svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="224" width="520" viewBox="0 0 520 224" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
-                <path d="M 8,32 L 8,64" fill="none" stroke="black"></path>
-                <path d="M 40,64 L 40,208" fill="none" stroke="black"></path>
-                <path d="M 80,32 L 80,64" fill="none" stroke="black"></path>
-                <path d="M 184,32 L 184,64" fill="none" stroke="black"></path>
-                <path d="M 216,64 L 216,208" fill="none" stroke="black"></path>
-                <path d="M 256,32 L 256,64" fill="none" stroke="black"></path>
-                <path d="M 336,32 L 336,64" fill="none" stroke="black"></path>
-                <path d="M 376,64 L 376,144" fill="none" stroke="black"></path>
-                <path d="M 376,192 L 376,208" fill="none" stroke="black"></path>
-                <path d="M 424,32 L 424,64" fill="none" stroke="black"></path>
-                <path d="M 440,32 L 440,64" fill="none" stroke="black"></path>
-                <path d="M 472,64 L 472,208" fill="none" stroke="black"></path>
-                <path d="M 512,32 L 512,64" fill="none" stroke="black"></path>
-                <path d="M 8,32 L 80,32" fill="none" stroke="black"></path>
-                <path d="M 184,32 L 256,32" fill="none" stroke="black"></path>
-                <path d="M 336,32 L 424,32" fill="none" stroke="black"></path>
-                <path d="M 440,32 L 512,32" fill="none" stroke="black"></path>
-                <path d="M 8,64 L 80,64" fill="none" stroke="black"></path>
-                <path d="M 184,64 L 256,64" fill="none" stroke="black"></path>
-                <path d="M 336,64 L 424,64" fill="none" stroke="black"></path>
-                <path d="M 440,64 L 512,64" fill="none" stroke="black"></path>
-                <path d="M 48,96 L 88,96" fill="none" stroke="black"></path>
-                <path d="M 168,96 L 216,96" fill="none" stroke="black"></path>
-                <path d="M 40,112 L 56,112" fill="none" stroke="black"></path>
-                <path d="M 192,112 L 208,112" fill="none" stroke="black"></path>
-                <path d="M 224,126 L 240,126" fill="none" stroke="black"></path>
-                <path d="M 224,130 L 240,130" fill="none" stroke="black"></path>
-                <path d="M 352,126 L 368,126" fill="none" stroke="black"></path>
-                <path d="M 352,130 L 368,130" fill="none" stroke="black"></path>
-                <path d="M 216,160 L 288,160" fill="none" stroke="black"></path>
-                <path d="M 408,160 L 464,160" fill="none" stroke="black"></path>
-                <path d="M 224,176 L 288,176" fill="none" stroke="black"></path>
-                <path d="M 416,176 L 472,176" fill="none" stroke="black"></path>
-                <path d="M 48,192 L 64,192" fill="none" stroke="black"></path>
-                <path d="M 192,192 L 216,192" fill="none" stroke="black"></path>
-                <polygon class="arrowhead" points="472,160 460,154.4 460,165.6" fill="black" transform="rotate(0,464,160)"></polygon>
-                <polygon class="arrowhead" points="376,128 364,122.4 364,133.6" fill="black" transform="rotate(0,368,128)"></polygon>
-                <polygon class="arrowhead" points="232,176 220,170.4 220,181.6" fill="black" transform="rotate(180,224,176)"></polygon>
-                <polygon class="arrowhead" points="232,128 220,122.4 220,133.6" fill="black" transform="rotate(180,224,128)"></polygon>
-                <polygon class="arrowhead" points="216,112 204,106.4 204,117.6" fill="black" transform="rotate(0,208,112)"></polygon>
-                <polygon class="arrowhead" points="56,192 44,186.4 44,197.6" fill="black" transform="rotate(180,48,192)"></polygon>
-                <polygon class="arrowhead" points="56,96 44,90.4 44,101.6" fill="black" transform="rotate(180,48,96)"></polygon>
-                <g class="text">
-                  <text x="44" y="52">Origin</text>
-                  <text x="220" y="52">Client</text>
-                  <text x="380" y="52">Attester</text>
-                  <text x="476" y="52">Issuer</text>
-                  <text x="128" y="100">Request</text>
-                  <text x="124" y="116">TokenChallenge</text>
-                  <text x="296" y="132">Attestation</text>
-                  <text x="348" y="164">TokenRequest</text>
-                  <text x="352" y="180">TokenResponse</text>
-                  <text x="128" y="196">Request+Token</text>
-                </g>
-              </svg><a href="#section-3.1-3.1.1" class="pilcrow">¶</a>
-</div>
-</div>
-<figcaption><a href="#figure-1" class="selfRef">Figure 1</a>:
-<a href="#name-privacy-pass-redemption-and" class="selfRef">Privacy pass redemption and issuance protocol interaction</a>
-          </figcaption></figure>
-</div>
-</section>
-</div>
-<div id="use-cases">
-<section id="section-3.2">
-        <h3 id="name-use-cases">
-<a href="#section-3.2" class="section-number selfRef">3.2. </a><a href="#name-use-cases" class="section-name selfRef">Use Cases</a>
-        </h3>
-<p id="section-3.2-1">Use cases for Privacy Pass are broad and depend greatly on the deployment model
-as discussed in <a href="#deployment" class="auto internal xref">Section 4</a>. The initial motivating use case for Privacy Pass
-<span>[<a href="#PrivacyPassCloudflare" class="cite xref">PrivacyPassCloudflare</a>]</span> was to help rate-limit malicious or otherwise abusive
-traffic from services such as Tor <span>[<a href="#DMS2004" class="cite xref">DMS2004</a>]</span>. The generalized and evolved
-architecture described in this document also work for this use case. However,
-for added clarity, some more possible use cases are described below.<a href="#section-3.2-1" class="pilcrow">¶</a></p>
-<ul class="normal">
-<li class="normal" id="section-3.2-2.1">
-            <p id="section-3.2-2.1.1">Low-quality, anti-fraud signal for open Internet services. Tokens can attest that
-the Client behind the user agent is likely not a bot attempting to perform some
-form of automated attack such as credential stuffing. Example attestation procedures
-for this use case might be solving some form of CAPTCHA or presenting evidence of a
-valid, unlocked device in good standing.<a href="#section-3.2-2.1.1" class="pilcrow">¶</a></p>
-</li>
-          <li class="normal" id="section-3.2-2.2">
-            <p id="section-3.2-2.2.1">Privacy-preserving authentication for proprietary services. Tokens can attest that
-the Client is a valid subscriber for a proprietary service, such as a deployment of
-Oblivious HTTP <span>[<a href="#OHTTP" class="cite xref">OHTTP</a>]</span>.<a href="#section-3.2-2.2.1" class="pilcrow">¶</a></p>
-</li>
-        </ul>
-</section>
-</div>
-<div id="privacy-and-trust">
-<section id="section-3.3">
-        <h3 id="name-privacy-goals-and-threat-mo">
-<a href="#section-3.3" class="section-number selfRef">3.3. </a><a href="#name-privacy-goals-and-threat-mo" class="section-name selfRef">Privacy Goals and Threat Model</a>
-        </h3>
-<p id="section-3.3-1">The end-to-end flow for Privacy Pass described in <a href="#overview" class="auto internal xref">Section 3.1</a> involves three
-different types of contexts:<a href="#section-3.3-1" class="pilcrow">¶</a></p>
-<span class="break"></span><dl class="dlParallel" id="section-3.3-2">
-          <dt id="section-3.3-2.1">Redemption context:</dt>
-          <dd style="margin-left: 1.5em" id="section-3.3-2.2">
-            <p id="section-3.3-2.2.1">The interactions and set of information shared
-between the Client and Origin, i.e., the information that is provided or
-otherwise available to the Origin during redemption that might be used
-to identify a Client and construct a token challenge. This context includes all
-information associated with redemption, such as the timestamp of the event,
-Client-visible information (including the IP address), and the Origin name.<a href="#section-3.3-2.2.1" class="pilcrow">¶</a></p>
-</dd>
-          <dd class="break"></dd>
-<dt id="section-3.3-2.3">Issuance context:</dt>
-          <dd style="margin-left: 1.5em" id="section-3.3-2.4">
-            <p id="section-3.3-2.4.1">The interactions and set of information shared between the Client, Attester,
-and Issuer, i.e., the information that is provided or otherwise available
-to Attester and Issuer during issuance that might be used to identify a Client.
-This context includes all information associated with issuance, such as the
-timestamp of the event, any Client-visible information (including the IP
-address), and the Origin name (if revealed during issuance). This does not
-include the token challenge in its entirety, as that is kept secret from the
-Issuer during the issuance protocol.<a href="#section-3.3-2.4.1" class="pilcrow">¶</a></p>
-</dd>
-          <dd class="break"></dd>
-<dt id="section-3.3-2.5">Attestation context:</dt>
-          <dd style="margin-left: 1.5em" id="section-3.3-2.6">
-            <p id="section-3.3-2.6.1">The interactions and set of information shared between
-the Client and Attester only, for the purposes of attesting the validity of
-the Client, that is provided or otherwise available during attestation that
-might be used to identify the Client. This context includes all information
-associated with attestation, such as the timestamp of the event and any
-Client-visible information, including information needed for the attestation
-procedure to complete.<a href="#section-3.3-2.6.1" class="pilcrow">¶</a></p>
-</dd>
-        <dd class="break"></dd>
-</dl>
-<p id="section-3.3-3">The privacy goals of Privacy Pass assume a threat model in which Origins trust
-specific Issuers to produce tokens, and Issuers in turn trust one or more
-Attesters to correctly run the attestation procedure with Clients. This
-arrangement ensures that tokens which validate for a given Issuer were only
-issued to a Client that successfully completed attestation with an Attester
-that the Issuer trusts. Moreover, this arrangement means that if an Origin
-accepts tokens issued by an Issuer that trusts multiple Attesters, then a
-Client can use any one of these Attesters to issue and redeem tokens for the
-Origin. Whether or not these different entities in the architecture collude
-for learning redemption, issuance, or attestation contexts, as well as the
-necessary preconditions for context unlinkability, depends on the deployment
-model; see <a href="#deployment" class="auto internal xref">Section 4</a> for more details.<a href="#section-3.3-3" class="pilcrow">¶</a></p>
-<p id="section-3.3-4">The mechanisms for establishing trust between each entity in this arrangement
-are deployment-specific. For example, in settings where Clients interact with
-Issuers through an Attester, Attesters and Issuers might use
-mutually authenticated TLS to authenticate one another. In settings where
-Clients do not communicate with Issuers through an Attester, the Attesters
-might convey this trust via a digital signature that Issuers can verify.<a href="#section-3.3-4" class="pilcrow">¶</a></p>
-<p id="section-3.3-5">Clients explicitly trust Attesters to perform attestation correctly and in a
-way that does not violate their privacy. In particular, this means that Attesters
-which may be privy to private information about Clients are trusted to not disclose
-this information to non-colluding parties. Colluding parties are assumed to have
-access to the same information; see <a href="#deployment" class="auto internal xref">Section 4</a> for more about different
-deployment models and non-collusion assumptions. However, Clients assume Issuers and
-Origins are malicious.<a href="#section-3.3-5" class="pilcrow">¶</a></p>
-<p id="section-3.3-6">Given this threat model, the privacy goals of Privacy Pass are oriented around
-unlinkability based on redemption, issuance, and attestation contexts, as
-described below.<a href="#section-3.3-6" class="pilcrow">¶</a></p>
-<ol start="1" type="1" class="normal type-1" id="section-3.3-7">
-<li id="section-3.3-7.1">
-            <p id="section-3.3-7.1.1">Origin-Client unlinkability. This means that given two redemption contexts,
-the Origin cannot determine if both redemption contexts correspond to the same
-Client or two different Clients. Informally, this means that a Client in a
-redemption context is indistinguishable from any other Client that might use
-the same redemption context. The set of Clients that share the same redemption
-context is referred to as a redemption anonymity set.<a href="#section-3.3-7.1.1" class="pilcrow">¶</a></p>
-</li>
-          <li id="section-3.3-7.2">
-            <p id="section-3.3-7.2.1">Issuer-Client unlinkability. This is similar to Origin-Client unlinkability
-in that a Client in an issuance context is indistinguishable from any other
-Client that might use the same issuance context. The set of Clients that share
-the same issuance context is referred to as an issuance anonymity set.<a href="#section-3.3-7.2.1" class="pilcrow">¶</a></p>
-</li>
-          <li id="section-3.3-7.3">
-            <p id="section-3.3-7.3.1">Attester-Origin unlinkability. This is similar to Origin-Client and
-Issuer-Client unlinkability. It means that given two attestation contexts,
-the Attester cannot determine if both contexts correspond to the same Origin
-or two different Origins. The set of Origins that share the same attestation
-context is referred to as an attestation anonymity set.<a href="#section-3.3-7.3.1" class="pilcrow">¶</a></p>
-</li>
-          <li id="section-3.3-7.4">
-            <p id="section-3.3-7.4.1">Redemption context unlinkability. Given two redemption contexts, the Origin
-cannot determine which issuance and attestation contexts each redemption
-corresponds to, even with the collaboration of the Issuer and Attester (should
-these be different parties). This means that any information that may be learned
-about the Client during the issuance and attestation flows cannot be used by the
-Origin to compromise Client privacy.<a href="#section-3.3-7.4.1" class="pilcrow">¶</a></p>
-</li>
-        </ol>
-<p id="section-3.3-8">These unlinkability properties ensure that only the Client is able to correlate
-information that might be used to identify them with activity on the Origin.
-The Attester, Issuer, and Origin only receive the information necessary to perform
-their respective functions.<a href="#section-3.3-8" class="pilcrow">¶</a></p>
-<p id="section-3.3-9">The manner in which these unlinkability properties are achieved depends on the
-deployment model, type of attestation, and issuance protocol details. For example,
-as discussed in <a href="#deployment" class="auto internal xref">Section 4</a>, in some cases it is necessary to use an anonymization
-service such as Tor <span>[<a href="#DMS2004" class="cite xref">DMS2004</a>]</span> which hides Clients IP addresses. In general,
-anonymization services ensures that all Clients which use the service are indistinguishable
-from one another, though in practice there may be small distinguishing features
-(TLS fingerprints, HTTP headers, etc). Moreover, Clients generally trust these services
-to not disclose private Client information (such as IP addresses) to untrusted parties.
-Failure to use an anonymization service when interacting with Attesters, Issuers, or
-Origins can allow the set of possible Clients to be partitioned by the Client's IP address,
-and can therefore lead to unlinkability violations. Similarly, malicious Origins
-may attempt to link two redemption contexts together by using Client-specific
-Issuer public keys. See <a href="#deployment-considerations" class="auto internal xref">Section 5</a> and <a href="#privacy" class="auto internal xref">Section 6</a> for more
-information.<a href="#section-3.3-9" class="pilcrow">¶</a></p>
-<p id="section-3.3-10">The remainder of this section describes the functional properties and security
-requirements of the redemption and issuance protocols in more detail. <a href="#flow" class="auto internal xref">Section 3.6</a>
-describes how information flows between Issuer, Origin, Client, and Attester
-through these protocols.<a href="#section-3.3-10" class="pilcrow">¶</a></p>
-</section>
-</div>
-<div id="redemption">
-<section id="section-3.4">
-        <h3 id="name-redemption-protocol">
-<a href="#section-3.4" class="section-number selfRef">3.4. </a><a href="#name-redemption-protocol" class="section-name selfRef">Redemption Protocol</a>
-        </h3>
-<p id="section-3.4-1">The Privacy Pass redemption protocol, described in
-<span>[<a href="#AUTHSCHEME" class="cite xref">AUTHSCHEME</a>]</span>, is an authorization protocol
-wherein Clients present tokens to Origins for authorization. Normally,
-redemption is preceded by a challenge, wherein the Origin challenges
-Clients for a token with a TokenChallenge (<span>[<a href="#AUTHSCHEME" class="cite xref">AUTHSCHEME</a>], <a href="https://datatracker.ietf.org/doc/html/draft-ietf-privacypass-auth-scheme-14#section-2.1" class="relref">Section 2.1</a></span>) and,
-if possible, Clients present a valid Token (<span>[<a href="#AUTHSCHEME" class="cite xref">AUTHSCHEME</a>], <a href="https://datatracker.ietf.org/doc/html/draft-ietf-privacypass-auth-scheme-14#section-2.2" class="relref">Section 2.2</a></span>)
-in reaction to the challenge. This interaction is shown below.<a href="#section-3.4-1" class="pilcrow">¶</a></p>
-<span id="name-challenge-and-redemption-pr"></span><div id="fig-redemption">
-<figure id="figure-2">
-          <div id="section-3.4-2.1">
-            <div class="alignLeft art-svg artwork" id="section-3.4-2.1.1">
-<svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="176" width="432" viewBox="0 0 432 176" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
-                <path d="M 8,32 L 8,64" fill="none" stroke="black"></path>
-                <path d="M 40,64 L 40,160" fill="none" stroke="black"></path>
-                <path d="M 80,32 L 80,64" fill="none" stroke="black"></path>
-                <path d="M 184,32 L 184,64" fill="none" stroke="black"></path>
-                <path d="M 216,64 L 216,160" fill="none" stroke="black"></path>
-                <path d="M 256,32 L 256,64" fill="none" stroke="black"></path>
-                <path d="M 8,32 L 80,32" fill="none" stroke="black"></path>
-                <path d="M 184,32 L 256,32" fill="none" stroke="black"></path>
-                <path d="M 8,64 L 80,64" fill="none" stroke="black"></path>
-                <path d="M 184,64 L 256,64" fill="none" stroke="black"></path>
-                <path d="M 48,96 L 88,96" fill="none" stroke="black"></path>
-                <path d="M 168,96 L 216,96" fill="none" stroke="black"></path>
-                <path d="M 40,112 L 56,112" fill="none" stroke="black"></path>
-                <path d="M 192,112 L 208,112" fill="none" stroke="black"></path>
-                <path d="M 232,126 L 248,126" fill="none" stroke="black"></path>
-                <path d="M 232,130 L 248,130" fill="none" stroke="black"></path>
-                <path d="M 408,126 L 424,126" fill="none" stroke="black"></path>
-                <path d="M 408,130 L 424,130" fill="none" stroke="black"></path>
-                <path d="M 48,144 L 64,144" fill="none" stroke="black"></path>
-                <path d="M 192,144 L 216,144" fill="none" stroke="black"></path>
-                <polygon class="arrowhead" points="432,128 420,122.4 420,133.6" fill="black" transform="rotate(0,424,128)"></polygon>
-                <polygon class="arrowhead" points="240,128 228,122.4 228,133.6" fill="black" transform="rotate(180,232,128)"></polygon>
-                <polygon class="arrowhead" points="216,112 204,106.4 204,117.6" fill="black" transform="rotate(0,208,112)"></polygon>
-                <polygon class="arrowhead" points="56,144 44,138.4 44,149.6" fill="black" transform="rotate(180,48,144)"></polygon>
-                <polygon class="arrowhead" points="56,96 44,90.4 44,101.6" fill="black" transform="rotate(180,48,96)"></polygon>
-                <g class="text">
-                  <text x="44" y="52">Origin</text>
-                  <text x="220" y="52">Client</text>
-                  <text x="128" y="100">Request</text>
-                  <text x="124" y="116">TokenChallenge</text>
-                  <text x="292" y="132">Issuance</text>
-                  <text x="364" y="132">protocol</text>
-                  <text x="128" y="148">Request+Token</text>
-                </g>
-              </svg><a href="#section-3.4-2.1.1" class="pilcrow">¶</a>
-</div>
-</div>
-<figcaption><a href="#figure-2" class="selfRef">Figure 2</a>:
-<a href="#name-challenge-and-redemption-pr" class="selfRef">Challenge and redemption protocol interaction</a>
-          </figcaption></figure>
-</div>
-<p id="section-3.4-3">Alternatively, when configured to do so, Clients may opportunistically present
-Token values to Origins without a corresponding TokenChallenge.<a href="#section-3.4-3" class="pilcrow">¶</a></p>
-<p id="section-3.4-4">The structure and semantics of the TokenChallenge and Token messages depend
-on the issuance protocol and token type being used; see <span>[<a href="#AUTHSCHEME" class="cite xref">AUTHSCHEME</a>]</span> for
-more information.<a href="#section-3.4-4" class="pilcrow">¶</a></p>
-<p id="section-3.4-5">The challenge provides the client with the information necessary to obtain
-tokens that the server might subsequently accept in the redemption context.
-There are a number of ways in which the token may vary based on this challenge,
-including:<a href="#section-3.4-5" class="pilcrow">¶</a></p>
-<ul class="normal">
-<li class="normal" id="section-3.4-6.1">
-            <p id="section-3.4-6.1.1">Issuance protocol. The challenge identifies the type of issuance protocol
-required for producing the token. Different issuance protocols have different
-security properties, e.g., some issuance protocols may produce tokens that
-are publicly verifiable, whereas others may not have this property.<a href="#section-3.4-6.1.1" class="pilcrow">¶</a></p>
-</li>
-          <li class="normal" id="section-3.4-6.2">
-            <p id="section-3.4-6.2.1">Issuer identity. Token challenges identify which Issuers are trusted for a
-given issuance protocol. As described in <a href="#privacy-and-trust" class="auto internal xref">Section 3.3</a>, the choice
-of Issuer determines the type of Attesters and attestation procedures possible
-for a token from the specified Issuer, but the Origin does not learn exactly
-which Attester was used for a given token issuance event.<a href="#section-3.4-6.2.1" class="pilcrow">¶</a></p>
-</li>
-          <li class="normal" id="section-3.4-6.3">
-            <p id="section-3.4-6.3.1">Redemption context. Challenges can be bound to a given redemption context,
-which influences a client's ability to pre-fetch and cache tokens. For
-example, an empty redemption context always allows tokens to be issued and
-redeemed non-interactively, whereas a fresh and random redemption context
-means that the redeemed token must be issued only after the client receives
-the challenge. See <span><a href="https://datatracker.ietf.org/doc/html/draft-ietf-privacypass-auth-scheme-14#section-2.1.1" class="relref">Section 2.1.1</a> of [<a href="#AUTHSCHEME" class="cite xref">AUTHSCHEME</a>]</span> for more details.<a href="#section-3.4-6.3.1" class="pilcrow">¶</a></p>
-</li>
-          <li class="normal" id="section-3.4-6.4">
-            <p id="section-3.4-6.4.1">Per-Origin or cross-Origin. Challenges can be constrained to the Origin for
-which the challenge originated (referred to as per-Origin tokens), or
-can be used across multiple Origins (referred to as cross-Origin tokens).
-The set of Origins for which a cross-Origin token is applicable is referred
-to as the cross-Origin set. Opting into this set is done by explicitly agreeing
-on the contents of the set. Every Origin in a cross-Origin set, by opting in,
-agrees to admit tokens for any other Origin in the set. See
-<span><a href="https://datatracker.ietf.org/doc/html/draft-ietf-privacypass-auth-scheme-14#section-2.1.1" class="relref">Section 2.1.1</a> of [<a href="#AUTHSCHEME" class="cite xref">AUTHSCHEME</a>]</span> for more information on how this set is created.<a href="#section-3.4-6.4.1" class="pilcrow">¶</a></p>
-</li>
-        </ul>
-<p id="section-3.4-7">Origins that admit cross-Origin tokens bear some risk of allowing tokens
-issued for one Origin to be spent in an interaction with another Origin.
-In particular, cross-Origin tokens issued based on a challenge for
-one Origin can be redeemed at another Origin in the cross-Origin set,
-which can make it difficult to regulate token consumption. Depending on the
-use case, Origins may need to maintain state to track redeemed tokens. For
-example, Origins that accept cross-Origin tokens across shared redemption
-contexts SHOULD track which tokens have been redeemed already in those
-redemption contexts, since these tokens can be issued and then spent multiple
-times for any such challenge. Note that Clients which redeem the
-same token to multiple Origins do risk those Origins being able to link
-Client activity together, which can disincentivize this behavior. See
-<span><a href="https://datatracker.ietf.org/doc/html/draft-ietf-privacypass-auth-scheme-14#section-2.1.1" class="relref">Section 2.1.1</a> of [<a href="#AUTHSCHEME" class="cite xref">AUTHSCHEME</a>]</span> for discussion.<a href="#section-3.4-7" class="pilcrow">¶</a></p>
-<p id="section-3.4-8">How Clients respond to token challenges can have privacy implications.
-For example, if an Origin allows the Client to choose an Issuer, then the choice
-of Issuer can reveal information about the Client used to partition anonymity
-sets; see <a href="#rotation-and-consistency" class="auto internal xref">Section 6.2</a> for more information about these privacy
-considerations.<a href="#section-3.4-8" class="pilcrow">¶</a></p>
-</section>
-</div>
-<div id="issuance-protocol">
-<section id="section-3.5">
-        <h3 id="name-issuance-protocol">
-<a href="#section-3.5" class="section-number selfRef">3.5. </a><a href="#name-issuance-protocol" class="section-name selfRef">Issuance Protocol</a>
-        </h3>
-<p id="section-3.5-1">The Privacy Pass issuance protocol, described in <span>[<a href="#ISSUANCE" class="cite xref">ISSUANCE</a>]</span>, is a two-message
-protocol that takes as input a TokenChallenge from the redemption protocol
-(<span>[<a href="#AUTHSCHEME" class="cite xref">AUTHSCHEME</a>], <a href="https://datatracker.ietf.org/doc/html/draft-ietf-privacypass-auth-scheme-14#section-2.1" class="relref">Section 2.1</a></span>) and produces a Token
-(<span>[<a href="#AUTHSCHEME" class="cite xref">AUTHSCHEME</a>], <a href="https://datatracker.ietf.org/doc/html/draft-ietf-privacypass-auth-scheme-14#section-2.2" class="relref">Section 2.2</a></span>), as shown in <a href="#fig-overview" class="auto internal xref">Figure 1</a>.<a href="#section-3.5-1" class="pilcrow">¶</a></p>
-<p id="section-3.5-2">The structure and semantics of the TokenRequest and TokenResponse messages
-depend on the issuance protocol and token type being used; see <span>[<a href="#ISSUANCE" class="cite xref">ISSUANCE</a>]</span>
-for more information.<a href="#section-3.5-2" class="pilcrow">¶</a></p>
-<p id="section-3.5-3">Clients interact with the Attester and Issuer to produce a token for
-a challenge. The context in which an Attester vouches for a Client during
-issuance is referred to as the attestation context. This context includes all
-information associated with the issuance event, such as the timestamp of the
-event and Client-visible information, including the IP address or other
-information specific to the type of attestation done.<a href="#section-3.5-3" class="pilcrow">¶</a></p>
-<p id="section-3.5-4">Each issuance protocol may be different, e.g., in the number and types of
-participants, underlying cryptographic constructions used when issuing tokens,
-and even privacy properties.<a href="#section-3.5-4" class="pilcrow">¶</a></p>
-<p id="section-3.5-5">Clients initiate the issuance protocol using the token challenge, a randomly
-generated nonce, and public key for the Issuer, all of which are the Client's
-private input to the protocol and ultimately bound to an output Token;
-see <span><a href="https://datatracker.ietf.org/doc/html/draft-ietf-privacypass-auth-scheme-14#section-2.2" class="relref">Section 2.2</a> of [<a href="#AUTHSCHEME" class="cite xref">AUTHSCHEME</a>]</span> for details. Future specifications
-may change or extend the Client's input to the issuance protocol to produce
-Tokens with a different structure.<a href="#section-3.5-5" class="pilcrow">¶</a></p>
-<p id="section-3.5-6">Token properties vary based on the issuance protocol. Important properties
-supported in this architecture are described below.<a href="#section-3.5-6" class="pilcrow">¶</a></p>
-<ol start="1" type="1" class="normal type-1" id="section-3.5-7">
-<li id="section-3.5-7.1">
-            <p id="section-3.5-7.1.1">Public verifiability. This means the Token can be verified using the Issuer
-public key. A Token that does not have public verifiability can only be verified
-using the Issuer secret key.<a href="#section-3.5-7.1.1" class="pilcrow">¶</a></p>
-</li>
-          <li id="section-3.5-7.2">
-            <p id="section-3.5-7.2.1">Public metadata. This means that the Token can be cryptographically bound to
-arbitrary public information. See <a href="#metadata-privacy" class="auto internal xref">Section 6.1</a> for privacy considerations
-of public metadata.<a href="#section-3.5-7.2.1" class="pilcrow">¶</a></p>
-</li>
-          <li id="section-3.5-7.3">
-            <p id="section-3.5-7.3.1">Private metadata. This means that the Token can be cryptographically bound to
-arbitrary private information, i.e., information that the Client does not observe
-during Token issuance or redemption. See <a href="#metadata-privacy" class="auto internal xref">Section 6.1</a> for privacy
-considerations of private metadata.<a href="#section-3.5-7.3.1" class="pilcrow">¶</a></p>
-</li>
-        </ol>
-<p id="section-3.5-8">The issuance protocol itself can be any interactive protocol between Client,
-Issuer, or other parties that produces a valid token bound to the Client's
-private input, subject to the following security requirements.<a href="#section-3.5-8" class="pilcrow">¶</a></p>
-<ol start="1" type="1" class="normal type-1" id="section-3.5-9">
-<li id="section-3.5-9.1">
-            <p id="section-3.5-9.1.1">Unconditional input secrecy. The issuance protocol MUST NOT reveal anything
-about the Client's private input, including the challenge and nonce, to the
-Attester or Issuer, regardless of the hardness assumptions of the underlying
-cryptographic protocol(s). This property is sometimes also referred to as
-blindness.<a href="#section-3.5-9.1.1" class="pilcrow">¶</a></p>
-</li>
-          <li id="section-3.5-9.2">
-            <p id="section-3.5-9.2.1">One-more forgery security. The issuance protocol MUST NOT allow malicious
-Clients or Attesters (acting as Clients) to forge tokens offline or otherwise
-without interacting with the Issuer directly.<a href="#section-3.5-9.2.1" class="pilcrow">¶</a></p>
-</li>
-          <li id="section-3.5-9.3">
-            <p id="section-3.5-9.3.1">Concurrent security. The issuance protocol MUST be safe to run concurrently
-with arbitrarily many Clients, Attesters and Issuers.<a href="#section-3.5-9.3.1" class="pilcrow">¶</a></p>
-</li>
-        </ol>
-<p id="section-3.5-10">See <a href="#extensions" class="auto internal xref">Section 3.5.4</a> for requirements on new issuance protocol variants and
-related extensions.<a href="#section-3.5-10" class="pilcrow">¶</a></p>
-<p id="section-3.5-11">In the sections below, we describe the Attester and Issuer roles in more
-detail.<a href="#section-3.5-11" class="pilcrow">¶</a></p>
-<div id="attester">
-<section id="section-3.5.1">
-          <h4 id="name-attester-role">
-<a href="#section-3.5.1" class="section-number selfRef">3.5.1. </a><a href="#name-attester-role" class="section-name selfRef">Attester Role</a>
-          </h4>
-<p id="section-3.5.1-1">In Privacy Pass, attestation is the process by which an Attester bears
-witness to, confirms, or authenticates a Client so as to verify properties
-about the Client that are required for Issuance. Issuers trust Attesters
-to perform attestation correctly, i.e., to implement attestation procedures
-in a way that are not subverted or bypassed by malicious Clients.<a href="#section-3.5.1-1" class="pilcrow">¶</a></p>
-<p id="section-3.5.1-2"><span>[<a href="#RFC9334" class="cite xref">RFC9334</a>]</span> describes an architecture for attestation procedures. Using
-that architecture as a conceptual basis, Clients are RATS attesters that
-produce attestation evidence, and Attesters are RATS verifiers that
-appraise the validity of attestation evidence.<a href="#section-3.5.1-2" class="pilcrow">¶</a></p>
-<p id="section-3.5.1-3">The type of attestation procedure is a deployment-specific option and outside
-the scope of the issuance protocol. Example attestation procedures are below.<a href="#section-3.5.1-3" class="pilcrow">¶</a></p>
-<ul class="normal">
-<li class="normal" id="section-3.5.1-4.1">
-              <p id="section-3.5.1-4.1.1">Solving a CAPTCHA. Clients that solve CAPTCHA challenges can be attested to
-have this capability for the purpose of being ruled out as a bot or otherwise
-automated Client.<a href="#section-3.5.1-4.1.1" class="pilcrow">¶</a></p>
-</li>
-            <li class="normal" id="section-3.5.1-4.2">
-              <p id="section-3.5.1-4.2.1">Presenting evidence of Client device validity. Some Clients run on trusted
-hardware that are capable of producing device-level attestation evidence.<a href="#section-3.5.1-4.2.1" class="pilcrow">¶</a></p>
-</li>
-            <li class="normal" id="section-3.5.1-4.3">
-              <p id="section-3.5.1-4.3.1">Proving properties about Client state. Clients can be associated with state
-and the Attester can verify this state. Examples of state include the
-Client's geographic region and whether the Client has a valid
-application-layer account.<a href="#section-3.5.1-4.3.1" class="pilcrow">¶</a></p>
-</li>
-          </ul>
-<p id="section-3.5.1-5">Attesters may support different types of attestation procedures.<a href="#section-3.5.1-5" class="pilcrow">¶</a></p>
-<p id="section-3.5.1-6">Each attestation procedure has different security properties. For
-example, attesting to having a valid account is different from attesting to
-running on trusted hardware. Supporting multiple attestation procedures is
-an important step towards ensuring equitable access for Clients; see <a href="#discrimination" class="auto internal xref">Section 5.1</a>.<a href="#section-3.5.1-6" class="pilcrow">¶</a></p>
-<p id="section-3.5.1-7">The role of the Attester in the issuance protocol and its impact on privacy
-depends on the type of attestation procedure, issuance protocol, and deployment
-model. For instance, increasing the number of required attestation procedures
-could decrease the overall anonymity set size. As an example, the number of Clients
-that have solved a CAPTCHA in the past day, that have a valid account, and that
-are running on a trusted device is less than the number of Clients that have
-solved a CAPTCHA in the past day. See <a href="#rotation-and-consistency" class="auto internal xref">Section 6.2</a> for more discussion
-of how the variety of attestation procedures can negatively impact Client privacy.<a href="#section-3.5.1-7" class="pilcrow">¶</a></p>
-<p id="section-3.5.1-8">Depending on the issuance protocol, the Issuer might learn
-information about the Origin. To ensure Issuer-Client unlinkability, the Issuer
-should be unable to link that information to a specific Client. For such
-issuance protocols where the Attester has access to Client-specific
-information, such as is the case for attestation procedures that involve
-Client-specific information (such as application-layer account information)
-or for deployment models where the Attester learns Client-specific information
-(such as Client IP addresses), Clients trust the Attester to not share any
-Client-specific information with the Issuer. In deployments where the Attester
-does not learn Client-specific information, or where the Attester and Issuer are
-operated by the same entity (such as in the Joint Attester and Issuer model
-described in <a href="#deploy-joint-issuer" class="auto internal xref">Section 4.2</a>), the Client does not need to explicitly
-trust the Attester in this regard.<a href="#section-3.5.1-8" class="pilcrow">¶</a></p>
-<p id="section-3.5.1-9">Issuers trust Attesters to correctly and reliably perform attestation. However,
-certain types of attestation can vary in value over time, e.g., if the
-attestation procedure is compromised. Broken
-attestation procedures are considered exceptional events and require
-configuration changes to address the underlying cause. For example, if
-an attestation procedure is compromised or subverted because of a zero-day
-exploit on devices that implement the attestation procedure, then the
-corresponding attestation procedure should be untrusted until the exploit is
-patched. Addressing changes in attestation quality is therefore a
-deployment-specific task. In Split Attester and Issuer deployments (see
-<a href="#deploy-split" class="auto internal xref">Section 4.4</a>), Issuers can choose to remove compromised Attesters from
-their trusted set until the compromise is patched.<a href="#section-3.5.1-9" class="pilcrow">¶</a></p>
-<p id="section-3.5.1-10">From the perspective of an Origin, tokens produced by an Issuer with at least
-one compromised Attester cannot be trusted assuming the Origin does not know
-which attestation procedure was used for issuance. This is because the Origin
-cannot distinguish between tokens that were issued via compromised Attesters
-and tokens that were issued via uncompromised Attesters absent some
-distinguishing information in the tokens themselves or from the Issuer. As a
-result, until the attestation procedure is fixed, the Issuer cannot be trusted
-by Origins. Moreover, as a consequence, any tokens issued by an Issuer with a
-compromised attester may no longer be trusted by Origins, even if those tokens
-were issued to Clients interacting with an uncompromised Attester.<a href="#section-3.5.1-10" class="pilcrow">¶</a></p>
-</section>
-</div>
-<div id="issuer-role">
-<section id="section-3.5.2">
-          <h4 id="name-issuer-role">
-<a href="#section-3.5.2" class="section-number selfRef">3.5.2. </a><a href="#name-issuer-role" class="section-name selfRef">Issuer Role</a>
-          </h4>
-<p id="section-3.5.2-1">In Privacy Pass, the Issuer is responsible for completing the issuance protocol
-for Clients that complete attestation through a trusted Attester. As described
-in <a href="#attester" class="auto internal xref">Section 3.5.1</a>, Issuers explicitly trust Attesters to correctly and reliably
-perform attestation. Origins explicitly trust Issuers to only issue tokens
-from trusted Attesters. Clients do not explicitly trust Issuers.<a href="#section-3.5.2-1" class="pilcrow">¶</a></p>
-<p id="section-3.5.2-2">Depending on the deployment model case, issuance may require some form of
-Client anonymization service, similar to an IP-hiding proxy, so that Issuers
-cannot learn information about Clients. This can be provided by an explicit
-participant in the issuance protocol, or it can be provided via external means,
-such as through the use of an IP-hiding proxy service like Tor <span>[<a href="#DMS2004" class="cite xref">DMS2004</a>]</span>.
-In general, Clients SHOULD minimize or remove identifying
-information where possible when invoking the issuance protocol.<a href="#section-3.5.2-2" class="pilcrow">¶</a></p>
-<p id="section-3.5.2-3">Issuers are uniquely identifiable by all Clients with a consistent
-identifier. In a web context, this identifier might be the Issuer host name.
-Issuers maintain one or more configurations, including issuance key pairs, for
-use in the issuance protocol. Each configuration is assumed to have a unique
-and canonical identifier, sometimes referred to as a key identifier or key ID.
-Issuers can rotate these configurations as needed to mitigate risk of compromise;
-see <a href="#rotation-and-consistency" class="auto internal xref">Section 6.2</a> for more considerations around configuration
-rotation. The Issuer public key for each active configuration is made available
-to Origins and Clients for use in the issuance and redemption protocols.<a href="#section-3.5.2-3" class="pilcrow">¶</a></p>
-</section>
-</div>
-<div id="metadata">
-<section id="section-3.5.3">
-          <h4 id="name-issuance-metadata">
-<a href="#section-3.5.3" class="section-number selfRef">3.5.3. </a><a href="#name-issuance-metadata" class="section-name selfRef">Issuance Metadata</a>
-          </h4>
-<p id="section-3.5.3-1">Certain instantiations of the issuance protocol may permit public or private
-metadata to be cryptographically bound to a token. As an example, one
-trivial way to include public metadata is to assign a unique Issuer
-public key for each value of metadata, such that N keys yields
-log<sub>2</sub>(N) bits of metadata. Metadata may be public or private.<a href="#section-3.5.3-1" class="pilcrow">¶</a></p>
-<p id="section-3.5.3-2">Public metadata is that which clients can observe as part of the token
-issuance flow. Public metadata can either be transparent or opaque. For
-example, transparent public metadata is a value that the client either
-generates itself, or the Issuer provides during the issuance flow and
-the client can check for correctness. Opaque public metadata is metadata
-the client can see but cannot check for correctness. As an example, the
-opaque public metadata might be a "fraud detection signal", computed on
-behalf of the Issuer, during token issuance. Generally speaking, Clients
-cannot determine if this value is generated in a way that permits tracking.<a href="#section-3.5.3-2" class="pilcrow">¶</a></p>
-<p id="section-3.5.3-3">Private metadata is that which Clients cannot observe as part of the token
-issuance flow. Such instantiations can be built on the Private Metadata Bit
-construction from Kreuter et al. <span>[<a href="#KLOR20" class="cite xref">KLOR20</a>]</span>
-or the attribute-based VOPRF from Huang et al. <span>[<a href="#HIJK21" class="cite xref">HIJK21</a>]</span>.<a href="#section-3.5.3-3" class="pilcrow">¶</a></p>
-<p id="section-3.5.3-4">Metadata can be arbitrarily long or bounded in length. The amount of permitted
-metadata may be determined by application or by the underlying cryptographic
-protocol. The total amount of metadata bits included in a token is the sum of
-public and private metadata bits. Every bit of metadata can be used to
-partition the Client issuance or redemption anonymity sets; see
-<a href="#metadata-privacy" class="auto internal xref">Section 6.1</a> for more information.<a href="#section-3.5.3-4" class="pilcrow">¶</a></p>
-</section>
-</div>
-<div id="extensions">
-<section id="section-3.5.4">
-          <h4 id="name-future-issuance-protocol-re">
-<a href="#section-3.5.4" class="section-number selfRef">3.5.4. </a><a href="#name-future-issuance-protocol-re" class="section-name selfRef">Future Issuance Protocol Requirements</a>
-          </h4>
-<p id="section-3.5.4-1">The Privacy Pass architecture and ecosystem are both intended to be receptive
-to extensions that expand the current set of functionalities through new
-issuance protocols. Each new issuance protocol and extension MUST adhere
-to the following requirements:<a href="#section-3.5.4-1" class="pilcrow">¶</a></p>
-<ol start="1" type="1" class="normal type-1" id="section-3.5.4-2">
-<li id="section-3.5.4-2.1">
-              <p id="section-3.5.4-2.1.1">Include a detailed analysis of the privacy impacts of the extension, why
-these impacts are justified, and guidelines on how to use the protocol
-to mitigate or minimize negative deployment or privacy consequences
-discussed in <a href="#deployment-considerations" class="auto internal xref">Section 5</a> and <a href="#privacy" class="auto internal xref">Section 6</a>, respectively.<a href="#section-3.5.4-2.1.1" class="pilcrow">¶</a></p>
-</li>
-            <li id="section-3.5.4-2.2">
-              <p id="section-3.5.4-2.2.1">Adhere to the guidelines specified in <a href="#issuer-role" class="auto internal xref">Section 3.5.2</a> for managing Issuer
-public key data.<a href="#section-3.5.4-2.2.1" class="pilcrow">¶</a></p>
-</li>
-            <li id="section-3.5.4-2.3">
-              <p id="section-3.5.4-2.3.1">Clearly specify how to interpret and validate TokenChallenge and Token
-messages that are exchanged during the redemption protocol.<a href="#section-3.5.4-2.3.1" class="pilcrow">¶</a></p>
-</li>
-          </ol>
-</section>
-</div>
-</section>
-</div>
-<div id="flow">
-<section id="section-3.6">
-        <h3 id="name-information-flow">
-<a href="#section-3.6" class="section-number selfRef">3.6. </a><a href="#name-information-flow" class="section-name selfRef">Information Flow</a>
-        </h3>
-<p id="section-3.6-1">The end-to-end process of redemption and issuance protocols involves information
-flowing between Issuer, Origin, Client, and Attester. That information can
-have implications on the privacy goals that Privacy Pass aims to provide
-as outlined in <a href="#privacy-and-trust" class="auto internal xref">Section 3.3</a>. In this section, we describe the flow
-of information between each party. How this information affects the privacy
-goals in particular deployment models is further discussed in <a href="#deployment" class="auto internal xref">Section 4</a>.<a href="#section-3.6-1" class="pilcrow">¶</a></p>
-<div id="challenge-flow">
-<section id="section-3.6.1">
-          <h4 id="name-token-challenge-flow">
-<a href="#section-3.6.1" class="section-number selfRef">3.6.1. </a><a href="#name-token-challenge-flow" class="section-name selfRef">Token Challenge Flow</a>
-          </h4>
-<p id="section-3.6.1-1">To use Privacy Pass, Origins choose an Issuer from which they are willing to
-accept tokens. Origins then construct a token challenge using this specified
-Issuer and information from the redemption context it shares with the Client.
-This token challenge is then delivered to a Client. The token challenge conveys
-information about the Issuer and the redemption context, such as whether the
-Origin desires a per-Origin or cross-Origin token. Any entity that sees
-the token challenge might learn things about the Client as known to the Origin.
-This is why input secrecy is a requirement for issuance protocols, as it
-ensures that the challenge is not directly available to the Issuer.<a href="#section-3.6.1-1" class="pilcrow">¶</a></p>
-</section>
-</div>
-<div id="attestation-flow">
-<section id="section-3.6.2">
-          <h4 id="name-attestation-flow">
-<a href="#section-3.6.2" class="section-number selfRef">3.6.2. </a><a href="#name-attestation-flow" class="section-name selfRef">Attestation Flow</a>
-          </h4>
-<p id="section-3.6.2-1">Clients interact with the Attester to prove that they meet some required
-set of properties. In doing so, Clients contribute information to the
-attestation context, which might include sensitive information such as
-application-layer identities, IP addresses, and so on. Clients can choose
-whether or not to contribute this information based on local policy or
-preference.<a href="#section-3.6.2-1" class="pilcrow">¶</a></p>
-</section>
-</div>
-<div id="issue-flow">
-<section id="section-3.6.3">
-          <h4 id="name-issuance-flow">
-<a href="#section-3.6.3" class="section-number selfRef">3.6.3. </a><a href="#name-issuance-flow" class="section-name selfRef">Issuance Flow</a>
-          </h4>
-<p id="section-3.6.3-1">Clients use the issuance protocol to produce a token bound to a token
-challenge. In doing so, there are several ways in which the issuance protocol
-contributes information to the attestation or issuance contexts. For example, a
-token request may contribute information to the attestation or issuance
-contexts as described below.<a href="#section-3.6.3-1" class="pilcrow">¶</a></p>
-<ul class="normal">
-<li class="normal" id="section-3.6.3-2.1">
-              <p id="section-3.6.3-2.1.1">Issuance protocol. The type of issuance protocol can contribute information
-about the Issuer's capabilities to the attestation or issuance contexts, as
-well as the capabilities of a given Client. For example, if a Client is
-presented with multiple issuance protocol options, then the choice of which
-issuance protocol to use can contribute information about the Client's
-capabilities.<a href="#section-3.6.3-2.1.1" class="pilcrow">¶</a></p>
-</li>
-            <li class="normal" id="section-3.6.3-2.2">
-              <p id="section-3.6.3-2.2.1">Issuer configuration. Information about the Issuer configuration, such as
-its identity or the public key used to validate tokens it creates, can be
-revealed during issuance and contribute to the attestation or issuance
-contexts.<a href="#section-3.6.3-2.2.1" class="pilcrow">¶</a></p>
-</li>
-            <li class="normal" id="section-3.6.3-2.3">
-              <p id="section-3.6.3-2.3.1">Attestation information. The issuance protocol can contribute information to
-the attestation or issuance contexts based on what attestation procedure the
-Issuer uses to trust a token request. In particular, a token request that is
-validated by a given Attester means that the Client which generated the token
-request must be capable of the completing the designated attestation procedure.<a href="#section-3.6.3-2.3.1" class="pilcrow">¶</a></p>
-</li>
-            <li class="normal" id="section-3.6.3-2.4">
-              <p id="section-3.6.3-2.4.1">Origin information. The issuance protocol can contribute information about
-the Origin that challenged the Client in <a href="#challenge-flow" class="auto internal xref">Section 3.6.1</a>. In particular,
-a token request designated for a specific Issuer might imply that the resulting
-token is for an Origin that trusts the specified Issuer. However, this is not
-always true, as some token requests can correspond to cross-Origin tokens,
-i.e., they are tokens that would be accepted at any Origin that accepts the
-cross-Origin token.<a href="#section-3.6.3-2.4.1" class="pilcrow">¶</a></p>
-</li>
-          </ul>
-<p id="section-3.6.3-3">Moreover, a token may contribute information to the issuance attestation or
-contexts as described below.<a href="#section-3.6.3-3" class="pilcrow">¶</a></p>
-<ul class="normal">
-<li class="normal" id="section-3.6.3-4.1">
-              <p id="section-3.6.3-4.1.1">Origin information. The issuance protocol can contribute information about
-the Origin in how it responds to a token request. For example, if an Issuer
-learns the Origin during issuance and is also configured to respond in some way
-on the basis of that information, and the Client interacts with the Issuer
-transitively through the Attester, that response can reveal information to the
-Attester.<a href="#section-3.6.3-4.1.1" class="pilcrow">¶</a></p>
-</li>
-            <li class="normal" id="section-3.6.3-4.2">
-              <p id="section-3.6.3-4.2.1">Token. The token produced by the issuance protocol can contain information
-from the issuance context. In particular, depending on the issuance protocol,
-tokens can contain public or private metadata, and Issuers can choose that
-metadata on the basis of information in the issuance context.<a href="#section-3.6.3-4.2.1" class="pilcrow">¶</a></p>
-</li>
-          </ul>
-<p id="section-3.6.3-5">Exceptional cases in the issuance protocol, such as when either the
-Attester or Issuer aborts the protocol, can contribute information to the
-attestation or issuance contexts. The extent to which information in this
-context harms the Issuer-Client or Attester-Origin unlinkability goals in
-<a href="#privacy-and-trust" class="auto internal xref">Section 3.3</a> depends on deployment model; see <a href="#deployment" class="auto internal xref">Section 4</a>.
-Clients can choose whether or not to contribute information to these contexts
-based on local policy or preference.<a href="#section-3.6.3-5" class="pilcrow">¶</a></p>
-</section>
-</div>
-<div id="redemption-flow">
-<section id="section-3.6.4">
-          <h4 id="name-token-redemption-flow">
-<a href="#section-3.6.4" class="section-number selfRef">3.6.4. </a><a href="#name-token-redemption-flow" class="section-name selfRef">Token Redemption Flow</a>
-          </h4>
-<p id="section-3.6.4-1">Clients send tokens to Origins during the redemption protocol. Any information
-that is added to the token during issuance can therefore be sent to the Origin.
-Information can either be explicitly passed in a token, or it can be implicit
-in the way the Client responds to a token challenge. For example, if a Client
-fails to complete issuance, and consequently fails to redeem a token for
-a token challenge, this can reveal information to the Origin that
-it might not otherwise have access to. However, an Origin cannot necessarily
-distinguish between a Client that fails to complete issuance and one that
-ignores the token challenge altogether.<a href="#section-3.6.4-1" class="pilcrow">¶</a></p>
-</section>
-</div>
-</section>
-</div>
-</section>
-</div>
-<div id="deployment">
-<section id="section-4">
-      <h2 id="name-deployment-models">
-<a href="#section-4" class="section-number selfRef">4. </a><a href="#name-deployment-models" class="section-name selfRef">Deployment Models</a>
-      </h2>
-<p id="section-4-1">The Origin, Attester, and Issuer portrayed in <a href="#fig-overview" class="auto internal xref">Figure 1</a> can be
-instantiated and deployed in a number of ways. The deployment model directly
-influences the manner in which attestation, issuance, and redemption contexts
-are separated to achieve Origin-Client, Issuer-Client, and Attester-Origin
-unlinkability.<a href="#section-4-1" class="pilcrow">¶</a></p>
-<p id="section-4-2">This section covers some expected deployment models and their corresponding
-security and privacy considerations. Each deployment model is described in
-terms of the trust relationships and communication patterns between Client,
-Attester, Issuer, and Origin. Entities drawn within the same bounding box are
-assumed to be operated by the same party and are therefore able to collude.
-Collusion can enable linking of attestation, issuance, and redemption contexts.
-Entities not drawn within the same bounding box are assumed to not
-collude, meaning that entities operated by separate parties that do not collude.
-Mechanisms for enforcing non-collusion are out of scope for this architecture.<a href="#section-4-2" class="pilcrow">¶</a></p>
-<div id="deploy-shared">
-<section id="section-4.1">
-        <h3 id="name-shared-origin-attester-issu">
-<a href="#section-4.1" class="section-number selfRef">4.1. </a><a href="#name-shared-origin-attester-issu" class="section-name selfRef">Shared Origin, Attester, Issuer</a>
-        </h3>
-<p id="section-4.1-1">In this model, the Origin, Attester, and Issuer are all operated by the same
-entity, as shown in <a href="#fig-deploy-shared" class="auto internal xref">Figure 3</a>.<a href="#section-4.1-1" class="pilcrow">¶</a></p>
-<span id="name-shared-deployment-model"></span><div id="fig-deploy-shared">
-<figure id="figure-3">
-          <div id="section-4.1-2.1">
-            <div class="alignLeft art-svg artwork" id="section-4.1-2.1.1">
-<svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="256" width="528" viewBox="0 0 528 256" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
-                <path d="M 8,48 L 8,80" fill="none" stroke="black"></path>
-                <path d="M 40,80 L 40,240" fill="none" stroke="black"></path>
-                <path d="M 80,48 L 80,80" fill="none" stroke="black"></path>
-                <path d="M 144,32 L 144,80" fill="none" stroke="black"></path>
-                <path d="M 168,48 L 168,80" fill="none" stroke="black"></path>
-                <path d="M 216,80 L 216,104" fill="none" stroke="black"></path>
-                <path d="M 216,120 L 216,160" fill="none" stroke="black"></path>
-                <path d="M 256,48 L 256,80" fill="none" stroke="black"></path>
-                <path d="M 304,48 L 304,80" fill="none" stroke="black"></path>
-                <path d="M 344,80 L 344,96" fill="none" stroke="black"></path>
-                <path d="M 344,128 L 344,192" fill="none" stroke="black"></path>
-                <path d="M 376,48 L 376,80" fill="none" stroke="black"></path>
-                <path d="M 424,48 L 424,80" fill="none" stroke="black"></path>
-                <path d="M 456,80 L 456,208" fill="none" stroke="black"></path>
-                <path d="M 496,48 L 496,80" fill="none" stroke="black"></path>
-                <path d="M 520,48 L 520,80" fill="none" stroke="black"></path>
-                <path d="M 144,32 L 504,32" fill="none" stroke="black"></path>
-                <path d="M 8,48 L 80,48" fill="none" stroke="black"></path>
-                <path d="M 168,48 L 256,48" fill="none" stroke="black"></path>
-                <path d="M 304,48 L 376,48" fill="none" stroke="black"></path>
-                <path d="M 424,48 L 496,48" fill="none" stroke="black"></path>
-                <path d="M 8,80 L 80,80" fill="none" stroke="black"></path>
-                <path d="M 168,80 L 256,80" fill="none" stroke="black"></path>
-                <path d="M 304,80 L 376,80" fill="none" stroke="black"></path>
-                <path d="M 424,80 L 496,80" fill="none" stroke="black"></path>
-                <path d="M 160,96 L 208,96" fill="none" stroke="black"></path>
-                <path d="M 224,96 L 336,96" fill="none" stroke="black"></path>
-                <path d="M 352,96 L 448,96" fill="none" stroke="black"></path>
-                <path d="M 464,96 L 504,96" fill="none" stroke="black"></path>
-                <path d="M 48,112 L 304,112" fill="none" stroke="black"></path>
-                <path d="M 440,112 L 456,112" fill="none" stroke="black"></path>
-                <path d="M 48,142 L 72,142" fill="none" stroke="black"></path>
-                <path d="M 48,146 L 72,146" fill="none" stroke="black"></path>
-                <path d="M 184,142 L 208,142" fill="none" stroke="black"></path>
-                <path d="M 184,146 L 208,146" fill="none" stroke="black"></path>
-                <path d="M 40,176 L 128,176" fill="none" stroke="black"></path>
-                <path d="M 248,176 L 336,176" fill="none" stroke="black"></path>
-                <path d="M 48,192 L 128,192" fill="none" stroke="black"></path>
-                <path d="M 256,192 L 344,192" fill="none" stroke="black"></path>
-                <path d="M 40,224 L 208,224" fill="none" stroke="black"></path>
-                <path d="M 272,224 L 456,224" fill="none" stroke="black"></path>
-                <path d="M 504,32 C 512.83064,32 520,39.16936 520,48" fill="none" stroke="black"></path>
-                <path d="M 160,96 C 151.16936,96 144,88.83064 144,80" fill="none" stroke="black"></path>
-                <path d="M 504,96 C 512.83064,96 520,88.83064 520,80" fill="none" stroke="black"></path>
-                <polygon class="arrowhead" points="464,224 452,218.4 452,229.6" fill="black" transform="rotate(0,456,224)"></polygon>
-                <polygon class="arrowhead" points="344,176 332,170.4 332,181.6" fill="black" transform="rotate(0,336,176)"></polygon>
-                <polygon class="arrowhead" points="216,144 204,138.4 204,149.6" fill="black" transform="rotate(0,208,144)"></polygon>
-                <polygon class="arrowhead" points="56,192 44,186.4 44,197.6" fill="black" transform="rotate(180,48,192)"></polygon>
-                <polygon class="arrowhead" points="56,144 44,138.4 44,149.6" fill="black" transform="rotate(180,48,144)"></polygon>
-                <polygon class="arrowhead" points="56,112 44,106.4 44,117.6" fill="black" transform="rotate(180,48,112)"></polygon>
-                <g class="text">
-                  <text x="44" y="68">Client</text>
-                  <text x="212" y="68">Attester</text>
-                  <text x="340" y="68">Issuer</text>
-                  <text x="460" y="68">Origin</text>
-                  <text x="372" y="116">TokenChallenge</text>
-                  <text x="128" y="148">Attestation</text>
-                  <text x="188" y="180">TokenRequest</text>
-                  <text x="192" y="196">TokenResponse</text>
-                  <text x="240" y="228">Token</text>
-                  <text x="456" y="244">|</text>
-                </g>
-              </svg><a href="#section-4.1-2.1.1" class="pilcrow">¶</a>
-</div>
-</div>
-<figcaption><a href="#figure-3" class="selfRef">Figure 3</a>:
-<a href="#name-shared-deployment-model" class="selfRef">Shared Deployment Model</a>
-          </figcaption></figure>
-</div>
-<p id="section-4.1-3">This model represents the initial deployment of Privacy Pass, as described in
-<span>[<a href="#PrivacyPassCloudflare" class="cite xref">PrivacyPassCloudflare</a>]</span>. In this model, the Attester, Issuer, and Origin
-share the attestation, issuance, and redemption contexts. As a result,
-attestation mechanisms that can uniquely identify a Client, e.g., requiring
-that Clients authenticate with some type of application-layer account, are
-not appropriate, as they could lead to unlinkability violations.<a href="#section-4.1-3" class="pilcrow">¶</a></p>
-<p id="section-4.1-4">Origin-Client, Issuer-Client, and Attester-Origin unlinkability requires that
-issuance and redemption events be separated over time, such as through the use
-of tokens that correspond to token challenges with an empty redemption context
-(see <a href="#redemption" class="auto internal xref">Section 3.4</a>), or be separated over space, such as through the use of an
-anonymizing service when connecting to the Origin.<a href="#section-4.1-4" class="pilcrow">¶</a></p>
-</section>
-</div>
-<div id="deploy-joint-issuer">
-<section id="section-4.2">
-        <h3 id="name-joint-attester-and-issuer">
-<a href="#section-4.2" class="section-number selfRef">4.2. </a><a href="#name-joint-attester-and-issuer" class="section-name selfRef">Joint Attester and Issuer</a>
-        </h3>
-<p id="section-4.2-1">In this model, the Attester and Issuer are operated by the same entity
-that is separate from the Origin. The Origin trusts the joint Attester
-and Issuer to perform attestation and issue Tokens. Clients interact
-with the joint Attester and Issuer for attestation and issuance. This
-arrangement is shown in <a href="#fig-deploy-joint-issuer" class="auto internal xref">Figure 4</a>.<a href="#section-4.2-1" class="pilcrow">¶</a></p>
-<span id="name-joint-attester-and-issuer-d"></span><div id="fig-deploy-joint-issuer">
-<figure id="figure-4">
-          <div id="section-4.2-2.1">
-            <div class="alignLeft art-svg artwork" id="section-4.2-2.1.1">
-<svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="256" width="520" viewBox="0 0 520 256" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
-                <path d="M 8,48 L 8,80" fill="none" stroke="black"></path>
-                <path d="M 40,80 L 40,240" fill="none" stroke="black"></path>
-                <path d="M 80,48 L 80,80" fill="none" stroke="black"></path>
-                <path d="M 160,32 L 160,80" fill="none" stroke="black"></path>
-                <path d="M 184,48 L 184,80" fill="none" stroke="black"></path>
-                <path d="M 232,80 L 232,104" fill="none" stroke="black"></path>
-                <path d="M 232,120 L 232,160" fill="none" stroke="black"></path>
-                <path d="M 272,48 L 272,80" fill="none" stroke="black"></path>
-                <path d="M 320,48 L 320,80" fill="none" stroke="black"></path>
-                <path d="M 360,80 L 360,96" fill="none" stroke="black"></path>
-                <path d="M 360,128 L 360,192" fill="none" stroke="black"></path>
-                <path d="M 392,48 L 392,80" fill="none" stroke="black"></path>
-                <path d="M 416,48 L 416,80" fill="none" stroke="black"></path>
-                <path d="M 440,48 L 440,80" fill="none" stroke="black"></path>
-                <path d="M 472,80 L 472,208" fill="none" stroke="black"></path>
-                <path d="M 512,48 L 512,80" fill="none" stroke="black"></path>
-                <path d="M 160,32 L 400,32" fill="none" stroke="black"></path>
-                <path d="M 8,48 L 80,48" fill="none" stroke="black"></path>
-                <path d="M 184,48 L 272,48" fill="none" stroke="black"></path>
-                <path d="M 320,48 L 392,48" fill="none" stroke="black"></path>
-                <path d="M 440,48 L 512,48" fill="none" stroke="black"></path>
-                <path d="M 8,80 L 80,80" fill="none" stroke="black"></path>
-                <path d="M 184,80 L 272,80" fill="none" stroke="black"></path>
-                <path d="M 320,80 L 392,80" fill="none" stroke="black"></path>
-                <path d="M 440,80 L 512,80" fill="none" stroke="black"></path>
-                <path d="M 176,96 L 224,96" fill="none" stroke="black"></path>
-                <path d="M 240,96 L 352,96" fill="none" stroke="black"></path>
-                <path d="M 368,96 L 400,96" fill="none" stroke="black"></path>
-                <path d="M 48,112 L 320,112" fill="none" stroke="black"></path>
-                <path d="M 456,112 L 472,112" fill="none" stroke="black"></path>
-                <path d="M 48,142 L 80,142" fill="none" stroke="black"></path>
-                <path d="M 48,146 L 80,146" fill="none" stroke="black"></path>
-                <path d="M 192,142 L 224,142" fill="none" stroke="black"></path>
-                <path d="M 192,146 L 224,146" fill="none" stroke="black"></path>
-                <path d="M 40,176 L 144,176" fill="none" stroke="black"></path>
-                <path d="M 264,176 L 352,176" fill="none" stroke="black"></path>
-                <path d="M 48,192 L 136,192" fill="none" stroke="black"></path>
-                <path d="M 264,192 L 360,192" fill="none" stroke="black"></path>
-                <path d="M 40,224 L 224,224" fill="none" stroke="black"></path>
-                <path d="M 288,224 L 472,224" fill="none" stroke="black"></path>
-                <path d="M 400,32 C 408.83064,32 416,39.16936 416,48" fill="none" stroke="black"></path>
-                <path d="M 176,96 C 167.16936,96 160,88.83064 160,80" fill="none" stroke="black"></path>
-                <path d="M 400,96 C 408.83064,96 416,88.83064 416,80" fill="none" stroke="black"></path>
-                <polygon class="arrowhead" points="480,224 468,218.4 468,229.6" fill="black" transform="rotate(0,472,224)"></polygon>
-                <polygon class="arrowhead" points="360,176 348,170.4 348,181.6" fill="black" transform="rotate(0,352,176)"></polygon>
-                <polygon class="arrowhead" points="232,144 220,138.4 220,149.6" fill="black" transform="rotate(0,224,144)"></polygon>
-                <polygon class="arrowhead" points="56,192 44,186.4 44,197.6" fill="black" transform="rotate(180,48,192)"></polygon>
-                <polygon class="arrowhead" points="56,144 44,138.4 44,149.6" fill="black" transform="rotate(180,48,144)"></polygon>
-                <polygon class="arrowhead" points="56,112 44,106.4 44,117.6" fill="black" transform="rotate(180,48,112)"></polygon>
-                <g class="text">
-                  <text x="44" y="68">Client</text>
-                  <text x="228" y="68">Attester</text>
-                  <text x="356" y="68">Issuer</text>
-                  <text x="476" y="68">Origin</text>
-                  <text x="388" y="116">TokenChallenge</text>
-                  <text x="136" y="148">Attestation</text>
-                  <text x="204" y="180">TokenRequest</text>
-                  <text x="200" y="196">TokenResponse</text>
-                  <text x="256" y="228">Token</text>
-                  <text x="472" y="244">|</text>
-                </g>
-              </svg><a href="#section-4.2-2.1.1" class="pilcrow">¶</a>
-</div>
-</div>
-<figcaption><a href="#figure-4" class="selfRef">Figure 4</a>:
-<a href="#name-joint-attester-and-issuer-d" class="selfRef">Joint Attester and Issuer Deployment Model</a>
-          </figcaption></figure>
-</div>
-<p id="section-4.2-3">This model is useful if an Origin wants to offload attestation and issuance to
-a trusted entity. In this model, the Attester and Issuer share an attestation
-and issuance context for the Client, which is separate from the Origin's
-redemption context.<a href="#section-4.2-3" class="pilcrow">¶</a></p>
-<p id="section-4.2-4">Similar to the Shared Origin, Attester, Issuer model, Issuer-Client and
-Origin-Client unlinkability in this model requires issuance and redemption
-events, respectively, be separated over time or space. Attester-Origin
-unlinkability requires that the Attester and Issuer do not learn the Origin
-for a particular token request. For this reason, issuance protocols that
-require the Issuer to learn information about the Origin, such as that which
-is described in <span>[<a href="#RATE-LIMITED" class="cite xref">RATE-LIMITED</a>]</span>, are not
-appropriate since they could lead to Attester-Origin unlinkability violations
-through the Origin name.<a href="#section-4.2-4" class="pilcrow">¶</a></p>
-</section>
-</div>
-<div id="deploy-joint-origin">
-<section id="section-4.3">
-        <h3 id="name-joint-origin-and-issuer">
-<a href="#section-4.3" class="section-number selfRef">4.3. </a><a href="#name-joint-origin-and-issuer" class="section-name selfRef">Joint Origin and Issuer</a>
-        </h3>
-<p id="section-4.3-1">In this model, the Origin and Issuer are operated by the same entity, separate
-from the Attester, as shown in the figure below. The Issuer accepts token
-requests that come from trusted Attesters. Since the Attester and Issuer are
-separate entities, this model requires some mechanism by which Issuers
-establish trust in the Attester (as described in <a href="#privacy-and-trust" class="auto internal xref">Section 3.3</a>).
-For example, in settings where the Attester is a Client-trusted service that
-directly communicates with the Issuer, one way to establish this trust is via
-mutually-authenticated TLS. However, alternative authentication mechanisms are
-possible. This arrangement is shown in <a href="#fig-deploy-joint-origin" class="auto internal xref">Figure 5</a>.<a href="#section-4.3-1" class="pilcrow">¶</a></p>
-<span id="name-joint-origin-and-issuer-dep"></span><div id="fig-deploy-joint-origin">
-<figure id="figure-5">
-          <div id="section-4.3-2.1">
-            <div class="alignLeft art-svg artwork" id="section-4.3-2.1.1">
-<svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="256" width="528" viewBox="0 0 528 256" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
-                <path d="M 8,48 L 8,80" fill="none" stroke="black"></path>
-                <path d="M 40,80 L 40,240" fill="none" stroke="black"></path>
-                <path d="M 80,48 L 80,80" fill="none" stroke="black"></path>
-                <path d="M 168,48 L 168,80" fill="none" stroke="black"></path>
-                <path d="M 216,80 L 216,104" fill="none" stroke="black"></path>
-                <path d="M 216,120 L 216,160" fill="none" stroke="black"></path>
-                <path d="M 256,48 L 256,80" fill="none" stroke="black"></path>
-                <path d="M 280,32 L 280,80" fill="none" stroke="black"></path>
-                <path d="M 304,48 L 304,80" fill="none" stroke="black"></path>
-                <path d="M 344,80 L 344,96" fill="none" stroke="black"></path>
-                <path d="M 344,128 L 344,192" fill="none" stroke="black"></path>
-                <path d="M 376,48 L 376,80" fill="none" stroke="black"></path>
-                <path d="M 424,48 L 424,80" fill="none" stroke="black"></path>
-                <path d="M 456,80 L 456,208" fill="none" stroke="black"></path>
-                <path d="M 496,48 L 496,80" fill="none" stroke="black"></path>
-                <path d="M 520,48 L 520,80" fill="none" stroke="black"></path>
-                <path d="M 280,32 L 504,32" fill="none" stroke="black"></path>
-                <path d="M 8,48 L 80,48" fill="none" stroke="black"></path>
-                <path d="M 168,48 L 256,48" fill="none" stroke="black"></path>
-                <path d="M 304,48 L 376,48" fill="none" stroke="black"></path>
-                <path d="M 424,48 L 496,48" fill="none" stroke="black"></path>
-                <path d="M 8,80 L 80,80" fill="none" stroke="black"></path>
-                <path d="M 168,80 L 256,80" fill="none" stroke="black"></path>
-                <path d="M 304,80 L 376,80" fill="none" stroke="black"></path>
-                <path d="M 424,80 L 496,80" fill="none" stroke="black"></path>
-                <path d="M 296,96 L 336,96" fill="none" stroke="black"></path>
-                <path d="M 352,96 L 448,96" fill="none" stroke="black"></path>
-                <path d="M 464,96 L 504,96" fill="none" stroke="black"></path>
-                <path d="M 48,112 L 304,112" fill="none" stroke="black"></path>
-                <path d="M 440,112 L 456,112" fill="none" stroke="black"></path>
-                <path d="M 48,142 L 72,142" fill="none" stroke="black"></path>
-                <path d="M 48,146 L 72,146" fill="none" stroke="black"></path>
-                <path d="M 184,142 L 208,142" fill="none" stroke="black"></path>
-                <path d="M 184,146 L 208,146" fill="none" stroke="black"></path>
-                <path d="M 40,176 L 136,176" fill="none" stroke="black"></path>
-                <path d="M 256,176 L 336,176" fill="none" stroke="black"></path>
-                <path d="M 48,192 L 128,192" fill="none" stroke="black"></path>
-                <path d="M 256,192 L 344,192" fill="none" stroke="black"></path>
-                <path d="M 40,224 L 208,224" fill="none" stroke="black"></path>
-                <path d="M 272,224 L 456,224" fill="none" stroke="black"></path>
-                <path d="M 504,32 C 512.83064,32 520,39.16936 520,48" fill="none" stroke="black"></path>
-                <path d="M 296,96 C 287.16936,96 280,88.83064 280,80" fill="none" stroke="black"></path>
-                <path d="M 504,96 C 512.83064,96 520,88.83064 520,80" fill="none" stroke="black"></path>
-                <polygon class="arrowhead" points="464,224 452,218.4 452,229.6" fill="black" transform="rotate(0,456,224)"></polygon>
-                <polygon class="arrowhead" points="344,176 332,170.4 332,181.6" fill="black" transform="rotate(0,336,176)"></polygon>
-                <polygon class="arrowhead" points="216,144 204,138.4 204,149.6" fill="black" transform="rotate(0,208,144)"></polygon>
-                <polygon class="arrowhead" points="56,192 44,186.4 44,197.6" fill="black" transform="rotate(180,48,192)"></polygon>
-                <polygon class="arrowhead" points="56,144 44,138.4 44,149.6" fill="black" transform="rotate(180,48,144)"></polygon>
-                <polygon class="arrowhead" points="56,112 44,106.4 44,117.6" fill="black" transform="rotate(180,48,112)"></polygon>
-                <g class="text">
-                  <text x="44" y="68">Client</text>
-                  <text x="212" y="68">Attester</text>
-                  <text x="340" y="68">Issuer</text>
-                  <text x="460" y="68">Origin</text>
-                  <text x="372" y="116">TokenChallenge</text>
-                  <text x="128" y="148">Attestation</text>
-                  <text x="196" y="180">TokenRequest</text>
-                  <text x="192" y="196">TokenResponse</text>
-                  <text x="240" y="228">Token</text>
-                  <text x="456" y="244">|</text>
-                </g>
-              </svg><a href="#section-4.3-2.1.1" class="pilcrow">¶</a>
-</div>
-</div>
-<figcaption><a href="#figure-5" class="selfRef">Figure 5</a>:
-<a href="#name-joint-origin-and-issuer-dep" class="selfRef">Joint Origin and Issuer Deployment Model</a>
-          </figcaption></figure>
-</div>
-<p id="section-4.3-3">This model is useful for Origins that require Client-identifying attestation,
-e.g., through the use of application-layer account information, but do not
-otherwise want to learn information about individual Clients beyond what is
-observed during the token redemption, such as Client IP addresses.<a href="#section-4.3-3" class="pilcrow">¶</a></p>
-<p id="section-4.3-4">In this model, attestation contexts are separate from issuer and redemption
-contexts. As a result, any type of attestation is suitable in this model.<a href="#section-4.3-4" class="pilcrow">¶</a></p>
-<p id="section-4.3-5">Moreover, any type of token challenge is suitable assuming there is more than
-one Origin involved, since no single party will have access to the identifying
-Client information and unique Origin information. Issuers that produce tokens
-for a single Origin are not suitable in this model since an Attester can
-infer the Origin from a token request, as described in <a href="#issue-flow" class="auto internal xref">Section 3.6.3</a>. However,
-since the issuance protocol provides input secrecy, the Attester does not learn
-details about the corresponding token challenge, such as whether the token
-challenge is per-Origin or cross-Origin.<a href="#section-4.3-5" class="pilcrow">¶</a></p>
-</section>
-</div>
-<div id="deploy-split">
-<section id="section-4.4">
-        <h3 id="name-split-origin-attester-issue">
-<a href="#section-4.4" class="section-number selfRef">4.4. </a><a href="#name-split-origin-attester-issue" class="section-name selfRef">Split Origin, Attester, Issuer</a>
-        </h3>
-<p id="section-4.4-1">In this model, the Origin, Attester, and Issuer are all operated by different
-entities. As with the joint Origin and Issuer model, the Issuer accepts token
-requests that come from trusted Attesters, and the details of that trust
-establishment depend on the issuance protocol and relationship between
-Attester and Issuer; see <a href="#privacy-and-trust" class="auto internal xref">Section 3.3</a>. This arrangement is shown
-in <a href="#fig-overview" class="auto internal xref">Figure 1</a>.<a href="#section-4.4-1" class="pilcrow">¶</a></p>
-<p id="section-4.4-2">This is the most general deployment model, and is necessary for some
-types of issuance protocols where the Attester plays a role in token
-issuance; see <span>[<a href="#RATE-LIMITED" class="cite xref">RATE-LIMITED</a>]</span> for one such type of issuance protocol.<a href="#section-4.4-2" class="pilcrow">¶</a></p>
-<p id="section-4.4-3">In this model, the Attester, Issuer, and Origin have a separate view
-of the Client: the Attester sees potentially sensitive Client identifying
-information, such as account identifiers or IP addresses, the Issuer
-sees only the information necessary for issuance, and the Origin sees
-token challenges, corresponding tokens, and Client source information,
-such as their IP address. As a result, attestation, issuance, and redemption
-contexts are separate, and therefore any type of token challenge is suitable in
-this model as long as there is more than a single Origin.<a href="#section-4.4-3" class="pilcrow">¶</a></p>
-<p id="section-4.4-4">As in the Joint Origin and Issuer model in <a href="#deploy-joint-origin" class="auto internal xref">Section 4.3</a>, and as
-described in <a href="#issue-flow" class="auto internal xref">Section 3.6.3</a>, if the Issuer produces tokens for a single Origin,
-then per-Origin tokens are not appropriate since the Attester can infer the
-Origin from a token request.<a href="#section-4.4-4" class="pilcrow">¶</a></p>
-</section>
-</div>
-</section>
-</div>
-<div id="deployment-considerations">
-<section id="section-5">
-      <h2 id="name-deployment-considerations">
-<a href="#section-5" class="section-number selfRef">5. </a><a href="#name-deployment-considerations" class="section-name selfRef">Deployment Considerations</a>
-      </h2>
-<p id="section-5-1"><a href="#deployment" class="auto internal xref">Section 4</a> discusses deployment models that are possible in practice.
-Beyond possible implications on security and privacy properties of the
-resulting system, Privacy Pass deployments can impact the overall ecosystem
-in two important ways: (1) discriminatory treatment of Clients and the gated
-access to otherwise open services, and (2) centralization. This section
-describes considerations relevant to these topics.<a href="#section-5-1" class="pilcrow">¶</a></p>
-<div id="discrimination">
-<section id="section-5.1">
-        <h3 id="name-discriminatory-treatment">
-<a href="#section-5.1" class="section-number selfRef">5.1. </a><a href="#name-discriminatory-treatment" class="section-name selfRef">Discriminatory Treatment</a>
-        </h3>
-<p id="section-5.1-1">Origins can use tokens as a signal for distinguishing between Clients
-that are capable of completing attestation with one Attester trusted by the
-Origin's chosen Issuer, and Clients that are not capable of doing the same. A
-consequence of this is that Privacy Pass could enable discriminatory treatment
-of Clients based on Attestation support. For example, an Origin could only
-authorize Clients that successfully authenticate with a token, prohibiting access
-to all other Clients.<a href="#section-5.1-1" class="pilcrow">¶</a></p>
-<p id="section-5.1-2">The type of attestation procedures supported for a particular deployment depends
-greatly on the use case. For example, consider a proprietary deployment of Privacy Pass
-that authorizes clients to access a resource such as an anonymization service. In this
-context, it is reasonable to support specific types of attestation procedures that
-demonstrate Clients can access the resource, such as with an account or specific
-type of device. However, in open deployments of Privacy Pass that are used to
-safeguard access to otherwise open or publicly accessible resources, diversity
-in attestation procedures is critically important so as to not discriminate against
-Clients that choose certain software, hardware, or identity providers.<a href="#section-5.1-2" class="pilcrow">¶</a></p>
-<p id="section-5.1-3">In principle, Issuers should strive to mitigate discriminatory behavior by
-providing equitable access to all Clients. This can be done by working with a
-set of Attesters that are suitable for all Clients. In practice, this may require
-tradeoffs in what type of attestation Issuers are willing to trust so as to
-enable more widespread support. In other words, trusting a variety of Attesters
-with a diverse set of attestation procedures would presumably increase support
-among Clients, though most likely at the expense of decreasing the overall value
-of tokens issued by the Issuer.<a href="#section-5.1-3" class="pilcrow">¶</a></p>
-<p id="section-5.1-4">For example, to disallow discriminatory behavior between Clients with and
-without device attestation support, an Issuer may wish to support Attesters
-that support CAPTCHA-based attestation. This means that the overall attestation
-value of a Privacy Pass token is bound by the difficulty in spoofing or
-bypassing either one of these attestation procedures.<a href="#section-5.1-4" class="pilcrow">¶</a></p>
-</section>
-</div>
-<div id="centralization">
-<section id="section-5.2">
-        <h3 id="name-centralization">
-<a href="#section-5.2" class="section-number selfRef">5.2. </a><a href="#name-centralization" class="section-name selfRef">Centralization</a>
-        </h3>
-<p id="section-5.2-1">A consequence of limiting the number of participants (Attesters or Issuers) in
-Privacy Pass deployments for meaningful privacy is that it forces concentrated
-centralization amongst those participants.
-<span>[<a href="#CENTRALIZATION" class="cite xref">CENTRALIZATION</a>]</span> discusses
-several ways in which this might be mitigated. For example, a multi-stakeholder
-governance model could be established to determine what candidate participants
-are fit to operate as participants in a Privacy Pass deployment. This is
-precisely the system used to control the Web's trust model.<a href="#section-5.2-1" class="pilcrow">¶</a></p>
-<p id="section-5.2-2">Alternatively, Privacy Pass deployments might mitigate this problem through
-implementation. For example, rather than centralize the role of attestation
-in one or few entities, attestation could be a distributed function performed
-by a quorum of many parties, provided that neither Issuers nor Origins learn
-which Attester implementations were chosen. As a result, Clients could have
-more opportunities to switch between attestation participants.<a href="#section-5.2-2" class="pilcrow">¶</a></p>
-</section>
-</div>
-</section>
-</div>
-<div id="privacy">
-<section id="section-6">
-      <h2 id="name-privacy-considerations">
-<a href="#section-6" class="section-number selfRef">6. </a><a href="#name-privacy-considerations" class="section-name selfRef">Privacy Considerations</a>
-      </h2>
-<p id="section-6-1">The previous section discusses the impact of deployment details on
-Origin-Client, Issuer-Client, and Attester-Origin unlinkability.
-The value these properties affords to end users depends on
-the size of anonymity sets in which Clients or Origins are
-unlinkable. For example, consider two different deployments, one wherein
-there exists a redemption anonymity set of size two and another
-wherein there redemption anonymity set of size 2<sup>32</sup>. Although
-Origin-Client unlinkability guarantees that the Origin cannot link any two
-requests to the same Client based on these contexts, respectively, the
-probability of determining the "true" Client is higher the smaller these
-sets become.<a href="#section-6-1" class="pilcrow">¶</a></p>
-<p id="section-6-2">In practice, there are a number of ways in which the size of anonymity sets
-may be reduced or partitioned, though they all center around the concept of
-consistency. In particular, by definition, all Clients in an anonymity set
-share a consistent view of information needed to run the issuance and
-redemption protocols. An example type of information needed to run these
-protocols is the Issuer public key. When two Clients have inconsistent
-information, these Clients effectively have different redemption contexts and
-therefore belong in different anonymity sets.<a href="#section-6-2" class="pilcrow">¶</a></p>
-<p id="section-6-3">The following sections discuss issues that can influence anonymity set size.
-For each issue, we discuss mitigations or safeguards to protect against the
-underlying problem.<a href="#section-6-3" class="pilcrow">¶</a></p>
-<div id="metadata-privacy">
-<section id="section-6.1">
-        <h3 id="name-partitioning-by-issuance-me">
-<a href="#section-6.1" class="section-number selfRef">6.1. </a><a href="#name-partitioning-by-issuance-me" class="section-name selfRef">Partitioning by Issuance Metadata</a>
-        </h3>
-<p id="section-6.1-1">Any public or private metadata bits of information can be used to further
-segment the size of the Client's anonymity set. Any Issuer that wanted to
-track a single Client could add a single metadata bit to Client tokens. For
-the tracked Client it would set the bit to <code>1</code>, and <code>0</code> otherwise. Adding
-additional bits provides an exponential increase in tracking granularity
-similarly to introducing more Issuers (though with more potential targeting).<a href="#section-6.1-1" class="pilcrow">¶</a></p>
-<p id="section-6.1-2">For this reason, deployments should take the amount of metadata used by an Issuer
-in creating redemption tokens must into account -- together with the bits
-of information that Issuers may learn about Clients otherwise. Since this
-metadata may be useful for practical deployments of Privacy Pass, Issuers
-must balance this against the reduction in Client privacy.<a href="#section-6.1-2" class="pilcrow">¶</a></p>
-<p id="section-6.1-3">The number of permitted metadata values often depends on deployment-specific
-details. In general, limiting the amount of metadata permitted helps limit the
-extent to which metadata can uniquely identify individual Clients. Failure to
-bound the number of possible metadata values can therefore lead to reduction in
-Client privacy. Most token types do not admit any metadata, so this bound is
-implicitly enforced.<a href="#section-6.1-3" class="pilcrow">¶</a></p>
-</section>
-</div>
-<div id="rotation-and-consistency">
-<section id="section-6.2">
-        <h3 id="name-partitioning-by-issuance-co">
-<a href="#section-6.2" class="section-number selfRef">6.2. </a><a href="#name-partitioning-by-issuance-co" class="section-name selfRef">Partitioning by Issuance Consistency</a>
-        </h3>
-<p id="section-6.2-1">Anonymity sets can be partitioned by information used for the issuance
-protocol, including: metadata, Issuer configuration (keys), and Issuer
-selection.<a href="#section-6.2-1" class="pilcrow">¶</a></p>
-<p id="section-6.2-2">Any issuance metadata bits of information can be used to partition the Client
-anonymity set. For example, any Issuer that wanted to track a single Client
-could add a single metadata bit to Client tokens. For the tracked Client it
-would set the bit to <code>1</code>, and <code>0</code> otherwise. Adding additional bits provides an
-exponential increase in tracking granularity similarly to introducing more
-Issuers (though with more potential targeting).<a href="#section-6.2-2" class="pilcrow">¶</a></p>
-<p id="section-6.2-3">The number of active Issuer configurations also contributes to anonymity set
-partitioning. In particular, when an Issuer updates their configuration and
-the corresponding key pair, any Client that invokes the issuance protocol with
-this configuration becomes part of a set of Clients which also ran the
-issuance protocol using the same configuration. Issuer configuration updates,
-e.g., due to key rotation, are an important part of hedging against long-term
-private key compromise. In general, key rotations represent a trade-off between
-Client privacy and Issuer security. Therefore, it is important that key
-rotations occur on a regular cycle to reduce the harm of an Issuer key
-compromise.<a href="#section-6.2-3" class="pilcrow">¶</a></p>
-<p id="section-6.2-4">Lastly, if Clients are willing to issue and redeem tokens from a large number
-of Issuers for a specific Origin, and that Origin accepts tokens from all
-Issuers, partitioning can occur. As an example, if a Client obtains tokens from
-many Issuers and an Origin later challenges that Client for a token from each
-Issuer, the Origin can learn information about the Client. This arrangement
-might happen if Clients request tokens from different Issuers, each of which
-have different Attester preferences. Each per-Issuer token that a Client holds
-essentially corresponds to a bit of information about the Client that Origin
-learns. Therefore, there is an exponential loss in privacy relative to the
-number of Issuers.<a href="#section-6.2-4" class="pilcrow">¶</a></p>
-<p id="section-6.2-5">The fundamental problem here is that the number of possible issuance
-configurations, including the keys in use and the Issuer identities themselves,
-can partition the Client anonymity set. To mitigate this problem, Clients
-SHOULD bound the number of active issuance configurations per Origin as well as
-across Origins. Moreover, Clients SHOULD employ some form of consistency
-mechanism to ensure that they receive the same configuration information and
-are not being actively partitioned into smaller anonymity sets. See
-<span>[<a href="#CONSISTENCY" class="cite xref">CONSISTENCY</a>]</span> for possible consistency
-mechanisms. Depending on the deployment, the Attester might assist the Client
-in applying these consistency checks across clients. Failure to apply a
-consistency check can allow Client-specific keys to violate Origin-Client
-unlinkability.<a href="#section-6.2-5" class="pilcrow">¶</a></p>
-</section>
-</div>
-<div id="partitioning-by-side-channels">
-<section id="section-6.3">
-        <h3 id="name-partitioning-by-side-channe">
-<a href="#section-6.3" class="section-number selfRef">6.3. </a><a href="#name-partitioning-by-side-channe" class="section-name selfRef">Partitioning by Side-Channels</a>
-        </h3>
-<p id="section-6.3-1">Side-channel attacks, such as those based on timing correlation, could be
-used to reduce anonymity set size. In particular,
-for interactive tokens that are bound to a Client-specific redemption
-context, the anonymity set of Clients during the issuance protocol consists
-of those Clients that started issuance between the time of the Origin's
-challenge and the corresponding token redemption. Depending on the number
-of Clients using a particular Issuer during that time window, the set can
-be small. Applications should take such side channels into consideration before
-choosing a particular deployment model and type of token challenge and
-redemption context.<a href="#section-6.3-1" class="pilcrow">¶</a></p>
-</section>
-</div>
-</section>
-</div>
-<div id="security">
-<section id="section-7">
-      <h2 id="name-security-considerations">
-<a href="#section-7" class="section-number selfRef">7. </a><a href="#name-security-considerations" class="section-name selfRef">Security Considerations</a>
-      </h2>
-<p id="section-7-1">This document describes security and privacy requirements for the Privacy Pass
-redemption and issuance protocols. It also describes deployment models built
-around non-collusion assumptions and privacy considerations for using Privacy
-Pass within those models. Ensuring Client privacy -- separation of attestation
-and redemption contexts -- requires active work on behalf of the Client,
-especially in the presence of malicious Issuers and Origins. Implementing
-mitigations discussed in <a href="#deployment" class="auto internal xref">Section 4</a> and <a href="#privacy" class="auto internal xref">Section 6</a> is therefore necessary
-to ensure that Privacy Pass offers meaningful privacy improvements to end-users.<a href="#section-7-1" class="pilcrow">¶</a></p>
-<div id="hoarding">
-<section id="section-7.1">
-        <h3 id="name-token-caching">
-<a href="#section-7.1" class="section-number selfRef">7.1. </a><a href="#name-token-caching" class="section-name selfRef">Token Caching</a>
-        </h3>
-<p id="section-7.1-1">Depending on the Origin's token challenge, Clients can request and cache more
-than one token using an issuance protocol. Cached tokens help improve privacy by
-separating the time of token issuance from the time of token redemption, and
-also allow Clients to reduce the overhead of receiving new tokens via the
-issuance protocol.<a href="#section-7.1-1" class="pilcrow">¶</a></p>
-<p id="section-7.1-2">As a consequence, Origins that send token challenges which are compatible with
-cached tokens need to take precautions to ensure that tokens are not replayed.
-This is typically done via keeping track of tokens that are redeemed for the
-period of time in which cached tokens would be accepted for particular
-challenges.<a href="#section-7.1-2" class="pilcrow">¶</a></p>
-<p id="section-7.1-3">Moreover, since tokens are not intrinsically bound to Clients, it is possible
-for malicious Clients to collude and share tokens in a so-called "hoarding
-attack." As an example of this attack, many distributed Clients could obtain
-cacheable tokens and then share them with a single Client to redeem in a way
-that would violate an Origin's attempt to limit tokens to any one particular
-Client. In general, mechanisms for mitigating hoarding attacks depend on the
-deployment model and use case. For example, in the Joint Origin and Issuer model,
-comparing the issuance and redemption contexts can help detect hoarding attacks,
-i.e., if the distribution of redemption contexts is noticeably different from the
-distribution of issuance contexts. Rate limiting issuance, either at the Client,
-Attester, or Issuer, can also help mitigate these attacks.<a href="#section-7.1-3" class="pilcrow">¶</a></p>
-</section>
-</div>
-</section>
-</div>
-<div id="iana">
-<section id="section-8">
-      <h2 id="name-iana-considerations">
-<a href="#section-8" class="section-number selfRef">8. </a><a href="#name-iana-considerations" class="section-name selfRef">IANA Considerations</a>
-      </h2>
-<p id="section-8-1">This document has no IANA actions.<a href="#section-8-1" class="pilcrow">¶</a></p>
-</section>
-</div>
-<section id="section-9">
-      <h2 id="name-references">
-<a href="#section-9" class="section-number selfRef">9. </a><a href="#name-references" class="section-name selfRef">References</a>
-      </h2>
-<div id="sec-normative-references">
-<section id="section-9.1">
-        <h3 id="name-normative-references">
-<a href="#section-9.1" class="section-number selfRef">9.1. </a><a href="#name-normative-references" class="section-name selfRef">Normative References</a>
-        </h3>
-<dl class="references">
-<dt id="AUTHSCHEME">[AUTHSCHEME]</dt>
-        <dd>
-<span class="refAuthor">Pauly, T.</span>, <span class="refAuthor">Valdez, S.</span>, and <span class="refAuthor">C. A. Wood</span>, <span class="refTitle">"The Privacy Pass HTTP Authentication Scheme"</span>, <span class="refContent">Work in Progress</span>, <span class="seriesInfo">Internet-Draft, draft-ietf-privacypass-auth-scheme-14</span>, <time datetime="2023-09-25" class="refDate">25 September 2023</time>, <span>&lt;<a href="https://datatracker.ietf.org/doc/html/draft-ietf-privacypass-auth-scheme-14">https://datatracker.ietf.org/doc/html/draft-ietf-privacypass-auth-scheme-14</a>&gt;</span>. </dd>
-<dd class="break"></dd>
-<dt id="RFC2119">[RFC2119]</dt>
-        <dd>
-<span class="refAuthor">Bradner, S.</span>, <span class="refTitle">"Key words for use in RFCs to Indicate Requirement Levels"</span>, <span class="seriesInfo">BCP 14</span>, <span class="seriesInfo">RFC 2119</span>, <span class="seriesInfo">DOI 10.17487/RFC2119</span>, <time datetime="1997-03" class="refDate">March 1997</time>, <span>&lt;<a href="https://www.rfc-editor.org/rfc/rfc2119">https://www.rfc-editor.org/rfc/rfc2119</a>&gt;</span>. </dd>
-<dd class="break"></dd>
-<dt id="RFC8174">[RFC8174]</dt>
-      <dd>
-<span class="refAuthor">Leiba, B.</span>, <span class="refTitle">"Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words"</span>, <span class="seriesInfo">BCP 14</span>, <span class="seriesInfo">RFC 8174</span>, <span class="seriesInfo">DOI 10.17487/RFC8174</span>, <time datetime="2017-05" class="refDate">May 2017</time>, <span>&lt;<a href="https://www.rfc-editor.org/rfc/rfc8174">https://www.rfc-editor.org/rfc/rfc8174</a>&gt;</span>. </dd>
-<dd class="break"></dd>
-</dl>
-</section>
-</div>
-<div id="sec-informative-references">
-<section id="section-9.2">
-        <h3 id="name-informative-references">
-<a href="#section-9.2" class="section-number selfRef">9.2. </a><a href="#name-informative-references" class="section-name selfRef">Informative References</a>
-        </h3>
-<dl class="references">
-<dt id="CENTRALIZATION">[CENTRALIZATION]</dt>
-        <dd>
-<span class="refAuthor">Nottingham, M.</span>, <span class="refTitle">"Centralization, Decentralization, and Internet Standards"</span>, <span class="refContent">Work in Progress</span>, <span class="seriesInfo">Internet-Draft, draft-nottingham-avoiding-internet-centralization-14</span>, <time datetime="2023-09-14" class="refDate">14 September 2023</time>, <span>&lt;<a href="https://datatracker.ietf.org/doc/html/draft-nottingham-avoiding-internet-centralization-14">https://datatracker.ietf.org/doc/html/draft-nottingham-avoiding-internet-centralization-14</a>&gt;</span>. </dd>
-<dd class="break"></dd>
-<dt id="CONSISTENCY">[CONSISTENCY]</dt>
-        <dd>
-<span class="refAuthor">Davidson, A.</span>, <span class="refAuthor">Finkel, M.</span>, <span class="refAuthor">Thomson, M.</span>, and <span class="refAuthor">C. A. Wood</span>, <span class="refTitle">"Key Consistency and Discovery"</span>, <span class="refContent">Work in Progress</span>, <span class="seriesInfo">Internet-Draft, draft-ietf-privacypass-key-consistency-01</span>, <time datetime="2023-07-10" class="refDate">10 July 2023</time>, <span>&lt;<a href="https://datatracker.ietf.org/doc/html/draft-ietf-privacypass-key-consistency-01">https://datatracker.ietf.org/doc/html/draft-ietf-privacypass-key-consistency-01</a>&gt;</span>. </dd>
-<dd class="break"></dd>
-<dt id="DMS2004">[DMS2004]</dt>
-        <dd>
-<span class="refAuthor">Dingledine, R.</span>, <span class="refAuthor">Mathewson, N.</span>, and <span class="refAuthor">P. Syverson</span>, <span class="refTitle">"Tor: The Second-Generation Onion Router"</span>, <time datetime="2004-08" class="refDate">August 2004</time>, <span>&lt;<a href="https://svn.torproject.org/svn/projects/design-paper/tor-design.html">https://svn.torproject.org/svn/projects/design-paper/tor-design.html</a>&gt;</span>. </dd>
-<dd class="break"></dd>
-<dt id="HIJK21">[HIJK21]</dt>
-        <dd>
-<span class="refAuthor">Huang, S.</span>, <span class="refAuthor">Iyengar, S.</span>, <span class="refAuthor">Jeyaraman, S.</span>, <span class="refAuthor">Kushwah, S.</span>, <span class="refAuthor">Lee, C. K.</span>, <span class="refAuthor">Luo, Z.</span>, <span class="refAuthor">Mohassel, P.</span>, <span class="refAuthor">Raghunathan, A.</span>, <span class="refAuthor">Shaikh, S.</span>, <span class="refAuthor">Sung, Y. C.</span>, and <span class="refAuthor">A. Zhang</span>, <span class="refTitle">"PrivateStats: De-Identified Authenticated Logging at Scale"</span>, <time datetime="2021-01" class="refDate">January 2021</time>, <span>&lt;<a href="https://research.fb.com/privatestats">https://research.fb.com/privatestats</a>&gt;</span>. </dd>
-<dd class="break"></dd>
-<dt id="ISSUANCE">[ISSUANCE]</dt>
-        <dd>
-<span class="refAuthor">Celi, S.</span>, <span class="refAuthor">Davidson, A.</span>, <span class="refAuthor">Valdez, S.</span>, and <span class="refAuthor">C. A. Wood</span>, <span class="refTitle">"Privacy Pass Issuance Protocol"</span>, <span class="refContent">Work in Progress</span>, <span class="seriesInfo">Internet-Draft, draft-ietf-privacypass-protocol-16</span>, <time datetime="2023-10-03" class="refDate">3 October 2023</time>, <span>&lt;<a href="https://datatracker.ietf.org/doc/html/draft-ietf-privacypass-protocol-16">https://datatracker.ietf.org/doc/html/draft-ietf-privacypass-protocol-16</a>&gt;</span>. </dd>
-<dd class="break"></dd>
-<dt id="KLOR20">[KLOR20]</dt>
-        <dd>
-<span class="refAuthor">Kreuter, B.</span>, <span class="refAuthor">Lepoint, T.</span>, <span class="refAuthor">Orrù, M.</span>, and <span class="refAuthor">M. Raykova</span>, <span class="refTitle">"Anonymous Tokens with Private Metadata Bit"</span>, <span class="refContent">Springer International Publishing</span>, <span class="seriesInfo">Advances in Cryptology – CRYPTO 2020 pp. 308-336</span>, <span class="seriesInfo">DOI 10.1007/978-3-030-56784-2_11</span>, <span class="seriesInfo">ISBN ["9783030567835", "9783030567842"]</span>, <time datetime="2020" class="refDate">2020</time>, <span>&lt;<a href="https://doi.org/10.1007/978-3-030-56784-2_11">https://doi.org/10.1007/978-3-030-56784-2_11</a>&gt;</span>. </dd>
-<dd class="break"></dd>
-<dt id="OHTTP">[OHTTP]</dt>
-        <dd>
-<span class="refAuthor">Thomson, M.</span> and <span class="refAuthor">C. A. Wood</span>, <span class="refTitle">"Oblivious HTTP"</span>, <span class="refContent">Work in Progress</span>, <span class="seriesInfo">Internet-Draft, draft-ietf-ohai-ohttp-10</span>, <time datetime="2023-08-25" class="refDate">25 August 2023</time>, <span>&lt;<a href="https://datatracker.ietf.org/doc/html/draft-ietf-ohai-ohttp-10">https://datatracker.ietf.org/doc/html/draft-ietf-ohai-ohttp-10</a>&gt;</span>. </dd>
-<dd class="break"></dd>
-<dt id="PrivacyPassCloudflare">[PrivacyPassCloudflare]</dt>
-        <dd>
-<span class="refAuthor">Sullivan, N.</span>, <span class="refTitle">"Cloudflare Supports Privacy Pass"</span>, <span>n.d.</span>, <span>&lt;<a href="https://blog.cloudflare.com/cloudflare-supports-privacy-pass/">https://blog.cloudflare.com/cloudflare-supports-privacy-pass/</a>&gt;</span>. </dd>
-<dd class="break"></dd>
-<dt id="PrivacyPassExtension">[PrivacyPassExtension]</dt>
-        <dd>
-<span class="refTitle">"Privacy Pass Browser Extension"</span>, <span>n.d.</span>, <span>&lt;<a href="https://github.com/privacypass/challenge-bypass-extension">https://github.com/privacypass/challenge-bypass-extension</a>&gt;</span>. </dd>
-<dd class="break"></dd>
-<dt id="RATE-LIMITED">[RATE-LIMITED]</dt>
-        <dd>
-<span class="refAuthor">Hendrickson, S.</span>, <span class="refAuthor">Iyengar, J.</span>, <span class="refAuthor">Pauly, T.</span>, <span class="refAuthor">Valdez, S.</span>, and <span class="refAuthor">C. A. Wood</span>, <span class="refTitle">"Rate-Limited Token Issuance Protocol"</span>, <span class="refContent">Work in Progress</span>, <span class="seriesInfo">Internet-Draft, draft-privacypass-rate-limit-tokens-03</span>, <time datetime="2022-07-06" class="refDate">6 July 2022</time>, <span>&lt;<a href="https://datatracker.ietf.org/doc/html/draft-privacypass-rate-limit-tokens-03">https://datatracker.ietf.org/doc/html/draft-privacypass-rate-limit-tokens-03</a>&gt;</span>. </dd>
-<dd class="break"></dd>
-<dt id="RFC9334">[RFC9334]</dt>
-      <dd>
-<span class="refAuthor">Birkholz, H.</span>, <span class="refAuthor">Thaler, D.</span>, <span class="refAuthor">Richardson, M.</span>, <span class="refAuthor">Smith, N.</span>, and <span class="refAuthor">W. Pan</span>, <span class="refTitle">"Remote ATtestation procedureS (RATS) Architecture"</span>, <span class="seriesInfo">RFC 9334</span>, <span class="seriesInfo">DOI 10.17487/RFC9334</span>, <time datetime="2023-01" class="refDate">January 2023</time>, <span>&lt;<a href="https://www.rfc-editor.org/rfc/rfc9334">https://www.rfc-editor.org/rfc/rfc9334</a>&gt;</span>. </dd>
-<dd class="break"></dd>
-</dl>
-</section>
-</div>
-</section>
-<div id="acknowledgements">
-<section id="appendix-A">
-      <h2 id="name-acknowledgements">
-<a href="#appendix-A" class="section-number selfRef">Appendix A. </a><a href="#name-acknowledgements" class="section-name selfRef">Acknowledgements</a>
-      </h2>
-<p id="appendix-A-1">The authors would like to thank Eric Kinnear, Scott Hendrickson, Tommy Pauly,
-Christopher Patton, Benjamin Schwartz, Martin Thomson, Steven Valdez and other
-contributors of the Privacy Pass Working Group for many helpful contributions
-to this document.<a href="#appendix-A-1" class="pilcrow">¶</a></p>
-</section>
-</div>
-<div id="authors-addresses">
-<section id="appendix-B">
-      <h2 id="name-authors-addresses">
-<a href="#name-authors-addresses" class="section-name selfRef">Authors' Addresses</a>
-      </h2>
-<address class="vcard">
-        <div dir="auto" class="left"><span class="fn nameRole">Alex Davidson</span></div>
-<div dir="auto" class="left"><span class="org">LIP</span></div>
-<div dir="auto" class="left"><span class="locality">Lisbon</span></div>
-<div dir="auto" class="left"><span class="country-name">Portugal</span></div>
-<div class="email">
-<span>Email:</span>
-<a href="mailto:alex.davidson92@gmail.com" class="email">alex.davidson92@gmail.com</a>
-</div>
-</address>
-<address class="vcard">
-        <div dir="auto" class="left"><span class="fn nameRole">Jana Iyengar</span></div>
-<div dir="auto" class="left"><span class="org">Fastly</span></div>
-<div class="email">
-<span>Email:</span>
-<a href="mailto:jri@fastly.com" class="email">jri@fastly.com</a>
-</div>
-</address>
-<address class="vcard">
-        <div dir="auto" class="left"><span class="fn nameRole">Christopher A. Wood</span></div>
-<div dir="auto" class="left"><span class="org">Cloudflare</span></div>
-<div dir="auto" class="left"><span class="street-address">101 Townsend St</span></div>
-<div dir="auto" class="left">
-<span class="locality">San Francisco</span>,  </div>
-<div dir="auto" class="left"><span class="country-name">United States of America</span></div>
-<div class="email">
-<span>Email:</span>
-<a href="mailto:caw@heapingbits.net" class="email">caw@heapingbits.net</a>
-</div>
-</address>
-</section>
-</div>
-<script>const toc = document.getElementById("toc");
-toc.querySelector("h2").addEventListener("click", e => {
-  toc.classList.toggle("active");
-});
-toc.querySelector("nav").addEventListener("click", e => {
-  toc.classList.remove("active");
-});
-</script>
-</body>
-</html>
diff --git a/chris-wood-patch-8/draft-ietf-privacypass-architecture.txt b/chris-wood-patch-8/draft-ietf-privacypass-architecture.txt
deleted file mode 100644
index 13e3d435..00000000
--- a/chris-wood-patch-8/draft-ietf-privacypass-architecture.txt
+++ /dev/null
@@ -1,1379 +0,0 @@
-
-
-
-
-Network Working Group                                        A. Davidson
-Internet-Draft                                                       LIP
-Intended status: Informational                                J. Iyengar
-Expires: 15 April 2024                                            Fastly
-                                                              C. A. Wood
-                                                              Cloudflare
-                                                         13 October 2023
-
-
-                     The Privacy Pass Architecture
-               draft-ietf-privacypass-architecture-latest
-
-Abstract
-
-   This document specifies the Privacy Pass architecture and
-   requirements for its constituent protocols used for authorization
-   based on privacy-preserving authentication mechanisms.  It describes
-   the conceptual model of Privacy Pass and its protocols, its security
-   and privacy goals, practical deployment models, and recommendations
-   for each deployment model that helps ensure the desired security and
-   privacy goals are fulfilled.
-
-Status of This Memo
-
-   This Internet-Draft is submitted in full conformance with the
-   provisions of BCP 78 and BCP 79.
-
-   Internet-Drafts are working documents of the Internet Engineering
-   Task Force (IETF).  Note that other groups may also distribute
-   working documents as Internet-Drafts.  The list of current Internet-
-   Drafts is at https://datatracker.ietf.org/drafts/current/.
-
-   Internet-Drafts are draft documents valid for a maximum of six months
-   and may be updated, replaced, or obsoleted by other documents at any
-   time.  It is inappropriate to use Internet-Drafts as reference
-   material or to cite them other than as "work in progress."
-
-   This Internet-Draft will expire on 15 April 2024.
-
-Copyright Notice
-
-   Copyright (c) 2023 IETF Trust and the persons identified as the
-   document authors.  All rights reserved.
-
-   This document is subject to BCP 78 and the IETF Trust's Legal
-   Provisions Relating to IETF Documents (https://trustee.ietf.org/
-   license-info) in effect on the date of publication of this document.
-   Please review these documents carefully, as they describe your rights
-   and restrictions with respect to this document.  Code Components
-   extracted from this document must include Revised BSD License text as
-   described in Section 4.e of the Trust Legal Provisions and are
-   provided without warranty as described in the Revised BSD License.
-
-Table of Contents
-
-   1.  Introduction
-   2.  Terminology
-   3.  Architecture
-     3.1.  Overview
-     3.2.  Use Cases
-     3.3.  Privacy Goals and Threat Model
-     3.4.  Redemption Protocol
-     3.5.  Issuance Protocol
-       3.5.1.  Attester Role
-       3.5.2.  Issuer Role
-       3.5.3.  Issuance Metadata
-       3.5.4.  Future Issuance Protocol Requirements
-     3.6.  Information Flow
-       3.6.1.  Token Challenge Flow
-       3.6.2.  Attestation Flow
-       3.6.3.  Issuance Flow
-       3.6.4.  Token Redemption Flow
-   4.  Deployment Models
-     4.1.  Shared Origin, Attester, Issuer
-     4.2.  Joint Attester and Issuer
-     4.3.  Joint Origin and Issuer
-     4.4.  Split Origin, Attester, Issuer
-   5.  Deployment Considerations
-     5.1.  Discriminatory Treatment
-     5.2.  Centralization
-   6.  Privacy Considerations
-     6.1.  Partitioning by Issuance Metadata
-     6.2.  Partitioning by Issuance Consistency
-     6.3.  Partitioning by Side-Channels
-   7.  Security Considerations
-     7.1.  Token Caching
-   8.  IANA Considerations
-   9.  References
-     9.1.  Normative References
-     9.2.  Informative References
-   Appendix A.  Acknowledgements
-   Authors' Addresses
-
-1.  Introduction
-
-   Privacy Pass is an architecture for authorization based on privacy-
-   preserving authentication mechanisms.  In other words, relying
-   parties authenticate clients in a privacy-preserving way, i.e.,
-   without learning any unique, per-client information through the
-   authentication protocol, and then make authorization decisions on the
-   basis of that authentication succeeding or failing.  Possible
-   authorization decisions might be to provide clients with read access
-   to a particular resource or write access to a particular resource.
-
-   Typical approaches for authorizing clients, such as through the use
-   of long-term state (cookies), are not privacy-friendly since they
-   allow servers to track clients across sessions and interactions.
-   Privacy Pass takes a different approach: instead of presenting
-   linkable state-carrying information to servers, e.g., a cookie
-   indicating whether or not the client is an authorized user or has
-   completed some prior challenge, clients present unlinkable proofs
-   that attest to this information.  These proofs, or tokens, are
-   private in the sense that a given token cannot be linked to the
-   protocol interaction where that token was initially issued.
-
-   At a high level, the Privacy Pass architecture consists of two
-   protocols: redemption and issuance.  The redemption protocol,
-   described in [AUTHSCHEME], runs between Clients and Origins
-   (servers).  It allows Origins to challenge Clients to present tokens
-   for consumption.  Origins verify the token to authenticate the Client
-   -- without learning any specific information about the Client -- and
-   then make an authorization decision on the basis of the token
-   verifying successfully or not.  Depending on the type of token, e.g.,
-   whether or not it can be cached, the Client either presents a
-   previously obtained token or invokes an issuance protocol, such as
-   [ISSUANCE], to acquire a token to present as authorization.
-
-   This document describes requirements for both redemption and issuance
-   protocols and how they interact.  It also provides recommendations on
-   how the architecture should be deployed to ensure the privacy of
-   clients and the security of all participating entities.
-
-2.  Terminology
-
-   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
-   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
-   "OPTIONAL" in this document are to be interpreted as described in
-   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
-   capitals, as shown here.
-
-   The following terms are used throughout this document:
-
-   Client:  An entity that seeks authorization to an Origin.  Using
-      [RFC9334] terminology, Clients implement the RATS Attester role.
-
-   Token:  A cryptographic authentication message used for authorization
-      decisions, produced as output from an issuance mechanism or
-      protocol.
-
-   Origin:  An entity that consumes tokens presented by Clients and uses
-      them to make authorization decisions.
-
-   Token challenge:  The mechanism by which Origins request tokens from
-      Clients, often denoted TokenChallenge.
-
-   Token request:  A message used by Clients to request a token from an
-      Issuer, often denoted TokenRequest.
-
-   Token response:  A message used by Issuers to send tokens to a
-      Client, often denoted TokenResponse.
-
-   Redemption:  The mechanism by which Clients present tokens to Origins
-      for the purposes of authorization.
-
-   Issuer:  An entity that issues tokens to Clients for properties
-      attested to by the Attester.
-
-   Issuance:  The mechanism by which an Issuer produces tokens for
-      Clients.
-
-   Attester:  An entity that attests to properties of Clients for the
-      purposes of token issuance.  Using [RFC9334] terminology,
-      Attesters implement the RATS Verifier role.
-
-   Attestation procedure:  The procedure by which an Attester determines
-      whether or not a Client has the specific set of properties that
-      are necessary for token issuance.
-
-   The trust relationships between each of the entities in this list is
-   further elaborated upon in Section 3.3.
-
-3.  Architecture
-
-   The Privacy Pass architecture consists of four logical entities --
-   Client, Origin, Issuer, and Attester -- that work in concert for
-   token redemption and issuance.  This section presents an overview of
-   Privacy Pass, a high-level description of the threat model and
-   privacy goals of the architecture, and the goals and requirements of
-   the redemption and issuance protocols.  Deployment variations for the
-   Origin, Issuer, and Attester in this architecture, including
-   considerations for implementing these entities, are further discussed
-   in Section 4.
-
-3.1.  Overview
-
-   This section describes the typical interaction flow for Privacy Pass.
-
-   1.  A Client interacts with an Origin by sending a request or
-       otherwise interacting with the Origin in a way that triggers a
-       response containing a token challenge.  The token challenge
-       indicates a specific Issuer to use.
-
-   2.  If the Client already has a token available that satisfies the
-       token challenge, e.g., because the Client has a cache of
-       previously issued tokens, it can skip to step 6 and redeem its
-       token; see Section 7.1 for security considerations of cached
-       tokens.
-
-   3.  If the Client does not have a token available and decides it
-       wants to obtain one (or more) bound to the token challenge, it
-       then invokes the issuance protocol.  As a prerequisite to the
-       issuance protocol, the Client runs the deployment-specific
-       attestation process that is required for the designated Issuer.
-       Client attestation can be done via proof of solving a CAPTCHA,
-       checking device or hardware attestation validity, etc.; see
-       Section 3.5.1 for more details.
-
-   4.  If the attestation process completes successfully, the client
-       creates a token request to send to the designated Issuer
-       (generally via the Attester, though it is not required to be sent
-       through the Attester).  The Attester and Issuer might be
-       functions on the same server, depending on the deployment model
-       (see Section 4).  Depending on the attestation process, it is
-       possible for attestation to run alongside the issuance protocol,
-       e.g., where Clients send necessary attestation information to the
-       Attester along with their token request.  If the attestation
-       process fails, the Client receives an error and issuance aborts
-       without a token.
-
-   5.  The Issuer generates a token response based on the token request,
-       which is returned to the Client (generally via the Attester).
-       Upon receiving the token response, the Client computes a token
-       from the token challenge and token response.  This token can be
-       validated by anyone with the per-Issuer key, but cannot be linked
-       to the content of the token request or token response.
-
-   6.  If the Client has a token, it includes it in a subsequent request
-       to the Origin, as authorization.  This token is sent only once in
-       reaction to a challenge; Clients do not send tokens more than
-       once, even if they receive duplicate or redundant challenges.
-       The Origin validates that the token was generated by the expected
-       Issuer and has not already been redeemed for the corresponding
-       token challenge.  If the Client does not have a token, perhaps
-       because issuance failed, the client does not reply to the
-       Origin's challenge with a new request.
-
-   +--------+            +--------+         +----------+ +--------+
-   | Origin |            | Client |         | Attester | | Issuer |
-   +---+----+            +---+----+         +----+-----+ +---+----+
-       |                     |                   |           |
-       |<----- Request ------+                   |           |
-       +-- TokenChallenge -->|                   |           |
-       |                     |<== Attestation ==>|           |
-       |                     |                   |           |
-       |                     +--------- TokenRequest ------->|
-       |                     |<-------- TokenResponse -------+
-       |<-- Request+Token ---+                   |           |
-       |                     |                   |           |
-
-    Figure 1: Privacy pass redemption and issuance protocol interaction
-
-3.2.  Use Cases
-
-   Use cases for Privacy Pass are broad and depend greatly on the
-   deployment model as discussed in Section 4.  The initial motivating
-   use case for Privacy Pass [PrivacyPassCloudflare] was to help rate-
-   limit malicious or otherwise abusive traffic from services such as
-   Tor [DMS2004].  The generalized and evolved architecture described in
-   this document also work for this use case.  However, for added
-   clarity, some more possible use cases are described below.
-
-   *  Low-quality, anti-fraud signal for open Internet services.  Tokens
-      can attest that the Client behind the user agent is likely not a
-      bot attempting to perform some form of automated attack such as
-      credential stuffing.  Example attestation procedures for this use
-      case might be solving some form of CAPTCHA or presenting evidence
-      of a valid, unlocked device in good standing.
-
-   *  Privacy-preserving authentication for proprietary services.
-      Tokens can attest that the Client is a valid subscriber for a
-      proprietary service, such as a deployment of Oblivious HTTP
-      [OHTTP].
-
-3.3.  Privacy Goals and Threat Model
-
-   The end-to-end flow for Privacy Pass described in Section 3.1
-   involves three different types of contexts:
-
-   Redemption context:  The interactions and set of information shared
-      between the Client and Origin, i.e., the information that is
-      provided or otherwise available to the Origin during redemption
-      that might be used to identify a Client and construct a token
-      challenge.  This context includes all information associated with
-      redemption, such as the timestamp of the event, Client-visible
-      information (including the IP address), and the Origin name.
-
-   Issuance context:  The interactions and set of information shared
-      between the Client, Attester, and Issuer, i.e., the information
-      that is provided or otherwise available to Attester and Issuer
-      during issuance that might be used to identify a Client.  This
-      context includes all information associated with issuance, such as
-      the timestamp of the event, any Client-visible information
-      (including the IP address), and the Origin name (if revealed
-      during issuance).  This does not include the token challenge in
-      its entirety, as that is kept secret from the Issuer during the
-      issuance protocol.
-
-   Attestation context:  The interactions and set of information shared
-      between the Client and Attester only, for the purposes of
-      attesting the validity of the Client, that is provided or
-      otherwise available during attestation that might be used to
-      identify the Client.  This context includes all information
-      associated with attestation, such as the timestamp of the event
-      and any Client-visible information, including information needed
-      for the attestation procedure to complete.
-
-   The privacy goals of Privacy Pass assume a threat model in which
-   Origins trust specific Issuers to produce tokens, and Issuers in turn
-   trust one or more Attesters to correctly run the attestation
-   procedure with Clients.  This arrangement ensures that tokens which
-   validate for a given Issuer were only issued to a Client that
-   successfully completed attestation with an Attester that the Issuer
-   trusts.  Moreover, this arrangement means that if an Origin accepts
-   tokens issued by an Issuer that trusts multiple Attesters, then a
-   Client can use any one of these Attesters to issue and redeem tokens
-   for the Origin.  Whether or not these different entities in the
-   architecture collude for learning redemption, issuance, or
-   attestation contexts, as well as the necessary preconditions for
-   context unlinkability, depends on the deployment model; see Section 4
-   for more details.
-
-   The mechanisms for establishing trust between each entity in this
-   arrangement are deployment-specific.  For example, in settings where
-   Clients interact with Issuers through an Attester, Attesters and
-   Issuers might use mutually authenticated TLS to authenticate one
-   another.  In settings where Clients do not communicate with Issuers
-   through an Attester, the Attesters might convey this trust via a
-   digital signature that Issuers can verify.
-
-   Clients explicitly trust Attesters to perform attestation correctly
-   and in a way that does not violate their privacy.  In particular,
-   this means that Attesters which may be privy to private information
-   about Clients are trusted to not disclose this information to non-
-   colluding parties.  Colluding parties are assumed to have access to
-   the same information; see Section 4 for more about different
-   deployment models and non-collusion assumptions.  However, Clients
-   assume Issuers and Origins are malicious.
-
-   Given this threat model, the privacy goals of Privacy Pass are
-   oriented around unlinkability based on redemption, issuance, and
-   attestation contexts, as described below.
-
-   1.  Origin-Client unlinkability.  This means that given two
-       redemption contexts, the Origin cannot determine if both
-       redemption contexts correspond to the same Client or two
-       different Clients.  Informally, this means that a Client in a
-       redemption context is indistinguishable from any other Client
-       that might use the same redemption context.  The set of Clients
-       that share the same redemption context is referred to as a
-       redemption anonymity set.
-
-   2.  Issuer-Client unlinkability.  This is similar to Origin-Client
-       unlinkability in that a Client in an issuance context is
-       indistinguishable from any other Client that might use the same
-       issuance context.  The set of Clients that share the same
-       issuance context is referred to as an issuance anonymity set.
-
-   3.  Attester-Origin unlinkability.  This is similar to Origin-Client
-       and Issuer-Client unlinkability.  It means that given two
-       attestation contexts, the Attester cannot determine if both
-       contexts correspond to the same Origin or two different Origins.
-       The set of Origins that share the same attestation context is
-       referred to as an attestation anonymity set.
-
-   4.  Redemption context unlinkability.  Given two redemption contexts,
-       the Origin cannot determine which issuance and attestation
-       contexts each redemption corresponds to, even with the
-       collaboration of the Issuer and Attester (should these be
-       different parties).  This means that any information that may be
-       learned about the Client during the issuance and attestation
-       flows cannot be used by the Origin to compromise Client privacy.
-
-   These unlinkability properties ensure that only the Client is able to
-   correlate information that might be used to identify them with
-   activity on the Origin.  The Attester, Issuer, and Origin only
-   receive the information necessary to perform their respective
-   functions.
-
-   The manner in which these unlinkability properties are achieved
-   depends on the deployment model, type of attestation, and issuance
-   protocol details.  For example, as discussed in Section 4, in some
-   cases it is necessary to use an anonymization service such as Tor
-   [DMS2004] which hides Clients IP addresses.  In general,
-   anonymization services ensures that all Clients which use the service
-   are indistinguishable from one another, though in practice there may
-   be small distinguishing features (TLS fingerprints, HTTP headers,
-   etc).  Moreover, Clients generally trust these services to not
-   disclose private Client information (such as IP addresses) to
-   untrusted parties.  Failure to use an anonymization service when
-   interacting with Attesters, Issuers, or Origins can allow the set of
-   possible Clients to be partitioned by the Client's IP address, and
-   can therefore lead to unlinkability violations.  Similarly, malicious
-   Origins may attempt to link two redemption contexts together by using
-   Client-specific Issuer public keys.  See Section 5 and Section 6 for
-   more information.
-
-   The remainder of this section describes the functional properties and
-   security requirements of the redemption and issuance protocols in
-   more detail.  Section 3.6 describes how information flows between
-   Issuer, Origin, Client, and Attester through these protocols.
-
-3.4.  Redemption Protocol
-
-   The Privacy Pass redemption protocol, described in [AUTHSCHEME], is
-   an authorization protocol wherein Clients present tokens to Origins
-   for authorization.  Normally, redemption is preceded by a challenge,
-   wherein the Origin challenges Clients for a token with a
-   TokenChallenge ([AUTHSCHEME], Section 2.1) and, if possible, Clients
-   present a valid Token ([AUTHSCHEME], Section 2.2) in reaction to the
-   challenge.  This interaction is shown below.
-
-   +--------+            +--------+
-   | Origin |            | Client |
-   +---+----+            +---+----+
-       |                     |
-       |<----- Request ------+
-       +-- TokenChallenge -->|
-       |                     | <== Issuance protocol ==>
-       |<-- Request+Token ---+
-       |                     |
-
-          Figure 2: Challenge and redemption protocol interaction
-
-   Alternatively, when configured to do so, Clients may
-   opportunistically present Token values to Origins without a
-   corresponding TokenChallenge.
-
-   The structure and semantics of the TokenChallenge and Token messages
-   depend on the issuance protocol and token type being used; see
-   [AUTHSCHEME] for more information.
-
-   The challenge provides the client with the information necessary to
-   obtain tokens that the server might subsequently accept in the
-   redemption context.  There are a number of ways in which the token
-   may vary based on this challenge, including:
-
-   *  Issuance protocol.  The challenge identifies the type of issuance
-      protocol required for producing the token.  Different issuance
-      protocols have different security properties, e.g., some issuance
-      protocols may produce tokens that are publicly verifiable, whereas
-      others may not have this property.
-
-   *  Issuer identity.  Token challenges identify which Issuers are
-      trusted for a given issuance protocol.  As described in
-      Section 3.3, the choice of Issuer determines the type of Attesters
-      and attestation procedures possible for a token from the specified
-      Issuer, but the Origin does not learn exactly which Attester was
-      used for a given token issuance event.
-
-   *  Redemption context.  Challenges can be bound to a given redemption
-      context, which influences a client's ability to pre-fetch and
-      cache tokens.  For example, an empty redemption context always
-      allows tokens to be issued and redeemed non-interactively, whereas
-      a fresh and random redemption context means that the redeemed
-      token must be issued only after the client receives the challenge.
-      See Section 2.1.1 of [AUTHSCHEME] for more details.
-
-   *  Per-Origin or cross-Origin.  Challenges can be constrained to the
-      Origin for which the challenge originated (referred to as per-
-      Origin tokens), or can be used across multiple Origins (referred
-      to as cross-Origin tokens).  The set of Origins for which a cross-
-      Origin token is applicable is referred to as the cross-Origin set.
-      Opting into this set is done by explicitly agreeing on the
-      contents of the set.  Every Origin in a cross-Origin set, by
-      opting in, agrees to admit tokens for any other Origin in the set.
-      See Section 2.1.1 of [AUTHSCHEME] for more information on how this
-      set is created.
-
-   Origins that admit cross-Origin tokens bear some risk of allowing
-   tokens issued for one Origin to be spent in an interaction with
-   another Origin.  In particular, cross-Origin tokens issued based on a
-   challenge for one Origin can be redeemed at another Origin in the
-   cross-Origin set, which can make it difficult to regulate token
-   consumption.  Depending on the use case, Origins may need to maintain
-   state to track redeemed tokens.  For example, Origins that accept
-   cross-Origin tokens across shared redemption contexts SHOULD track
-   which tokens have been redeemed already in those redemption contexts,
-   since these tokens can be issued and then spent multiple times for
-   any such challenge.  Note that Clients which redeem the same token to
-   multiple Origins do risk those Origins being able to link Client
-   activity together, which can disincentivize this behavior.  See
-   Section 2.1.1 of [AUTHSCHEME] for discussion.
-
-   How Clients respond to token challenges can have privacy
-   implications.  For example, if an Origin allows the Client to choose
-   an Issuer, then the choice of Issuer can reveal information about the
-   Client used to partition anonymity sets; see Section 6.2 for more
-   information about these privacy considerations.
-
-3.5.  Issuance Protocol
-
-   The Privacy Pass issuance protocol, described in [ISSUANCE], is a
-   two-message protocol that takes as input a TokenChallenge from the
-   redemption protocol ([AUTHSCHEME], Section 2.1) and produces a Token
-   ([AUTHSCHEME], Section 2.2), as shown in Figure 1.
-
-   The structure and semantics of the TokenRequest and TokenResponse
-   messages depend on the issuance protocol and token type being used;
-   see [ISSUANCE] for more information.
-
-   Clients interact with the Attester and Issuer to produce a token for
-   a challenge.  The context in which an Attester vouches for a Client
-   during issuance is referred to as the attestation context.  This
-   context includes all information associated with the issuance event,
-   such as the timestamp of the event and Client-visible information,
-   including the IP address or other information specific to the type of
-   attestation done.
-
-   Each issuance protocol may be different, e.g., in the number and
-   types of participants, underlying cryptographic constructions used
-   when issuing tokens, and even privacy properties.
-
-   Clients initiate the issuance protocol using the token challenge, a
-   randomly generated nonce, and public key for the Issuer, all of which
-   are the Client's private input to the protocol and ultimately bound
-   to an output Token; see Section 2.2 of [AUTHSCHEME] for details.
-   Future specifications may change or extend the Client's input to the
-   issuance protocol to produce Tokens with a different structure.
-
-   Token properties vary based on the issuance protocol.  Important
-   properties supported in this architecture are described below.
-
-   1.  Public verifiability.  This means the Token can be verified using
-       the Issuer public key.  A Token that does not have public
-       verifiability can only be verified using the Issuer secret key.
-
-   2.  Public metadata.  This means that the Token can be
-       cryptographically bound to arbitrary public information.  See
-       Section 6.1 for privacy considerations of public metadata.
-
-   3.  Private metadata.  This means that the Token can be
-       cryptographically bound to arbitrary private information, i.e.,
-       information that the Client does not observe during Token
-       issuance or redemption.  See Section 6.1 for privacy
-       considerations of private metadata.
-
-   The issuance protocol itself can be any interactive protocol between
-   Client, Issuer, or other parties that produces a valid token bound to
-   the Client's private input, subject to the following security
-   requirements.
-
-   1.  Unconditional input secrecy.  The issuance protocol MUST NOT
-       reveal anything about the Client's private input, including the
-       challenge and nonce, to the Attester or Issuer, regardless of the
-       hardness assumptions of the underlying cryptographic protocol(s).
-       This property is sometimes also referred to as blindness.
-
-   2.  One-more forgery security.  The issuance protocol MUST NOT allow
-       malicious Clients or Attesters (acting as Clients) to forge
-       tokens offline or otherwise without interacting with the Issuer
-       directly.
-
-   3.  Concurrent security.  The issuance protocol MUST be safe to run
-       concurrently with arbitrarily many Clients, Attesters and
-       Issuers.
-
-   See Section 3.5.4 for requirements on new issuance protocol variants
-   and related extensions.
-
-   In the sections below, we describe the Attester and Issuer roles in
-   more detail.
-
-3.5.1.  Attester Role
-
-   In Privacy Pass, attestation is the process by which an Attester
-   bears witness to, confirms, or authenticates a Client so as to verify
-   properties about the Client that are required for Issuance.  Issuers
-   trust Attesters to perform attestation correctly, i.e., to implement
-   attestation procedures in a way that are not subverted or bypassed by
-   malicious Clients.
-
-   [RFC9334] describes an architecture for attestation procedures.
-   Using that architecture as a conceptual basis, Clients are RATS
-   attesters that produce attestation evidence, and Attesters are RATS
-   verifiers that appraise the validity of attestation evidence.
-
-   The type of attestation procedure is a deployment-specific option and
-   outside the scope of the issuance protocol.  Example attestation
-   procedures are below.
-
-   *  Solving a CAPTCHA.  Clients that solve CAPTCHA challenges can be
-      attested to have this capability for the purpose of being ruled
-      out as a bot or otherwise automated Client.
-
-   *  Presenting evidence of Client device validity.  Some Clients run
-      on trusted hardware that are capable of producing device-level
-      attestation evidence.
-
-   *  Proving properties about Client state.  Clients can be associated
-      with state and the Attester can verify this state.  Examples of
-      state include the Client's geographic region and whether the
-      Client has a valid application-layer account.
-
-   Attesters may support different types of attestation procedures.
-
-   Each attestation procedure has different security properties.  For
-   example, attesting to having a valid account is different from
-   attesting to running on trusted hardware.  Supporting multiple
-   attestation procedures is an important step towards ensuring
-   equitable access for Clients; see Section 5.1.
-
-   The role of the Attester in the issuance protocol and its impact on
-   privacy depends on the type of attestation procedure, issuance
-   protocol, and deployment model.  For instance, increasing the number
-   of required attestation procedures could decrease the overall
-   anonymity set size.  As an example, the number of Clients that have
-   solved a CAPTCHA in the past day, that have a valid account, and that
-   are running on a trusted device is less than the number of Clients
-   that have solved a CAPTCHA in the past day.  See Section 6.2 for more
-   discussion of how the variety of attestation procedures can
-   negatively impact Client privacy.
-
-   Depending on the issuance protocol, the Issuer might learn
-   information about the Origin.  To ensure Issuer-Client unlinkability,
-   the Issuer should be unable to link that information to a specific
-   Client.  For such issuance protocols where the Attester has access to
-   Client-specific information, such as is the case for attestation
-   procedures that involve Client-specific information (such as
-   application-layer account information) or for deployment models where
-   the Attester learns Client-specific information (such as Client IP
-   addresses), Clients trust the Attester to not share any Client-
-   specific information with the Issuer.  In deployments where the
-   Attester does not learn Client-specific information, or where the
-   Attester and Issuer are operated by the same entity (such as in the
-   Joint Attester and Issuer model described in Section 4.2), the Client
-   does not need to explicitly trust the Attester in this regard.
-
-   Issuers trust Attesters to correctly and reliably perform
-   attestation.  However, certain types of attestation can vary in value
-   over time, e.g., if the attestation procedure is compromised.  Broken
-   attestation procedures are considered exceptional events and require
-   configuration changes to address the underlying cause.  For example,
-   if an attestation procedure is compromised or subverted because of a
-   zero-day exploit on devices that implement the attestation procedure,
-   then the corresponding attestation procedure should be untrusted
-   until the exploit is patched.  Addressing changes in attestation
-   quality is therefore a deployment-specific task.  In Split Attester
-   and Issuer deployments (see Section 4.4), Issuers can choose to
-   remove compromised Attesters from their trusted set until the
-   compromise is patched.
-
-   From the perspective of an Origin, tokens produced by an Issuer with
-   at least one compromised Attester cannot be trusted assuming the
-   Origin does not know which attestation procedure was used for
-   issuance.  This is because the Origin cannot distinguish between
-   tokens that were issued via compromised Attesters and tokens that
-   were issued via uncompromised Attesters absent some distinguishing
-   information in the tokens themselves or from the Issuer.  As a
-   result, until the attestation procedure is fixed, the Issuer cannot
-   be trusted by Origins.  Moreover, as a consequence, any tokens issued
-   by an Issuer with a compromised attester may no longer be trusted by
-   Origins, even if those tokens were issued to Clients interacting with
-   an uncompromised Attester.
-
-3.5.2.  Issuer Role
-
-   In Privacy Pass, the Issuer is responsible for completing the
-   issuance protocol for Clients that complete attestation through a
-   trusted Attester.  As described in Section 3.5.1, Issuers explicitly
-   trust Attesters to correctly and reliably perform attestation.
-   Origins explicitly trust Issuers to only issue tokens from trusted
-   Attesters.  Clients do not explicitly trust Issuers.
-
-   Depending on the deployment model case, issuance may require some
-   form of Client anonymization service, similar to an IP-hiding proxy,
-   so that Issuers cannot learn information about Clients.  This can be
-   provided by an explicit participant in the issuance protocol, or it
-   can be provided via external means, such as through the use of an IP-
-   hiding proxy service like Tor [DMS2004].  In general, Clients SHOULD
-   minimize or remove identifying information where possible when
-   invoking the issuance protocol.
-
-   Issuers are uniquely identifiable by all Clients with a consistent
-   identifier.  In a web context, this identifier might be the Issuer
-   host name.  Issuers maintain one or more configurations, including
-   issuance key pairs, for use in the issuance protocol.  Each
-   configuration is assumed to have a unique and canonical identifier,
-   sometimes referred to as a key identifier or key ID.  Issuers can
-   rotate these configurations as needed to mitigate risk of compromise;
-   see Section 6.2 for more considerations around configuration
-   rotation.  The Issuer public key for each active configuration is
-   made available to Origins and Clients for use in the issuance and
-   redemption protocols.
-
-3.5.3.  Issuance Metadata
-
-   Certain instantiations of the issuance protocol may permit public or
-   private metadata to be cryptographically bound to a token.  As an
-   example, one trivial way to include public metadata is to assign a
-   unique Issuer public key for each value of metadata, such that N keys
-   yields log_2(N) bits of metadata.  Metadata may be public or private.
-
-   Public metadata is that which clients can observe as part of the
-   token issuance flow.  Public metadata can either be transparent or
-   opaque.  For example, transparent public metadata is a value that the
-   client either generates itself, or the Issuer provides during the
-   issuance flow and the client can check for correctness.  Opaque
-   public metadata is metadata the client can see but cannot check for
-   correctness.  As an example, the opaque public metadata might be a
-   "fraud detection signal", computed on behalf of the Issuer, during
-   token issuance.  Generally speaking, Clients cannot determine if this
-   value is generated in a way that permits tracking.
-
-   Private metadata is that which Clients cannot observe as part of the
-   token issuance flow.  Such instantiations can be built on the Private
-   Metadata Bit construction from Kreuter et al.  [KLOR20] or the
-   attribute-based VOPRF from Huang et al.  [HIJK21].
-
-   Metadata can be arbitrarily long or bounded in length.  The amount of
-   permitted metadata may be determined by application or by the
-   underlying cryptographic protocol.  The total amount of metadata bits
-   included in a token is the sum of public and private metadata bits.
-   Every bit of metadata can be used to partition the Client issuance or
-   redemption anonymity sets; see Section 6.1 for more information.
-
-3.5.4.  Future Issuance Protocol Requirements
-
-   The Privacy Pass architecture and ecosystem are both intended to be
-   receptive to extensions that expand the current set of
-   functionalities through new issuance protocols.  Each new issuance
-   protocol and extension MUST adhere to the following requirements:
-
-   1.  Include a detailed analysis of the privacy impacts of the
-       extension, why these impacts are justified, and guidelines on how
-       to use the protocol to mitigate or minimize negative deployment
-       or privacy consequences discussed in Section 5 and Section 6,
-       respectively.
-
-   2.  Adhere to the guidelines specified in Section 3.5.2 for managing
-       Issuer public key data.
-
-   3.  Clearly specify how to interpret and validate TokenChallenge and
-       Token messages that are exchanged during the redemption protocol.
-
-3.6.  Information Flow
-
-   The end-to-end process of redemption and issuance protocols involves
-   information flowing between Issuer, Origin, Client, and Attester.
-   That information can have implications on the privacy goals that
-   Privacy Pass aims to provide as outlined in Section 3.3.  In this
-   section, we describe the flow of information between each party.  How
-   this information affects the privacy goals in particular deployment
-   models is further discussed in Section 4.
-
-3.6.1.  Token Challenge Flow
-
-   To use Privacy Pass, Origins choose an Issuer from which they are
-   willing to accept tokens.  Origins then construct a token challenge
-   using this specified Issuer and information from the redemption
-   context it shares with the Client.  This token challenge is then
-   delivered to a Client.  The token challenge conveys information about
-   the Issuer and the redemption context, such as whether the Origin
-   desires a per-Origin or cross-Origin token.  Any entity that sees the
-   token challenge might learn things about the Client as known to the
-   Origin.  This is why input secrecy is a requirement for issuance
-   protocols, as it ensures that the challenge is not directly available
-   to the Issuer.
-
-3.6.2.  Attestation Flow
-
-   Clients interact with the Attester to prove that they meet some
-   required set of properties.  In doing so, Clients contribute
-   information to the attestation context, which might include sensitive
-   information such as application-layer identities, IP addresses, and
-   so on.  Clients can choose whether or not to contribute this
-   information based on local policy or preference.
-
-3.6.3.  Issuance Flow
-
-   Clients use the issuance protocol to produce a token bound to a token
-   challenge.  In doing so, there are several ways in which the issuance
-   protocol contributes information to the attestation or issuance
-   contexts.  For example, a token request may contribute information to
-   the attestation or issuance contexts as described below.
-
-   *  Issuance protocol.  The type of issuance protocol can contribute
-      information about the Issuer's capabilities to the attestation or
-      issuance contexts, as well as the capabilities of a given Client.
-      For example, if a Client is presented with multiple issuance
-      protocol options, then the choice of which issuance protocol to
-      use can contribute information about the Client's capabilities.
-
-   *  Issuer configuration.  Information about the Issuer configuration,
-      such as its identity or the public key used to validate tokens it
-      creates, can be revealed during issuance and contribute to the
-      attestation or issuance contexts.
-
-   *  Attestation information.  The issuance protocol can contribute
-      information to the attestation or issuance contexts based on what
-      attestation procedure the Issuer uses to trust a token request.
-      In particular, a token request that is validated by a given
-      Attester means that the Client which generated the token request
-      must be capable of the completing the designated attestation
-      procedure.
-
-   *  Origin information.  The issuance protocol can contribute
-      information about the Origin that challenged the Client in
-      Section 3.6.1.  In particular, a token request designated for a
-      specific Issuer might imply that the resulting token is for an
-      Origin that trusts the specified Issuer.  However, this is not
-      always true, as some token requests can correspond to cross-Origin
-      tokens, i.e., they are tokens that would be accepted at any Origin
-      that accepts the cross-Origin token.
-
-   Moreover, a token may contribute information to the issuance
-   attestation or contexts as described below.
-
-   *  Origin information.  The issuance protocol can contribute
-      information about the Origin in how it responds to a token
-      request.  For example, if an Issuer learns the Origin during
-      issuance and is also configured to respond in some way on the
-      basis of that information, and the Client interacts with the
-      Issuer transitively through the Attester, that response can reveal
-      information to the Attester.
-
-   *  Token.  The token produced by the issuance protocol can contain
-      information from the issuance context.  In particular, depending
-      on the issuance protocol, tokens can contain public or private
-      metadata, and Issuers can choose that metadata on the basis of
-      information in the issuance context.
-
-   Exceptional cases in the issuance protocol, such as when either the
-   Attester or Issuer aborts the protocol, can contribute information to
-   the attestation or issuance contexts.  The extent to which
-   information in this context harms the Issuer-Client or Attester-
-   Origin unlinkability goals in Section 3.3 depends on deployment
-   model; see Section 4.  Clients can choose whether or not to
-   contribute information to these contexts based on local policy or
-   preference.
-
-3.6.4.  Token Redemption Flow
-
-   Clients send tokens to Origins during the redemption protocol.  Any
-   information that is added to the token during issuance can therefore
-   be sent to the Origin.  Information can either be explicitly passed
-   in a token, or it can be implicit in the way the Client responds to a
-   token challenge.  For example, if a Client fails to complete
-   issuance, and consequently fails to redeem a token for a token
-   challenge, this can reveal information to the Origin that it might
-   not otherwise have access to.  However, an Origin cannot necessarily
-   distinguish between a Client that fails to complete issuance and one
-   that ignores the token challenge altogether.
-
-4.  Deployment Models
-
-   The Origin, Attester, and Issuer portrayed in Figure 1 can be
-   instantiated and deployed in a number of ways.  The deployment model
-   directly influences the manner in which attestation, issuance, and
-   redemption contexts are separated to achieve Origin-Client, Issuer-
-   Client, and Attester-Origin unlinkability.
-
-   This section covers some expected deployment models and their
-   corresponding security and privacy considerations.  Each deployment
-   model is described in terms of the trust relationships and
-   communication patterns between Client, Attester, Issuer, and Origin.
-   Entities drawn within the same bounding box are assumed to be
-   operated by the same party and are therefore able to collude.
-   Collusion can enable linking of attestation, issuance, and redemption
-   contexts.  Entities not drawn within the same bounding box are
-   assumed to not collude, meaning that entities operated by separate
-   parties that do not collude.  Mechanisms for enforcing non-collusion
-   are out of scope for this architecture.
-
-4.1.  Shared Origin, Attester, Issuer
-
-   In this model, the Origin, Attester, and Issuer are all operated by
-   the same entity, as shown in Figure 3.
-
-                    +---------------------------------------------.
-   +--------+       |  +----------+     +--------+     +--------+  |
-   | Client |       |  | Attester |     | Issuer |     | Origin |  |
-   +---+----+       |  +-----+----+     +----+---+     +---+----+  |
-       |             `-------|---------------|-------------|------'
-       |<-------------------------------- TokenChallenge --+
-       |                     |               |             |
-       |<=== Attestation ===>|               |             |
-       |                     |               |             |
-       +----------- TokenRequest ----------->|             |
-       |<---------- TokenResponse -----------+             |
-       |                                                   |
-       +--------------------- Token ----------------------->
-       |                                                   |
-
-                     Figure 3: Shared Deployment Model
-
-   This model represents the initial deployment of Privacy Pass, as
-   described in [PrivacyPassCloudflare].  In this model, the Attester,
-   Issuer, and Origin share the attestation, issuance, and redemption
-   contexts.  As a result, attestation mechanisms that can uniquely
-   identify a Client, e.g., requiring that Clients authenticate with
-   some type of application-layer account, are not appropriate, as they
-   could lead to unlinkability violations.
-
-   Origin-Client, Issuer-Client, and Attester-Origin unlinkability
-   requires that issuance and redemption events be separated over time,
-   such as through the use of tokens that correspond to token challenges
-   with an empty redemption context (see Section 3.4), or be separated
-   over space, such as through the use of an anonymizing service when
-   connecting to the Origin.
-
-4.2.  Joint Attester and Issuer
-
-   In this model, the Attester and Issuer are operated by the same
-   entity that is separate from the Origin.  The Origin trusts the joint
-   Attester and Issuer to perform attestation and issue Tokens.  Clients
-   interact with the joint Attester and Issuer for attestation and
-   issuance.  This arrangement is shown in Figure 4.
-
-                      +------------------------------.
-   +--------+         |  +----------+     +--------+  |  +--------+
-   | Client |         |  | Attester |     | Issuer |  |  | Origin |
-   +---+----+         |  +-----+----+     +----+---+  |  +---+----+
-       |               `-------|---------------|-----'       |
-       |<---------------------------------- TokenChallenge --+
-       |                       |               |             |
-       |<==== Attestation ====>|               |             |
-       |                       |               |             |
-       +------------- TokenRequest ----------->|             |
-       |<----------- TokenResponse ------------+             |
-       |                                                     |
-       +----------------------- Token ----------------------->
-       |                                                     |
-
-            Figure 4: Joint Attester and Issuer Deployment Model
-
-   This model is useful if an Origin wants to offload attestation and
-   issuance to a trusted entity.  In this model, the Attester and Issuer
-   share an attestation and issuance context for the Client, which is
-   separate from the Origin's redemption context.
-
-   Similar to the Shared Origin, Attester, Issuer model, Issuer-Client
-   and Origin-Client unlinkability in this model requires issuance and
-   redemption events, respectively, be separated over time or space.
-   Attester-Origin unlinkability requires that the Attester and Issuer
-   do not learn the Origin for a particular token request.  For this
-   reason, issuance protocols that require the Issuer to learn
-   information about the Origin, such as that which is described in
-   [RATE-LIMITED], are not appropriate since they could lead to
-   Attester-Origin unlinkability violations through the Origin name.
-
-4.3.  Joint Origin and Issuer
-
-   In this model, the Origin and Issuer are operated by the same entity,
-   separate from the Attester, as shown in the figure below.  The Issuer
-   accepts token requests that come from trusted Attesters.  Since the
-   Attester and Issuer are separate entities, this model requires some
-   mechanism by which Issuers establish trust in the Attester (as
-   described in Section 3.3).  For example, in settings where the
-   Attester is a Client-trusted service that directly communicates with
-   the Issuer, one way to establish this trust is via mutually-
-   authenticated TLS.  However, alternative authentication mechanisms
-   are possible.  This arrangement is shown in Figure 5.
-
-                                     +----------------------------.
-   +--------+          +----------+  |  +--------+     +--------+  |
-   | Client |          | Attester |  |  | Issuer |     | Origin |  |
-   +---+----+          +-----+----+  |  +----+---+     +---+----+  |
-       |                     |        `------|-------------|------'
-       |<-------------------------------- TokenChallenge --+
-       |                     |               |             |
-       |<=== Attestation ===>|               |             |
-       |                     |               |             |
-       +------------ TokenRequest ---------->|             |
-       |<---------- TokenResponse -----------+             |
-       |                                                   |
-       +--------------------- Token ----------------------->
-       |                                                   |
-
-             Figure 5: Joint Origin and Issuer Deployment Model
-
-   This model is useful for Origins that require Client-identifying
-   attestation, e.g., through the use of application-layer account
-   information, but do not otherwise want to learn information about
-   individual Clients beyond what is observed during the token
-   redemption, such as Client IP addresses.
-
-   In this model, attestation contexts are separate from issuer and
-   redemption contexts.  As a result, any type of attestation is
-   suitable in this model.
-
-   Moreover, any type of token challenge is suitable assuming there is
-   more than one Origin involved, since no single party will have access
-   to the identifying Client information and unique Origin information.
-   Issuers that produce tokens for a single Origin are not suitable in
-   this model since an Attester can infer the Origin from a token
-   request, as described in Section 3.6.3.  However, since the issuance
-   protocol provides input secrecy, the Attester does not learn details
-   about the corresponding token challenge, such as whether the token
-   challenge is per-Origin or cross-Origin.
-
-4.4.  Split Origin, Attester, Issuer
-
-   In this model, the Origin, Attester, and Issuer are all operated by
-   different entities.  As with the joint Origin and Issuer model, the
-   Issuer accepts token requests that come from trusted Attesters, and
-   the details of that trust establishment depend on the issuance
-   protocol and relationship between Attester and Issuer; see
-   Section 3.3.  This arrangement is shown in Figure 1.
-
-   This is the most general deployment model, and is necessary for some
-   types of issuance protocols where the Attester plays a role in token
-   issuance; see [RATE-LIMITED] for one such type of issuance protocol.
-
-   In this model, the Attester, Issuer, and Origin have a separate view
-   of the Client: the Attester sees potentially sensitive Client
-   identifying information, such as account identifiers or IP addresses,
-   the Issuer sees only the information necessary for issuance, and the
-   Origin sees token challenges, corresponding tokens, and Client source
-   information, such as their IP address.  As a result, attestation,
-   issuance, and redemption contexts are separate, and therefore any
-   type of token challenge is suitable in this model as long as there is
-   more than a single Origin.
-
-   As in the Joint Origin and Issuer model in Section 4.3, and as
-   described in Section 3.6.3, if the Issuer produces tokens for a
-   single Origin, then per-Origin tokens are not appropriate since the
-   Attester can infer the Origin from a token request.
-
-5.  Deployment Considerations
-
-   Section 4 discusses deployment models that are possible in practice.
-   Beyond possible implications on security and privacy properties of
-   the resulting system, Privacy Pass deployments can impact the overall
-   ecosystem in two important ways: (1) discriminatory treatment of
-   Clients and the gated access to otherwise open services, and (2)
-   centralization.  This section describes considerations relevant to
-   these topics.
-
-5.1.  Discriminatory Treatment
-
-   Origins can use tokens as a signal for distinguishing between Clients
-   that are capable of completing attestation with one Attester trusted
-   by the Origin's chosen Issuer, and Clients that are not capable of
-   doing the same.  A consequence of this is that Privacy Pass could
-   enable discriminatory treatment of Clients based on Attestation
-   support.  For example, an Origin could only authorize Clients that
-   successfully authenticate with a token, prohibiting access to all
-   other Clients.
-
-   The type of attestation procedures supported for a particular
-   deployment depends greatly on the use case.  For example, consider a
-   proprietary deployment of Privacy Pass that authorizes clients to
-   access a resource such as an anonymization service.  In this context,
-   it is reasonable to support specific types of attestation procedures
-   that demonstrate Clients can access the resource, such as with an
-   account or specific type of device.  However, in open deployments of
-   Privacy Pass that are used to safeguard access to otherwise open or
-   publicly accessible resources, diversity in attestation procedures is
-   critically important so as to not discriminate against Clients that
-   choose certain software, hardware, or identity providers.
-
-   In principle, Issuers should strive to mitigate discriminatory
-   behavior by providing equitable access to all Clients.  This can be
-   done by working with a set of Attesters that are suitable for all
-   Clients.  In practice, this may require tradeoffs in what type of
-   attestation Issuers are willing to trust so as to enable more
-   widespread support.  In other words, trusting a variety of Attesters
-   with a diverse set of attestation procedures would presumably
-   increase support among Clients, though most likely at the expense of
-   decreasing the overall value of tokens issued by the Issuer.
-
-   For example, to disallow discriminatory behavior between Clients with
-   and without device attestation support, an Issuer may wish to support
-   Attesters that support CAPTCHA-based attestation.  This means that
-   the overall attestation value of a Privacy Pass token is bound by the
-   difficulty in spoofing or bypassing either one of these attestation
-   procedures.
-
-5.2.  Centralization
-
-   A consequence of limiting the number of participants (Attesters or
-   Issuers) in Privacy Pass deployments for meaningful privacy is that
-   it forces concentrated centralization amongst those participants.
-   [CENTRALIZATION] discusses several ways in which this might be
-   mitigated.  For example, a multi-stakeholder governance model could
-   be established to determine what candidate participants are fit to
-   operate as participants in a Privacy Pass deployment.  This is
-   precisely the system used to control the Web's trust model.
-
-   Alternatively, Privacy Pass deployments might mitigate this problem
-   through implementation.  For example, rather than centralize the role
-   of attestation in one or few entities, attestation could be a
-   distributed function performed by a quorum of many parties, provided
-   that neither Issuers nor Origins learn which Attester implementations
-   were chosen.  As a result, Clients could have more opportunities to
-   switch between attestation participants.
-
-6.  Privacy Considerations
-
-   The previous section discusses the impact of deployment details on
-   Origin-Client, Issuer-Client, and Attester-Origin unlinkability.  The
-   value these properties affords to end users depends on the size of
-   anonymity sets in which Clients or Origins are unlinkable.  For
-   example, consider two different deployments, one wherein there exists
-   a redemption anonymity set of size two and another wherein there
-   redemption anonymity set of size 2^32.  Although Origin-Client
-   unlinkability guarantees that the Origin cannot link any two requests
-   to the same Client based on these contexts, respectively, the
-   probability of determining the "true" Client is higher the smaller
-   these sets become.
-
-   In practice, there are a number of ways in which the size of
-   anonymity sets may be reduced or partitioned, though they all center
-   around the concept of consistency.  In particular, by definition, all
-   Clients in an anonymity set share a consistent view of information
-   needed to run the issuance and redemption protocols.  An example type
-   of information needed to run these protocols is the Issuer public
-   key.  When two Clients have inconsistent information, these Clients
-   effectively have different redemption contexts and therefore belong
-   in different anonymity sets.
-
-   The following sections discuss issues that can influence anonymity
-   set size.  For each issue, we discuss mitigations or safeguards to
-   protect against the underlying problem.
-
-6.1.  Partitioning by Issuance Metadata
-
-   Any public or private metadata bits of information can be used to
-   further segment the size of the Client's anonymity set.  Any Issuer
-   that wanted to track a single Client could add a single metadata bit
-   to Client tokens.  For the tracked Client it would set the bit to 1,
-   and 0 otherwise.  Adding additional bits provides an exponential
-   increase in tracking granularity similarly to introducing more
-   Issuers (though with more potential targeting).
-
-   For this reason, deployments should take the amount of metadata used
-   by an Issuer in creating redemption tokens must into account --
-   together with the bits of information that Issuers may learn about
-   Clients otherwise.  Since this metadata may be useful for practical
-   deployments of Privacy Pass, Issuers must balance this against the
-   reduction in Client privacy.
-
-   The number of permitted metadata values often depends on deployment-
-   specific details.  In general, limiting the amount of metadata
-   permitted helps limit the extent to which metadata can uniquely
-   identify individual Clients.  Failure to bound the number of possible
-   metadata values can therefore lead to reduction in Client privacy.
-   Most token types do not admit any metadata, so this bound is
-   implicitly enforced.
-
-6.2.  Partitioning by Issuance Consistency
-
-   Anonymity sets can be partitioned by information used for the
-   issuance protocol, including: metadata, Issuer configuration (keys),
-   and Issuer selection.
-
-   Any issuance metadata bits of information can be used to partition
-   the Client anonymity set.  For example, any Issuer that wanted to
-   track a single Client could add a single metadata bit to Client
-   tokens.  For the tracked Client it would set the bit to 1, and 0
-   otherwise.  Adding additional bits provides an exponential increase
-   in tracking granularity similarly to introducing more Issuers (though
-   with more potential targeting).
-
-   The number of active Issuer configurations also contributes to
-   anonymity set partitioning.  In particular, when an Issuer updates
-   their configuration and the corresponding key pair, any Client that
-   invokes the issuance protocol with this configuration becomes part of
-   a set of Clients which also ran the issuance protocol using the same
-   configuration.  Issuer configuration updates, e.g., due to key
-   rotation, are an important part of hedging against long-term private
-   key compromise.  In general, key rotations represent a trade-off
-   between Client privacy and Issuer security.  Therefore, it is
-   important that key rotations occur on a regular cycle to reduce the
-   harm of an Issuer key compromise.
-
-   Lastly, if Clients are willing to issue and redeem tokens from a
-   large number of Issuers for a specific Origin, and that Origin
-   accepts tokens from all Issuers, partitioning can occur.  As an
-   example, if a Client obtains tokens from many Issuers and an Origin
-   later challenges that Client for a token from each Issuer, the Origin
-   can learn information about the Client.  This arrangement might
-   happen if Clients request tokens from different Issuers, each of
-   which have different Attester preferences.  Each per-Issuer token
-   that a Client holds essentially corresponds to a bit of information
-   about the Client that Origin learns.  Therefore, there is an
-   exponential loss in privacy relative to the number of Issuers.
-
-   The fundamental problem here is that the number of possible issuance
-   configurations, including the keys in use and the Issuer identities
-   themselves, can partition the Client anonymity set.  To mitigate this
-   problem, Clients SHOULD bound the number of active issuance
-   configurations per Origin as well as across Origins.  Moreover,
-   Clients SHOULD employ some form of consistency mechanism to ensure
-   that they receive the same configuration information and are not
-   being actively partitioned into smaller anonymity sets.  See
-   [CONSISTENCY] for possible consistency mechanisms.  Depending on the
-   deployment, the Attester might assist the Client in applying these
-   consistency checks across clients.  Failure to apply a consistency
-   check can allow Client-specific keys to violate Origin-Client
-   unlinkability.
-
-6.3.  Partitioning by Side-Channels
-
-   Side-channel attacks, such as those based on timing correlation,
-   could be used to reduce anonymity set size.  In particular, for
-   interactive tokens that are bound to a Client-specific redemption
-   context, the anonymity set of Clients during the issuance protocol
-   consists of those Clients that started issuance between the time of
-   the Origin's challenge and the corresponding token redemption.
-   Depending on the number of Clients using a particular Issuer during
-   that time window, the set can be small.  Applications should take
-   such side channels into consideration before choosing a particular
-   deployment model and type of token challenge and redemption context.
-
-7.  Security Considerations
-
-   This document describes security and privacy requirements for the
-   Privacy Pass redemption and issuance protocols.  It also describes
-   deployment models built around non-collusion assumptions and privacy
-   considerations for using Privacy Pass within those models.  Ensuring
-   Client privacy -- separation of attestation and redemption contexts
-   -- requires active work on behalf of the Client, especially in the
-   presence of malicious Issuers and Origins.  Implementing mitigations
-   discussed in Section 4 and Section 6 is therefore necessary to ensure
-   that Privacy Pass offers meaningful privacy improvements to end-
-   users.
-
-7.1.  Token Caching
-
-   Depending on the Origin's token challenge, Clients can request and
-   cache more than one token using an issuance protocol.  Cached tokens
-   help improve privacy by separating the time of token issuance from
-   the time of token redemption, and also allow Clients to reduce the
-   overhead of receiving new tokens via the issuance protocol.
-
-   As a consequence, Origins that send token challenges which are
-   compatible with cached tokens need to take precautions to ensure that
-   tokens are not replayed.  This is typically done via keeping track of
-   tokens that are redeemed for the period of time in which cached
-   tokens would be accepted for particular challenges.
-
-   Moreover, since tokens are not intrinsically bound to Clients, it is
-   possible for malicious Clients to collude and share tokens in a so-
-   called "hoarding attack."  As an example of this attack, many
-   distributed Clients could obtain cacheable tokens and then share them
-   with a single Client to redeem in a way that would violate an
-   Origin's attempt to limit tokens to any one particular Client.  In
-   general, mechanisms for mitigating hoarding attacks depend on the
-   deployment model and use case.  For example, in the Joint Origin and
-   Issuer model, comparing the issuance and redemption contexts can help
-   detect hoarding attacks, i.e., if the distribution of redemption
-   contexts is noticeably different from the distribution of issuance
-   contexts.  Rate limiting issuance, either at the Client, Attester, or
-   Issuer, can also help mitigate these attacks.
-
-8.  IANA Considerations
-
-   This document has no IANA actions.
-
-9.  References
-
-9.1.  Normative References
-
-   [AUTHSCHEME]
-              Pauly, T., Valdez, S., and C. A. Wood, "The Privacy Pass
-              HTTP Authentication Scheme", Work in Progress, Internet-
-              Draft, draft-ietf-privacypass-auth-scheme-14, 25 September
-              2023, <https://datatracker.ietf.org/doc/html/draft-ietf-
-              privacypass-auth-scheme-14>.
-
-   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
-              Requirement Levels", BCP 14, RFC 2119,
-              DOI 10.17487/RFC2119, March 1997,
-              <https://www.rfc-editor.org/rfc/rfc2119>.
-
-   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
-              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
-              May 2017, <https://www.rfc-editor.org/rfc/rfc8174>.
-
-9.2.  Informative References
-
-   [CENTRALIZATION]
-              Nottingham, M., "Centralization, Decentralization, and
-              Internet Standards", Work in Progress, Internet-Draft,
-              draft-nottingham-avoiding-internet-centralization-14, 14
-              September 2023, <https://datatracker.ietf.org/doc/html/
-              draft-nottingham-avoiding-internet-centralization-14>.
-
-   [CONSISTENCY]
-              Davidson, A., Finkel, M., Thomson, M., and C. A. Wood,
-              "Key Consistency and Discovery", Work in Progress,
-              Internet-Draft, draft-ietf-privacypass-key-consistency-01,
-              10 July 2023, <https://datatracker.ietf.org/doc/html/
-              draft-ietf-privacypass-key-consistency-01>.
-
-   [DMS2004]  Dingledine, R., Mathewson, N., and P. Syverson, "Tor: The
-              Second-Generation Onion Router", August 2004,
-              <https://svn.torproject.org/svn/projects/design-paper/tor-
-              design.html>.
-
-   [HIJK21]   Huang, S., Iyengar, S., Jeyaraman, S., Kushwah, S., Lee,
-              C. K., Luo, Z., Mohassel, P., Raghunathan, A., Shaikh, S.,
-              Sung, Y. C., and A. Zhang, "PrivateStats: De-Identified
-              Authenticated Logging at Scale", January 2021,
-              <https://research.fb.com/privatestats>.
-
-   [ISSUANCE] Celi, S., Davidson, A., Valdez, S., and C. A. Wood,
-              "Privacy Pass Issuance Protocol", Work in Progress,
-              Internet-Draft, draft-ietf-privacypass-protocol-16, 3
-              October 2023, <https://datatracker.ietf.org/doc/html/
-              draft-ietf-privacypass-protocol-16>.
-
-   [KLOR20]   Kreuter, B., Lepoint, T., Orrù, M., and M. Raykova,
-              "Anonymous Tokens with Private Metadata Bit", Springer
-              International Publishing, Advances in Cryptology – CRYPTO
-              2020 pp. 308-336, DOI 10.1007/978-3-030-56784-2_11,
-              ISBN ["9783030567835", "9783030567842"], 2020,
-              <https://doi.org/10.1007/978-3-030-56784-2_11>.
-
-   [OHTTP]    Thomson, M. and C. A. Wood, "Oblivious HTTP", Work in
-              Progress, Internet-Draft, draft-ietf-ohai-ohttp-10, 25
-              August 2023, <https://datatracker.ietf.org/doc/html/draft-
-              ietf-ohai-ohttp-10>.
-
-   [PrivacyPassCloudflare]
-              Sullivan, N., "Cloudflare Supports Privacy Pass", n.d.,
-              <https://blog.cloudflare.com/cloudflare-supports-privacy-
-              pass/>.
-
-   [PrivacyPassExtension]
-              "Privacy Pass Browser Extension", n.d.,
-              <https://github.com/privacypass/challenge-bypass-
-              extension>.
-
-   [RATE-LIMITED]
-              Hendrickson, S., Iyengar, J., Pauly, T., Valdez, S., and
-              C. A. Wood, "Rate-Limited Token Issuance Protocol", Work
-              in Progress, Internet-Draft, draft-privacypass-rate-limit-
-              tokens-03, 6 July 2022,
-              <https://datatracker.ietf.org/doc/html/draft-privacypass-
-              rate-limit-tokens-03>.
-
-   [RFC9334]  Birkholz, H., Thaler, D., Richardson, M., Smith, N., and
-              W. Pan, "Remote ATtestation procedureS (RATS)
-              Architecture", RFC 9334, DOI 10.17487/RFC9334, January
-              2023, <https://www.rfc-editor.org/rfc/rfc9334>.
-
-Appendix A.  Acknowledgements
-
-   The authors would like to thank Eric Kinnear, Scott Hendrickson,
-   Tommy Pauly, Christopher Patton, Benjamin Schwartz, Martin Thomson,
-   Steven Valdez and other contributors of the Privacy Pass Working
-   Group for many helpful contributions to this document.
-
-Authors' Addresses
-
-   Alex Davidson
-   LIP
-   Lisbon
-   Portugal
-   Email: alex.davidson92@gmail.com
-
-
-   Jana Iyengar
-   Fastly
-   Email: jri@fastly.com
-
-
-   Christopher A. Wood
-   Cloudflare
-   101 Townsend St
-   San Francisco,
-   United States of America
-   Email: caw@heapingbits.net
diff --git a/chris-wood-patch-8/draft-ietf-privacypass-auth-scheme.html b/chris-wood-patch-8/draft-ietf-privacypass-auth-scheme.html
deleted file mode 100644
index 1b34dc19..00000000
--- a/chris-wood-patch-8/draft-ietf-privacypass-auth-scheme.html
+++ /dev/null
@@ -1,2670 +0,0 @@
-<!DOCTYPE html>
-<html lang="en" class="Internet-Draft">
-<head>
-<meta charset="utf-8">
-<meta content="Common,Latin" name="scripts">
-<meta content="initial-scale=1.0" name="viewport">
-<title>The Privacy Pass HTTP Authentication Scheme</title>
-<meta content="Tommy Pauly" name="author">
-<meta content="Steven Valdez" name="author">
-<meta content="Christopher A. Wood" name="author">
-<meta content="
-       This document defines an HTTP authentication scheme for Privacy Pass,
-a privacy-preserving authentication mechanism used for authorization.
-The authentication scheme in this document can be used by clients
-to redeem Privacy Pass tokens with an origin. It can also be used by
-origins to challenge clients to present Privacy Pass tokens. 
-    " name="description">
-<meta content="xml2rfc 3.18.1" name="generator">
-<meta content="anonymous" name="keyword">
-<meta content="authorization" name="keyword">
-<meta content="crypto" name="keyword">
-<meta content="draft-ietf-privacypass-auth-scheme-latest" name="ietf.draft">
-<!-- Generator version information:
-  xml2rfc 3.18.1
-    Python 3.11.5
-    ConfigArgParse 1.5.3
-    google-i18n-address 3.1.0
-    intervaltree 3.1.0
-    Jinja2 3.1.2
-    lxml 4.9.3
-    platformdirs 3.11.0
-    pycountry 22.3.5
-    PyYAML 6.0
-    requests 2.31.0
-    setuptools 67.7.2
-    six 1.16.0
-    wcwidth 0.2.8
--->
-<link href="draft-ietf-privacypass-auth-scheme.xml" rel="alternate" type="application/rfc+xml">
-<link href="#copyright" rel="license">
-<style type="text/css">@font-face {
-  font-family: 'Lora';
-  font-style: italic;
-  font-weight: 400;
-  font-display: swap;
-  src: local('Lora Italic'), local('Lora-Italic'), url('https://martinthomson.github.io/rfc-css/fonts/lora-italic-cyrillic-ext.woff2') format('woff2');
-  unicode-range: U+0460-052F, U+1C80-1C88, U+20B4, U+2DE0-2DFF, U+A640-A69F, U+FE2E-FE2F;
-}
-@font-face {
-  font-family: 'Lora';
-  font-style: italic;
-  font-weight: 400;
-  font-display: swap;
-  src: local('Lora Italic'), local('Lora-Italic'), url('https://martinthomson.github.io/rfc-css/fonts/lora-italic-cyrillic-ext.woff2') format('woff2');
-  unicode-range: U+0400-045F, U+0490-0491, U+04B0-04B1, U+2116;
-}
-@font-face {
-  font-family: 'Lora';
-  font-style: italic;
-  font-weight: 400;
-  font-display: swap;
-  src: local('Lora Italic'), local('Lora-Italic'), url('https://martinthomson.github.io/rfc-css/fonts/lora-italic-vietnamese.woff2') format('woff2');
-  unicode-range: U+0102-0103, U+0110-0111, U+1EA0-1EF9, U+20AB;
-}
-@font-face {
-  font-family: 'Lora';
-  font-style: italic;
-  font-weight: 400;
-  font-display: swap;
-  src: local('Lora Italic'), local('Lora-Italic'), url('https://martinthomson.github.io/rfc-css/fonts/lora-italic-latin-ext.woff2') format('woff2');
-  unicode-range: U+0100-024F, U+0259, U+1E00-1EFF, U+2020, U+20A0-20AB, U+20AD-20CF, U+2113, U+2C60-2C7F, U+A720-A7FF;
-}
-
-@font-face {
-  font-family: 'Lora';
-  font-style: italic;
-  font-weight: 400;
-  font-display: swap;
-  src: local('Lora Italic'), local('Lora-Italic'), url('https://martinthomson.github.io/rfc-css/fonts/lora-italic-latin.woff2') format('woff2');
-  unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+2000-206F, U+2074, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD;
-}
-@font-face {
-  font-family: 'Lora';
-  font-style: normal;
-  font-weight: 400;
-  font-display: swap;
-  src: local('Lora Regular'), local('Lora-Regular'), url('https://martinthomson.github.io/rfc-css/fonts/lora-regular-cyrillic-ext.woff2') format('woff2');
-  unicode-range: U+0460-052F, U+1C80-1C88, U+20B4, U+2DE0-2DFF, U+A640-A69F, U+FE2E-FE2F;
-}
-@font-face {
-  font-family: 'Lora';
-  font-style: normal;
-  font-weight: 400;
-  font-display: swap;
-  src: local('Lora Regular'), local('Lora-Regular'), url('https://martinthomson.github.io/rfc-css/fonts/lora-regular-cyrillic.woff2') format('woff2');
-  unicode-range: U+0400-045F, U+0490-0491, U+04B0-04B1, U+2116;
-}
-@font-face {
-  font-family: 'Lora';
-  font-style: normal;
-  font-weight: 400;
-  font-display: swap;
-  src: local('Lora Regular'), local('Lora-Regular'), url('https://martinthomson.github.io/rfc-css/fonts/lora-regular-vietnamese.woff2') format('woff2');
-  unicode-range: U+0102-0103, U+0110-0111, U+1EA0-1EF9, U+20AB;
-}
-@font-face {
-  font-family: 'Lora';
-  font-style: normal;
-  font-weight: 400;
-  font-display: swap;
-  src: local('Lora Regular'), local('Lora-Regular'), url('https://martinthomson.github.io/rfc-css/fonts/lora-regular-latin-ext.woff2') format('woff2');
-  unicode-range: U+0100-024F, U+0259, U+1E00-1EFF, U+2020, U+20A0-20AB, U+20AD-20CF, U+2113, U+2C60-2C7F, U+A720-A7FF;
-}
-@font-face {
-  font-family: 'Lora';
-  font-style: normal;
-  font-weight: 400;
-  font-display: swap;
-  src: local('Lora Regular'), local('Lora-Regular'), url('https://martinthomson.github.io/rfc-css/fonts/lora-regular-latin.woff2') format('woff2');
-  unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+2000-206F, U+2074, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD;
-}
-
-@font-face {
-  font-family: 'Lora';
-  font-style: normal;
-  font-weight: 700;
-  font-display: swap;
-  src: local('Lora Bold'), local('Lora-Bold'), url('https://martinthomson.github.io/rfc-css/fonts/lora-bold-cyrillic-ext.woff2') format('woff2');
-  unicode-range: U+0460-052F, U+1C80-1C88, U+20B4, U+2DE0-2DFF, U+A640-A69F, U+FE2E-FE2F;
-}
-@font-face {
-  font-family: 'Lora';
-  font-style: normal;
-  font-weight: 700;
-  font-display: swap;
-  src: local('Lora Bold'), local('Lora-Bold'), url('https://martinthomson.github.io/rfc-css/fonts/lora-bold-cyrillic.woff2') format('woff2');
-  unicode-range: U+0400-045F, U+0490-0491, U+04B0-04B1, U+2116;
-}
-@font-face {
-  font-family: 'Lora';
-  font-style: normal;
-  font-weight: 700;
-  font-display: swap;
-  src: local('Lora Bold'), local('Lora-Bold'), url('https://martinthomson.github.io/rfc-css/fonts/lora-bold-vietnamese.woff2') format('woff2');
-  unicode-range: U+0102-0103, U+0110-0111, U+1EA0-1EF9, U+20AB;
-}
-@font-face {
-  font-family: 'Lora';
-  font-style: normal;
-  font-weight: 700;
-  font-display: swap;
-  src: local('Lora Bold'), local('Lora-Bold'), url('https://martinthomson.github.io/rfc-css/fonts/lora-bold-latin-ext.woff2') format('woff2');
-  unicode-range: U+0100-024F, U+0259, U+1E00-1EFF, U+2020, U+20A0-20AB, U+20AD-20CF, U+2113, U+2C60-2C7F, U+A720-A7FF;
-}
-@font-face {
-  font-family: 'Lora';
-  font-style: normal;
-  font-weight: 700;
-  font-display: swap;
-  src: local('Lora Bold'), local('Lora-Bold'), url('https://martinthomson.github.io/rfc-css/fonts/lora-bold-latin.woff2') format('woff2');
-  unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+2000-206F, U+2074, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD;
-}
-@font-face {
-  font-family: 'Lora';
-  font-style: normal;
-  font-weight: 600;
-  font-display: swap;
-  src: local('Lora SemiBold'), local('Lora-SemiBold'), url('https://martinthomson.github.io/rfc-css/fonts/lora-semibold-latin.woff2') format('woff2');
-  unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+2000-206F, U+2074, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD;
-}
-
-@font-face {
-  font-family: 'Cabin Condensed';
-  font-style: normal;
-  font-weight: 600;
-  font-display: swap;
-  src: local('Cabin Condensed SemiBold'), local('CabinCondensed-SemiBold'), url('https://martinthomson.github.io/rfc-css/fonts/cabincondensed-semibold-vietnamese.woff2') format('woff2');
-  unicode-range: U+0102-0103, U+0110-0111, U+1EA0-1EF9, U+20AB;
-}
-@font-face {
-  font-family: 'Cabin Condensed';
-  font-style: normal;
-  font-weight: 600;
-  font-display: swap;
-  src: local('Cabin Condensed SemiBold'), local('CabinCondensed-SemiBold'), url('https://martinthomson.github.io/rfc-css/fonts/cabincondensed-semibold-latin-ext.woff2') format('woff2');
-  unicode-range: U+0100-024F, U+0259, U+1E00-1EFF, U+2020, U+20A0-20AB, U+20AD-20CF, U+2113, U+2C60-2C7F, U+A720-A7FF;
-}
-@font-face {
-  font-family: 'Cabin Condensed';
-  font-style: normal;
-  font-weight: 600;
-  font-display: swap;
-  src: local('Cabin Condensed SemiBold'), local('CabinCondensed-SemiBold'), url('https://martinthomson.github.io/rfc-css/fonts/cabincondensed-semibold-latin.woff2') format('woff2');
-  unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+2000-206F, U+2074, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD;
-}
-
-@font-face {
-  font-family: 'Oxygen Mono';
-  font-style: normal;
-  font-weight: 400;
-  font-display: swap;
-  src: local('Oxygen Mono'), local('OxygenMono-Regular'), url('https://martinthomson.github.io/rfc-css/fonts/oxygenmono-regular-latin-ext.woff2') format('woff2');
-  unicode-range: U+0100-024F, U+0259, U+1E00-1EFF, U+2020, U+20A0-20AB, U+20AD-20CF, U+2113, U+2C60-2C7F, U+A720-A7FF;
-}
-@font-face {
-  font-family: 'Oxygen Mono';
-  font-style: normal;
-  font-weight: 400;
-  font-display: swap;
-  src: local('Oxygen Mono'), local('OxygenMono-Regular'), url('https://martinthomson.github.io/rfc-css/fonts/oxygenmono-regular-latin.woff2') format('woff2');
-  unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+2000-206F, U+2074, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD;
-}
-
-:root {
-  color-scheme: light dark;
-  --background-color: #fff;
-  --text-color: #222;
-  --title-color: #191919;
-  --link-color: #2a6496;
-  --highlight-color: #f9f9f9;
-  --line-color: #eee;
-  --pilcrow-weak: #ddd;
-  --pilcrow-strong: #bbb;
-  --small-font-size: 14.5px;
-  --font-mono: 'Oxygen Mono', monospace;
-  scrollbar-color: #bbb #eee;
-}
-body {
-  max-width: 600px;
-  margin: 75px auto;
-  padding: 0 5px;
-  color: var(--text-color);
-  background-color: var(--background-color);
-  font: 16px/22px "Lora", serif;
-  scroll-behavior: smooth;
-}
-
-.ears {
-  display: none;
-}
-
-/* headings */
-h1, h2, h3, h4, h5, h6 {
-  font-family: "Cabin Condensed", sans-serif;
-  font-weight: 600;
-  margin: 0.8em 0 0.3em;
-  font-size-adjust: 0.5;
-  color: var(--title-color);
-}
-h1#title {
-  font-size: 32px;
-  line-height: 40px;
-  clear: both;
-}
-h1#title, h1#rfcnum {
-  margin: 1.5em 0 0.2em;
-}
-h1#rfcnum + h1#title {
-  margin: 0.2em 0;
-}
-
-h1, h2, h3 {
-  font-size: 22px;
-  line-height: 27px;
-}
-h4, h5, h6 {
-  font-size: 20px;
-  line-height: 24px;
-}
-
-/* general structure */
-.author {
-  padding-bottom: 0.3em;
-}
-#abstract+p {
-  font-size: 18px;
-  line-height: 24px;
-}
-#abstract+p code, #abstract+p samp, #abstract+p tt {
-  font-size: 16px;
-  line-height: 0;
-}
-
-p {
-  padding: 0;
-  margin: 0.5em 0;
-  text-align: left;
-}
-div {
-  margin: 0;
-}
-.alignRight.art-text {
-  background-color: var(--highlight-color);
-  border: 1px solid var(--line-color);
-  border-radius: 3px;
-  padding: 0.5em 1em 0;
-  margin-bottom: 0.5em;
-}
-.alignRight.art-text pre {
-  padding: 0;
-  width: auto;
-}
-.alignRight {
-  margin: 1em 0;
-}
-.alignRight > *:first-child {
-  border: none;
-  margin: 0;
-  float: right;
-  clear: both;
-}
-.alignRight > *:nth-child(2) {
-  clear: both;
-  display: block;
-  border: none;
-}
-svg {
-  display: block;
-}
-/* font-family isn't space-separated, but =~ will have to do */
-svg[font-family~="monospace" i], svg [font-family~="monospace" i] {
-  font-family: var(--font-mono);
-}
-.alignCenter.art-text {
-  background-color: var(--highlight-color);
-  border: 1px solid var(--line-color);
-  border-radius: 3px;
-  padding: 0.5em 1em 0;
-  margin-bottom: 0.5em;
-}
-.alignCenter.art-text pre {
-  padding: 0;
-  width: auto;
-}
-.alignCenter {
-  margin: 1em 0;
-}
-.alignCenter > *:first-child {
-  border: none;
-  /* this isn't optimal, but it's an existence proof.  PrinceXML doesn't
-     support flexbox yet.
-  */
-  display: table;
-  margin: 0 auto;
-}
-
-/* lists */
-ol, ul {
-  padding: 0;
-  margin: 0 0 0.5em 2em;
-}
-:is(ol, ul) :is(ol, ul) {
-  margin-left: 1em;
-}
-li {
-  margin: 0 0 0.25em 0;
-}
-.ulCompact li {
-  margin: 0;
-}
-ul.empty, .ulEmpty {
-  list-style-type: none;
-}
-ul.empty li, .ulEmpty li {
-  margin-top: 0.5em;
-}
-:is(ul, ol).compact, .ulCompact, .olCompact {
-  line-height: 1;
-  margin: 0 0 0 2em;
-}
-
-/* definition lists */
-dl {
-  clear: left;
-  --indent: 3ch;
-  /* --indent: attr(indent ch); not supported in any browser, but we can dream */
-}
-dl.olPercent {
-  --indent: 5ch;
-}
-dl > dt {
-  float: left;
-  margin-right: 2ch;
-  min-width: 8ch;
-}
-dl.dlNewline > dt {
-  float: none;
-}
-dl > dd {
-  margin-bottom: .8em;
-  margin-left: var(--indent) !important; /* stupid element overrides */
-  min-height: 2ex;
-}
-dl.olPercent > dt {
-  min-width: calc(var(--indent) - 2ch);
-}
-:is(dl.compact, .dlCompact) > dd {
-  margin-bottom: 0;
-}
-:is(dl.compact, .dlCompact) > dd > :is(:first-child, .break:first-child + *) {
-  margin-top: 0;
-}
-:is(dl.compact, .dlCompact) > dd > :is(:last-child) {
-  margin-bottom: 0;
-}
-dl > dd > dl {
-  margin-top: 0.5em;
-  margin-bottom: 0;
-}
-:is(dd, span).break {
-  display: none;
-}
-
-/* links */
-a, a[href].selfRef:hover {
-  text-decoration: none;
-}
-a[href] {
-  color: var(--link-color);
-}
-a[href].selfRef, .iref + a[href].internal {
-  color: var(--text-color);
-}
-a[href]:hover {
-  text-decoration: underline;
-}
-a[href].selfRef:hover {
-  background-color: var(--highlight-color);
-}
-a.xref:is(.cite, .auto), :is(#status-of-memo, #copyright) a {
-  white-space: nowrap;
-}
-
-/* Figures */
-tt, code, pre {
-  background-color: var(--highlight-color);
-  font: 14px/22px var(--font-mono);
-}
-tt, code {
-  /* changing the font for inline elements leads to different ascender
-     and descender heights; as we want to retain baseline alignment,
-     remove leading to avoid altering the final height of lines
-     note: this fails if these blocks take an entire line,
-     a different solution would be great */
-  line-height: 0;
-}
-:is(h1, h2, h3, h4, h5, h6) :is(tt, code) {
-  font-size: 84%;
-}
-pre {
-  border: 1px solid var(--line-color);
-  font-size: 13.5px;
-  line-height: 16px;
-  letter-spacing: -0.2px;
-  margin: 5px;
-  padding: 5px;
-}
-img {
-  max-width: 100%;
-}
-figure {
-  margin: 0.5em 0;
-  padding: 0;
-}
-figure blockquote {
-  margin: 0.8em 0.4em 0.4em;
-}
-figcaption, caption {
-  font-style: italic;
-  margin: 0.5em 1.5em;
-  text-align: left;
-}
-@media screen {
-  /* Auto-collapse boilerplate. */
-  :is(#status-of-memo, #copyright) p {
-    margin: -2px 0;
-    max-height: 0;
-    transition: max-height 2s ease, margin 0.5s ease 0.5s;
-    overflow: hidden;
-  }
-  :is(#status-of-memo, #copyright):hover p,
-  :is(#status-of-memo, #copyright) h2:target ~ p {
-    margin: 0.5em 0;
-    max-height: 500px;
-    overflow: auto;
-  }
-  pre, svg {
-    display: inline-block;
-    overflow-x: auto;
-  }
-  pre {
-    max-width: 100%;
-    width: calc(100% - 22px - 1em);
-  }
-  svg {
-    max-width: calc(100% - 22px - 1em);
-  }
-  figure pre {
-    display: block;
-    width: calc(100% - 25px);
-  }
-  :is(pre, svg) + .pilcrow {
-    display: inline-block;
-    vertical-align: text-bottom;
-    padding-bottom: 8px;
-  }
-}
-
-/* aside, blockquote */
-aside, blockquote {
-  margin-left: 0;
-  padding: 0 2em;
-  font-style: italic;
-}
-blockquote {
-  margin: 1em 0;
-}
-cite {
-  display: block;
-  text-align: right;
-  font-style: italic;
-}
-
-/* tables */
-table {
-  max-width: 100%;
-  margin: 0 0 1em;
-  border-collapse: collapse;
-}
-table.right {
-  margin-left: auto;
-}
-table.center {
-  margin-left: auto;
-  margin-right: auto;
-}
-table.left {
-  margin-right: auto;
-}
-thead, tbody {
-  border: 1px solid var(--line-color);
-}
-th, td {
-  text-align: left;
-  vertical-align: top;
-  padding: 5px 10px;
-}
-th {
-  background-color: var(--line-color);
-}
-:is(tr:nth-child(2n), thead+tbody > tr:nth-child(2n+1)) > td {
-  background-color: var(--background-color);
-}
-:is(tr:nth-child(2n+1), thead+tbody > tr:nth-child(2n)) > td {
-  background-color: var(--highlight-color);
-}
-table caption {
-  margin: 0;
-  padding: 3px 0 3px 1em;
-}
-table p {
-  margin: 0;
-}
-
-/* pilcrow */
-a.pilcrow {
-  margin-left: 3px;
-  opacity: 0.2;
-  user-select: none;
-}
-a.pilcrow[href] { color: var(--pilcrow-weak); }
-a.pilcrow[href]:hover { text-decoration: none; }
-@media not print {
-  :hover > a.pilcrow {
-    opacity: 1;
-  }
-  a.pilcrow[href]:hover {
-    color: var(--pilcrow-strong);
-    background-color: transparent;
-  }
-}
-@media print {
-  a.pilcrow {
-    display: none;
-  }
-}
-
-/* misc */
-hr {
-  border: 0;
-  border-top: 1px solid var(--line-color);
-}
-.bcp14 {
-  font-variant: small-caps;
-  font-weight: 600;
-  font-size: var(--small-font-size);
-}
-.role {
-  font-variant: all-small-caps;
-}
-sub, sup {
-  line-height: 1;
-  font-size: 80%;
-}
-
-/* info block */
-#identifiers {
-  margin: 0;
-  font-size: var(--small-font-size);
-  line-height: 18px;
-  --identifier-width: 15ch;
-}
-#identifiers dt {
-  width: var(--identifier-width);
-  min-width: var(--identifier-width);
-  clear: left;
-  float: left;
-  text-align: right;
-  margin-right: 1ch;
-}
-#identifiers dd {
-  margin: 0;
-  margin-left: calc(1em + var(--identifier-width)) !important;
-  min-width: 5em;
-}
-#identifiers .authors .author {
-  display: inline-block;
-  margin-right: 1.5em;
-}
-#identifiers .authors .org {
-  font-style: italic;
-}
-
-/* The prepared/rendered info at the very bottom of the page */
-.docInfo {
-  color: #999;
-  font-size: 0.9em;
-  font-style: italic;
-  margin-top: 2em;
-}
-.docInfo .prepared {
-  float: left;
-}
-.docInfo .prepared {
-  float: right;
-}
-
-/* table of contents */
-#toc {
-  padding: 0.75em 0 2em 0;
-  margin-bottom: 1em;
-}
-#toc nav ul {
-  margin: 0 0.5em 0 0;
-  padding: 0;
-  list-style: none;
-}
-#toc nav li {
-  line-height: 1.3em;
-  margin: 2px 0;
-  padding-left: 1.2em;
-  text-indent: -1.2em;
-}
-#toc a.xref {
-  white-space: normal;
-}
-/* references */
-.references dt {
-  text-align: right;
-  font-weight: bold;
-  min-width: 10ch;
-  margin-right: 1.5ch;
-}
-.references dt:target::before {
-  content: "⇒";
-  width: 15px;
-  margin: 0 10px 0 -25px;
-}
-.references dd {
-  margin-left: 12ch !important;
-  overflow: auto;
-}
-
-.refInstance {
-  margin-bottom: 1.25em;
-}
-
-.references .ascii {
-  margin-bottom: 0.25em;
-}
-
-/* index */
-#rfc\.index\.index + ul {
-  margin-left: 0;
-}
-
-/* authors */
-address.vcard {
-  font-style: normal;
-  margin: 1em 0;
-}
-address.vcard .nameRole {
-  font-weight: 700;
-  margin-left: 0;
-}
-address.vcard .label {
-  margin: 0.5em 0;
-}
-address.vcard .type {
-  display: none;
-}
-.alternative-contact {
-  margin: 1.5em 0 1em;
-}
-hr.addr {
-  border-top: 1px dashed;
-  margin: 0;
-  color: #ddd;
-  max-width: calc(100% - 16px);
-}
-@media (min-width: 500px) {
-  #authors-addresses > section {
-    column-count: 2;
-    column-gap: 20px;
-  }
-  #authors-addresses > section > h2 {
-    column-span: all;
-  }
-  /* hack for break-inside: avoid-column */
-  #authors-addresses address {
-    display: inline-block;
-    break-inside: avoid-column;
-  }
-}
-
-.rfcEditorRemove p:first-of-type {
-  font-style: italic;
-}
-.cref {
-  background-color: rgba(249, 232, 105, 0.3);
-  padding: 2px 4px;
-}
-.crefSource {
-  font-style: italic;
-}
-/* alternative layout for smaller screens */
-@media screen and (max-width: 929px) {
-  #toc {
-    position: fixed;
-    z-index: 2;
-    top: 0;
-    right: 0;
-    padding: 1px 0 0 0;
-    margin: 0;
-    border-bottom: 1px solid #ccc;
-    opacity: 0.6;
-  }
-  #toc.active {
-      opacity: 1;
-  }
-  #toc h2 {
-    margin: 0;
-    padding: 2px 0 2px 6px;
-    padding-right: 1em;
-    font-size: 18px;
-    line-height: 24px;
-    min-width: 190px;
-    text-align: right;
-    background-color: #444;
-    color: white;
-    cursor: pointer;
-  }
-  #toc h2::before { /* css hamburger */
-    float: right;
-    position: relative;
-    width: 1em;
-    height: 1px;
-    left: -164px;
-    margin: 8px 0 0 0;
-    background: white none repeat scroll 0 0;
-    box-shadow: 0 4px 0 0 white, 0 8px 0 0 white;
-    content: "";
-  }
-  #toc nav {
-    display: none;
-    background-color: var(--background-color);
-    padding: 0.5em 1em 1em;
-    overflow: auto;
-    overscroll-behavior: contain;
-    height: calc(100vh - 48px);
-    border-left: 1px solid #ddd;
-  }
-  #toc.active nav {
-    display: block;
-  }
-  /* Make the collapsed ToC header render white on gray also when it's a link */
-  #toc h2 a,
-  #toc h2 a:link,
-  #toc h2 a:focus,
-  #toc h2 a:hover,
-  #toc a.toplink,
-  #toc a.toplink:hover {
-    color: white;
-    background-color: #444;
-    text-decoration: none;
-  }
-  #toc a.toplink {
-    margin-top: 2px;
-  }
-}
-
-/* alternative layout for wide screens */
-@media screen and (min-width: 930px) {
-  body {
-    padding-right: 360px;
-    padding-right: calc(min(180px + 20%, 500px));
-  }
-  #toc {
-    position: fixed;
-    bottom: 0;
-    right: 0;
-    right: calc(50vw - 480px);
-    width: 312px;
-    margin: 0;
-    padding: 0;
-    z-index: 1;
-  }
-  #toc h2 {
-    margin: 0;
-    padding: 0.25em 1em 1em 0;
-  }
-  #toc nav {
-    display: block;
-    height: calc(90vh - 84px);
-    bottom: 0;
-    padding: 0.5em 0 2em;
-    overflow: auto;
-    overscroll-behavior: contain;
-    scrollbar-width: thin;
-  }
-  #toc nav > ul  {
-    margin-bottom: 2em;
-  }
-  #toc ul {
-    margin: 0 0 0 4px;
-    font-size: var(--small-font-size);
-  }
-  #toc ul :is(p, li) {
-    margin: 2px 0;
-    line-height: 22px;
-  }
-  img { /* future proofing */
-    max-width: 100%;
-    height: auto;
-  }
-}
-
-/* pagination */
-@media print {
-  body {
-    width: 100%;
-  }
-  p {
-    orphans: 3;
-    widows: 3;
-  }
-  #n-copyright-notice {
-    border-bottom: none;
-  }
-  #toc, #n-introduction {
-    page-break-before: always;
-  }
-  #toc {
-    border-top: none;
-    padding-top: 0;
-  }
-  figure, pre, .vcard {
-    page-break-inside: avoid;
-  }
-  h1, h2, h3, h4, h5, h6 {
-    page-break-after: avoid;
-  }
-  :is(h2, h3, h4, h5, h6)+*, dd {
-    page-break-before: avoid;
-  }
-  pre {
-    white-space: pre-wrap;
-    word-wrap: break-word;
-    font-size: 10pt;
-  }
-  table {
-    border: 1px solid #ddd;
-  }
-  td {
-    border-top: 1px solid #ddd;
-  }
-  .toplink {
-    display: none;
-  }
-}
-
-@page :first {
-  padding-top: 0;
-  @top-left {
-    content: normal;
-    border: none;
-  }
-  @top-center {
-    content: normal;
-    border: none;
-  }
-  @top-right {
-    content: normal;
-    border: none;
-  }
-}
-
-@page {
-  size: A4;
-  margin-bottom: 45mm;
-  padding-top: 20px;
-}
-
-/* Changes introduced to fix issues found during implementation */
-
-/* Separate body from document info even without intervening H1 */
-section {
-  clear: both;
-}
-
-/* Top align author divs, to avoid names without organization dropping level with org names */
-.author {
-  vertical-align: top;
-}
-
-/* Style section numbers with more space between number and title */
-.section-number {
-  padding-right: 0.5em;
-}
-
-/* Add styling for a link in the ToC that points to the top of the document */
-a.toplink {
-  float: right;
-  margin: 8px 0.5em 0;
-}
-
-/* Provide styling for table cell text alignment */
-table .text-left {
-  text-align: left;
-}
-table .text-center {
-  text-align: center;
-}
-table .text-right {
-  text-align: right;
-}
-
-/* Make the alternative author contact information look less like just another
-   author, and group it closer with the primary author contact information */
-.alternative-contact {
-  margin: 0.5em 0 0.25em 0;
-}
-address .non-ascii {
-  margin: 0 0 0 2em;
-}
-
-/* With it being possible to set tables with alignment
-  left, center, and right, { width: 100%; } does not make sense */
-table {
-  width: auto;
-}
-
-/* Avoid reference text that sits in a block with very wide left margin,
-   because of a long floating dt label.*/
-.references dd {
-  overflow: visible;
-}
-
-/* Control caption placement */
-caption {
-  caption-side: bottom;
-}
-
-/* Limit the width of the author address vcard, so names in right-to-left
-   script don't end up on the other side of the page. */
-
-address.vcard {
-  max-width: 20em;
-  margin-right: auto;
-}
-
-/* For address alignment dependent on LTR or RTL scripts */
-address div.left {
-  text-align: left;
-}
-address div.right {
-  text-align: right;
-}
-
-/* Dark mode. */
-@media (prefers-color-scheme: dark) {
-:root {
-  --background-color: #121212;
-  --text-color: #f0f0f0;
-  --title-color: #fff;
-  --link-color: #4da4f0;
-  --highlight-color: #282828;
-  --line-color: #444;
-  --pilcrow-weak: #444;
-  --pilcrow-strong: #666;
-  scrollbar-color: #777 #333;
-}
-}
-
-/* SVG Trick: a prefix match works because only black and white are allowed */
-svg :is([stroke="black"], [stroke^="#000"]) {
-  stroke: var(--text-color);
-}
-svg :is([stroke="white"], [stroke^="#fff"]) {
-  stroke: var(--background-color);
-}
-svg :is([fill="black"], [fill^="#000"], :not([fill])) {
-  fill: var(--text-color);
-}
-svg :is([fill="white"], [fill^="#fff"]) {
-  fill: var(--background-color);
-}
-</style>
-
-</head>
-<body class="xml2rfc">
-<table class="ears">
-<thead><tr>
-<td class="left">Internet-Draft</td>
-<td class="center">Privacy Pass Authentication</td>
-<td class="right">October 2023</td>
-</tr></thead>
-<tfoot><tr>
-<td class="left">Pauly, et al.</td>
-<td class="center">Expires 15 April 2024</td>
-<td class="right">[Page]</td>
-</tr></tfoot>
-</table>
-<div id="external-metadata" class="document-information"></div>
-<div id="internal-metadata" class="document-information">
-<dl id="identifiers">
-<dt class="label-workgroup">Workgroup:</dt>
-<dd class="workgroup">Network Working Group</dd>
-<dt class="label-internet-draft">Internet-Draft:</dt>
-<dd class="internet-draft">draft-ietf-privacypass-auth-scheme-latest</dd>
-<dt class="label-published">Published:</dt>
-<dd class="published">
-<time datetime="2023-10-13" class="published">13 October 2023</time>
-    </dd>
-<dt class="label-intended-status">Intended Status:</dt>
-<dd class="intended-status">Standards Track</dd>
-<dt class="label-expires">Expires:</dt>
-<dd class="expires"><time datetime="2024-04-15">15 April 2024</time></dd>
-<dt class="label-authors">Authors:</dt>
-<dd class="authors">
-<div class="author">
-      <div class="author-name">T. Pauly</div>
-<div class="org">Apple Inc.</div>
-</div>
-<div class="author">
-      <div class="author-name">S. Valdez</div>
-<div class="org">Google LLC</div>
-</div>
-<div class="author">
-      <div class="author-name">C. A. Wood</div>
-<div class="org">Cloudflare</div>
-</div>
-</dd>
-</dl>
-</div>
-<h1 id="title">The Privacy Pass HTTP Authentication Scheme</h1>
-<section id="section-abstract">
-      <h2 id="abstract"><a href="#abstract" class="selfRef">Abstract</a></h2>
-<p id="section-abstract-1">This document defines an HTTP authentication scheme for Privacy Pass,
-a privacy-preserving authentication mechanism used for authorization.
-The authentication scheme in this document can be used by clients
-to redeem Privacy Pass tokens with an origin. It can also be used by
-origins to challenge clients to present Privacy Pass tokens.<a href="#section-abstract-1" class="pilcrow">¶</a></p>
-</section>
-<div id="status-of-memo">
-<section id="section-boilerplate.1">
-        <h2 id="name-status-of-this-memo">
-<a href="#name-status-of-this-memo" class="section-name selfRef">Status of This Memo</a>
-        </h2>
-<p id="section-boilerplate.1-1">
-        This Internet-Draft is submitted in full conformance with the
-        provisions of BCP 78 and BCP 79.<a href="#section-boilerplate.1-1" class="pilcrow">¶</a></p>
-<p id="section-boilerplate.1-2">
-        Internet-Drafts are working documents of the Internet Engineering Task
-        Force (IETF). Note that other groups may also distribute working
-        documents as Internet-Drafts. The list of current Internet-Drafts is
-        at <span><a href="https://datatracker.ietf.org/drafts/current/">https://datatracker.ietf.org/drafts/current/</a></span>.<a href="#section-boilerplate.1-2" class="pilcrow">¶</a></p>
-<p id="section-boilerplate.1-3">
-        Internet-Drafts are draft documents valid for a maximum of six months
-        and may be updated, replaced, or obsoleted by other documents at any
-        time. It is inappropriate to use Internet-Drafts as reference
-        material or to cite them other than as "work in progress."<a href="#section-boilerplate.1-3" class="pilcrow">¶</a></p>
-<p id="section-boilerplate.1-4">
-        This Internet-Draft will expire on 15 April 2024.<a href="#section-boilerplate.1-4" class="pilcrow">¶</a></p>
-</section>
-</div>
-<div id="copyright">
-<section id="section-boilerplate.2">
-        <h2 id="name-copyright-notice">
-<a href="#name-copyright-notice" class="section-name selfRef">Copyright Notice</a>
-        </h2>
-<p id="section-boilerplate.2-1">
-            Copyright (c) 2023 IETF Trust and the persons identified as the
-            document authors. All rights reserved.<a href="#section-boilerplate.2-1" class="pilcrow">¶</a></p>
-<p id="section-boilerplate.2-2">
-            This document is subject to BCP 78 and the IETF Trust's Legal
-            Provisions Relating to IETF Documents
-            (<span><a href="https://trustee.ietf.org/license-info">https://trustee.ietf.org/license-info</a></span>) in effect on the date of
-            publication of this document. Please review these documents
-            carefully, as they describe your rights and restrictions with
-            respect to this document. Code Components extracted from this
-            document must include Revised BSD License text as described in
-            Section 4.e of the Trust Legal Provisions and are provided without
-            warranty as described in the Revised BSD License.<a href="#section-boilerplate.2-2" class="pilcrow">¶</a></p>
-</section>
-</div>
-<div id="toc">
-<section id="section-toc.1">
-        <a href="#" onclick="scroll(0,0)" class="toplink">▲</a><h2 id="name-table-of-contents">
-<a href="#name-table-of-contents" class="section-name selfRef">Table of Contents</a>
-        </h2>
-<nav class="toc"><ul class="compact toc ulBare ulEmpty">
-<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.1">
-            <p id="section-toc.1-1.1.1" class="keepWithNext"><a href="#section-1" class="auto internal xref">1</a>.  <a href="#name-introduction" class="internal xref">Introduction</a></p>
-<ul class="compact toc ulBare ulEmpty">
-<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.1.2.1">
-                <p id="section-toc.1-1.1.2.1.1" class="keepWithNext"><a href="#section-1.1" class="auto internal xref">1.1</a>.  <a href="#name-terminology" class="internal xref">Terminology</a></p>
-</li>
-            </ul>
-</li>
-          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.2">
-            <p id="section-toc.1-1.2.1"><a href="#section-2" class="auto internal xref">2</a>.  <a href="#name-http-authentication-scheme" class="internal xref">HTTP Authentication Scheme</a></p>
-<ul class="compact toc ulBare ulEmpty">
-<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.2.2.1">
-                <p id="section-toc.1-1.2.2.1.1"><a href="#section-2.1" class="auto internal xref">2.1</a>.  <a href="#name-token-challenge" class="internal xref">Token Challenge</a></p>
-<ul class="compact toc ulBare ulEmpty">
-<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.2.2.1.2.1">
-                    <p id="section-toc.1-1.2.2.1.2.1.1" class="keepWithNext"><a href="#section-2.1.1" class="auto internal xref">2.1.1</a>.  <a href="#name-token-challenge-structure" class="internal xref">Token Challenge Structure</a></p>
-</li>
-                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.2.2.1.2.2">
-                    <p id="section-toc.1-1.2.2.1.2.2.1"><a href="#section-2.1.2" class="auto internal xref">2.1.2</a>.  <a href="#name-sending-token-challenges" class="internal xref">Sending Token Challenges</a></p>
-</li>
-                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.2.2.1.2.3">
-                    <p id="section-toc.1-1.2.2.1.2.3.1"><a href="#section-2.1.3" class="auto internal xref">2.1.3</a>.  <a href="#name-processing-token-challenges" class="internal xref">Processing Token Challenges</a></p>
-</li>
-                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.2.2.1.2.4">
-                    <p id="section-toc.1-1.2.2.1.2.4.1"><a href="#section-2.1.4" class="auto internal xref">2.1.4</a>.  <a href="#name-token-caching" class="internal xref">Token Caching</a></p>
-</li>
-                </ul>
-</li>
-              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.2.2.2">
-                <p id="section-toc.1-1.2.2.2.1"><a href="#section-2.2" class="auto internal xref">2.2</a>.  <a href="#name-token-redemption" class="internal xref">Token Redemption</a></p>
-<ul class="compact toc ulBare ulEmpty">
-<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.2.2.2.2.1">
-                    <p id="section-toc.1-1.2.2.2.2.1.1"><a href="#section-2.2.1" class="auto internal xref">2.2.1</a>.  <a href="#name-token-structure" class="internal xref">Token Structure</a></p>
-</li>
-                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.2.2.2.2.2">
-                    <p id="section-toc.1-1.2.2.2.2.2.1"><a href="#section-2.2.2" class="auto internal xref">2.2.2</a>.  <a href="#name-sending-tokens" class="internal xref">Sending Tokens</a></p>
-</li>
-                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.2.2.2.2.3">
-                    <p id="section-toc.1-1.2.2.2.2.3.1"><a href="#section-2.2.3" class="auto internal xref">2.2.3</a>.  <a href="#name-token-verification" class="internal xref">Token Verification</a></p>
-</li>
-                </ul>
-</li>
-            </ul>
-</li>
-          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.3">
-            <p id="section-toc.1-1.3.1"><a href="#section-3" class="auto internal xref">3</a>.  <a href="#name-client-behavior" class="internal xref">Client Behavior</a></p>
-<ul class="compact toc ulBare ulEmpty">
-<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.3.2.1">
-                <p id="section-toc.1-1.3.2.1.1"><a href="#section-3.1" class="auto internal xref">3.1</a>.  <a href="#name-choosing-to-redeem-tokens" class="internal xref">Choosing to Redeem Tokens</a></p>
-</li>
-              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.3.2.2">
-                <p id="section-toc.1-1.3.2.2.1"><a href="#section-3.2" class="auto internal xref">3.2</a>.  <a href="#name-choosing-between-multiple-c" class="internal xref">Choosing Between Multiple Challenges</a></p>
-</li>
-            </ul>
-</li>
-          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.4">
-            <p id="section-toc.1-1.4.1"><a href="#section-4" class="auto internal xref">4</a>.  <a href="#name-origin-behavior" class="internal xref">Origin Behavior</a></p>
-<ul class="compact toc ulBare ulEmpty">
-<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.4.2.1">
-                <p id="section-toc.1-1.4.2.1.1"><a href="#section-4.1" class="auto internal xref">4.1</a>.  <a href="#name-greasing" class="internal xref">Greasing</a></p>
-</li>
-            </ul>
-</li>
-          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.5">
-            <p id="section-toc.1-1.5.1"><a href="#section-5" class="auto internal xref">5</a>.  <a href="#name-security-considerations" class="internal xref">Security Considerations</a></p>
-<ul class="compact toc ulBare ulEmpty">
-<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.5.2.1">
-                <p id="section-toc.1-1.5.2.1.1"><a href="#section-5.1" class="auto internal xref">5.1</a>.  <a href="#name-randomness-requirements" class="internal xref">Randomness Requirements</a></p>
-</li>
-              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.5.2.2">
-                <p id="section-toc.1-1.5.2.2.1"><a href="#section-5.2" class="auto internal xref">5.2</a>.  <a href="#name-replay-attacks" class="internal xref">Replay Attacks</a></p>
-</li>
-              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.5.2.3">
-                <p id="section-toc.1-1.5.2.3.1"><a href="#section-5.3" class="auto internal xref">5.3</a>.  <a href="#name-reflection-attacks" class="internal xref">Reflection Attacks</a></p>
-</li>
-              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.5.2.4">
-                <p id="section-toc.1-1.5.2.4.1"><a href="#section-5.4" class="auto internal xref">5.4</a>.  <a href="#name-token-exhaustion-attacks" class="internal xref">Token Exhaustion Attacks</a></p>
-</li>
-              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.5.2.5">
-                <p id="section-toc.1-1.5.2.5.1"><a href="#section-5.5" class="auto internal xref">5.5</a>.  <a href="#name-timing-correlation-attacks" class="internal xref">Timing Correlation Attacks</a></p>
-</li>
-              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.5.2.6">
-                <p id="section-toc.1-1.5.2.6.1"><a href="#section-5.6" class="auto internal xref">5.6</a>.  <a href="#name-cross-context-linkability-a" class="internal xref">Cross-Context Linkability Attacks</a></p>
-</li>
-            </ul>
-</li>
-          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6">
-            <p id="section-toc.1-1.6.1"><a href="#section-6" class="auto internal xref">6</a>.  <a href="#name-iana-considerations" class="internal xref">IANA Considerations</a></p>
-<ul class="compact toc ulBare ulEmpty">
-<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6.2.1">
-                <p id="section-toc.1-1.6.2.1.1"><a href="#section-6.1" class="auto internal xref">6.1</a>.  <a href="#name-authentication-scheme" class="internal xref">Authentication Scheme</a></p>
-</li>
-              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6.2.2">
-                <p id="section-toc.1-1.6.2.2.1"><a href="#section-6.2" class="auto internal xref">6.2</a>.  <a href="#name-token-type-registry" class="internal xref">Token Type Registry</a></p>
-<ul class="compact toc ulBare ulEmpty">
-<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6.2.2.2.1">
-                    <p id="section-toc.1-1.6.2.2.2.1.1"><a href="#section-6.2.1" class="auto internal xref">6.2.1</a>.  <a href="#name-reserved-values" class="internal xref">Reserved Values</a></p>
-</li>
-                </ul>
-</li>
-            </ul>
-</li>
-          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.7">
-            <p id="section-toc.1-1.7.1"><a href="#section-7" class="auto internal xref">7</a>.  <a href="#name-references" class="internal xref">References</a></p>
-<ul class="compact toc ulBare ulEmpty">
-<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.7.2.1">
-                <p id="section-toc.1-1.7.2.1.1"><a href="#section-7.1" class="auto internal xref">7.1</a>.  <a href="#name-normative-references" class="internal xref">Normative References</a></p>
-</li>
-              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.7.2.2">
-                <p id="section-toc.1-1.7.2.2.1"><a href="#section-7.2" class="auto internal xref">7.2</a>.  <a href="#name-informative-references" class="internal xref">Informative References</a></p>
-</li>
-            </ul>
-</li>
-          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.8">
-            <p id="section-toc.1-1.8.1"><a href="#appendix-A" class="auto internal xref">Appendix A</a>.  <a href="#name-test-vectors" class="internal xref">Test Vectors</a></p>
-<ul class="compact toc ulBare ulEmpty">
-<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.8.2.1">
-                <p id="section-toc.1-1.8.2.1.1"><a href="#appendix-A.1" class="auto internal xref">A.1</a>.  <a href="#name-challenge-and-redemption-st" class="internal xref">Challenge and Redemption Structure Test Vectors</a></p>
-</li>
-              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.8.2.2">
-                <p id="section-toc.1-1.8.2.2.1"><a href="#appendix-A.2" class="auto internal xref">A.2</a>.  <a href="#name-http-header-test-vectors" class="internal xref">HTTP Header Test Vectors</a></p>
-</li>
-            </ul>
-</li>
-          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.9">
-            <p id="section-toc.1-1.9.1"><a href="#appendix-B" class="auto internal xref"></a><a href="#name-authors-addresses" class="internal xref">Authors' Addresses</a></p>
-</li>
-        </ul>
-</nav>
-</section>
-</div>
-<div id="introduction">
-<section id="section-1">
-      <h2 id="name-introduction">
-<a href="#section-1" class="section-number selfRef">1. </a><a href="#name-introduction" class="section-name selfRef">Introduction</a>
-      </h2>
-<p id="section-1-1">Privacy Pass tokens are unlinkable authenticators that can be used to
-anonymously authorize a client (see
-<span>[<a href="#ARCHITECTURE" class="cite xref">ARCHITECTURE</a>]</span>).
-Tokens are generated by token issuers, on the basis of authentication,
-attestation, or some previous action such as solving a CAPTCHA. A client
-possessing such a token is able to prove that it was able to get a token
-issued, without allowing the relying party redeeming the client's token
-(the origin) to link it with the issuance flow.<a href="#section-1-1" class="pilcrow">¶</a></p>
-<p id="section-1-2">Different types of authenticators, using different token issuance protocols,
-can be used as Privacy Pass tokens.<a href="#section-1-2" class="pilcrow">¶</a></p>
-<p id="section-1-3">This document defines a common HTTP authentication scheme
-(<span>[<a href="#RFC9110" class="cite xref">RFC9110</a>], <a href="https://rfc-editor.org/rfc/rfc9110#section-11" class="relref">Section 11</a></span>), PrivateToken, that allows clients to redeem various
-kinds of Privacy Pass tokens.<a href="#section-1-3" class="pilcrow">¶</a></p>
-<p id="section-1-4">Clients and relying parties (origins) interact using this scheme to perform the
-token challenge and token redemption flow. In particular, origins challenge
-clients for a token with an HTTP Authentication challenge (using the
-WWW-Authenticate response header field). Clients can then react to that
-challenge by issuing a new request with a corresponding token (using the Authorization
-request header field). Clients generate tokens that match the origin's token
-challenge by running the token issuance protocol
-<span>[<a href="#ISSUANCE" class="cite xref">ISSUANCE</a>]</span>. The act of presenting a token in an
-Authorization request header field is referred to as token redemption. This
-interaction between client and origin is shown below.<a href="#section-1-4" class="pilcrow">¶</a></p>
-<span id="name-challenge-and-redemption-pr"></span><div id="fig-overview">
-<figure id="figure-1">
-        <div id="section-1-5.1">
-          <div class="alignLeft art-svg artwork" id="section-1-5.1.1">
-<svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="192" width="456" viewBox="0 0 456 192" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
-              <path d="M 8,32 L 8,64" fill="none" stroke="black"></path>
-              <path d="M 40,64 L 40,176" fill="none" stroke="black"></path>
-              <path d="M 80,32 L 80,64" fill="none" stroke="black"></path>
-              <path d="M 328,32 L 328,64" fill="none" stroke="black"></path>
-              <path d="M 360,64 L 360,112" fill="none" stroke="black"></path>
-              <path d="M 360,144 L 360,176" fill="none" stroke="black"></path>
-              <path d="M 400,32 L 400,64" fill="none" stroke="black"></path>
-              <path d="M 8,32 L 80,32" fill="none" stroke="black"></path>
-              <path d="M 328,32 L 400,32" fill="none" stroke="black"></path>
-              <path d="M 8,64 L 80,64" fill="none" stroke="black"></path>
-              <path d="M 328,64 L 400,64" fill="none" stroke="black"></path>
-              <path d="M 40,96 L 56,96" fill="none" stroke="black"></path>
-              <path d="M 336,96 L 352,96" fill="none" stroke="black"></path>
-              <path d="M 48,160 L 96,160" fill="none" stroke="black"></path>
-              <path d="M 280,160 L 360,160" fill="none" stroke="black"></path>
-              <polygon class="arrowhead" points="360,96 348,90.4 348,101.6" fill="black" transform="rotate(0,352,96)"></polygon>
-              <polygon class="arrowhead" points="56,160 44,154.4 44,165.6" fill="black" transform="rotate(180,48,160)"></polygon>
-              <g class="text">
-                <text x="44" y="52">Origin</text>
-                <text x="364" y="52">Client</text>
-                <text x="136" y="100">WWW-Authenticate:</text>
-                <text x="268" y="100">TokenChallenge</text>
-                <text x="284" y="132">(Run</text>
-                <text x="340" y="132">issuance</text>
-                <text x="416" y="132">protocol)</text>
-                <text x="164" y="164">Authorization:</text>
-                <text x="248" y="164">Token</text>
-              </g>
-            </svg><a href="#section-1-5.1.1" class="pilcrow">¶</a>
-</div>
-</div>
-<figcaption><a href="#figure-1" class="selfRef">Figure 1</a>:
-<a href="#name-challenge-and-redemption-pr" class="selfRef">Challenge and redemption protocol flow</a>
-        </figcaption></figure>
-</div>
-<p id="section-1-6">In addition to working with different token issuance protocols, this scheme
-optionally supports use of tokens that are associated with origin-chosen
-contexts and specific origin names. Relying parties that request and redeem
-tokens can choose a specific kind of token, as appropriate for its use case.
-These options allow for different deployment models to prevent double-spending,
-and allow for both interactive (online challenges) and non-interactive
-(pre-fetched) tokens.<a href="#section-1-6" class="pilcrow">¶</a></p>
-<div id="terminology">
-<section id="section-1.1">
-        <h3 id="name-terminology">
-<a href="#section-1.1" class="section-number selfRef">1.1. </a><a href="#name-terminology" class="section-name selfRef">Terminology</a>
-        </h3>
-<p id="section-1.1-1">The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
-NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED",
-"MAY", and "OPTIONAL" in this document are to be interpreted as
-described in BCP 14 <span>[<a href="#RFC2119" class="cite xref">RFC2119</a>]</span> <span>[<a href="#RFC8174" class="cite xref">RFC8174</a>]</span> when, and only when, they
-appear in all capitals, as shown here.<a href="#section-1.1-1" class="pilcrow">¶</a></p>
-<p id="section-1.1-2">Unless otherwise specified, this document encodes protocol messages in TLS
-notation from <span>[<a href="#TLS13" class="cite xref">TLS13</a>]</span>, Section 3.<a href="#section-1.1-2" class="pilcrow">¶</a></p>
-<p id="section-1.1-3">This document uses the terms "Client", "Origin", "Issuer", "Issuance Protocol",
-and "Token" as defined in <span>[<a href="#ARCHITECTURE" class="cite xref">ARCHITECTURE</a>]</span>. It additionally
-uses the following terms in more specific ways:<a href="#section-1.1-3" class="pilcrow">¶</a></p>
-<ul class="normal">
-<li class="normal" id="section-1.1-4.1">
-            <p id="section-1.1-4.1.1">Issuer key: Keying material that can be used with an issuance protocol
-to create a signed token.<a href="#section-1.1-4.1.1" class="pilcrow">¶</a></p>
-</li>
-          <li class="normal" id="section-1.1-4.2">
-            <p id="section-1.1-4.2.1">Token challenge: A request for tokens sent from an origin to a client, using
-the "WWW-Authenticate" HTTP header field. This challenge identifies a specific
-token issuer and issuance protocol. Token challenges optionally include
-one or both of: a redemption context (see <a href="#context-construction" class="auto internal xref">Section 2.1.1.2</a>), and
-a list of associated origins. These optional values are then
-be bound to the token that is issued.<a href="#section-1.1-4.2.1" class="pilcrow">¶</a></p>
-</li>
-          <li class="normal" id="section-1.1-4.3">
-            <p id="section-1.1-4.3.1">Token redemption: An action by which a client presents a token to an origin
-in an HTTP request, using the "Authorization" HTTP header field.<a href="#section-1.1-4.3.1" class="pilcrow">¶</a></p>
-</li>
-        </ul>
-</section>
-</div>
-</section>
-</div>
-<div id="challenge-redemption">
-<section id="section-2">
-      <h2 id="name-http-authentication-scheme">
-<a href="#section-2" class="section-number selfRef">2. </a><a href="#name-http-authentication-scheme" class="section-name selfRef">HTTP Authentication Scheme</a>
-      </h2>
-<p id="section-2-1">Token redemption is performed using HTTP Authentication
-(<span>[<a href="#RFC9110" class="cite xref">RFC9110</a>], <a href="https://rfc-editor.org/rfc/rfc9110#section-11" class="relref">Section 11</a></span>), with the scheme "PrivateToken". Origins challenge
-clients to present a token from a specific issuer (<a href="#challenge" class="auto internal xref">Section 2.1</a>). Once a
-client has received a token from that issuer, or already has a valid token
-available, it presents the token to the origin (<a href="#redemption" class="auto internal xref">Section 2.2</a>). The process of
-presenting a token as authentication to an origin is also referred to
-as "spending" a token.<a href="#section-2-1" class="pilcrow">¶</a></p>
-<p id="section-2-2">In order to prevent linkability across different transactions, clients
-will often present a particular "PrivateToken" only once. Origins can link multiple
-transactions to the same client if that client spends the same token value more
-than once. As such, origins ought to expect at most one unique token
-value, carried in one request, for each challenge.<a href="#section-2-2" class="pilcrow">¶</a></p>
-<p id="section-2-3">The rest of this section describes the token challenge and redemption interactions
-in more detail.<a href="#section-2-3" class="pilcrow">¶</a></p>
-<div id="challenge">
-<section id="section-2.1">
-        <h3 id="name-token-challenge">
-<a href="#section-2.1" class="section-number selfRef">2.1. </a><a href="#name-token-challenge" class="section-name selfRef">Token Challenge</a>
-        </h3>
-<p id="section-2.1-1">Origins send a token challenge to clients in an "WWW-Authenticate" header field
-with the "PrivateToken" scheme. This authentication scheme has two mandatory parameters:
-one containing a token challenge and another containing the token-key used for
-producing (and verifying) a corresponding token.<a href="#section-2.1-1" class="pilcrow">¶</a></p>
-<p id="section-2.1-2">Origins that support the "PrivateToken" authentication scheme need to handle
-the following tasks in constructing the WWW-Authenticate header field:<a href="#section-2.1-2" class="pilcrow">¶</a></p>
-<ol start="1" type="1" class="normal type-1" id="section-2.1-3">
-<li id="section-2.1-3.1">
-            <p id="section-2.1-3.1.1">Select which issuer to use, and configure the issuer name and token-key to
-include in WWW-Authenticate token challenges. The issuer name is included in
-the token challenge, and the issuer token-key is used to populate the
-WWW-Authenticate header parameter.<a href="#section-2.1-3.1.1" class="pilcrow">¶</a></p>
-</li>
-          <li id="section-2.1-3.2">
-            <p id="section-2.1-3.2.1">Determine a redemption context construction to include in the
-token challenge, as discussed in <a href="#context-construction" class="auto internal xref">Section 2.1.1.2</a>.<a href="#section-2.1-3.2.1" class="pilcrow">¶</a></p>
-</li>
-          <li id="section-2.1-3.3">
-            <p id="section-2.1-3.3.1">Select the origin information to include in the token challenge. This can
-be empty to allow fully cross-origin tokens, a single origin name that
-matches the origin itself for per-origin tokens, or a list of origin names
-containing the origin itself. See <span><a href="https://datatracker.ietf.org/doc/html/draft-ietf-privacypass-architecture-16#section-3.4" class="relref">Section 3.4</a> of [<a href="#ARCHITECTURE" class="cite xref">ARCHITECTURE</a>]</span> for more
-information about the difference between cross-origin and per-origin tokens.<a href="#section-2.1-3.3.1" class="pilcrow">¶</a></p>
-</li>
-        </ol>
-<p id="section-2.1-4">Once these decisions are made, origins construct the WWW-Authenticate header
-by first constructing the token challenge as described in <a href="#challenge-structure" class="auto internal xref">Section 2.1.1</a>.
-Origins send challenges as described in <a href="#send-challenge" class="auto internal xref">Section 2.1.2</a>, and clients process
-them as described in <a href="#process-challenge" class="auto internal xref">Section 2.1.3</a> and <a href="#caching" class="auto internal xref">Section 2.1.4</a>.<a href="#section-2.1-4" class="pilcrow">¶</a></p>
-<div id="challenge-structure">
-<section id="section-2.1.1">
-          <h4 id="name-token-challenge-structure">
-<a href="#section-2.1.1" class="section-number selfRef">2.1.1. </a><a href="#name-token-challenge-structure" class="section-name selfRef">Token Challenge Structure</a>
-          </h4>
-<p id="section-2.1.1-1">This document defines the default challenge structure that can be used across
-token types, although future token types MAY extend or modify the structure
-of the challenge; see <a href="#token-types" class="auto internal xref">Section 6.2</a> for the registry information
-which establishes and defines the relationship between "token_type" and the
-contents of the TokenChallenge message.<a href="#section-2.1.1-1" class="pilcrow">¶</a></p>
-<p id="section-2.1.1-2">All token challenges MUST begin with a 2-octet integer that defines the
-token type, in network byte order. This type indicates the issuance protocol
-used to generate the token and determines the structure and semantics of the rest of
-the structure. Values are registered in an IANA registry, <a href="#token-types" class="auto internal xref">Section 6.2</a>. Client MUST
-ignore challenges with token types they do not support.<a href="#section-2.1.1-2" class="pilcrow">¶</a></p>
-<p id="section-2.1.1-3">Even when a given token type uses the default challenge structure,
-the requirements on the presence or interpretation of the fields can differ
-across token types. For example, some token types might require that "origin_info"
-is non-empty, while others allow it to be empty.<a href="#section-2.1.1-3" class="pilcrow">¶</a></p>
-<p id="section-2.1.1-4">The default TokenChallenge message has the following structure:<a href="#section-2.1.1-4" class="pilcrow">¶</a></p>
-<div class="alignLeft art-text artwork" id="section-2.1.1-5">
-<pre>
-struct {
-    uint16_t token_type;
-    opaque issuer_name&lt;1..2^16-1&gt;;
-    opaque redemption_context&lt;0..32&gt;;
-    opaque origin_info&lt;0..2^16-1&gt;;
-} TokenChallenge;
-</pre><a href="#section-2.1.1-5" class="pilcrow">¶</a>
-</div>
-<p id="section-2.1.1-6">The structure fields are defined as follows:<a href="#section-2.1.1-6" class="pilcrow">¶</a></p>
-<ul class="normal">
-<li class="normal" id="section-2.1.1-7.1">
-              <p id="section-2.1.1-7.1.1">"token_type" is a 2-octet integer, in network byte order, as described
-above.<a href="#section-2.1.1-7.1.1" class="pilcrow">¶</a></p>
-</li>
-            <li class="normal" id="section-2.1.1-7.2">
-              <p id="section-2.1.1-7.2.1">"issuer_name" is an ASCII string that identifies the issuer using the format of a
-server name defined in <a href="#server-name" class="auto internal xref">Section 2.1.1.1</a>. This name identifies the issuer that is allowed to
-issue tokens that can be redeemed by this origin. The field that stores this string in the challenge
-is prefixed with a 2-octet integer indicating the length, in network byte order.<a href="#section-2.1.1-7.2.1" class="pilcrow">¶</a></p>
-</li>
-            <li class="normal" id="section-2.1.1-7.3">
-              <p id="section-2.1.1-7.3.1">"redemption_context" is a field that is either 0 or 32 bytes, prefixed with a single
-octet indicating the length (either 0 or 32). If value is non-empty, it is a 32-byte value
-generated by the origin that allows the origin to require that clients fetch tokens
-bound to a specific context, as opposed to reusing tokens that were fetched for other
-contexts. See <a href="#context-construction" class="auto internal xref">Section 2.1.1.2</a> for example contexts that might be useful in
-practice. Challenges with redemption_context values of invalid lengths MUST be ignored.<a href="#section-2.1.1-7.3.1" class="pilcrow">¶</a></p>
-</li>
-            <li class="normal" id="section-2.1.1-7.4">
-              <p id="section-2.1.1-7.4.1">"origin_info" is an ASCII string that is either empty, or contains one or more
-origin names that allow a token to be scoped to a specific set of origins. Each
-origin name uses the format of a server name defined in <a href="#server-name" class="auto internal xref">Section 2.1.1.1</a>. The string
-is prefixed with a 2-octet integer indicating the length, in network byte order.
-If empty, any non-origin-specific token can be redeemed. If the string contains
-multiple origin names, they are delimited with commas "," without any whitespace.
-If this field is not empty, the Origin MUST include its own name as one of the
-names in the list.<a href="#section-2.1.1-7.4.1" class="pilcrow">¶</a></p>
-</li>
-          </ul>
-<p id="section-2.1.1-8">If "origin_info" contains multiple origin names, this means the challenge is valid
-for any of the origins in the list, including the origin which issued the challenge
-(which must always be present in the list if it is non-empty; see <a href="#process-challenge" class="auto internal xref">Section 2.1.3</a>).
-This can be useful in settings where clients pre-fetch and cache tokens for a particular
-challenge -- including the "origin_info" field -- and then later redeem these tokens
-with one of the origins in the list. See <a href="#caching" class="auto internal xref">Section 2.1.4</a> for more discussion about
-token caching.<a href="#section-2.1.1-8" class="pilcrow">¶</a></p>
-<div id="server-name">
-<section id="section-2.1.1.1">
-            <h5 id="name-server-name-encoding">
-<a href="#section-2.1.1.1" class="section-number selfRef">2.1.1.1. </a><a href="#name-server-name-encoding" class="section-name selfRef">Server Name Encoding</a>
-            </h5>
-<p id="section-2.1.1.1-1">Server names contained in a token challenge are ASCII strings that contain a hostname
-and optional port, where the port is implied to be "443" if missing. The names use the
-format of the authority portion of a URI as defined in <span><a href="https://rfc-editor.org/rfc/rfc3986#section-3.2" class="relref">Section 3.2</a> of [<a href="#URI" class="cite xref">URI</a>]</span>.
-The names MUST NOT include a "userinfo" portion of an authority. For example, a valid
-server name might be "issuer.example.com" or "issuer.example.com:8443",
-but not "issuer@example.com".<a href="#section-2.1.1.1-1" class="pilcrow">¶</a></p>
-</section>
-</div>
-<div id="context-construction">
-<section id="section-2.1.1.2">
-            <h5 id="name-redemption-context-construc">
-<a href="#section-2.1.1.2" class="section-number selfRef">2.1.1.2. </a><a href="#name-redemption-context-construc" class="section-name selfRef">Redemption Context Construction</a>
-            </h5>
-<p id="section-2.1.1.2-1">The TokenChallenge redemption context allows the origin to determine the
-context in which a given token can be redeemed. This value can be a unique
-per-request nonce, constructed from 32 freshly generated random bytes. It
-can also represent state or properties of the client session. Some example
-properties and methods for constructing the corresponding context are below.
-This list is not exhaustive.<a href="#section-2.1.1.2-1" class="pilcrow">¶</a></p>
-<ul class="normal">
-<li class="normal" id="section-2.1.1.2-2.1">
-                <p id="section-2.1.1.2-2.1.1">Context bound to a given time window: Construct redemption context as
-F(current time window), where F is a pseudorandom function.<a href="#section-2.1.1.2-2.1.1" class="pilcrow">¶</a></p>
-</li>
-              <li class="normal" id="section-2.1.1.2-2.2">
-                <p id="section-2.1.1.2-2.2.1">Context bound to a client network: Construct redemption context as
-F(client ASN), where F is a pseudorandom function.<a href="#section-2.1.1.2-2.2.1" class="pilcrow">¶</a></p>
-</li>
-              <li class="normal" id="section-2.1.1.2-2.3">
-                <p id="section-2.1.1.2-2.3.1">Context bound to a given time window and client network: Construct redemption
-context as F(current time window, client ASN), where F is a pseudorandom function.<a href="#section-2.1.1.2-2.3.1" class="pilcrow">¶</a></p>
-</li>
-            </ul>
-<p id="section-2.1.1.2-3">Preventing double spending on tokens requires the origin to keep state
-associated with the redemption context. An empty redemption context is not
-bound to any property of the client request, so state to prevent double spending
-needs to be stored and shared across all origin servers that can accept tokens until
-token-key expiration or rotation. For a non-empty redemption context, the
-double spend state only needs to be stored across the set of origin servers that will
-accept tokens with that redemption context.<a href="#section-2.1.1.2-3" class="pilcrow">¶</a></p>
-<p id="section-2.1.1.2-4">Origins that share redemption contexts, i.e., by using the same redemption
-context, choosing the same issuer, and providing the same origin_info field in
-the TokenChallenge, must necessarily share state required to enforce double
-spend prevention. Origins should consider the operational complexity of this
-shared state before choosing to share redemption contexts. Failure to
-successfully synchronize this state and use it for double spend prevention can
-allow Clients to redeem tokens to one Origin that were issued after an
-interaction with another Origin that shares the context.<a href="#section-2.1.1.2-4" class="pilcrow">¶</a></p>
-</section>
-</div>
-</section>
-</div>
-<div id="send-challenge">
-<section id="section-2.1.2">
-          <h4 id="name-sending-token-challenges">
-<a href="#section-2.1.2" class="section-number selfRef">2.1.2. </a><a href="#name-sending-token-challenges" class="section-name selfRef">Sending Token Challenges</a>
-          </h4>
-<p id="section-2.1.2-1">When used in an authentication challenge, the "PrivateToken" scheme uses the
-following parameters:<a href="#section-2.1.2-1" class="pilcrow">¶</a></p>
-<ul class="normal">
-<li class="normal" id="section-2.1.2-2.1">
-              <p id="section-2.1.2-2.1.1">"challenge", which contains a base64url-encoded <span>[<a href="#RFC4648" class="cite xref">RFC4648</a>]</span> TokenChallenge
-value. This document follows the default padding behavior described in
-<span><a href="https://rfc-editor.org/rfc/rfc4648#section-3.2" class="relref">Section 3.2</a> of [<a href="#RFC4648" class="cite xref">RFC4648</a>]</span>, so the base64url value MUST include padding.
-As an Authentication Parameter (<code>auth-param</code> from <span>[<a href="#RFC9110" class="cite xref">RFC9110</a>], <a href="https://rfc-editor.org/rfc/rfc9110#section-11.2" class="relref">Section 11.2</a></span>),
-the value can be either a token or a quoted-string, and might be required to
-be a quoted-string if the base64url string includes "=" characters. This
-parameter is required for all challenges.<a href="#section-2.1.2-2.1.1" class="pilcrow">¶</a></p>
-</li>
-            <li class="normal" id="section-2.1.2-2.2">
-              <p id="section-2.1.2-2.2.1">"token-key", which contains a base64url encoding of the public key for
-use with the issuance protocol indicated by the challenge. See <span>[<a href="#ISSUANCE" class="cite xref">ISSUANCE</a>]</span>
-for more information about how this public key is used by the issuance protocols
-in that specification. The encoding of
-the public key is determined by the token type; see <a href="#token-types" class="auto internal xref">Section 6.2</a>.
-As with "challenge", the base64url value MUST include padding. As an
-Authentication Parameter (<code>auth-param</code> from <span>[<a href="#RFC9110" class="cite xref">RFC9110</a>], <a href="https://rfc-editor.org/rfc/rfc9110#section-11.2" class="relref">Section 11.2</a></span>), the
-value can be either a token or a quoted-string, and might be required to be a
-quoted-string if the base64url string includes "=" characters. This parameter
-MAY be omitted in deployments where clients are able to retrieve the issuer key
-using an out-of-band mechanism.<a href="#section-2.1.2-2.2.1" class="pilcrow">¶</a></p>
-</li>
-            <li class="normal" id="section-2.1.2-2.3">
-              <p id="section-2.1.2-2.3.1">"max-age", an optional parameter that consists of the number of seconds for
-which the challenge will be accepted by the origin.<a href="#section-2.1.2-2.3.1" class="pilcrow">¶</a></p>
-</li>
-          </ul>
-<p id="section-2.1.2-3">The header field MAY also include the standard "realm" parameter, if desired.
-Issuance protocols MAY define other parameters, some of which might be required.
-Clients MUST ignore parameters in challenges that are not defined for the issuance
-protocol corresponding to the token type in the challenge.<a href="#section-2.1.2-3" class="pilcrow">¶</a></p>
-<p id="section-2.1.2-4">As an example, the WWW-Authenticate header field could look like this:<a href="#section-2.1.2-4" class="pilcrow">¶</a></p>
-<div class="alignLeft art-text artwork" id="section-2.1.2-5">
-<pre>
-WWW-Authenticate:
-  PrivateToken challenge="abc...", token-key="123..."
-</pre><a href="#section-2.1.2-5" class="pilcrow">¶</a>
-</div>
-<div id="sending-multiple-token-challenges">
-<section id="section-2.1.2.1">
-            <h5 id="name-sending-multiple-token-chal">
-<a href="#section-2.1.2.1" class="section-number selfRef">2.1.2.1. </a><a href="#name-sending-multiple-token-chal" class="section-name selfRef">Sending Multiple Token Challenges</a>
-            </h5>
-<p id="section-2.1.2.1-1">It is possible for the WWW-Authenticate header field to include multiple
-challenges (<span>[<a href="#RFC9110" class="cite xref">RFC9110</a>], <a href="https://rfc-editor.org/rfc/rfc9110#section-11.6.1" class="relref">Section 11.6.1</a></span>). This allows the origin to indicate
-support for different token types, issuers, or to include multiple redemption
-contexts. For example, the WWW-Authenticate header field could look like this:<a href="#section-2.1.2.1-1" class="pilcrow">¶</a></p>
-<div class="alignLeft art-text artwork" id="section-2.1.2.1-2">
-<pre>
-WWW-Authenticate:
-  PrivateToken challenge="abc...", token-key="123...",
-  PrivateToken challenge="def...", token-key="234..."
-</pre><a href="#section-2.1.2.1-2" class="pilcrow">¶</a>
-</div>
-<p id="section-2.1.2.1-3">Origins should only include challenges for different types of issuance
-protocols with functionally equivalent properties. For instance, both issuance
-protocols in <span>[<a href="#ISSUANCE" class="cite xref">ISSUANCE</a>]</span> have the same functional properties, albeit with
-different mechanisms for verifying the resulting tokens during redemption.
-Since clients are free to choose which challenge they want to consume when
-presented with options, mixing multiple challenges with different functional
-properties for one use case is nonsensical. If the origin has a preference
-for one challenge over another (for example, if one uses a token type
-that is faster to verify), it can sort it to be first in the list
-of challenges as a hint to the client.<a href="#section-2.1.2.1-3" class="pilcrow">¶</a></p>
-</section>
-</div>
-</section>
-</div>
-<div id="process-challenge">
-<section id="section-2.1.3">
-          <h4 id="name-processing-token-challenges">
-<a href="#section-2.1.3" class="section-number selfRef">2.1.3. </a><a href="#name-processing-token-challenges" class="section-name selfRef">Processing Token Challenges</a>
-          </h4>
-<p id="section-2.1.3-1">Upon receipt of a challenge, a client validates the TokenChallenge structure
-before taking any action, such as fetching a new token or redeeming a token
-in a new request. Validation requirements are as follows:<a href="#section-2.1.3-1" class="pilcrow">¶</a></p>
-<ul class="normal">
-<li class="normal" id="section-2.1.3-2.1">
-              <p id="section-2.1.3-2.1.1">The token_type is recognized and supported by the client;<a href="#section-2.1.3-2.1.1" class="pilcrow">¶</a></p>
-</li>
-            <li class="normal" id="section-2.1.3-2.2">
-              <p id="section-2.1.3-2.2.1">The TokenChallenge structure is well-formed; and<a href="#section-2.1.3-2.2.1" class="pilcrow">¶</a></p>
-</li>
-            <li class="normal" id="section-2.1.3-2.3">
-              <p id="section-2.1.3-2.3.1">If the origin_info field is non-empty, the name of the origin that issued the
-authentication challenge is included in the list of origin names. Comparison
-of the origin name that issued the authentication challenge against elements
-in the origin_info list is done via case-insensitive equality checks.<a href="#section-2.1.3-2.3.1" class="pilcrow">¶</a></p>
-</li>
-          </ul>
-<p id="section-2.1.3-3">If validation fails, the client MUST NOT fetch or redeem a token based on the
-challenge. Clients MAY have further restrictions and requirements around
-validating when a challenge is considered acceptable or valid. For example,
-clients can choose to ignore challenges that list origin names for which the
-current connection is not authoritative (according to the TLS certificate).<a href="#section-2.1.3-3" class="pilcrow">¶</a></p>
-<p id="section-2.1.3-4">Caching and pre-fetching of tokens is discussed in <a href="#caching" class="auto internal xref">Section 2.1.4</a>.<a href="#section-2.1.3-4" class="pilcrow">¶</a></p>
-</section>
-</div>
-<div id="caching">
-<section id="section-2.1.4">
-          <h4 id="name-token-caching">
-<a href="#section-2.1.4" class="section-number selfRef">2.1.4. </a><a href="#name-token-caching" class="section-name selfRef">Token Caching</a>
-          </h4>
-<p id="section-2.1.4-1">Clients can generate multiple tokens from a single TokenChallenge, and cache
-them for future use. This improves privacy by separating the time of token
-issuance from the time of token redemption, and also allows clients to avoid
-any overhead of receiving new tokens via the issuance protocol.<a href="#section-2.1.4-1" class="pilcrow">¶</a></p>
-<p id="section-2.1.4-2">Cached tokens can only be redeemed when they match all of the fields in the
-TokenChallenge: token_type, issuer_name, redemption_context, and origin_info.
-Clients ought to store cached tokens based on all of these fields, to
-avoid trying to redeem a token that does not match. Note that each token
-has a unique client nonce, which is sent in token redemption (<a href="#redemption" class="auto internal xref">Section 2.2</a>).<a href="#section-2.1.4-2" class="pilcrow">¶</a></p>
-<p id="section-2.1.4-3">If a client fetches a batch of multiple tokens for future use that are bound
-to a specific redemption context (the redemption_context in the TokenChallenge
-was not empty), clients SHOULD discard these tokens upon flushing state such as
-HTTP cookies <span>[<a href="#COOKIES" class="cite xref">COOKIES</a>]</span>, or if there is a network
-change and the client does not have any origin-specific state like HTTP cookies.
-Using these tokens in a context that otherwise would not be linkable to the
-original context could allow the origin to recognize a client.<a href="#section-2.1.4-3" class="pilcrow">¶</a></p>
-</section>
-</div>
-</section>
-</div>
-<div id="redemption">
-<section id="section-2.2">
-        <h3 id="name-token-redemption">
-<a href="#section-2.2" class="section-number selfRef">2.2. </a><a href="#name-token-redemption" class="section-name selfRef">Token Redemption</a>
-        </h3>
-<p id="section-2.2-1">The output of the issuance protocol is a token that corresponds to the origin's
-challenge (see <a href="#challenge" class="auto internal xref">Section 2.1</a>).<a href="#section-2.2-1" class="pilcrow">¶</a></p>
-<div id="token-structure">
-<section id="section-2.2.1">
-          <h4 id="name-token-structure">
-<a href="#section-2.2.1" class="section-number selfRef">2.2.1. </a><a href="#name-token-structure" class="section-name selfRef">Token Structure</a>
-          </h4>
-<p id="section-2.2.1-1">A token is a structure that begins with a two-octet field that indicates a token
-type, which MUST match the token_type in the TokenChallenge structure. This value
-determines the structure and semantics of the rest of token structure.<a href="#section-2.2.1-1" class="pilcrow">¶</a></p>
-<p id="section-2.2.1-2">This document defines the default token structure that can be used across
-token types, although future token types MAY extend or modify the structure
-of the token; see <a href="#token-types" class="auto internal xref">Section 6.2</a> for the registry information which
-establishes and defines the relationship between "token_type" and the contents
-of the Token structure.<a href="#section-2.2.1-2" class="pilcrow">¶</a></p>
-<p id="section-2.2.1-3">The default Token message has the following structure:<a href="#section-2.2.1-3" class="pilcrow">¶</a></p>
-<div class="alignLeft art-text artwork" id="section-2.2.1-4">
-<pre>
-struct {
-    uint16_t token_type;
-    uint8_t nonce[32];
-    uint8_t challenge_digest[32];
-    uint8_t token_key_id[Nid];
-    uint8_t authenticator[Nk];
-} Token;
-</pre><a href="#section-2.2.1-4" class="pilcrow">¶</a>
-</div>
-<p id="section-2.2.1-5">The structure fields are defined as follows:<a href="#section-2.2.1-5" class="pilcrow">¶</a></p>
-<ul class="normal">
-<li class="normal" id="section-2.2.1-6.1">
-              <p id="section-2.2.1-6.1.1">"token_type" is a 2-octet integer, in network byte order, as described
-above.<a href="#section-2.2.1-6.1.1" class="pilcrow">¶</a></p>
-</li>
-            <li class="normal" id="section-2.2.1-6.2">
-              <p id="section-2.2.1-6.2.1">"nonce" is a 32-octet value containing a client-generated random nonce.<a href="#section-2.2.1-6.2.1" class="pilcrow">¶</a></p>
-</li>
-            <li class="normal" id="section-2.2.1-6.3">
-              <p id="section-2.2.1-6.3.1">"challenge_digest" is a 32-octet value containing the hash of the
-original TokenChallenge, SHA-256(TokenChallenge), where SHA-256 is as defined
-in <span>[<a href="#SHS" class="cite xref">SHS</a>]</span>. Changing the hash function to something
-other than SHA-256 would require defining a new token type and token structure
-(since the contents of challenge_digest would be computed differently),
-which can be done in a future specification.<a href="#section-2.2.1-6.3.1" class="pilcrow">¶</a></p>
-</li>
-            <li class="normal" id="section-2.2.1-6.4">
-              <p id="section-2.2.1-6.4.1">"token_key_id" is a Nid-octet identifier for the token authentication
-key. The value of this field is defined by the token_type and corresponding
-issuance protocol.<a href="#section-2.2.1-6.4.1" class="pilcrow">¶</a></p>
-</li>
-            <li class="normal" id="section-2.2.1-6.5">
-              <p id="section-2.2.1-6.5.1">"authenticator" is a Nk-octet authenticator that is cryptographically bound
-to the preceding fields in the token; see <a href="#verification" class="auto internal xref">Section 2.2.3</a> for more information
-about how this field is used in verifying a token. The token_type and corresponding
-issuance protocol determine the value of the authenticator field and how it is computed.
-The value of constant Nk depends on token_type, as defined in <a href="#token-types" class="auto internal xref">Section 6.2</a>.<a href="#section-2.2.1-6.5.1" class="pilcrow">¶</a></p>
-</li>
-          </ul>
-<p id="section-2.2.1-7">The authenticator value in the Token structure is computed over the token_type,
-nonce, challenge_digest, and token_key_id fields. A token is considered a valid
-if token verification using succeeds; see <a href="#verification" class="auto internal xref">Section 2.2.3</a> for details about
-verifying the token and its authenticator value.<a href="#section-2.2.1-7" class="pilcrow">¶</a></p>
-</section>
-</div>
-<div id="sending-tokens">
-<section id="section-2.2.2">
-          <h4 id="name-sending-tokens">
-<a href="#section-2.2.2" class="section-number selfRef">2.2.2. </a><a href="#name-sending-tokens" class="section-name selfRef">Sending Tokens</a>
-          </h4>
-<p id="section-2.2.2-1">When used for client authorization, the "PrivateToken" authentication
-scheme defines one parameter, "token", which contains the base64url-encoded
-Token struct. As with the challenge parameters (<a href="#challenge" class="auto internal xref">Section 2.1</a>), the base64url
-value MUST include padding. As an Authentication Parameter (<code>auth-param</code> from
-<span>[<a href="#RFC9110" class="cite xref">RFC9110</a>], <a href="https://rfc-editor.org/rfc/rfc9110#section-11.2" class="relref">Section 11.2</a></span>), the value can be either a token or a
-quoted-string, and might be required to be a quoted-string if the base64url
-string includes "=" characters. All unknown or unsupported parameters to
-"PrivateToken" authentication credentials MUST be ignored.<a href="#section-2.2.2-1" class="pilcrow">¶</a></p>
-<p id="section-2.2.2-2">Clients present this Token structure to origins in a new HTTP request using
-the Authorization header field as follows:<a href="#section-2.2.2-2" class="pilcrow">¶</a></p>
-<div class="alignLeft art-text artwork" id="section-2.2.2-3">
-<pre>
-Authorization: PrivateToken token="abc..."
-</pre><a href="#section-2.2.2-3" class="pilcrow">¶</a>
-</div>
-<p id="section-2.2.2-4">For context-bound tokens, origins store or reconstruct the contexts of previous
-TokenChallenge structures in order to validate the token. A TokenChallenge can
-be bound to a specific TLS session with a client, but origins can also accept
-tokens for valid challenges in new sessions. Origins SHOULD implement some form
-of double-spend prevention that prevents a token with the same nonce from being
-redeemed twice. Double-spend prevention ensures that clients cannot replay tokens
-for previous challenges. See <a href="#replay-attacks" class="auto internal xref">Section 5.2</a> for more information about replay
-attacks. For context-bound tokens, this double-spend prevention can require no state
-or minimal state, since the context can be used to verify token uniqueness.<a href="#section-2.2.2-4" class="pilcrow">¶</a></p>
-</section>
-</div>
-<div id="verification">
-<section id="section-2.2.3">
-          <h4 id="name-token-verification">
-<a href="#section-2.2.3" class="section-number selfRef">2.2.3. </a><a href="#name-token-verification" class="section-name selfRef">Token Verification</a>
-          </h4>
-<p id="section-2.2.3-1">A token consists of some input cryptographically bound to an authenticator
-value, such as a digital signature. Verifying a token consists of checking that
-the authenticator value is correct.<a href="#section-2.2.3-1" class="pilcrow">¶</a></p>
-<p id="section-2.2.3-2">The authenticator value is as computed when running and finalizing the issuance
-protocol corresponding to the token type with the following value as the input:<a href="#section-2.2.3-2" class="pilcrow">¶</a></p>
-<div class="alignLeft art-text artwork" id="section-2.2.3-3">
-<pre>
-struct {
-    uint16_t token_type;
-    uint8_t nonce[32];
-    uint8_t challenge_digest[32];
-    uint8_t token_key_id[Nid];
-} AuthenticatorInput;
-</pre><a href="#section-2.2.3-3" class="pilcrow">¶</a>
-</div>
-<p id="section-2.2.3-4">The value of these fields are as described in <a href="#redemption" class="auto internal xref">Section 2.2</a>. The cryptographic
-verification check depends on the token type; see <span><a href="https://datatracker.ietf.org/doc/html/draft-ietf-privacypass-protocol-16#section-5.4" class="relref">Section 5.4</a> of [<a href="#ISSUANCE" class="cite xref">ISSUANCE</a>]</span>
-and <span><a href="https://datatracker.ietf.org/doc/html/draft-ietf-privacypass-protocol-16#section-6.4" class="relref">Section 6.4</a> of [<a href="#ISSUANCE" class="cite xref">ISSUANCE</a>]</span> for verification instructions for the issuance
-protocols described in <span>[<a href="#ISSUANCE" class="cite xref">ISSUANCE</a>]</span>. As such, the security properties of the
-token, e.g., the probability that one can forge an authenticator value without
-invoking the issuance protocol, depend on the cryptographic algorithm used by
-the issuance protocol as determined by the token type.<a href="#section-2.2.3-4" class="pilcrow">¶</a></p>
-</section>
-</div>
-</section>
-</div>
-</section>
-</div>
-<div id="client-behavior">
-<section id="section-3">
-      <h2 id="name-client-behavior">
-<a href="#section-3" class="section-number selfRef">3. </a><a href="#name-client-behavior" class="section-name selfRef">Client Behavior</a>
-      </h2>
-<p id="section-3-1">When a client receives one or more token challenges in response to a request,
-the client has a set of choices to make:<a href="#section-3-1" class="pilcrow">¶</a></p>
-<ul class="normal">
-<li class="normal" id="section-3-2.1">
-          <p id="section-3-2.1.1">Whether or not to redeem a token via a new request to the origin.<a href="#section-3-2.1.1" class="pilcrow">¶</a></p>
-</li>
-        <li class="normal" id="section-3-2.2">
-          <p id="section-3-2.2.1">Whether to redeem a previously issued and cached token, or redeem a token freshly issued from the issuance protocol.<a href="#section-3-2.2.1" class="pilcrow">¶</a></p>
-</li>
-        <li class="normal" id="section-3-2.3">
-          <p id="section-3-2.3.1">If multiple challenges were sent, which challenge to use for redeeming a
-token on a subsequent request.<a href="#section-3-2.3.1" class="pilcrow">¶</a></p>
-</li>
-      </ul>
-<p id="section-3-3">The approach to these choices depends on the use case of the application, as
-well as the deployment model (see <span><a href="https://datatracker.ietf.org/doc/html/draft-ietf-privacypass-architecture-16#section-4" class="relref">Section 4</a> of [<a href="#ARCHITECTURE" class="cite xref">ARCHITECTURE</a>]</span> for discussion
-of the different deployment models).<a href="#section-3-3" class="pilcrow">¶</a></p>
-<div id="choosing-to-redeem-tokens">
-<section id="section-3.1">
-        <h3 id="name-choosing-to-redeem-tokens">
-<a href="#section-3.1" class="section-number selfRef">3.1. </a><a href="#name-choosing-to-redeem-tokens" class="section-name selfRef">Choosing to Redeem Tokens</a>
-        </h3>
-<p id="section-3.1-1">Some applications of tokens might require clients to always present a token
-as authentication in order to successfully make requests. For example, a restricted
-service that wants to only allow access to valid users, but do so without learning
-specific user credential information, could use tokens that are based on attesting user
-credentials. In these kinds of use cases, clients will need to always redeem a
-token in order to successfully make a request.<a href="#section-3.1-1" class="pilcrow">¶</a></p>
-<p id="section-3.1-2">Many other use cases for Privacy Pass tokens involve open services that must work
-with any client, including those that either cannot redeem tokens, or can only sometimes redeem
-tokens. For example, a service can use tokens as a way to reduce the incidence of
-presenting CAPTCHAs to users. In such use cases, services will regularly encounter
-clients that cannot redeem a token or choose not to. In order to mitigate the risk
-of these services relying on always receiving tokens, clients that are capable of
-redeeming tokens can ignore token challenges (and instead behave as if they were a client
-that either doesn't support redeeming tokens or is unable to generate a new token, by not
-sending a new request that contains a token to redeem) with some
-non-trivial probability. See <span><a href="https://datatracker.ietf.org/doc/html/draft-ietf-privacypass-architecture-16#section-5.1" class="relref">Section 5.1</a> of [<a href="#ARCHITECTURE" class="cite xref">ARCHITECTURE</a>]</span> for further considerations
-on avoiding discriminatory behavior across clients when using Privacy Pass tokens.<a href="#section-3.1-2" class="pilcrow">¶</a></p>
-<p id="section-3.1-3">Clients might also choose to not redeem tokens in subsequent requests when the
-token challenges indicate erroneous or malicious behavior on the part of the
-challenging origin. For example, if a client’s ability to generate tokens via an
-attester and issuer is limited to a certain rate, a malicious origin could send
-an excessive number of token challenges with unique redemption contexts
-in order to cause the client to exhaust its ability to generate new tokens, or
-to overwhelm issuance servers. The limits here will vary based on the specific
-deployment, but clients SHOULD have some implementation-specific policy
-to minimize the number of tokens that can be retrieved by origins.<a href="#section-3.1-3" class="pilcrow">¶</a></p>
-</section>
-</div>
-<div id="choosing-between-multiple-challenges">
-<section id="section-3.2">
-        <h3 id="name-choosing-between-multiple-c">
-<a href="#section-3.2" class="section-number selfRef">3.2. </a><a href="#name-choosing-between-multiple-c" class="section-name selfRef">Choosing Between Multiple Challenges</a>
-        </h3>
-<p id="section-3.2-1">A single response from an origin can include multiple token challenges.
-For example, a set of challenges could include different token types
-and issuers, to allow clients to choose a preferred issuer or type.<a href="#section-3.2-1" class="pilcrow">¶</a></p>
-<p id="section-3.2-2">The choice of which challenge to use for redeeming tokens is up to
-client policy. This can involve which token types are supported or preferred,
-which issuers are supported or preferred, or whether or not the
-client is able to use cached tokens based on the redemption context
-or origin information in the challenge. See <a href="#caching" class="auto internal xref">Section 2.1.4</a> for more discussion
-on token caching. Regardless of how the choice is made, it SHOULD be done in a
-consistent manner to ensure that the choice does not reveal information about the
-specific client; see <span><a href="https://datatracker.ietf.org/doc/html/draft-ietf-privacypass-architecture-16#section-6.2" class="relref">Section 6.2</a> of [<a href="#ARCHITECTURE" class="cite xref">ARCHITECTURE</a>]</span> for more details on the privacy
-implications of issuance consistency.<a href="#section-3.2-2" class="pilcrow">¶</a></p>
-</section>
-</div>
-</section>
-</div>
-<div id="origin-behavior">
-<section id="section-4">
-      <h2 id="name-origin-behavior">
-<a href="#section-4" class="section-number selfRef">4. </a><a href="#name-origin-behavior" class="section-name selfRef">Origin Behavior</a>
-      </h2>
-<p id="section-4-1">Origins choose what token challenges to send to clients, which will vary
-depending on the use case and deployment model. The origin chooses
-which token types, issuers, redemption contexts, and origin info to include
-in challenges. If an origin sends multiple challenges, each challenge SHOULD
-be equivalent in terms of acceptability for token redemption, since clients
-are free to choose to generate tokens based on any of the challenges.<a href="#section-4-1" class="pilcrow">¶</a></p>
-<p id="section-4-2">Origins ought to consider the time involved in token issuance. Particularly,
-a challenge that includes a unique redemption context will prevent a client
-from using cached tokens, and thus can add more delay before the client
-is able to redeem a token.<a href="#section-4-2" class="pilcrow">¶</a></p>
-<p id="section-4-3">Origins SHOULD minimize the number of challenges sent to a particular client
-context (referred to as the "redemption context" in
-<span><a href="https://datatracker.ietf.org/doc/html/draft-ietf-privacypass-architecture-16#section-3.3" class="relref">Section 3.3</a> of [<a href="#ARCHITECTURE" class="cite xref">ARCHITECTURE</a>]</span>), to avoid overwhelming clients and issuers
-with token requests that might cause clients to hit rate limits.<a href="#section-4-3" class="pilcrow">¶</a></p>
-<div id="greasing">
-<section id="section-4.1">
-        <h3 id="name-greasing">
-<a href="#section-4.1" class="section-number selfRef">4.1. </a><a href="#name-greasing" class="section-name selfRef">Greasing</a>
-        </h3>
-<p id="section-4.1-1">In order to prevent clients becoming incompatible with new token challenges,
-origins SHOULD include random token types, from the Reserved list of "greased"
-types (defined in <a href="#token-types" class="auto internal xref">Section 6.2</a>), with some non-trivial probability.<a href="#section-4.1-1" class="pilcrow">¶</a></p>
-<p id="section-4.1-2">Additionally, for deployments where tokens are not required (such as when tokens
-are used as a way to avoiding showing CAPTCHAs), origins SHOULD randomly<br>
-choose to not challenge clients for tokens with some non-trivial probability.
-This helps origins ensure that their behavior for handling clients that cannot
-redeem tokens is maintained and exercised consistently.<a href="#section-4.1-2" class="pilcrow">¶</a></p>
-</section>
-</div>
-</section>
-</div>
-<div id="sec-considerations">
-<section id="section-5">
-      <h2 id="name-security-considerations">
-<a href="#section-5" class="section-number selfRef">5. </a><a href="#name-security-considerations" class="section-name selfRef">Security Considerations</a>
-      </h2>
-<p id="section-5-1">This section contains security considerations for the PrivateToken authentication
-scheme described in this document.<a href="#section-5-1" class="pilcrow">¶</a></p>
-<div id="randomness-requirements">
-<section id="section-5.1">
-        <h3 id="name-randomness-requirements">
-<a href="#section-5.1" class="section-number selfRef">5.1. </a><a href="#name-randomness-requirements" class="section-name selfRef">Randomness Requirements</a>
-        </h3>
-<p id="section-5.1-1">All random values in the challenge and token MUST be
-generated using a cryptographically secure source of randomness (<span>[<a href="#RFC4086" class="cite xref">RFC4086</a>]</span>).<a href="#section-5.1-1" class="pilcrow">¶</a></p>
-</section>
-</div>
-<div id="replay-attacks">
-<section id="section-5.2">
-        <h3 id="name-replay-attacks">
-<a href="#section-5.2" class="section-number selfRef">5.2. </a><a href="#name-replay-attacks" class="section-name selfRef">Replay Attacks</a>
-        </h3>
-<p id="section-5.2-1">Applications SHOULD constrain tokens to a single origin unless the use case can
-accommodate replay attacks. Replaying tokens is not necessarily a security
-or privacy problem. As an example, it is reasonable for clients to replay tokens
-in contexts where token redemption does not induce side effects and in which
-client requests are already linkable. One possible setting where this applies
-is where tokens are sent as part of 0-RTT data.<a href="#section-5.2-1" class="pilcrow">¶</a></p>
-<p id="section-5.2-2">If successful token redemption produces side effects, origins SHOULD implement an
-anti-replay mechanism to mitigate the harm of such replays. See <span>[<a href="#TLS13" class="cite xref">TLS13</a>], <a href="https://rfc-editor.org/rfc/rfc8446#section-8" class="relref">Section 8</a></span>
-and <span>[<a href="#RFC9001" class="cite xref">RFC9001</a>], <a href="https://rfc-editor.org/rfc/rfc9001#section-9.2" class="relref">Section 9.2</a></span> for details about anti-replay mechanisms, as well as
-<span>[<a href="#RFC8470" class="cite xref">RFC8470</a>], <a href="https://rfc-editor.org/rfc/rfc8470#section-3" class="relref">Section 3</a></span> for discussion about safety considerations for 0-RTT
-HTTP data.<a href="#section-5.2-2" class="pilcrow">¶</a></p>
-</section>
-</div>
-<div id="reflection-attacks">
-<section id="section-5.3">
-        <h3 id="name-reflection-attacks">
-<a href="#section-5.3" class="section-number selfRef">5.3. </a><a href="#name-reflection-attacks" class="section-name selfRef">Reflection Attacks</a>
-        </h3>
-<p id="section-5.3-1">The security properties of token challenges vary depending on whether the
-challenge contains a redemption context or not, as well as whether the
-challenge is per-origin or not. For example, cross-origin tokens with empty
-contexts can be reflected from one party by another, as shown below.<a href="#section-5.3-1" class="pilcrow">¶</a></p>
-<span id="name-replay-attack-example"></span><div id="fig-replay">
-<figure id="figure-2">
-          <div id="section-5.3-2.1">
-            <div class="alignLeft art-svg artwork" id="section-5.3-2.1.1">
-<svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="176" width="472" viewBox="0 0 472 176" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
-                <path d="M 8,32 L 8,64" fill="none" stroke="black"></path>
-                <path d="M 40,64 L 40,160" fill="none" stroke="black"></path>
-                <path d="M 80,32 L 80,64" fill="none" stroke="black"></path>
-                <path d="M 176,32 L 176,64" fill="none" stroke="black"></path>
-                <path d="M 216,64 L 216,160" fill="none" stroke="black"></path>
-                <path d="M 264,32 L 264,64" fill="none" stroke="black"></path>
-                <path d="M 392,32 L 392,64" fill="none" stroke="black"></path>
-                <path d="M 424,64 L 424,144" fill="none" stroke="black"></path>
-                <path d="M 464,32 L 464,64" fill="none" stroke="black"></path>
-                <path d="M 8,32 L 80,32" fill="none" stroke="black"></path>
-                <path d="M 176,32 L 264,32" fill="none" stroke="black"></path>
-                <path d="M 392,32 L 464,32" fill="none" stroke="black"></path>
-                <path d="M 8,64 L 80,64" fill="none" stroke="black"></path>
-                <path d="M 176,64 L 264,64" fill="none" stroke="black"></path>
-                <path d="M 392,64 L 464,64" fill="none" stroke="black"></path>
-                <path d="M 40,96 L 56,96" fill="none" stroke="black"></path>
-                <path d="M 192,96 L 208,96" fill="none" stroke="black"></path>
-                <path d="M 216,112 L 232,112" fill="none" stroke="black"></path>
-                <path d="M 224,128 L 288,128" fill="none" stroke="black"></path>
-                <path d="M 352,128 L 424,128" fill="none" stroke="black"></path>
-                <path d="M 48,144 L 64,144" fill="none" stroke="black"></path>
-                <polygon class="arrowhead" points="232,128 220,122.4 220,133.6" fill="black" transform="rotate(180,224,128)"></polygon>
-                <polygon class="arrowhead" points="216,96 204,90.4 204,101.6" fill="black" transform="rotate(0,208,96)"></polygon>
-                <polygon class="arrowhead" points="56,144 44,138.4 44,149.6" fill="black" transform="rotate(180,48,144)"></polygon>
-                <g class="text">
-                  <text x="44" y="52">Origin</text>
-                  <text x="220" y="52">Attacker</text>
-                  <text x="428" y="52">Client</text>
-                  <text x="124" y="100">TokenChallenge</text>
-                  <text x="276" y="116">(reflect</text>
-                  <text x="356" y="116">challenge)</text>
-                  <text x="412" y="116">-&gt;</text>
-                  <text x="320" y="132">Token</text>
-                  <text x="108" y="148">(reflect</text>
-                  <text x="172" y="148">token)</text>
-                  <text x="208" y="148">-</text>
-                </g>
-              </svg><a href="#section-5.3-2.1.1" class="pilcrow">¶</a>
-</div>
-</div>
-<figcaption><a href="#figure-2" class="selfRef">Figure 2</a>:
-<a href="#name-replay-attack-example" class="selfRef">Replay attack example</a>
-          </figcaption></figure>
-</div>
-</section>
-</div>
-<div id="token-exhaustion-attacks">
-<section id="section-5.4">
-        <h3 id="name-token-exhaustion-attacks">
-<a href="#section-5.4" class="section-number selfRef">5.4. </a><a href="#name-token-exhaustion-attacks" class="section-name selfRef">Token Exhaustion Attacks</a>
-        </h3>
-<p id="section-5.4-1">When a Client holds cross-origin tokens with empty contexts, it
-is possible for any Origin in the cross-origin set to deplete that Client
-set of tokens. To prevent this from happening, tokens can be scoped to single
-Origins (with non-empty origin_info) such that they can only be redeemed for
-a single Origin. Alternatively, if tokens are cross-Origin, Clients can use
-alternate methods to prevent many tokens from being redeemed at once. For
-example, if the Origin requests an excess of tokens, the Client could choose to
-not present any tokens for verification if a redemption had already
-occurred in a given time window.<a href="#section-5.4-1" class="pilcrow">¶</a></p>
-<p id="section-5.4-2">Token challenges that include non-empty origin_info bind tokens to one or more
-specific origins. As described in <a href="#challenge" class="auto internal xref">Section 2.1</a>, clients only accept such
-challenges from origin names listed in the origin_info string. Even if multiple
-origins are listed, a token can only be redeemed for an origin if the challenge
-has a match for the origin_info. For example, if "a.example.com" issues
-a challenge with an origin_info string of "a.example.com,b.example.com", a
-client could redeem a token fetched for this challenge if and only if
-"b.example.com" also included an origin_info string of
-"a.example.com,b.example.com". On the other hand, if "b.example.com" had an
-origin_info string of "b.example.com" or "b.example.com,a.example.com" or
-"a.example.com,b.example.com,c.example.com", the string would not match and the
-client would need to use a different token.<a href="#section-5.4-2" class="pilcrow">¶</a></p>
-</section>
-</div>
-<div id="timing-correlation-attacks">
-<section id="section-5.5">
-        <h3 id="name-timing-correlation-attacks">
-<a href="#section-5.5" class="section-number selfRef">5.5. </a><a href="#name-timing-correlation-attacks" class="section-name selfRef">Timing Correlation Attacks</a>
-        </h3>
-<p id="section-5.5-1">Context-bound token challenges require clients to obtain matching tokens when
-challenged, rather than presenting a token that was obtained from a different
-context in the past. This can make it more likely that issuance and redemption
-events will occur at approximately the same time. For example, if a client is
-challenged for a token with a unique context at time T1 and then subsequently
-obtains a token at time T2, a colluding issuer and origin can link this to the
-same client if T2 is unique to the client. This linkability is less feasible as
-the number of issuance events at time T2 increases. Depending on the "max-age"
-token challenge parameter, clients MAY try to add delay to the time between
-being challenged and redeeming a token to make this sort of linkability more
-difficult. For more discussion on correlation risks between token issuance and
-redemption, see <span><a href="https://datatracker.ietf.org/doc/html/draft-ietf-privacypass-architecture-16#section-6.3" class="relref">Section 6.3</a> of [<a href="#ARCHITECTURE" class="cite xref">ARCHITECTURE</a>]</span>.<a href="#section-5.5-1" class="pilcrow">¶</a></p>
-</section>
-</div>
-<div id="cross-context-linkability-attacks">
-<section id="section-5.6">
-        <h3 id="name-cross-context-linkability-a">
-<a href="#section-5.6" class="section-number selfRef">5.6. </a><a href="#name-cross-context-linkability-a" class="section-name selfRef">Cross-Context Linkability Attacks</a>
-        </h3>
-<p id="section-5.6-1">As discussed in <a href="#challenge" class="auto internal xref">Section 2.1</a>, clients SHOULD discard any context-bound tokens
-upon flushing cookies or changing networks, to prevent an origin using the
-redemption context state as a cookie to recognize clients.<a href="#section-5.6-1" class="pilcrow">¶</a></p>
-</section>
-</div>
-</section>
-</div>
-<div id="iana">
-<section id="section-6">
-      <h2 id="name-iana-considerations">
-<a href="#section-6" class="section-number selfRef">6. </a><a href="#name-iana-considerations" class="section-name selfRef">IANA Considerations</a>
-      </h2>
-<div id="authentication-scheme">
-<section id="section-6.1">
-        <h3 id="name-authentication-scheme">
-<a href="#section-6.1" class="section-number selfRef">6.1. </a><a href="#name-authentication-scheme" class="section-name selfRef">Authentication Scheme</a>
-        </h3>
-<p id="section-6.1-1">This document registers the "PrivateToken" authentication scheme in the
-"Hypertext Transfer Protocol (HTTP) Authentication Scheme Registry" defined
-in <span>[<a href="#RFC9110" class="cite xref">RFC9110</a>], <a href="https://rfc-editor.org/rfc/rfc9110#section-16.4" class="relref">Section 16.4</a></span>.<a href="#section-6.1-1" class="pilcrow">¶</a></p>
-<span class="break"></span><dl class="dlParallel" id="section-6.1-2">
-          <dt id="section-6.1-2.1">Authentication Scheme Name:</dt>
-          <dd style="margin-left: 1.5em" id="section-6.1-2.2">
-            <p id="section-6.1-2.2.1">PrivateToken<a href="#section-6.1-2.2.1" class="pilcrow">¶</a></p>
-</dd>
-          <dd class="break"></dd>
-<dt id="section-6.1-2.3">Pointer to specification text:</dt>
-          <dd style="margin-left: 1.5em" id="section-6.1-2.4">
-            <p id="section-6.1-2.4.1"><a href="#challenge-redemption" class="auto internal xref">Section 2</a> of this document<a href="#section-6.1-2.4.1" class="pilcrow">¶</a></p>
-</dd>
-        <dd class="break"></dd>
-</dl>
-</section>
-</div>
-<div id="token-types">
-<section id="section-6.2">
-        <h3 id="name-token-type-registry">
-<a href="#section-6.2" class="section-number selfRef">6.2. </a><a href="#name-token-type-registry" class="section-name selfRef">Token Type Registry</a>
-        </h3>
-<p id="section-6.2-1">IANA is requested to create a new "Privacy Pass Token Type" registry in a new
-"Privacy Pass Parameters" page to list identifiers for issuance protocols
-defined for use with the Privacy Pass token authentication scheme. These
-identifiers are two-byte values, so the maximum possible value is
-0xFFFF = 65535.<a href="#section-6.2-1" class="pilcrow">¶</a></p>
-<p id="section-6.2-2">New registrations need to list the following attributes:<a href="#section-6.2-2" class="pilcrow">¶</a></p>
-<span class="break"></span><dl class="dlCompact dlParallel" id="section-6.2-3">
-          <dt id="section-6.2-3.1">Value:</dt>
-          <dd style="margin-left: 1.5em" id="section-6.2-3.2">
-            <p id="section-6.2-3.2.1">The two-byte identifier for the algorithm<a href="#section-6.2-3.2.1" class="pilcrow">¶</a></p>
-</dd>
-          <dd class="break"></dd>
-<dt id="section-6.2-3.3">Name:</dt>
-          <dd style="margin-left: 1.5em" id="section-6.2-3.4">
-            <p id="section-6.2-3.4.1">Name of the issuance protocol<a href="#section-6.2-3.4.1" class="pilcrow">¶</a></p>
-</dd>
-          <dd class="break"></dd>
-<dt id="section-6.2-3.5">Token Structure:</dt>
-          <dd style="margin-left: 1.5em" id="section-6.2-3.6">
-            <p id="section-6.2-3.6.1">The contents of the Token structure in <a href="#redemption" class="auto internal xref">Section 2.2</a><a href="#section-6.2-3.6.1" class="pilcrow">¶</a></p>
-</dd>
-          <dd class="break"></dd>
-<dt id="section-6.2-3.7">Token Key Encoding:</dt>
-          <dd style="margin-left: 1.5em" id="section-6.2-3.8">
-            <p id="section-6.2-3.8.1">The encoding of the "token-key" parameter in <a href="#redemption" class="auto internal xref">Section 2.2</a><a href="#section-6.2-3.8.1" class="pilcrow">¶</a></p>
-</dd>
-          <dd class="break"></dd>
-<dt id="section-6.2-3.9">TokenChallenge Structure:</dt>
-          <dd style="margin-left: 1.5em" id="section-6.2-3.10">
-            <p id="section-6.2-3.10.1">The contents of the TokenChallenge structure in <a href="#challenge" class="auto internal xref">Section 2.1</a><a href="#section-6.2-3.10.1" class="pilcrow">¶</a></p>
-</dd>
-          <dd class="break"></dd>
-<dt id="section-6.2-3.11">Public Verifiability:</dt>
-          <dd style="margin-left: 1.5em" id="section-6.2-3.12">
-            <p id="section-6.2-3.12.1">A Y/N value indicating if the output tokens have the
-public verifiability property; see <span><a href="https://datatracker.ietf.org/doc/html/draft-ietf-privacypass-architecture-16#section-3.5" class="relref">Section 3.5</a> of [<a href="#ARCHITECTURE" class="cite xref">ARCHITECTURE</a>]</span>
-for more details about this property.<a href="#section-6.2-3.12.1" class="pilcrow">¶</a></p>
-</dd>
-          <dd class="break"></dd>
-<dt id="section-6.2-3.13">Public Metadata:</dt>
-          <dd style="margin-left: 1.5em" id="section-6.2-3.14">
-            <p id="section-6.2-3.14.1">A Y/N value indicating if the output tokens can contain
-public metadata; see <span><a href="https://datatracker.ietf.org/doc/html/draft-ietf-privacypass-architecture-16#section-3.5" class="relref">Section 3.5</a> of [<a href="#ARCHITECTURE" class="cite xref">ARCHITECTURE</a>]</span>
-for more details about this property.<a href="#section-6.2-3.14.1" class="pilcrow">¶</a></p>
-</dd>
-          <dd class="break"></dd>
-<dt id="section-6.2-3.15">Private Metadata:</dt>
-          <dd style="margin-left: 1.5em" id="section-6.2-3.16">
-            <p id="section-6.2-3.16.1">A Y/N value indicating if the output tokens can contain
-private metadata; see <span><a href="https://datatracker.ietf.org/doc/html/draft-ietf-privacypass-architecture-16#section-3.5" class="relref">Section 3.5</a> of [<a href="#ARCHITECTURE" class="cite xref">ARCHITECTURE</a>]</span>
-for more details about this property.<a href="#section-6.2-3.16.1" class="pilcrow">¶</a></p>
-</dd>
-          <dd class="break"></dd>
-<dt id="section-6.2-3.17">Nk:</dt>
-          <dd style="margin-left: 1.5em" id="section-6.2-3.18">
-            <p id="section-6.2-3.18.1">The length in bytes of an output authenticator<a href="#section-6.2-3.18.1" class="pilcrow">¶</a></p>
-</dd>
-          <dd class="break"></dd>
-<dt id="section-6.2-3.19">Nid:</dt>
-          <dd style="margin-left: 1.5em" id="section-6.2-3.20">
-            <p id="section-6.2-3.20.1">The length of the token key identifier<a href="#section-6.2-3.20.1" class="pilcrow">¶</a></p>
-</dd>
-          <dd class="break"></dd>
-<dt id="section-6.2-3.21">Reference:</dt>
-          <dd style="margin-left: 1.5em" id="section-6.2-3.22">
-            <p id="section-6.2-3.22.1">Where this algorithm is defined<a href="#section-6.2-3.22.1" class="pilcrow">¶</a></p>
-</dd>
-          <dd class="break"></dd>
-<dt id="section-6.2-3.23">Notes:</dt>
-          <dd style="margin-left: 1.5em" id="section-6.2-3.24">
-            <p id="section-6.2-3.24.1">Any notes associated with the entry<a href="#section-6.2-3.24.1" class="pilcrow">¶</a></p>
-</dd>
-        <dd class="break"></dd>
-</dl>
-<p id="section-6.2-4">New entries in this registry are subject to the Specification Required
-registration policy (<span>[<a href="#RFC8126" class="cite xref">RFC8126</a>], <a href="https://rfc-editor.org/rfc/rfc8126#section-4.6" class="relref">Section 4.6</a></span>). Designated experts need to
-ensure that the token type is defined to be used for both token issuance and
-redemption. Additionally, the experts can reject registrations on the basis
-that they do not meet the security and privacy requirements for issuance
-protocols defined in <span><a href="https://datatracker.ietf.org/doc/html/draft-ietf-privacypass-architecture-16#section-3.2" class="relref">Section 3.2</a> of [<a href="#ARCHITECTURE" class="cite xref">ARCHITECTURE</a>]</span>.<a href="#section-6.2-4" class="pilcrow">¶</a></p>
-<p id="section-6.2-5"><span>[<a href="#ISSUANCE" class="cite xref">ISSUANCE</a>]</span> defines entries for this registry.<a href="#section-6.2-5" class="pilcrow">¶</a></p>
-<div id="reserved-values">
-<section id="section-6.2.1">
-          <h4 id="name-reserved-values">
-<a href="#section-6.2.1" class="section-number selfRef">6.2.1. </a><a href="#name-reserved-values" class="section-name selfRef">Reserved Values</a>
-          </h4>
-<p id="section-6.2.1-1">This document defines several Reserved values, which can be used by clients
-and servers to send "greased" values in token challenges and redemptions to
-ensure that implementations remain able to handle unknown token types
-gracefully (this technique is inspired by <span>[<a href="#RFC8701" class="cite xref">RFC8701</a>]</span>). Implementations SHOULD
-select reserved values at random when including them in greased messages.
-Servers can include these in TokenChallenge structures, either as the only
-challenge when no real token type is desired, or as one challenge in a list of
-challenges that include real values. Clients can include these in Token
-structures when they are not able to present a real token. The
-contents of the Token structure SHOULD be filled with random bytes when
-using greased values.<a href="#section-6.2.1-1" class="pilcrow">¶</a></p>
-<p id="section-6.2.1-2">The initial contents for this registry consists of multiple reserved values,
-with the following attributes, which are repeated for each registration:<a href="#section-6.2.1-2" class="pilcrow">¶</a></p>
-<span class="break"></span><dl class="dlCompact dlParallel" id="section-6.2.1-3">
-            <dt id="section-6.2.1-3.1">Value:</dt>
-            <dd style="margin-left: 1.5em" id="section-6.2.1-3.2">
-              <p id="section-6.2.1-3.2.1">0x0000, 0x02AA, 0x1132, 0x2E96, 0x3CD3, 0x4473, 0x5A63, 0x6D32, 0x7F3F,
-0x8D07, 0x916B, 0xA6A4, 0xBEAB, 0xC3F3, 0xDA42, 0xE944, 0xF057<a href="#section-6.2.1-3.2.1" class="pilcrow">¶</a></p>
-</dd>
-            <dd class="break"></dd>
-<dt id="section-6.2.1-3.3">Name:</dt>
-            <dd style="margin-left: 1.5em" id="section-6.2.1-3.4">
-              <p id="section-6.2.1-3.4.1">RESERVED<a href="#section-6.2.1-3.4.1" class="pilcrow">¶</a></p>
-</dd>
-            <dd class="break"></dd>
-<dt id="section-6.2.1-3.5">Token Structure:</dt>
-            <dd style="margin-left: 1.5em" id="section-6.2.1-3.6">
-              <p id="section-6.2.1-3.6.1">Random bytes<a href="#section-6.2.1-3.6.1" class="pilcrow">¶</a></p>
-</dd>
-            <dd class="break"></dd>
-<dt id="section-6.2.1-3.7">Token Key Encoding:</dt>
-            <dd style="margin-left: 1.5em" id="section-6.2.1-3.8">
-              <p id="section-6.2.1-3.8.1">Random bytes<a href="#section-6.2.1-3.8.1" class="pilcrow">¶</a></p>
-</dd>
-            <dd class="break"></dd>
-<dt id="section-6.2.1-3.9">TokenChallenge Structure:</dt>
-            <dd style="margin-left: 1.5em" id="section-6.2.1-3.10">
-              <p id="section-6.2.1-3.10.1">Random bytes<a href="#section-6.2.1-3.10.1" class="pilcrow">¶</a></p>
-</dd>
-            <dd class="break"></dd>
-<dt id="section-6.2.1-3.11">Publicly Verifiable:</dt>
-            <dd style="margin-left: 1.5em" id="section-6.2.1-3.12">
-              <p id="section-6.2.1-3.12.1">N/A<a href="#section-6.2.1-3.12.1" class="pilcrow">¶</a></p>
-</dd>
-            <dd class="break"></dd>
-<dt id="section-6.2.1-3.13">Public Metadata:</dt>
-            <dd style="margin-left: 1.5em" id="section-6.2.1-3.14">
-              <p id="section-6.2.1-3.14.1">N/A<a href="#section-6.2.1-3.14.1" class="pilcrow">¶</a></p>
-</dd>
-            <dd class="break"></dd>
-<dt id="section-6.2.1-3.15">Private Metadata:</dt>
-            <dd style="margin-left: 1.5em" id="section-6.2.1-3.16">
-              <p id="section-6.2.1-3.16.1">N/A<a href="#section-6.2.1-3.16.1" class="pilcrow">¶</a></p>
-</dd>
-            <dd class="break"></dd>
-<dt id="section-6.2.1-3.17">Nk:</dt>
-            <dd style="margin-left: 1.5em" id="section-6.2.1-3.18">
-              <p id="section-6.2.1-3.18.1">N/A<a href="#section-6.2.1-3.18.1" class="pilcrow">¶</a></p>
-</dd>
-            <dd class="break"></dd>
-<dt id="section-6.2.1-3.19">Nid:</dt>
-            <dd style="margin-left: 1.5em" id="section-6.2.1-3.20">
-              <p id="section-6.2.1-3.20.1">N/A<a href="#section-6.2.1-3.20.1" class="pilcrow">¶</a></p>
-</dd>
-            <dd class="break"></dd>
-<dt id="section-6.2.1-3.21">Reference:</dt>
-            <dd style="margin-left: 1.5em" id="section-6.2.1-3.22">
-              <p id="section-6.2.1-3.22.1">This document<a href="#section-6.2.1-3.22.1" class="pilcrow">¶</a></p>
-</dd>
-            <dd class="break"></dd>
-<dt id="section-6.2.1-3.23">Notes:</dt>
-            <dd style="margin-left: 1.5em" id="section-6.2.1-3.24">
-              <p id="section-6.2.1-3.24.1">None<a href="#section-6.2.1-3.24.1" class="pilcrow">¶</a></p>
-</dd>
-          <dd class="break"></dd>
-</dl>
-</section>
-</div>
-</section>
-</div>
-</section>
-</div>
-<section id="section-7">
-      <h2 id="name-references">
-<a href="#section-7" class="section-number selfRef">7. </a><a href="#name-references" class="section-name selfRef">References</a>
-      </h2>
-<div id="sec-normative-references">
-<section id="section-7.1">
-        <h3 id="name-normative-references">
-<a href="#section-7.1" class="section-number selfRef">7.1. </a><a href="#name-normative-references" class="section-name selfRef">Normative References</a>
-        </h3>
-<dl class="references">
-<dt id="ARCHITECTURE">[ARCHITECTURE]</dt>
-        <dd>
-<span class="refAuthor">Davidson, A.</span>, <span class="refAuthor">Iyengar, J.</span>, and <span class="refAuthor">C. A. Wood</span>, <span class="refTitle">"The Privacy Pass Architecture"</span>, <span class="refContent">Work in Progress</span>, <span class="seriesInfo">Internet-Draft, draft-ietf-privacypass-architecture-16</span>, <time datetime="2023-09-25" class="refDate">25 September 2023</time>, <span>&lt;<a href="https://datatracker.ietf.org/doc/html/draft-ietf-privacypass-architecture-16">https://datatracker.ietf.org/doc/html/draft-ietf-privacypass-architecture-16</a>&gt;</span>. </dd>
-<dd class="break"></dd>
-<dt id="RFC2119">[RFC2119]</dt>
-        <dd>
-<span class="refAuthor">Bradner, S.</span>, <span class="refTitle">"Key words for use in RFCs to Indicate Requirement Levels"</span>, <span class="seriesInfo">BCP 14</span>, <span class="seriesInfo">RFC 2119</span>, <span class="seriesInfo">DOI 10.17487/RFC2119</span>, <time datetime="1997-03" class="refDate">March 1997</time>, <span>&lt;<a href="https://www.rfc-editor.org/rfc/rfc2119">https://www.rfc-editor.org/rfc/rfc2119</a>&gt;</span>. </dd>
-<dd class="break"></dd>
-<dt id="RFC4648">[RFC4648]</dt>
-        <dd>
-<span class="refAuthor">Josefsson, S.</span>, <span class="refTitle">"The Base16, Base32, and Base64 Data Encodings"</span>, <span class="seriesInfo">RFC 4648</span>, <span class="seriesInfo">DOI 10.17487/RFC4648</span>, <time datetime="2006-10" class="refDate">October 2006</time>, <span>&lt;<a href="https://www.rfc-editor.org/rfc/rfc4648">https://www.rfc-editor.org/rfc/rfc4648</a>&gt;</span>. </dd>
-<dd class="break"></dd>
-<dt id="RFC8126">[RFC8126]</dt>
-        <dd>
-<span class="refAuthor">Cotton, M.</span>, <span class="refAuthor">Leiba, B.</span>, and <span class="refAuthor">T. Narten</span>, <span class="refTitle">"Guidelines for Writing an IANA Considerations Section in RFCs"</span>, <span class="seriesInfo">BCP 26</span>, <span class="seriesInfo">RFC 8126</span>, <span class="seriesInfo">DOI 10.17487/RFC8126</span>, <time datetime="2017-06" class="refDate">June 2017</time>, <span>&lt;<a href="https://www.rfc-editor.org/rfc/rfc8126">https://www.rfc-editor.org/rfc/rfc8126</a>&gt;</span>. </dd>
-<dd class="break"></dd>
-<dt id="RFC8174">[RFC8174]</dt>
-        <dd>
-<span class="refAuthor">Leiba, B.</span>, <span class="refTitle">"Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words"</span>, <span class="seriesInfo">BCP 14</span>, <span class="seriesInfo">RFC 8174</span>, <span class="seriesInfo">DOI 10.17487/RFC8174</span>, <time datetime="2017-05" class="refDate">May 2017</time>, <span>&lt;<a href="https://www.rfc-editor.org/rfc/rfc8174">https://www.rfc-editor.org/rfc/rfc8174</a>&gt;</span>. </dd>
-<dd class="break"></dd>
-<dt id="RFC9110">[RFC9110]</dt>
-        <dd>
-<span class="refAuthor">Fielding, R., Ed.</span>, <span class="refAuthor">Nottingham, M., Ed.</span>, and <span class="refAuthor">J. Reschke, Ed.</span>, <span class="refTitle">"HTTP Semantics"</span>, <span class="seriesInfo">STD 97</span>, <span class="seriesInfo">RFC 9110</span>, <span class="seriesInfo">DOI 10.17487/RFC9110</span>, <time datetime="2022-06" class="refDate">June 2022</time>, <span>&lt;<a href="https://www.rfc-editor.org/rfc/rfc9110">https://www.rfc-editor.org/rfc/rfc9110</a>&gt;</span>. </dd>
-<dd class="break"></dd>
-<dt id="SHS">[SHS]</dt>
-        <dd>
-<span class="refAuthor">Dang, Q.</span>, <span class="refTitle">"Secure Hash Standard"</span>, <span class="refContent">National Institute of Standards and Technology</span>, <span class="seriesInfo">DOI 10.6028/nist.fips.180-4</span>, <time datetime="2015-07" class="refDate">July 2015</time>, <span>&lt;<a href="https://doi.org/10.6028/nist.fips.180-4">https://doi.org/10.6028/nist.fips.180-4</a>&gt;</span>. </dd>
-<dd class="break"></dd>
-<dt id="TLS13">[TLS13]</dt>
-        <dd>
-<span class="refAuthor">Rescorla, E.</span>, <span class="refTitle">"The Transport Layer Security (TLS) Protocol Version 1.3"</span>, <span class="seriesInfo">RFC 8446</span>, <span class="seriesInfo">DOI 10.17487/RFC8446</span>, <time datetime="2018-08" class="refDate">August 2018</time>, <span>&lt;<a href="https://www.rfc-editor.org/rfc/rfc8446">https://www.rfc-editor.org/rfc/rfc8446</a>&gt;</span>. </dd>
-<dd class="break"></dd>
-<dt id="URI">[URI]</dt>
-      <dd>
-<span class="refAuthor">Berners-Lee, T.</span>, <span class="refAuthor">Fielding, R.</span>, and <span class="refAuthor">L. Masinter</span>, <span class="refTitle">"Uniform Resource Identifier (URI): Generic Syntax"</span>, <span class="seriesInfo">STD 66</span>, <span class="seriesInfo">RFC 3986</span>, <span class="seriesInfo">DOI 10.17487/RFC3986</span>, <time datetime="2005-01" class="refDate">January 2005</time>, <span>&lt;<a href="https://www.rfc-editor.org/rfc/rfc3986">https://www.rfc-editor.org/rfc/rfc3986</a>&gt;</span>. </dd>
-<dd class="break"></dd>
-</dl>
-</section>
-</div>
-<div id="sec-informative-references">
-<section id="section-7.2">
-        <h3 id="name-informative-references">
-<a href="#section-7.2" class="section-number selfRef">7.2. </a><a href="#name-informative-references" class="section-name selfRef">Informative References</a>
-        </h3>
-<dl class="references">
-<dt id="COOKIES">[COOKIES]</dt>
-        <dd>
-<span class="refAuthor">Bingler, S.</span>, <span class="refAuthor">West, M.</span>, and <span class="refAuthor">J. Wilander</span>, <span class="refTitle">"Cookies: HTTP State Management Mechanism"</span>, <span class="refContent">Work in Progress</span>, <span class="seriesInfo">Internet-Draft, draft-ietf-httpbis-rfc6265bis-12</span>, <time datetime="2023-05-10" class="refDate">10 May 2023</time>, <span>&lt;<a href="https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-12">https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-12</a>&gt;</span>. </dd>
-<dd class="break"></dd>
-<dt id="ISSUANCE">[ISSUANCE]</dt>
-        <dd>
-<span class="refAuthor">Celi, S.</span>, <span class="refAuthor">Davidson, A.</span>, <span class="refAuthor">Valdez, S.</span>, and <span class="refAuthor">C. A. Wood</span>, <span class="refTitle">"Privacy Pass Issuance Protocol"</span>, <span class="refContent">Work in Progress</span>, <span class="seriesInfo">Internet-Draft, draft-ietf-privacypass-protocol-16</span>, <time datetime="2023-10-03" class="refDate">3 October 2023</time>, <span>&lt;<a href="https://datatracker.ietf.org/doc/html/draft-ietf-privacypass-protocol-16">https://datatracker.ietf.org/doc/html/draft-ietf-privacypass-protocol-16</a>&gt;</span>. </dd>
-<dd class="break"></dd>
-<dt id="RFC4086">[RFC4086]</dt>
-        <dd>
-<span class="refAuthor">Eastlake 3rd, D.</span>, <span class="refAuthor">Schiller, J.</span>, and <span class="refAuthor">S. Crocker</span>, <span class="refTitle">"Randomness Requirements for Security"</span>, <span class="seriesInfo">BCP 106</span>, <span class="seriesInfo">RFC 4086</span>, <span class="seriesInfo">DOI 10.17487/RFC4086</span>, <time datetime="2005-06" class="refDate">June 2005</time>, <span>&lt;<a href="https://www.rfc-editor.org/rfc/rfc4086">https://www.rfc-editor.org/rfc/rfc4086</a>&gt;</span>. </dd>
-<dd class="break"></dd>
-<dt id="RFC8470">[RFC8470]</dt>
-        <dd>
-<span class="refAuthor">Thomson, M.</span>, <span class="refAuthor">Nottingham, M.</span>, and <span class="refAuthor">W. Tarreau</span>, <span class="refTitle">"Using Early Data in HTTP"</span>, <span class="seriesInfo">RFC 8470</span>, <span class="seriesInfo">DOI 10.17487/RFC8470</span>, <time datetime="2018-09" class="refDate">September 2018</time>, <span>&lt;<a href="https://www.rfc-editor.org/rfc/rfc8470">https://www.rfc-editor.org/rfc/rfc8470</a>&gt;</span>. </dd>
-<dd class="break"></dd>
-<dt id="RFC8701">[RFC8701]</dt>
-        <dd>
-<span class="refAuthor">Benjamin, D.</span>, <span class="refTitle">"Applying Generate Random Extensions And Sustain Extensibility (GREASE) to TLS Extensibility"</span>, <span class="seriesInfo">RFC 8701</span>, <span class="seriesInfo">DOI 10.17487/RFC8701</span>, <time datetime="2020-01" class="refDate">January 2020</time>, <span>&lt;<a href="https://www.rfc-editor.org/rfc/rfc8701">https://www.rfc-editor.org/rfc/rfc8701</a>&gt;</span>. </dd>
-<dd class="break"></dd>
-<dt id="RFC9001">[RFC9001]</dt>
-      <dd>
-<span class="refAuthor">Thomson, M., Ed.</span> and <span class="refAuthor">S. Turner, Ed.</span>, <span class="refTitle">"Using TLS to Secure QUIC"</span>, <span class="seriesInfo">RFC 9001</span>, <span class="seriesInfo">DOI 10.17487/RFC9001</span>, <time datetime="2021-05" class="refDate">May 2021</time>, <span>&lt;<a href="https://www.rfc-editor.org/rfc/rfc9001">https://www.rfc-editor.org/rfc/rfc9001</a>&gt;</span>. </dd>
-<dd class="break"></dd>
-</dl>
-</section>
-</div>
-</section>
-<div id="test-vectors">
-<section id="appendix-A">
-      <h2 id="name-test-vectors">
-<a href="#appendix-A" class="section-number selfRef">Appendix A. </a><a href="#name-test-vectors" class="section-name selfRef">Test Vectors</a>
-      </h2>
-<p id="appendix-A-1">This section includes test vectors for the HTTP authentication scheme specified
-in this document. It consists of the following types of test vectors:<a href="#appendix-A-1" class="pilcrow">¶</a></p>
-<ol start="1" type="1" class="normal type-1" id="appendix-A-2">
-<li id="appendix-A-2.1">
-          <p id="appendix-A-2.1.1">Test vectors for the challenge and redemption protocols. Implementations can
-use these test vectors for verifying code that builds and encodes
-TokenChallenge structures, as well as code that produces a well-formed Token
-bound to a TokenChallenge.<a href="#appendix-A-2.1.1" class="pilcrow">¶</a></p>
-</li>
-        <li id="appendix-A-2.2">
-          <p id="appendix-A-2.2.1">Test vectors for the HTTP headers used for authentication. Implementations
-can use these test vectors for validating whether they parse HTTP
-authentication headers correctly to produce TokenChallenge structures and the
-other associated parameters, such as the token-key and max-age values.<a href="#appendix-A-2.2.1" class="pilcrow">¶</a></p>
-</li>
-      </ol>
-<div id="challenge-and-redemption-structure-test-vectors">
-<section id="appendix-A.1">
-        <h3 id="name-challenge-and-redemption-st">
-<a href="#appendix-A.1" class="section-number selfRef">A.1. </a><a href="#name-challenge-and-redemption-st" class="section-name selfRef">Challenge and Redemption Structure Test Vectors</a>
-        </h3>
-<p id="appendix-A.1-1">This section includes test vectors for the challenge and redemption
-functionalities described in <a href="#challenge" class="auto internal xref">Section 2.1</a> and <a href="#redemption" class="auto internal xref">Section 2.2</a>. Each test vector
-lists the following values:<a href="#appendix-A.1-1" class="pilcrow">¶</a></p>
-<ul class="normal">
-<li class="normal" id="appendix-A.1-2.1">
-            <p id="appendix-A.1-2.1.1">token_type: The type of token issuance protocol, a value from
-<a href="#token-types" class="auto internal xref">Section 6.2</a>. For these test vectors, token_type is 0x0002, corresponding
-to the issuance protocol in <span>[<a href="#ISSUANCE" class="cite xref">ISSUANCE</a>]</span>.<a href="#appendix-A.1-2.1.1" class="pilcrow">¶</a></p>
-</li>
-          <li class="normal" id="appendix-A.1-2.2">
-            <p id="appendix-A.1-2.2.1">issuer_name: The name of the issuer in the TokenChallenge structure,
-represented as a hexadecimal string.<a href="#appendix-A.1-2.2.1" class="pilcrow">¶</a></p>
-</li>
-          <li class="normal" id="appendix-A.1-2.3">
-            <p id="appendix-A.1-2.3.1">redemption_context: The redemption context in the TokenChallenge structure,
-represented as a hexadecimal string.<a href="#appendix-A.1-2.3.1" class="pilcrow">¶</a></p>
-</li>
-          <li class="normal" id="appendix-A.1-2.4">
-            <p id="appendix-A.1-2.4.1">origin_info: The origin info in the TokenChallenge structure, represented as
-a hexadecimal string.<a href="#appendix-A.1-2.4.1" class="pilcrow">¶</a></p>
-</li>
-          <li class="normal" id="appendix-A.1-2.5">
-            <p id="appendix-A.1-2.5.1">nonce: The nonce in the Token structure, represented as a hexadecimal string.<a href="#appendix-A.1-2.5.1" class="pilcrow">¶</a></p>
-</li>
-          <li class="normal" id="appendix-A.1-2.6">
-            <p id="appendix-A.1-2.6.1">token_key: The public token-key, encoded based on the corresponding token
-type, represented as a hexadecimal string.<a href="#appendix-A.1-2.6.1" class="pilcrow">¶</a></p>
-</li>
-          <li class="normal" id="appendix-A.1-2.7">
-            <p id="appendix-A.1-2.7.1">token_authenticator_input: The values in the Token structure used to compute
-the Token authenticator value, represented as a hexadecimal string.<a href="#appendix-A.1-2.7.1" class="pilcrow">¶</a></p>
-</li>
-        </ul>
-<p id="appendix-A.1-3">Test vectors are provided for each of the following TokenChallenge
-configurations:<a href="#appendix-A.1-3" class="pilcrow">¶</a></p>
-<ol start="1" type="1" class="normal type-1" id="appendix-A.1-4">
-<li id="appendix-A.1-4.1">
-            <p id="appendix-A.1-4.1.1">TokenChallenge with a single origin and non-empty redemption context<a href="#appendix-A.1-4.1.1" class="pilcrow">¶</a></p>
-</li>
-          <li id="appendix-A.1-4.2">
-            <p id="appendix-A.1-4.2.1">TokenChallenge with a single origin and empty redemption context<a href="#appendix-A.1-4.2.1" class="pilcrow">¶</a></p>
-</li>
-          <li id="appendix-A.1-4.3">
-            <p id="appendix-A.1-4.3.1">TokenChallenge with an empty origin and redemption context<a href="#appendix-A.1-4.3.1" class="pilcrow">¶</a></p>
-</li>
-          <li id="appendix-A.1-4.4">
-            <p id="appendix-A.1-4.4.1">TokenChallenge with an empty origin and non-empty redemption context<a href="#appendix-A.1-4.4.1" class="pilcrow">¶</a></p>
-</li>
-          <li id="appendix-A.1-4.5">
-            <p id="appendix-A.1-4.5.1">TokenChallenge with a multiple origins and non-empty redemption context<a href="#appendix-A.1-4.5.1" class="pilcrow">¶</a></p>
-</li>
-        </ol>
-<p id="appendix-A.1-5">These test vectors are below.<a href="#appendix-A.1-5" class="pilcrow">¶</a></p>
-<div class="alignLeft art-text artwork" id="appendix-A.1-6">
-<pre>
-// Test vector 1:
-//   token_type(0002), issuer_name(issuer.example),
-//   origin_info(origin.example), redemption_context(non-empty)
-token_type: 0002
-issuer_name: 6973737565722e6578616d706c65
-redemption_context:
-476ac2c935f458e9b2d7af32dacfbd22dd6023ef5887a789f1abe004e79bb5bb
-origin_info: 6f726967696e2e6578616d706c65
-nonce:
-e01978182c469e5e026d66558ee186568614f235e41ef7e2378e6f202688abab
-token_key_id:
-ca572f8982a9ca248a3056186322d93ca147266121ddeb5632c07f1f71cd2708
-token_authenticator_input: 0002e01978182c469e5e026d66558ee1865686
-14f235e41ef7e2378e6f202688abab8e1d5518ec82964255526efd8f9db88205a
-8ddd3ffb1db298fcc3ad36c42388fca572f8982a9ca248a3056186322d93ca147
-266121ddeb5632c07f1f71cd2708
-
-// Test vector 2:
-//   token_type(0002), issuer_name(issuer.example),
-//   origin_info(origin.example), redemption_context(empty)
-token_type: 0002
-issuer_name: 6973737565722e6578616d706c65
-redemption_context:
-origin_info: 6f726967696e2e6578616d706c65
-nonce:
-e01978182c469e5e026d66558ee186568614f235e41ef7e2378e6f202688abab
-token_key_id:
-ca572f8982a9ca248a3056186322d93ca147266121ddeb5632c07f1f71cd2708
-token_authenticator_input: 0002e01978182c469e5e026d66558ee1865686
-14f235e41ef7e2378e6f202688abab11e15c91a7c2ad02abd66645802373db1d8
-23bea80f08d452541fb2b62b5898bca572f8982a9ca248a3056186322d93ca147
-266121ddeb5632c07f1f71cd2708
-
-// Test vector 3:
-//   token_type(0002), issuer_name(issuer.example),
-//   origin_info(), redemption_context(empty)
-token_type: 0002
-issuer_name: 6973737565722e6578616d706c65
-redemption_context:
-origin_info:
-nonce:
-e01978182c469e5e026d66558ee186568614f235e41ef7e2378e6f202688abab
-token_key_id:
-ca572f8982a9ca248a3056186322d93ca147266121ddeb5632c07f1f71cd2708
-token_authenticator_input: 0002e01978182c469e5e026d66558ee1865686
-14f235e41ef7e2378e6f202688ababb741ec1b6fd05f1e95f8982906aec161289
-6d9ca97d53eef94ad3c9fe023f7a4ca572f8982a9ca248a3056186322d93ca147
-266121ddeb5632c07f1f71cd2708
-
-// Test vector 4:
-//   token_type(0002), issuer_name(issuer.example),
-//   origin_info(), redemption_context(non-empty)
-token_type: 0002
-issuer_name: 6973737565722e6578616d706c65
-redemption_context:
-476ac2c935f458e9b2d7af32dacfbd22dd6023ef5887a789f1abe004e79bb5bb
-origin_info:
-nonce:
-e01978182c469e5e026d66558ee186568614f235e41ef7e2378e6f202688abab
-token_key_id:
-ca572f8982a9ca248a3056186322d93ca147266121ddeb5632c07f1f71cd2708
-token_authenticator_input: 0002e01978182c469e5e026d66558ee1865686
-14f235e41ef7e2378e6f202688ababb85fb5bc06edeb0e8e8bdb5b3bea8c4fa40
-837c82e8bcaf5882c81e14817ea18ca572f8982a9ca248a3056186322d93ca147
-266121ddeb5632c07f1f71cd2708
-
-// Test vector 5:
-//   token_type(0002), issuer_name(issuer.example),
-//   origin_info(foo.example,bar.example),
-//   redemption_context(non-empty)
-token_type: 0002
-issuer_name: 6973737565722e6578616d706c65
-redemption_context:
-476ac2c935f458e9b2d7af32dacfbd22dd6023ef5887a789f1abe004e79bb5bb
-origin_info: 666f6f2e6578616d706c652c6261722e6578616d706c65
-nonce:
-e01978182c469e5e026d66558ee186568614f235e41ef7e2378e6f202688abab
-token_key_id:
-ca572f8982a9ca248a3056186322d93ca147266121ddeb5632c07f1f71cd2708
-token_authenticator_input: 0002e01978182c469e5e026d66558ee1865686
-14f235e41ef7e2378e6f202688ababa2a775866b6ae0f98944910c8f48728d8a2
-735b9157762ddbf803f70e2e8ba3eca572f8982a9ca248a3056186322d93ca147
-266121ddeb5632c07f1f71cd2708
-</pre><a href="#appendix-A.1-6" class="pilcrow">¶</a>
-</div>
-</section>
-</div>
-<div id="http-header-test-vectors">
-<section id="appendix-A.2">
-        <h3 id="name-http-header-test-vectors">
-<a href="#appendix-A.2" class="section-number selfRef">A.2. </a><a href="#name-http-header-test-vectors" class="section-name selfRef">HTTP Header Test Vectors</a>
-        </h3>
-<p id="appendix-A.2-1">This section includes test vectors the contents of the HTTP authentication
-headers. Each test vector consists of one or more challenges that comprise
-a WWW-Authenticate header. For each challenge, the token-type, token-key,
-max-age, and token-challenge parameters are listed. Each challenge also
-includes an unknown (not specified) parameter that implementations are meant
-to ignore.<a href="#appendix-A.2-1" class="pilcrow">¶</a></p>
-<p id="appendix-A.2-2">The parameters for each challenge are indexed by their position
-in the WWW-Authentication challenge list. For example, token-key-0 denotes
-the token-key parameter for the first challenge in the list, whereas
-token-key-1 denotes the token-key for the second challenge in the list.<a href="#appendix-A.2-2" class="pilcrow">¶</a></p>
-<p id="appendix-A.2-3">The resulting wire-encoded WWW-Authentication header based on this
-list of challenges is then listed at the end. Line folding is only
-used to fit the document formatting constraints and not supported
-in actual requests.<a href="#appendix-A.2-3" class="pilcrow">¶</a></p>
-<div class="alignLeft art-text artwork" id="appendix-A.2-4">
-<pre>
-token-type-0: 0x0002
-token-key-0: 30820152303d06092a864886f70d01010a3030a00d300b060960864
-8016503040202a11a301806092a864886f70d010108300b060960864801650304020
-2a2030201300382010f003082010a0282010100cb1aed6b6a95f5b1ce013a4cfcab2
-5b94b2e64a23034e4250a7eab43c0df3a8c12993af12b111908d4b471bec31d4b6c9
-ad9cdda90612a2ee903523e6de5a224d6b02f09e5c374d0cfe01d8f529c500a78a2f
-67908fa682b5a2b430c81eaf1af72d7b5e794fc98a3139276879757ce453b526ef9b
-f6ceb99979b8423b90f4461a22af37aab0cf5733f7597abe44d31c732db68a181c6c
-bbe607d8c0e52e0655fd9996dc584eca0be87afbcd78a337d17b1dba9e828bbd81e2
-91317144e7ff89f55619709b096cbb9ea474cead264c2073fe49740c01f00e109106
-066983d21e5f83f086e2e823c879cd43cef700d2a352a9babd612d03cad02db134b7
-e225a5f0203010001
-max-age-0: 10
-token-challenge-0: 0002000e6973737565722e6578616d706c65208a3e83a33d9
-8005d2f30bef419fa6bf4cd5c6005e36b1285bbb4ccd40fa4b383000e6f726967696
-e2e6578616d706c65
-
-WWW-Authenticate: PrivateToken challenge="AAIADmlzc3Vlci5leGFtcGxlII
-o-g6M9mABdLzC-9Bn6a_TNXGAF42sShbu0zNQPpLODAA5vcmlnaW4uZXhhbXBsZQ==",
- token-key="MIIBUjA9BgkqhkiG9w0BAQowMKANMAsGCWCGSAFlAwQCAqEaMBgGCSqG
-SIb3DQEBCDALBglghkgBZQMEAgKiAwIBMAOCAQ8AMIIBCgKCAQEAyxrta2qV9bHOATpM
-_KsluUsuZKIwNOQlCn6rQ8DfOowSmTrxKxEZCNS0cb7DHUtsmtnN2pBhKi7pA1I-beWi
-JNawLwnlw3TQz-Adj1KcUAp4ovZ5CPpoK1orQwyB6vGvcte155T8mKMTknaHl1fORTtS
-bvm_bOuZl5uEI7kPRGGiKvN6qwz1cz91l6vkTTHHMttooYHGy75gfYwOUuBlX9mZbcWE
-7KC-h6-814ozfRex26noKLvYHikTFxROf_ifVWGXCbCWy7nqR0zq0mTCBz_kl0DAHwDh
-CRBgZpg9IeX4PwhuLoI8h5zUPO9wDSo1Kpur1hLQPK0C2xNLfiJaXwIDAQAB",unknow
-nChallengeAttribute="ignore-me", max-age="10"
-
-token-type-0: 0x0002
-token-key-0: 30820152303d06092a864886f70d01010a3030a00d300b060960864
-8016503040202a11a301806092a864886f70d010108300b060960864801650304020
-2a2030201300382010f003082010a0282010100cb1aed6b6a95f5b1ce013a4cfcab2
-5b94b2e64a23034e4250a7eab43c0df3a8c12993af12b111908d4b471bec31d4b6c9
-ad9cdda90612a2ee903523e6de5a224d6b02f09e5c374d0cfe01d8f529c500a78a2f
-67908fa682b5a2b430c81eaf1af72d7b5e794fc98a3139276879757ce453b526ef9b
-f6ceb99979b8423b90f4461a22af37aab0cf5733f7597abe44d31c732db68a181c6c
-bbe607d8c0e52e0655fd9996dc584eca0be87afbcd78a337d17b1dba9e828bbd81e2
-91317144e7ff89f55619709b096cbb9ea474cead264c2073fe49740c01f00e109106
-066983d21e5f83f086e2e823c879cd43cef700d2a352a9babd612d03cad02db134b7
-e225a5f0203010001
-max-age-0: 10
-token-challenge-0: 0002000e6973737565722e6578616d706c65208a3e83a33d9
-8005d2f30bef419fa6bf4cd5c6005e36b1285bbb4ccd40fa4b383000e6f726967696
-e2e6578616d706c65
-token-type-1: 0x0001
-token-key-1: ebb1fed338310361c08d0c7576969671296e05e99a17d7926dfc28a
-53fabd489fac0f82bca86249a668f3a5bfab374c9
-max-age-1: 10
-token-challenge-1: 0001000e6973737565722e6578616d706c65208a3e83a33d9
-8005d2f30bef419fa6bf4cd5c6005e36b1285bbb4ccd40fa4b383000e6f726967696
-e2e6578616d706c65
-
-WWW-Authenticate: PrivateToken challenge="AAIADmlzc3Vlci5leGFtcGxlII
-o-g6M9mABdLzC-9Bn6a_TNXGAF42sShbu0zNQPpLODAA5vcmlnaW4uZXhhbXBsZQ==",
- token-key="MIIBUjA9BgkqhkiG9w0BAQowMKANMAsGCWCGSAFlAwQCAqEaMBgGCSqG
-SIb3DQEBCDALBglghkgBZQMEAgKiAwIBMAOCAQ8AMIIBCgKCAQEAyxrta2qV9bHOATpM
-_KsluUsuZKIwNOQlCn6rQ8DfOowSmTrxKxEZCNS0cb7DHUtsmtnN2pBhKi7pA1I-beWi
-JNawLwnlw3TQz-Adj1KcUAp4ovZ5CPpoK1orQwyB6vGvcte155T8mKMTknaHl1fORTtS
-bvm_bOuZl5uEI7kPRGGiKvN6qwz1cz91l6vkTTHHMttooYHGy75gfYwOUuBlX9mZbcWE
-7KC-h6-814ozfRex26noKLvYHikTFxROf_ifVWGXCbCWy7nqR0zq0mTCBz_kl0DAHwDh
-CRBgZpg9IeX4PwhuLoI8h5zUPO9wDSo1Kpur1hLQPK0C2xNLfiJaXwIDAQAB",unknow
-nChallengeAttribute="ignore-me", max-age="10", PrivateToken challeng
-e="AAEADmlzc3Vlci5leGFtcGxlIIo-g6M9mABdLzC-9Bn6a_TNXGAF42sShbu0zNQPp
-LODAA5vcmlnaW4uZXhhbXBsZQ==", token-key="67H-0zgxA2HAjQx1dpaWcSluBem
-aF9eSbfwopT-r1In6wPgryoYkmmaPOlv6s3TJ",unknownChallengeAttribute="ig
-nore-me", max-age="10"
-</pre><a href="#appendix-A.2-4" class="pilcrow">¶</a>
-</div>
-</section>
-</div>
-</section>
-</div>
-<div id="authors-addresses">
-<section id="appendix-B">
-      <h2 id="name-authors-addresses">
-<a href="#name-authors-addresses" class="section-name selfRef">Authors' Addresses</a>
-      </h2>
-<address class="vcard">
-        <div dir="auto" class="left"><span class="fn nameRole">Tommy Pauly</span></div>
-<div dir="auto" class="left"><span class="org">Apple Inc.</span></div>
-<div dir="auto" class="left"><span class="street-address">One Apple Park Way</span></div>
-<div dir="auto" class="left">
-<span class="locality">Cupertino, California 95014</span>,  </div>
-<div dir="auto" class="left"><span class="country-name">United States of America</span></div>
-<div class="email">
-<span>Email:</span>
-<a href="mailto:tpauly@apple.com" class="email">tpauly@apple.com</a>
-</div>
-</address>
-<address class="vcard">
-        <div dir="auto" class="left"><span class="fn nameRole">Steven Valdez</span></div>
-<div dir="auto" class="left"><span class="org">Google LLC</span></div>
-<div class="email">
-<span>Email:</span>
-<a href="mailto:svaldez@chromium.org" class="email">svaldez@chromium.org</a>
-</div>
-</address>
-<address class="vcard">
-        <div dir="auto" class="left"><span class="fn nameRole">Christopher A. Wood</span></div>
-<div dir="auto" class="left"><span class="org">Cloudflare</span></div>
-<div class="email">
-<span>Email:</span>
-<a href="mailto:caw@heapingbits.net" class="email">caw@heapingbits.net</a>
-</div>
-</address>
-</section>
-</div>
-<script>const toc = document.getElementById("toc");
-toc.querySelector("h2").addEventListener("click", e => {
-  toc.classList.toggle("active");
-});
-toc.querySelector("nav").addEventListener("click", e => {
-  toc.classList.remove("active");
-});
-</script>
-</body>
-</html>
diff --git a/chris-wood-patch-8/draft-ietf-privacypass-auth-scheme.txt b/chris-wood-patch-8/draft-ietf-privacypass-auth-scheme.txt
deleted file mode 100644
index 8d53df8c..00000000
--- a/chris-wood-patch-8/draft-ietf-privacypass-auth-scheme.txt
+++ /dev/null
@@ -1,1205 +0,0 @@
-
-
-
-
-Network Working Group                                           T. Pauly
-Internet-Draft                                                Apple Inc.
-Intended status: Standards Track                               S. Valdez
-Expires: 15 April 2024                                        Google LLC
-                                                              C. A. Wood
-                                                              Cloudflare
-                                                         13 October 2023
-
-
-              The Privacy Pass HTTP Authentication Scheme
-               draft-ietf-privacypass-auth-scheme-latest
-
-Abstract
-
-   This document defines an HTTP authentication scheme for Privacy Pass,
-   a privacy-preserving authentication mechanism used for authorization.
-   The authentication scheme in this document can be used by clients to
-   redeem Privacy Pass tokens with an origin.  It can also be used by
-   origins to challenge clients to present Privacy Pass tokens.
-
-Status of This Memo
-
-   This Internet-Draft is submitted in full conformance with the
-   provisions of BCP 78 and BCP 79.
-
-   Internet-Drafts are working documents of the Internet Engineering
-   Task Force (IETF).  Note that other groups may also distribute
-   working documents as Internet-Drafts.  The list of current Internet-
-   Drafts is at https://datatracker.ietf.org/drafts/current/.
-
-   Internet-Drafts are draft documents valid for a maximum of six months
-   and may be updated, replaced, or obsoleted by other documents at any
-   time.  It is inappropriate to use Internet-Drafts as reference
-   material or to cite them other than as "work in progress."
-
-   This Internet-Draft will expire on 15 April 2024.
-
-Copyright Notice
-
-   Copyright (c) 2023 IETF Trust and the persons identified as the
-   document authors.  All rights reserved.
-
-   This document is subject to BCP 78 and the IETF Trust's Legal
-   Provisions Relating to IETF Documents (https://trustee.ietf.org/
-   license-info) in effect on the date of publication of this document.
-   Please review these documents carefully, as they describe your rights
-   and restrictions with respect to this document.  Code Components
-   extracted from this document must include Revised BSD License text as
-   described in Section 4.e of the Trust Legal Provisions and are
-   provided without warranty as described in the Revised BSD License.
-
-Table of Contents
-
-   1.  Introduction
-     1.1.  Terminology
-   2.  HTTP Authentication Scheme
-     2.1.  Token Challenge
-       2.1.1.  Token Challenge Structure
-       2.1.2.  Sending Token Challenges
-       2.1.3.  Processing Token Challenges
-       2.1.4.  Token Caching
-     2.2.  Token Redemption
-       2.2.1.  Token Structure
-       2.2.2.  Sending Tokens
-       2.2.3.  Token Verification
-   3.  Client Behavior
-     3.1.  Choosing to Redeem Tokens
-     3.2.  Choosing Between Multiple Challenges
-   4.  Origin Behavior
-     4.1.  Greasing
-   5.  Security Considerations
-     5.1.  Randomness Requirements
-     5.2.  Replay Attacks
-     5.3.  Reflection Attacks
-     5.4.  Token Exhaustion Attacks
-     5.5.  Timing Correlation Attacks
-     5.6.  Cross-Context Linkability Attacks
-   6.  IANA Considerations
-     6.1.  Authentication Scheme
-     6.2.  Token Type Registry
-       6.2.1.  Reserved Values
-   7.  References
-     7.1.  Normative References
-     7.2.  Informative References
-   Appendix A.  Test Vectors
-     A.1.  Challenge and Redemption Structure Test Vectors
-     A.2.  HTTP Header Test Vectors
-   Authors' Addresses
-
-1.  Introduction
-
-   Privacy Pass tokens are unlinkable authenticators that can be used to
-   anonymously authorize a client (see [ARCHITECTURE]).  Tokens are
-   generated by token issuers, on the basis of authentication,
-   attestation, or some previous action such as solving a CAPTCHA.  A
-   client possessing such a token is able to prove that it was able to
-   get a token issued, without allowing the relying party redeeming the
-   client's token (the origin) to link it with the issuance flow.
-
-   Different types of authenticators, using different token issuance
-   protocols, can be used as Privacy Pass tokens.
-
-   This document defines a common HTTP authentication scheme ([RFC9110],
-   Section 11), PrivateToken, that allows clients to redeem various
-   kinds of Privacy Pass tokens.
-
-   Clients and relying parties (origins) interact using this scheme to
-   perform the token challenge and token redemption flow.  In
-   particular, origins challenge clients for a token with an HTTP
-   Authentication challenge (using the WWW-Authenticate response header
-   field).  Clients can then react to that challenge by issuing a new
-   request with a corresponding token (using the Authorization request
-   header field).  Clients generate tokens that match the origin's token
-   challenge by running the token issuance protocol [ISSUANCE].  The act
-   of presenting a token in an Authorization request header field is
-   referred to as token redemption.  This interaction between client and
-   origin is shown below.
-
-   +--------+                              +--------+
-   | Origin |                              | Client |
-   +---+----+                              +---+----+
-       |                                       |
-       +-- WWW-Authenticate: TokenChallenge -->|
-       |                                       |
-       |                            (Run issuance protocol)
-       |                                       |
-       |<------ Authorization: Token ----------+
-       |                                       |
-
-              Figure 1: Challenge and redemption protocol flow
-
-   In addition to working with different token issuance protocols, this
-   scheme optionally supports use of tokens that are associated with
-   origin-chosen contexts and specific origin names.  Relying parties
-   that request and redeem tokens can choose a specific kind of token,
-   as appropriate for its use case.  These options allow for different
-   deployment models to prevent double-spending, and allow for both
-   interactive (online challenges) and non-interactive (pre-fetched)
-   tokens.
-
-1.1.  Terminology
-
-   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
-   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
-   "OPTIONAL" in this document are to be interpreted as described in
-   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
-   capitals, as shown here.
-
-   Unless otherwise specified, this document encodes protocol messages
-   in TLS notation from [TLS13], Section 3.
-
-   This document uses the terms "Client", "Origin", "Issuer", "Issuance
-   Protocol", and "Token" as defined in [ARCHITECTURE].  It additionally
-   uses the following terms in more specific ways:
-
-   *  Issuer key: Keying material that can be used with an issuance
-      protocol to create a signed token.
-
-   *  Token challenge: A request for tokens sent from an origin to a
-      client, using the "WWW-Authenticate" HTTP header field.  This
-      challenge identifies a specific token issuer and issuance
-      protocol.  Token challenges optionally include one or both of: a
-      redemption context (see Section 2.1.1.2), and a list of associated
-      origins.  These optional values are then be bound to the token
-      that is issued.
-
-   *  Token redemption: An action by which a client presents a token to
-      an origin in an HTTP request, using the "Authorization" HTTP
-      header field.
-
-2.  HTTP Authentication Scheme
-
-   Token redemption is performed using HTTP Authentication ([RFC9110],
-   Section 11), with the scheme "PrivateToken".  Origins challenge
-   clients to present a token from a specific issuer (Section 2.1).
-   Once a client has received a token from that issuer, or already has a
-   valid token available, it presents the token to the origin
-   (Section 2.2).  The process of presenting a token as authentication
-   to an origin is also referred to as "spending" a token.
-
-   In order to prevent linkability across different transactions,
-   clients will often present a particular "PrivateToken" only once.
-   Origins can link multiple transactions to the same client if that
-   client spends the same token value more than once.  As such, origins
-   ought to expect at most one unique token value, carried in one
-   request, for each challenge.
-
-   The rest of this section describes the token challenge and redemption
-   interactions in more detail.
-
-2.1.  Token Challenge
-
-   Origins send a token challenge to clients in an "WWW-Authenticate"
-   header field with the "PrivateToken" scheme.  This authentication
-   scheme has two mandatory parameters: one containing a token challenge
-   and another containing the token-key used for producing (and
-   verifying) a corresponding token.
-
-   Origins that support the "PrivateToken" authentication scheme need to
-   handle the following tasks in constructing the WWW-Authenticate
-   header field:
-
-   1.  Select which issuer to use, and configure the issuer name and
-       token-key to include in WWW-Authenticate token challenges.  The
-       issuer name is included in the token challenge, and the issuer
-       token-key is used to populate the WWW-Authenticate header
-       parameter.
-
-   2.  Determine a redemption context construction to include in the
-       token challenge, as discussed in Section 2.1.1.2.
-
-   3.  Select the origin information to include in the token challenge.
-       This can be empty to allow fully cross-origin tokens, a single
-       origin name that matches the origin itself for per-origin tokens,
-       or a list of origin names containing the origin itself.  See
-       Section 3.4 of [ARCHITECTURE] for more information about the
-       difference between cross-origin and per-origin tokens.
-
-   Once these decisions are made, origins construct the WWW-Authenticate
-   header by first constructing the token challenge as described in
-   Section 2.1.1.  Origins send challenges as described in
-   Section 2.1.2, and clients process them as described in Section 2.1.3
-   and Section 2.1.4.
-
-2.1.1.  Token Challenge Structure
-
-   This document defines the default challenge structure that can be
-   used across token types, although future token types MAY extend or
-   modify the structure of the challenge; see Section 6.2 for the
-   registry information which establishes and defines the relationship
-   between "token_type" and the contents of the TokenChallenge message.
-
-   All token challenges MUST begin with a 2-octet integer that defines
-   the token type, in network byte order.  This type indicates the
-   issuance protocol used to generate the token and determines the
-   structure and semantics of the rest of the structure.  Values are
-   registered in an IANA registry, Section 6.2.  Client MUST ignore
-   challenges with token types they do not support.
-
-   Even when a given token type uses the default challenge structure,
-   the requirements on the presence or interpretation of the fields can
-   differ across token types.  For example, some token types might
-   require that "origin_info" is non-empty, while others allow it to be
-   empty.
-
-   The default TokenChallenge message has the following structure:
-
-   struct {
-       uint16_t token_type;
-       opaque issuer_name<1..2^16-1>;
-       opaque redemption_context<0..32>;
-       opaque origin_info<0..2^16-1>;
-   } TokenChallenge;
-
-   The structure fields are defined as follows:
-
-   *  "token_type" is a 2-octet integer, in network byte order, as
-      described above.
-
-   *  "issuer_name" is an ASCII string that identifies the issuer using
-      the format of a server name defined in Section 2.1.1.1.  This name
-      identifies the issuer that is allowed to issue tokens that can be
-      redeemed by this origin.  The field that stores this string in the
-      challenge is prefixed with a 2-octet integer indicating the
-      length, in network byte order.
-
-   *  "redemption_context" is a field that is either 0 or 32 bytes,
-      prefixed with a single octet indicating the length (either 0 or
-      32).  If value is non-empty, it is a 32-byte value generated by
-      the origin that allows the origin to require that clients fetch
-      tokens bound to a specific context, as opposed to reusing tokens
-      that were fetched for other contexts.  See Section 2.1.1.2 for
-      example contexts that might be useful in practice.  Challenges
-      with redemption_context values of invalid lengths MUST be ignored.
-
-   *  "origin_info" is an ASCII string that is either empty, or contains
-      one or more origin names that allow a token to be scoped to a
-      specific set of origins.  Each origin name uses the format of a
-      server name defined in Section 2.1.1.1.  The string is prefixed
-      with a 2-octet integer indicating the length, in network byte
-      order.  If empty, any non-origin-specific token can be redeemed.
-      If the string contains multiple origin names, they are delimited
-      with commas "," without any whitespace.  If this field is not
-      empty, the Origin MUST include its own name as one of the names in
-      the list.
-
-   If "origin_info" contains multiple origin names, this means the
-   challenge is valid for any of the origins in the list, including the
-   origin which issued the challenge (which must always be present in
-   the list if it is non-empty; see Section 2.1.3).  This can be useful
-   in settings where clients pre-fetch and cache tokens for a particular
-   challenge -- including the "origin_info" field -- and then later
-   redeem these tokens with one of the origins in the list.  See
-   Section 2.1.4 for more discussion about token caching.
-
-2.1.1.1.  Server Name Encoding
-
-   Server names contained in a token challenge are ASCII strings that
-   contain a hostname and optional port, where the port is implied to be
-   "443" if missing.  The names use the format of the authority portion
-   of a URI as defined in Section 3.2 of [URI].  The names MUST NOT
-   include a "userinfo" portion of an authority.  For example, a valid
-   server name might be "issuer.example.com" or
-   "issuer.example.com:8443", but not "issuer@example.com".
-
-2.1.1.2.  Redemption Context Construction
-
-   The TokenChallenge redemption context allows the origin to determine
-   the context in which a given token can be redeemed.  This value can
-   be a unique per-request nonce, constructed from 32 freshly generated
-   random bytes.  It can also represent state or properties of the
-   client session.  Some example properties and methods for constructing
-   the corresponding context are below.  This list is not exhaustive.
-
-   *  Context bound to a given time window: Construct redemption context
-      as F(current time window), where F is a pseudorandom function.
-
-   *  Context bound to a client network: Construct redemption context as
-      F(client ASN), where F is a pseudorandom function.
-
-   *  Context bound to a given time window and client network: Construct
-      redemption context as F(current time window, client ASN), where F
-      is a pseudorandom function.
-
-   Preventing double spending on tokens requires the origin to keep
-   state associated with the redemption context.  An empty redemption
-   context is not bound to any property of the client request, so state
-   to prevent double spending needs to be stored and shared across all
-   origin servers that can accept tokens until token-key expiration or
-   rotation.  For a non-empty redemption context, the double spend state
-   only needs to be stored across the set of origin servers that will
-   accept tokens with that redemption context.
-
-   Origins that share redemption contexts, i.e., by using the same
-   redemption context, choosing the same issuer, and providing the same
-   origin_info field in the TokenChallenge, must necessarily share state
-   required to enforce double spend prevention.  Origins should consider
-   the operational complexity of this shared state before choosing to
-   share redemption contexts.  Failure to successfully synchronize this
-   state and use it for double spend prevention can allow Clients to
-   redeem tokens to one Origin that were issued after an interaction
-   with another Origin that shares the context.
-
-2.1.2.  Sending Token Challenges
-
-   When used in an authentication challenge, the "PrivateToken" scheme
-   uses the following parameters:
-
-   *  "challenge", which contains a base64url-encoded [RFC4648]
-      TokenChallenge value.  This document follows the default padding
-      behavior described in Section 3.2 of [RFC4648], so the base64url
-      value MUST include padding.  As an Authentication Parameter (auth-
-      param from [RFC9110], Section 11.2), the value can be either a
-      token or a quoted-string, and might be required to be a quoted-
-      string if the base64url string includes "=" characters.  This
-      parameter is required for all challenges.
-
-   *  "token-key", which contains a base64url encoding of the public key
-      for use with the issuance protocol indicated by the challenge.
-      See [ISSUANCE] for more information about how this public key is
-      used by the issuance protocols in that specification.  The
-      encoding of the public key is determined by the token type; see
-      Section 6.2.  As with "challenge", the base64url value MUST
-      include padding.  As an Authentication Parameter (auth-param from
-      [RFC9110], Section 11.2), the value can be either a token or a
-      quoted-string, and might be required to be a quoted-string if the
-      base64url string includes "=" characters.  This parameter MAY be
-      omitted in deployments where clients are able to retrieve the
-      issuer key using an out-of-band mechanism.
-
-   *  "max-age", an optional parameter that consists of the number of
-      seconds for which the challenge will be accepted by the origin.
-
-   The header field MAY also include the standard "realm" parameter, if
-   desired.  Issuance protocols MAY define other parameters, some of
-   which might be required.  Clients MUST ignore parameters in
-   challenges that are not defined for the issuance protocol
-   corresponding to the token type in the challenge.
-
-   As an example, the WWW-Authenticate header field could look like
-   this:
-
-   WWW-Authenticate:
-     PrivateToken challenge="abc...", token-key="123..."
-
-2.1.2.1.  Sending Multiple Token Challenges
-
-   It is possible for the WWW-Authenticate header field to include
-   multiple challenges ([RFC9110], Section 11.6.1).  This allows the
-   origin to indicate support for different token types, issuers, or to
-   include multiple redemption contexts.  For example, the WWW-
-   Authenticate header field could look like this:
-
-   WWW-Authenticate:
-     PrivateToken challenge="abc...", token-key="123...",
-     PrivateToken challenge="def...", token-key="234..."
-
-   Origins should only include challenges for different types of
-   issuance protocols with functionally equivalent properties.  For
-   instance, both issuance protocols in [ISSUANCE] have the same
-   functional properties, albeit with different mechanisms for verifying
-   the resulting tokens during redemption.  Since clients are free to
-   choose which challenge they want to consume when presented with
-   options, mixing multiple challenges with different functional
-   properties for one use case is nonsensical.  If the origin has a
-   preference for one challenge over another (for example, if one uses a
-   token type that is faster to verify), it can sort it to be first in
-   the list of challenges as a hint to the client.
-
-2.1.3.  Processing Token Challenges
-
-   Upon receipt of a challenge, a client validates the TokenChallenge
-   structure before taking any action, such as fetching a new token or
-   redeeming a token in a new request.  Validation requirements are as
-   follows:
-
-   *  The token_type is recognized and supported by the client;
-
-   *  The TokenChallenge structure is well-formed; and
-
-   *  If the origin_info field is non-empty, the name of the origin that
-      issued the authentication challenge is included in the list of
-      origin names.  Comparison of the origin name that issued the
-      authentication challenge against elements in the origin_info list
-      is done via case-insensitive equality checks.
-
-   If validation fails, the client MUST NOT fetch or redeem a token
-   based on the challenge.  Clients MAY have further restrictions and
-   requirements around validating when a challenge is considered
-   acceptable or valid.  For example, clients can choose to ignore
-   challenges that list origin names for which the current connection is
-   not authoritative (according to the TLS certificate).
-
-   Caching and pre-fetching of tokens is discussed in Section 2.1.4.
-
-2.1.4.  Token Caching
-
-   Clients can generate multiple tokens from a single TokenChallenge,
-   and cache them for future use.  This improves privacy by separating
-   the time of token issuance from the time of token redemption, and
-   also allows clients to avoid any overhead of receiving new tokens via
-   the issuance protocol.
-
-   Cached tokens can only be redeemed when they match all of the fields
-   in the TokenChallenge: token_type, issuer_name, redemption_context,
-   and origin_info.  Clients ought to store cached tokens based on all
-   of these fields, to avoid trying to redeem a token that does not
-   match.  Note that each token has a unique client nonce, which is sent
-   in token redemption (Section 2.2).
-
-   If a client fetches a batch of multiple tokens for future use that
-   are bound to a specific redemption context (the redemption_context in
-   the TokenChallenge was not empty), clients SHOULD discard these
-   tokens upon flushing state such as HTTP cookies [COOKIES], or if
-   there is a network change and the client does not have any origin-
-   specific state like HTTP cookies.  Using these tokens in a context
-   that otherwise would not be linkable to the original context could
-   allow the origin to recognize a client.
-
-2.2.  Token Redemption
-
-   The output of the issuance protocol is a token that corresponds to
-   the origin's challenge (see Section 2.1).
-
-2.2.1.  Token Structure
-
-   A token is a structure that begins with a two-octet field that
-   indicates a token type, which MUST match the token_type in the
-   TokenChallenge structure.  This value determines the structure and
-   semantics of the rest of token structure.
-
-   This document defines the default token structure that can be used
-   across token types, although future token types MAY extend or modify
-   the structure of the token; see Section 6.2 for the registry
-   information which establishes and defines the relationship between
-   "token_type" and the contents of the Token structure.
-
-   The default Token message has the following structure:
-
-   struct {
-       uint16_t token_type;
-       uint8_t nonce[32];
-       uint8_t challenge_digest[32];
-       uint8_t token_key_id[Nid];
-       uint8_t authenticator[Nk];
-   } Token;
-
-   The structure fields are defined as follows:
-
-   *  "token_type" is a 2-octet integer, in network byte order, as
-      described above.
-
-   *  "nonce" is a 32-octet value containing a client-generated random
-      nonce.
-
-   *  "challenge_digest" is a 32-octet value containing the hash of the
-      original TokenChallenge, SHA-256(TokenChallenge), where SHA-256 is
-      as defined in [SHS].  Changing the hash function to something
-      other than SHA-256 would require defining a new token type and
-      token structure (since the contents of challenge_digest would be
-      computed differently), which can be done in a future
-      specification.
-
-   *  "token_key_id" is a Nid-octet identifier for the token
-      authentication key.  The value of this field is defined by the
-      token_type and corresponding issuance protocol.
-
-   *  "authenticator" is a Nk-octet authenticator that is
-      cryptographically bound to the preceding fields in the token; see
-      Section 2.2.3 for more information about how this field is used in
-      verifying a token.  The token_type and corresponding issuance
-      protocol determine the value of the authenticator field and how it
-      is computed.  The value of constant Nk depends on token_type, as
-      defined in Section 6.2.
-
-   The authenticator value in the Token structure is computed over the
-   token_type, nonce, challenge_digest, and token_key_id fields.  A
-   token is considered a valid if token verification using succeeds; see
-   Section 2.2.3 for details about verifying the token and its
-   authenticator value.
-
-2.2.2.  Sending Tokens
-
-   When used for client authorization, the "PrivateToken" authentication
-   scheme defines one parameter, "token", which contains the base64url-
-   encoded Token struct.  As with the challenge parameters
-   (Section 2.1), the base64url value MUST include padding.  As an
-   Authentication Parameter (auth-param from [RFC9110], Section 11.2),
-   the value can be either a token or a quoted-string, and might be
-   required to be a quoted-string if the base64url string includes "="
-   characters.  All unknown or unsupported parameters to "PrivateToken"
-   authentication credentials MUST be ignored.
-
-   Clients present this Token structure to origins in a new HTTP request
-   using the Authorization header field as follows:
-
-   Authorization: PrivateToken token="abc..."
-
-   For context-bound tokens, origins store or reconstruct the contexts
-   of previous TokenChallenge structures in order to validate the token.
-   A TokenChallenge can be bound to a specific TLS session with a
-   client, but origins can also accept tokens for valid challenges in
-   new sessions.  Origins SHOULD implement some form of double-spend
-   prevention that prevents a token with the same nonce from being
-   redeemed twice.  Double-spend prevention ensures that clients cannot
-   replay tokens for previous challenges.  See Section 5.2 for more
-   information about replay attacks.  For context-bound tokens, this
-   double-spend prevention can require no state or minimal state, since
-   the context can be used to verify token uniqueness.
-
-2.2.3.  Token Verification
-
-   A token consists of some input cryptographically bound to an
-   authenticator value, such as a digital signature.  Verifying a token
-   consists of checking that the authenticator value is correct.
-
-   The authenticator value is as computed when running and finalizing
-   the issuance protocol corresponding to the token type with the
-   following value as the input:
-
-   struct {
-       uint16_t token_type;
-       uint8_t nonce[32];
-       uint8_t challenge_digest[32];
-       uint8_t token_key_id[Nid];
-   } AuthenticatorInput;
-
-   The value of these fields are as described in Section 2.2.  The
-   cryptographic verification check depends on the token type; see
-   Section 5.4 of [ISSUANCE] and Section 6.4 of [ISSUANCE] for
-   verification instructions for the issuance protocols described in
-   [ISSUANCE].  As such, the security properties of the token, e.g., the
-   probability that one can forge an authenticator value without
-   invoking the issuance protocol, depend on the cryptographic algorithm
-   used by the issuance protocol as determined by the token type.
-
-3.  Client Behavior
-
-   When a client receives one or more token challenges in response to a
-   request, the client has a set of choices to make:
-
-   *  Whether or not to redeem a token via a new request to the origin.
-
-   *  Whether to redeem a previously issued and cached token, or redeem
-      a token freshly issued from the issuance protocol.
-
-   *  If multiple challenges were sent, which challenge to use for
-      redeeming a token on a subsequent request.
-
-   The approach to these choices depends on the use case of the
-   application, as well as the deployment model (see Section 4 of
-   [ARCHITECTURE] for discussion of the different deployment models).
-
-3.1.  Choosing to Redeem Tokens
-
-   Some applications of tokens might require clients to always present a
-   token as authentication in order to successfully make requests.  For
-   example, a restricted service that wants to only allow access to
-   valid users, but do so without learning specific user credential
-   information, could use tokens that are based on attesting user
-   credentials.  In these kinds of use cases, clients will need to
-   always redeem a token in order to successfully make a request.
-
-   Many other use cases for Privacy Pass tokens involve open services
-   that must work with any client, including those that either cannot
-   redeem tokens, or can only sometimes redeem tokens.  For example, a
-   service can use tokens as a way to reduce the incidence of presenting
-   CAPTCHAs to users.  In such use cases, services will regularly
-   encounter clients that cannot redeem a token or choose not to.  In
-   order to mitigate the risk of these services relying on always
-   receiving tokens, clients that are capable of redeeming tokens can
-   ignore token challenges (and instead behave as if they were a client
-   that either doesn't support redeeming tokens or is unable to generate
-   a new token, by not sending a new request that contains a token to
-   redeem) with some non-trivial probability.  See Section 5.1 of
-   [ARCHITECTURE] for further considerations on avoiding discriminatory
-   behavior across clients when using Privacy Pass tokens.
-
-   Clients might also choose to not redeem tokens in subsequent requests
-   when the token challenges indicate erroneous or malicious behavior on
-   the part of the challenging origin.  For example, if a client’s
-   ability to generate tokens via an attester and issuer is limited to a
-   certain rate, a malicious origin could send an excessive number of
-   token challenges with unique redemption contexts in order to cause
-   the client to exhaust its ability to generate new tokens, or to
-   overwhelm issuance servers.  The limits here will vary based on the
-   specific deployment, but clients SHOULD have some implementation-
-   specific policy to minimize the number of tokens that can be
-   retrieved by origins.
-
-3.2.  Choosing Between Multiple Challenges
-
-   A single response from an origin can include multiple token
-   challenges.  For example, a set of challenges could include different
-   token types and issuers, to allow clients to choose a preferred
-   issuer or type.
-
-   The choice of which challenge to use for redeeming tokens is up to
-   client policy.  This can involve which token types are supported or
-   preferred, which issuers are supported or preferred, or whether or
-   not the client is able to use cached tokens based on the redemption
-   context or origin information in the challenge.  See Section 2.1.4
-   for more discussion on token caching.  Regardless of how the choice
-   is made, it SHOULD be done in a consistent manner to ensure that the
-   choice does not reveal information about the specific client; see
-   Section 6.2 of [ARCHITECTURE] for more details on the privacy
-   implications of issuance consistency.
-
-4.  Origin Behavior
-
-   Origins choose what token challenges to send to clients, which will
-   vary depending on the use case and deployment model.  The origin
-   chooses which token types, issuers, redemption contexts, and origin
-   info to include in challenges.  If an origin sends multiple
-   challenges, each challenge SHOULD be equivalent in terms of
-   acceptability for token redemption, since clients are free to choose
-   to generate tokens based on any of the challenges.
-
-   Origins ought to consider the time involved in token issuance.
-   Particularly, a challenge that includes a unique redemption context
-   will prevent a client from using cached tokens, and thus can add more
-   delay before the client is able to redeem a token.
-
-   Origins SHOULD minimize the number of challenges sent to a particular
-   client context (referred to as the "redemption context" in
-   Section 3.3 of [ARCHITECTURE]), to avoid overwhelming clients and
-   issuers with token requests that might cause clients to hit rate
-   limits.
-
-4.1.  Greasing
-
-   In order to prevent clients becoming incompatible with new token
-   challenges, origins SHOULD include random token types, from the
-   Reserved list of "greased" types (defined in Section 6.2), with some
-   non-trivial probability.
-
-   Additionally, for deployments where tokens are not required (such as
-   when tokens are used as a way to avoiding showing CAPTCHAs), origins
-   SHOULD randomly
-   choose to not challenge clients for tokens with some non-trivial
-   probability.  This helps origins ensure that their behavior for
-   handling clients that cannot redeem tokens is maintained and
-   exercised consistently.
-
-5.  Security Considerations
-
-   This section contains security considerations for the PrivateToken
-   authentication scheme described in this document.
-
-5.1.  Randomness Requirements
-
-   All random values in the challenge and token MUST be generated using
-   a cryptographically secure source of randomness ([RFC4086]).
-
-5.2.  Replay Attacks
-
-   Applications SHOULD constrain tokens to a single origin unless the
-   use case can accommodate replay attacks.  Replaying tokens is not
-   necessarily a security or privacy problem.  As an example, it is
-   reasonable for clients to replay tokens in contexts where token
-   redemption does not induce side effects and in which client requests
-   are already linkable.  One possible setting where this applies is
-   where tokens are sent as part of 0-RTT data.
-
-   If successful token redemption produces side effects, origins SHOULD
-   implement an anti-replay mechanism to mitigate the harm of such
-   replays.  See [TLS13], Section 8 and [RFC9001], Section 9.2 for
-   details about anti-replay mechanisms, as well as [RFC8470], Section 3
-   for discussion about safety considerations for 0-RTT HTTP data.
-
-5.3.  Reflection Attacks
-
-   The security properties of token challenges vary depending on whether
-   the challenge contains a redemption context or not, as well as
-   whether the challenge is per-origin or not.  For example, cross-
-   origin tokens with empty contexts can be reflected from one party by
-   another, as shown below.
-
-   +--------+           +----------+               +--------+
-   | Origin |           | Attacker |               | Client |
-   +---+----+           +----+-----+               +---+----+
-       |                     |                         |
-       +-- TokenChallenge -->|                         |
-       |                     +-- (reflect challenge) ->|
-       |                     |<-------- Token ---------+
-       |<-- (reflect token) -+                         |
-       |                     |
-
-                      Figure 2: Replay attack example
-
-5.4.  Token Exhaustion Attacks
-
-   When a Client holds cross-origin tokens with empty contexts, it is
-   possible for any Origin in the cross-origin set to deplete that
-   Client set of tokens.  To prevent this from happening, tokens can be
-   scoped to single Origins (with non-empty origin_info) such that they
-   can only be redeemed for a single Origin.  Alternatively, if tokens
-   are cross-Origin, Clients can use alternate methods to prevent many
-   tokens from being redeemed at once.  For example, if the Origin
-   requests an excess of tokens, the Client could choose to not present
-   any tokens for verification if a redemption had already occurred in a
-   given time window.
-
-   Token challenges that include non-empty origin_info bind tokens to
-   one or more specific origins.  As described in Section 2.1, clients
-   only accept such challenges from origin names listed in the
-   origin_info string.  Even if multiple origins are listed, a token can
-   only be redeemed for an origin if the challenge has a match for the
-   origin_info.  For example, if "a.example.com" issues a challenge with
-   an origin_info string of "a.example.com,b.example.com", a client
-   could redeem a token fetched for this challenge if and only if
-   "b.example.com" also included an origin_info string of
-   "a.example.com,b.example.com".  On the other hand, if "b.example.com"
-   had an origin_info string of "b.example.com" or
-   "b.example.com,a.example.com" or
-   "a.example.com,b.example.com,c.example.com", the string would not
-   match and the client would need to use a different token.
-
-5.5.  Timing Correlation Attacks
-
-   Context-bound token challenges require clients to obtain matching
-   tokens when challenged, rather than presenting a token that was
-   obtained from a different context in the past.  This can make it more
-   likely that issuance and redemption events will occur at
-   approximately the same time.  For example, if a client is challenged
-   for a token with a unique context at time T1 and then subsequently
-   obtains a token at time T2, a colluding issuer and origin can link
-   this to the same client if T2 is unique to the client.  This
-   linkability is less feasible as the number of issuance events at time
-   T2 increases.  Depending on the "max-age" token challenge parameter,
-   clients MAY try to add delay to the time between being challenged and
-   redeeming a token to make this sort of linkability more difficult.
-   For more discussion on correlation risks between token issuance and
-   redemption, see Section 6.3 of [ARCHITECTURE].
-
-5.6.  Cross-Context Linkability Attacks
-
-   As discussed in Section 2.1, clients SHOULD discard any context-bound
-   tokens upon flushing cookies or changing networks, to prevent an
-   origin using the redemption context state as a cookie to recognize
-   clients.
-
-6.  IANA Considerations
-
-6.1.  Authentication Scheme
-
-   This document registers the "PrivateToken" authentication scheme in
-   the "Hypertext Transfer Protocol (HTTP) Authentication Scheme
-   Registry" defined in [RFC9110], Section 16.4.
-
-   Authentication Scheme Name:  PrivateToken
-
-   Pointer to specification text:  Section 2 of this document
-
-6.2.  Token Type Registry
-
-   IANA is requested to create a new "Privacy Pass Token Type" registry
-   in a new "Privacy Pass Parameters" page to list identifiers for
-   issuance protocols defined for use with the Privacy Pass token
-   authentication scheme.  These identifiers are two-byte values, so the
-   maximum possible value is 0xFFFF = 65535.
-
-   New registrations need to list the following attributes:
-
-   Value:  The two-byte identifier for the algorithm
-   Name:  Name of the issuance protocol
-   Token Structure:  The contents of the Token structure in Section 2.2
-   Token Key Encoding:  The encoding of the "token-key" parameter in
-      Section 2.2
-   TokenChallenge Structure:  The contents of the TokenChallenge
-      structure in Section 2.1
-   Public Verifiability:  A Y/N value indicating if the output tokens
-      have the public verifiability property; see Section 3.5 of
-      [ARCHITECTURE] for more details about this property.
-   Public Metadata:  A Y/N value indicating if the output tokens can
-      contain public metadata; see Section 3.5 of [ARCHITECTURE] for
-      more details about this property.
-   Private Metadata:  A Y/N value indicating if the output tokens can
-      contain private metadata; see Section 3.5 of [ARCHITECTURE] for
-      more details about this property.
-   Nk:  The length in bytes of an output authenticator
-   Nid:  The length of the token key identifier
-   Reference:  Where this algorithm is defined
-   Notes:  Any notes associated with the entry
-
-   New entries in this registry are subject to the Specification
-   Required registration policy ([RFC8126], Section 4.6).  Designated
-   experts need to ensure that the token type is defined to be used for
-   both token issuance and redemption.  Additionally, the experts can
-   reject registrations on the basis that they do not meet the security
-   and privacy requirements for issuance protocols defined in
-   Section 3.2 of [ARCHITECTURE].
-
-   [ISSUANCE] defines entries for this registry.
-
-6.2.1.  Reserved Values
-
-   This document defines several Reserved values, which can be used by
-   clients and servers to send "greased" values in token challenges and
-   redemptions to ensure that implementations remain able to handle
-   unknown token types gracefully (this technique is inspired by
-   [RFC8701]).  Implementations SHOULD select reserved values at random
-   when including them in greased messages.  Servers can include these
-   in TokenChallenge structures, either as the only challenge when no
-   real token type is desired, or as one challenge in a list of
-   challenges that include real values.  Clients can include these in
-   Token structures when they are not able to present a real token.  The
-   contents of the Token structure SHOULD be filled with random bytes
-   when using greased values.
-
-   The initial contents for this registry consists of multiple reserved
-   values, with the following attributes, which are repeated for each
-   registration:
-
-   Value:  0x0000, 0x02AA, 0x1132, 0x2E96, 0x3CD3, 0x4473, 0x5A63,
-      0x6D32, 0x7F3F, 0x8D07, 0x916B, 0xA6A4, 0xBEAB, 0xC3F3, 0xDA42,
-      0xE944, 0xF057
-   Name:  RESERVED
-   Token Structure:  Random bytes
-   Token Key Encoding:  Random bytes
-   TokenChallenge Structure:  Random bytes
-   Publicly Verifiable:  N/A
-   Public Metadata:  N/A
-   Private Metadata:  N/A
-   Nk:  N/A
-   Nid:  N/A
-   Reference:  This document
-   Notes:  None
-
-7.  References
-
-7.1.  Normative References
-
-   [ARCHITECTURE]
-              Davidson, A., Iyengar, J., and C. A. Wood, "The Privacy
-              Pass Architecture", Work in Progress, Internet-Draft,
-              draft-ietf-privacypass-architecture-16, 25 September 2023,
-              <https://datatracker.ietf.org/doc/html/draft-ietf-
-              privacypass-architecture-16>.
-
-   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
-              Requirement Levels", BCP 14, RFC 2119,
-              DOI 10.17487/RFC2119, March 1997,
-              <https://www.rfc-editor.org/rfc/rfc2119>.
-
-   [RFC4648]  Josefsson, S., "The Base16, Base32, and Base64 Data
-              Encodings", RFC 4648, DOI 10.17487/RFC4648, October 2006,
-              <https://www.rfc-editor.org/rfc/rfc4648>.
-
-   [RFC8126]  Cotton, M., Leiba, B., and T. Narten, "Guidelines for
-              Writing an IANA Considerations Section in RFCs", BCP 26,
-              RFC 8126, DOI 10.17487/RFC8126, June 2017,
-              <https://www.rfc-editor.org/rfc/rfc8126>.
-
-   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
-              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
-              May 2017, <https://www.rfc-editor.org/rfc/rfc8174>.
-
-   [RFC9110]  Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke,
-              Ed., "HTTP Semantics", STD 97, RFC 9110,
-              DOI 10.17487/RFC9110, June 2022,
-              <https://www.rfc-editor.org/rfc/rfc9110>.
-
-   [SHS]      Dang, Q., "Secure Hash Standard", National Institute of
-              Standards and Technology, DOI 10.6028/nist.fips.180-4,
-              July 2015, <https://doi.org/10.6028/nist.fips.180-4>.
-
-   [TLS13]    Rescorla, E., "The Transport Layer Security (TLS) Protocol
-              Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
-              <https://www.rfc-editor.org/rfc/rfc8446>.
-
-   [URI]      Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
-              Resource Identifier (URI): Generic Syntax", STD 66,
-              RFC 3986, DOI 10.17487/RFC3986, January 2005,
-              <https://www.rfc-editor.org/rfc/rfc3986>.
-
-7.2.  Informative References
-
-   [COOKIES]  Bingler, S., West, M., and J. Wilander, "Cookies: HTTP
-              State Management Mechanism", Work in Progress, Internet-
-              Draft, draft-ietf-httpbis-rfc6265bis-12, 10 May 2023,
-              <https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-
-              rfc6265bis-12>.
-
-   [ISSUANCE] Celi, S., Davidson, A., Valdez, S., and C. A. Wood,
-              "Privacy Pass Issuance Protocol", Work in Progress,
-              Internet-Draft, draft-ietf-privacypass-protocol-16, 3
-              October 2023, <https://datatracker.ietf.org/doc/html/
-              draft-ietf-privacypass-protocol-16>.
-
-   [RFC4086]  Eastlake 3rd, D., Schiller, J., and S. Crocker,
-              "Randomness Requirements for Security", BCP 106, RFC 4086,
-              DOI 10.17487/RFC4086, June 2005,
-              <https://www.rfc-editor.org/rfc/rfc4086>.
-
-   [RFC8470]  Thomson, M., Nottingham, M., and W. Tarreau, "Using Early
-              Data in HTTP", RFC 8470, DOI 10.17487/RFC8470, September
-              2018, <https://www.rfc-editor.org/rfc/rfc8470>.
-
-   [RFC8701]  Benjamin, D., "Applying Generate Random Extensions And
-              Sustain Extensibility (GREASE) to TLS Extensibility",
-              RFC 8701, DOI 10.17487/RFC8701, January 2020,
-              <https://www.rfc-editor.org/rfc/rfc8701>.
-
-   [RFC9001]  Thomson, M., Ed. and S. Turner, Ed., "Using TLS to Secure
-              QUIC", RFC 9001, DOI 10.17487/RFC9001, May 2021,
-              <https://www.rfc-editor.org/rfc/rfc9001>.
-
-Appendix A.  Test Vectors
-
-   This section includes test vectors for the HTTP authentication scheme
-   specified in this document.  It consists of the following types of
-   test vectors:
-
-   1.  Test vectors for the challenge and redemption protocols.
-       Implementations can use these test vectors for verifying code
-       that builds and encodes TokenChallenge structures, as well as
-       code that produces a well-formed Token bound to a TokenChallenge.
-
-   2.  Test vectors for the HTTP headers used for authentication.
-       Implementations can use these test vectors for validating whether
-       they parse HTTP authentication headers correctly to produce
-       TokenChallenge structures and the other associated parameters,
-       such as the token-key and max-age values.
-
-A.1.  Challenge and Redemption Structure Test Vectors
-
-   This section includes test vectors for the challenge and redemption
-   functionalities described in Section 2.1 and Section 2.2.  Each test
-   vector lists the following values:
-
-   *  token_type: The type of token issuance protocol, a value from
-      Section 6.2.  For these test vectors, token_type is 0x0002,
-      corresponding to the issuance protocol in [ISSUANCE].
-
-   *  issuer_name: The name of the issuer in the TokenChallenge
-      structure, represented as a hexadecimal string.
-
-   *  redemption_context: The redemption context in the TokenChallenge
-      structure, represented as a hexadecimal string.
-
-   *  origin_info: The origin info in the TokenChallenge structure,
-      represented as a hexadecimal string.
-
-   *  nonce: The nonce in the Token structure, represented as a
-      hexadecimal string.
-
-   *  token_key: The public token-key, encoded based on the
-      corresponding token type, represented as a hexadecimal string.
-
-   *  token_authenticator_input: The values in the Token structure used
-      to compute the Token authenticator value, represented as a
-      hexadecimal string.
-
-   Test vectors are provided for each of the following TokenChallenge
-   configurations:
-
-   1.  TokenChallenge with a single origin and non-empty redemption
-       context
-
-   2.  TokenChallenge with a single origin and empty redemption context
-
-   3.  TokenChallenge with an empty origin and redemption context
-
-   4.  TokenChallenge with an empty origin and non-empty redemption
-       context
-
-   5.  TokenChallenge with a multiple origins and non-empty redemption
-       context
-
-   These test vectors are below.
-
-   // Test vector 1:
-   //   token_type(0002), issuer_name(issuer.example),
-   //   origin_info(origin.example), redemption_context(non-empty)
-   token_type: 0002
-   issuer_name: 6973737565722e6578616d706c65
-   redemption_context:
-   476ac2c935f458e9b2d7af32dacfbd22dd6023ef5887a789f1abe004e79bb5bb
-   origin_info: 6f726967696e2e6578616d706c65
-   nonce:
-   e01978182c469e5e026d66558ee186568614f235e41ef7e2378e6f202688abab
-   token_key_id:
-   ca572f8982a9ca248a3056186322d93ca147266121ddeb5632c07f1f71cd2708
-   token_authenticator_input: 0002e01978182c469e5e026d66558ee1865686
-   14f235e41ef7e2378e6f202688abab8e1d5518ec82964255526efd8f9db88205a
-   8ddd3ffb1db298fcc3ad36c42388fca572f8982a9ca248a3056186322d93ca147
-   266121ddeb5632c07f1f71cd2708
-
-   // Test vector 2:
-   //   token_type(0002), issuer_name(issuer.example),
-   //   origin_info(origin.example), redemption_context(empty)
-   token_type: 0002
-   issuer_name: 6973737565722e6578616d706c65
-   redemption_context:
-   origin_info: 6f726967696e2e6578616d706c65
-   nonce:
-   e01978182c469e5e026d66558ee186568614f235e41ef7e2378e6f202688abab
-   token_key_id:
-   ca572f8982a9ca248a3056186322d93ca147266121ddeb5632c07f1f71cd2708
-   token_authenticator_input: 0002e01978182c469e5e026d66558ee1865686
-   14f235e41ef7e2378e6f202688abab11e15c91a7c2ad02abd66645802373db1d8
-   23bea80f08d452541fb2b62b5898bca572f8982a9ca248a3056186322d93ca147
-   266121ddeb5632c07f1f71cd2708
-
-   // Test vector 3:
-   //   token_type(0002), issuer_name(issuer.example),
-   //   origin_info(), redemption_context(empty)
-   token_type: 0002
-   issuer_name: 6973737565722e6578616d706c65
-   redemption_context:
-   origin_info:
-   nonce:
-   e01978182c469e5e026d66558ee186568614f235e41ef7e2378e6f202688abab
-   token_key_id:
-   ca572f8982a9ca248a3056186322d93ca147266121ddeb5632c07f1f71cd2708
-   token_authenticator_input: 0002e01978182c469e5e026d66558ee1865686
-   14f235e41ef7e2378e6f202688ababb741ec1b6fd05f1e95f8982906aec161289
-   6d9ca97d53eef94ad3c9fe023f7a4ca572f8982a9ca248a3056186322d93ca147
-   266121ddeb5632c07f1f71cd2708
-
-   // Test vector 4:
-   //   token_type(0002), issuer_name(issuer.example),
-   //   origin_info(), redemption_context(non-empty)
-   token_type: 0002
-   issuer_name: 6973737565722e6578616d706c65
-   redemption_context:
-   476ac2c935f458e9b2d7af32dacfbd22dd6023ef5887a789f1abe004e79bb5bb
-   origin_info:
-   nonce:
-   e01978182c469e5e026d66558ee186568614f235e41ef7e2378e6f202688abab
-   token_key_id:
-   ca572f8982a9ca248a3056186322d93ca147266121ddeb5632c07f1f71cd2708
-   token_authenticator_input: 0002e01978182c469e5e026d66558ee1865686
-   14f235e41ef7e2378e6f202688ababb85fb5bc06edeb0e8e8bdb5b3bea8c4fa40
-   837c82e8bcaf5882c81e14817ea18ca572f8982a9ca248a3056186322d93ca147
-   266121ddeb5632c07f1f71cd2708
-
-   // Test vector 5:
-   //   token_type(0002), issuer_name(issuer.example),
-   //   origin_info(foo.example,bar.example),
-   //   redemption_context(non-empty)
-   token_type: 0002
-   issuer_name: 6973737565722e6578616d706c65
-   redemption_context:
-   476ac2c935f458e9b2d7af32dacfbd22dd6023ef5887a789f1abe004e79bb5bb
-   origin_info: 666f6f2e6578616d706c652c6261722e6578616d706c65
-   nonce:
-   e01978182c469e5e026d66558ee186568614f235e41ef7e2378e6f202688abab
-   token_key_id:
-   ca572f8982a9ca248a3056186322d93ca147266121ddeb5632c07f1f71cd2708
-   token_authenticator_input: 0002e01978182c469e5e026d66558ee1865686
-   14f235e41ef7e2378e6f202688ababa2a775866b6ae0f98944910c8f48728d8a2
-   735b9157762ddbf803f70e2e8ba3eca572f8982a9ca248a3056186322d93ca147
-   266121ddeb5632c07f1f71cd2708
-
-A.2.  HTTP Header Test Vectors
-
-   This section includes test vectors the contents of the HTTP
-   authentication headers.  Each test vector consists of one or more
-   challenges that comprise a WWW-Authenticate header.  For each
-   challenge, the token-type, token-key, max-age, and token-challenge
-   parameters are listed.  Each challenge also includes an unknown (not
-   specified) parameter that implementations are meant to ignore.
-
-   The parameters for each challenge are indexed by their position in
-   the WWW-Authentication challenge list.  For example, token-key-0
-   denotes the token-key parameter for the first challenge in the list,
-   whereas token-key-1 denotes the token-key for the second challenge in
-   the list.
-
-   The resulting wire-encoded WWW-Authentication header based on this
-   list of challenges is then listed at the end.  Line folding is only
-   used to fit the document formatting constraints and not supported in
-   actual requests.
-
-   token-type-0: 0x0002
-   token-key-0: 30820152303d06092a864886f70d01010a3030a00d300b060960864
-   8016503040202a11a301806092a864886f70d010108300b060960864801650304020
-   2a2030201300382010f003082010a0282010100cb1aed6b6a95f5b1ce013a4cfcab2
-   5b94b2e64a23034e4250a7eab43c0df3a8c12993af12b111908d4b471bec31d4b6c9
-   ad9cdda90612a2ee903523e6de5a224d6b02f09e5c374d0cfe01d8f529c500a78a2f
-   67908fa682b5a2b430c81eaf1af72d7b5e794fc98a3139276879757ce453b526ef9b
-   f6ceb99979b8423b90f4461a22af37aab0cf5733f7597abe44d31c732db68a181c6c
-   bbe607d8c0e52e0655fd9996dc584eca0be87afbcd78a337d17b1dba9e828bbd81e2
-   91317144e7ff89f55619709b096cbb9ea474cead264c2073fe49740c01f00e109106
-   066983d21e5f83f086e2e823c879cd43cef700d2a352a9babd612d03cad02db134b7
-   e225a5f0203010001
-   max-age-0: 10
-   token-challenge-0: 0002000e6973737565722e6578616d706c65208a3e83a33d9
-   8005d2f30bef419fa6bf4cd5c6005e36b1285bbb4ccd40fa4b383000e6f726967696
-   e2e6578616d706c65
-
-   WWW-Authenticate: PrivateToken challenge="AAIADmlzc3Vlci5leGFtcGxlII
-   o-g6M9mABdLzC-9Bn6a_TNXGAF42sShbu0zNQPpLODAA5vcmlnaW4uZXhhbXBsZQ==",
-    token-key="MIIBUjA9BgkqhkiG9w0BAQowMKANMAsGCWCGSAFlAwQCAqEaMBgGCSqG
-   SIb3DQEBCDALBglghkgBZQMEAgKiAwIBMAOCAQ8AMIIBCgKCAQEAyxrta2qV9bHOATpM
-   _KsluUsuZKIwNOQlCn6rQ8DfOowSmTrxKxEZCNS0cb7DHUtsmtnN2pBhKi7pA1I-beWi
-   JNawLwnlw3TQz-Adj1KcUAp4ovZ5CPpoK1orQwyB6vGvcte155T8mKMTknaHl1fORTtS
-   bvm_bOuZl5uEI7kPRGGiKvN6qwz1cz91l6vkTTHHMttooYHGy75gfYwOUuBlX9mZbcWE
-   7KC-h6-814ozfRex26noKLvYHikTFxROf_ifVWGXCbCWy7nqR0zq0mTCBz_kl0DAHwDh
-   CRBgZpg9IeX4PwhuLoI8h5zUPO9wDSo1Kpur1hLQPK0C2xNLfiJaXwIDAQAB",unknow
-   nChallengeAttribute="ignore-me", max-age="10"
-
-   token-type-0: 0x0002
-   token-key-0: 30820152303d06092a864886f70d01010a3030a00d300b060960864
-   8016503040202a11a301806092a864886f70d010108300b060960864801650304020
-   2a2030201300382010f003082010a0282010100cb1aed6b6a95f5b1ce013a4cfcab2
-   5b94b2e64a23034e4250a7eab43c0df3a8c12993af12b111908d4b471bec31d4b6c9
-   ad9cdda90612a2ee903523e6de5a224d6b02f09e5c374d0cfe01d8f529c500a78a2f
-   67908fa682b5a2b430c81eaf1af72d7b5e794fc98a3139276879757ce453b526ef9b
-   f6ceb99979b8423b90f4461a22af37aab0cf5733f7597abe44d31c732db68a181c6c
-   bbe607d8c0e52e0655fd9996dc584eca0be87afbcd78a337d17b1dba9e828bbd81e2
-   91317144e7ff89f55619709b096cbb9ea474cead264c2073fe49740c01f00e109106
-   066983d21e5f83f086e2e823c879cd43cef700d2a352a9babd612d03cad02db134b7
-   e225a5f0203010001
-   max-age-0: 10
-   token-challenge-0: 0002000e6973737565722e6578616d706c65208a3e83a33d9
-   8005d2f30bef419fa6bf4cd5c6005e36b1285bbb4ccd40fa4b383000e6f726967696
-   e2e6578616d706c65
-   token-type-1: 0x0001
-   token-key-1: ebb1fed338310361c08d0c7576969671296e05e99a17d7926dfc28a
-   53fabd489fac0f82bca86249a668f3a5bfab374c9
-   max-age-1: 10
-   token-challenge-1: 0001000e6973737565722e6578616d706c65208a3e83a33d9
-   8005d2f30bef419fa6bf4cd5c6005e36b1285bbb4ccd40fa4b383000e6f726967696
-   e2e6578616d706c65
-
-   WWW-Authenticate: PrivateToken challenge="AAIADmlzc3Vlci5leGFtcGxlII
-   o-g6M9mABdLzC-9Bn6a_TNXGAF42sShbu0zNQPpLODAA5vcmlnaW4uZXhhbXBsZQ==",
-    token-key="MIIBUjA9BgkqhkiG9w0BAQowMKANMAsGCWCGSAFlAwQCAqEaMBgGCSqG
-   SIb3DQEBCDALBglghkgBZQMEAgKiAwIBMAOCAQ8AMIIBCgKCAQEAyxrta2qV9bHOATpM
-   _KsluUsuZKIwNOQlCn6rQ8DfOowSmTrxKxEZCNS0cb7DHUtsmtnN2pBhKi7pA1I-beWi
-   JNawLwnlw3TQz-Adj1KcUAp4ovZ5CPpoK1orQwyB6vGvcte155T8mKMTknaHl1fORTtS
-   bvm_bOuZl5uEI7kPRGGiKvN6qwz1cz91l6vkTTHHMttooYHGy75gfYwOUuBlX9mZbcWE
-   7KC-h6-814ozfRex26noKLvYHikTFxROf_ifVWGXCbCWy7nqR0zq0mTCBz_kl0DAHwDh
-   CRBgZpg9IeX4PwhuLoI8h5zUPO9wDSo1Kpur1hLQPK0C2xNLfiJaXwIDAQAB",unknow
-   nChallengeAttribute="ignore-me", max-age="10", PrivateToken challeng
-   e="AAEADmlzc3Vlci5leGFtcGxlIIo-g6M9mABdLzC-9Bn6a_TNXGAF42sShbu0zNQPp
-   LODAA5vcmlnaW4uZXhhbXBsZQ==", token-key="67H-0zgxA2HAjQx1dpaWcSluBem
-   aF9eSbfwopT-r1In6wPgryoYkmmaPOlv6s3TJ",unknownChallengeAttribute="ig
-   nore-me", max-age="10"
-
-Authors' Addresses
-
-   Tommy Pauly
-   Apple Inc.
-   One Apple Park Way
-   Cupertino, California 95014,
-   United States of America
-   Email: tpauly@apple.com
-
-
-   Steven Valdez
-   Google LLC
-   Email: svaldez@chromium.org
-
-
-   Christopher A. Wood
-   Cloudflare
-   Email: caw@heapingbits.net
diff --git a/chris-wood-patch-8/draft-ietf-privacypass-protocol.html b/chris-wood-patch-8/draft-ietf-privacypass-protocol.html
deleted file mode 100644
index 945a52d8..00000000
--- a/chris-wood-patch-8/draft-ietf-privacypass-protocol.html
+++ /dev/null
@@ -1,3569 +0,0 @@
-<!DOCTYPE html>
-<html lang="en" class="Internet-Draft">
-<head>
-<meta charset="utf-8">
-<meta content="Common,Latin" name="scripts">
-<meta content="initial-scale=1.0" name="viewport">
-<title>Privacy Pass Issuance Protocol</title>
-<meta content="Sofía Celi" name="author">
-<meta content="Alex Davidson" name="author">
-<meta content="Steven Valdez" name="author">
-<meta content="Christopher A. Wood" name="author">
-<meta content="
-       This document specifies two variants of the two-message issuance protocol
-for Privacy Pass tokens: one that produces tokens that are privately
-verifiable using the issuance private key, and another that produces tokens
-that are publicly verifiable using the issuance public key. 
-    " name="description">
-<meta content="xml2rfc 3.18.1" name="generator">
-<meta content="Internet-Draft" name="keyword">
-<meta content="draft-ietf-privacypass-protocol-latest" name="ietf.draft">
-<!-- Generator version information:
-  xml2rfc 3.18.1
-    Python 3.11.5
-    ConfigArgParse 1.5.3
-    google-i18n-address 3.1.0
-    intervaltree 3.1.0
-    Jinja2 3.1.2
-    lxml 4.9.3
-    platformdirs 3.11.0
-    pycountry 22.3.5
-    PyYAML 6.0
-    requests 2.31.0
-    setuptools 67.7.2
-    six 1.16.0
-    wcwidth 0.2.8
--->
-<link href="draft-ietf-privacypass-protocol.xml" rel="alternate" type="application/rfc+xml">
-<link href="#copyright" rel="license">
-<style type="text/css">@font-face {
-  font-family: 'Lora';
-  font-style: italic;
-  font-weight: 400;
-  font-display: swap;
-  src: local('Lora Italic'), local('Lora-Italic'), url('https://martinthomson.github.io/rfc-css/fonts/lora-italic-cyrillic-ext.woff2') format('woff2');
-  unicode-range: U+0460-052F, U+1C80-1C88, U+20B4, U+2DE0-2DFF, U+A640-A69F, U+FE2E-FE2F;
-}
-@font-face {
-  font-family: 'Lora';
-  font-style: italic;
-  font-weight: 400;
-  font-display: swap;
-  src: local('Lora Italic'), local('Lora-Italic'), url('https://martinthomson.github.io/rfc-css/fonts/lora-italic-cyrillic-ext.woff2') format('woff2');
-  unicode-range: U+0400-045F, U+0490-0491, U+04B0-04B1, U+2116;
-}
-@font-face {
-  font-family: 'Lora';
-  font-style: italic;
-  font-weight: 400;
-  font-display: swap;
-  src: local('Lora Italic'), local('Lora-Italic'), url('https://martinthomson.github.io/rfc-css/fonts/lora-italic-vietnamese.woff2') format('woff2');
-  unicode-range: U+0102-0103, U+0110-0111, U+1EA0-1EF9, U+20AB;
-}
-@font-face {
-  font-family: 'Lora';
-  font-style: italic;
-  font-weight: 400;
-  font-display: swap;
-  src: local('Lora Italic'), local('Lora-Italic'), url('https://martinthomson.github.io/rfc-css/fonts/lora-italic-latin-ext.woff2') format('woff2');
-  unicode-range: U+0100-024F, U+0259, U+1E00-1EFF, U+2020, U+20A0-20AB, U+20AD-20CF, U+2113, U+2C60-2C7F, U+A720-A7FF;
-}
-
-@font-face {
-  font-family: 'Lora';
-  font-style: italic;
-  font-weight: 400;
-  font-display: swap;
-  src: local('Lora Italic'), local('Lora-Italic'), url('https://martinthomson.github.io/rfc-css/fonts/lora-italic-latin.woff2') format('woff2');
-  unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+2000-206F, U+2074, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD;
-}
-@font-face {
-  font-family: 'Lora';
-  font-style: normal;
-  font-weight: 400;
-  font-display: swap;
-  src: local('Lora Regular'), local('Lora-Regular'), url('https://martinthomson.github.io/rfc-css/fonts/lora-regular-cyrillic-ext.woff2') format('woff2');
-  unicode-range: U+0460-052F, U+1C80-1C88, U+20B4, U+2DE0-2DFF, U+A640-A69F, U+FE2E-FE2F;
-}
-@font-face {
-  font-family: 'Lora';
-  font-style: normal;
-  font-weight: 400;
-  font-display: swap;
-  src: local('Lora Regular'), local('Lora-Regular'), url('https://martinthomson.github.io/rfc-css/fonts/lora-regular-cyrillic.woff2') format('woff2');
-  unicode-range: U+0400-045F, U+0490-0491, U+04B0-04B1, U+2116;
-}
-@font-face {
-  font-family: 'Lora';
-  font-style: normal;
-  font-weight: 400;
-  font-display: swap;
-  src: local('Lora Regular'), local('Lora-Regular'), url('https://martinthomson.github.io/rfc-css/fonts/lora-regular-vietnamese.woff2') format('woff2');
-  unicode-range: U+0102-0103, U+0110-0111, U+1EA0-1EF9, U+20AB;
-}
-@font-face {
-  font-family: 'Lora';
-  font-style: normal;
-  font-weight: 400;
-  font-display: swap;
-  src: local('Lora Regular'), local('Lora-Regular'), url('https://martinthomson.github.io/rfc-css/fonts/lora-regular-latin-ext.woff2') format('woff2');
-  unicode-range: U+0100-024F, U+0259, U+1E00-1EFF, U+2020, U+20A0-20AB, U+20AD-20CF, U+2113, U+2C60-2C7F, U+A720-A7FF;
-}
-@font-face {
-  font-family: 'Lora';
-  font-style: normal;
-  font-weight: 400;
-  font-display: swap;
-  src: local('Lora Regular'), local('Lora-Regular'), url('https://martinthomson.github.io/rfc-css/fonts/lora-regular-latin.woff2') format('woff2');
-  unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+2000-206F, U+2074, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD;
-}
-
-@font-face {
-  font-family: 'Lora';
-  font-style: normal;
-  font-weight: 700;
-  font-display: swap;
-  src: local('Lora Bold'), local('Lora-Bold'), url('https://martinthomson.github.io/rfc-css/fonts/lora-bold-cyrillic-ext.woff2') format('woff2');
-  unicode-range: U+0460-052F, U+1C80-1C88, U+20B4, U+2DE0-2DFF, U+A640-A69F, U+FE2E-FE2F;
-}
-@font-face {
-  font-family: 'Lora';
-  font-style: normal;
-  font-weight: 700;
-  font-display: swap;
-  src: local('Lora Bold'), local('Lora-Bold'), url('https://martinthomson.github.io/rfc-css/fonts/lora-bold-cyrillic.woff2') format('woff2');
-  unicode-range: U+0400-045F, U+0490-0491, U+04B0-04B1, U+2116;
-}
-@font-face {
-  font-family: 'Lora';
-  font-style: normal;
-  font-weight: 700;
-  font-display: swap;
-  src: local('Lora Bold'), local('Lora-Bold'), url('https://martinthomson.github.io/rfc-css/fonts/lora-bold-vietnamese.woff2') format('woff2');
-  unicode-range: U+0102-0103, U+0110-0111, U+1EA0-1EF9, U+20AB;
-}
-@font-face {
-  font-family: 'Lora';
-  font-style: normal;
-  font-weight: 700;
-  font-display: swap;
-  src: local('Lora Bold'), local('Lora-Bold'), url('https://martinthomson.github.io/rfc-css/fonts/lora-bold-latin-ext.woff2') format('woff2');
-  unicode-range: U+0100-024F, U+0259, U+1E00-1EFF, U+2020, U+20A0-20AB, U+20AD-20CF, U+2113, U+2C60-2C7F, U+A720-A7FF;
-}
-@font-face {
-  font-family: 'Lora';
-  font-style: normal;
-  font-weight: 700;
-  font-display: swap;
-  src: local('Lora Bold'), local('Lora-Bold'), url('https://martinthomson.github.io/rfc-css/fonts/lora-bold-latin.woff2') format('woff2');
-  unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+2000-206F, U+2074, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD;
-}
-@font-face {
-  font-family: 'Lora';
-  font-style: normal;
-  font-weight: 600;
-  font-display: swap;
-  src: local('Lora SemiBold'), local('Lora-SemiBold'), url('https://martinthomson.github.io/rfc-css/fonts/lora-semibold-latin.woff2') format('woff2');
-  unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+2000-206F, U+2074, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD;
-}
-
-@font-face {
-  font-family: 'Cabin Condensed';
-  font-style: normal;
-  font-weight: 600;
-  font-display: swap;
-  src: local('Cabin Condensed SemiBold'), local('CabinCondensed-SemiBold'), url('https://martinthomson.github.io/rfc-css/fonts/cabincondensed-semibold-vietnamese.woff2') format('woff2');
-  unicode-range: U+0102-0103, U+0110-0111, U+1EA0-1EF9, U+20AB;
-}
-@font-face {
-  font-family: 'Cabin Condensed';
-  font-style: normal;
-  font-weight: 600;
-  font-display: swap;
-  src: local('Cabin Condensed SemiBold'), local('CabinCondensed-SemiBold'), url('https://martinthomson.github.io/rfc-css/fonts/cabincondensed-semibold-latin-ext.woff2') format('woff2');
-  unicode-range: U+0100-024F, U+0259, U+1E00-1EFF, U+2020, U+20A0-20AB, U+20AD-20CF, U+2113, U+2C60-2C7F, U+A720-A7FF;
-}
-@font-face {
-  font-family: 'Cabin Condensed';
-  font-style: normal;
-  font-weight: 600;
-  font-display: swap;
-  src: local('Cabin Condensed SemiBold'), local('CabinCondensed-SemiBold'), url('https://martinthomson.github.io/rfc-css/fonts/cabincondensed-semibold-latin.woff2') format('woff2');
-  unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+2000-206F, U+2074, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD;
-}
-
-@font-face {
-  font-family: 'Oxygen Mono';
-  font-style: normal;
-  font-weight: 400;
-  font-display: swap;
-  src: local('Oxygen Mono'), local('OxygenMono-Regular'), url('https://martinthomson.github.io/rfc-css/fonts/oxygenmono-regular-latin-ext.woff2') format('woff2');
-  unicode-range: U+0100-024F, U+0259, U+1E00-1EFF, U+2020, U+20A0-20AB, U+20AD-20CF, U+2113, U+2C60-2C7F, U+A720-A7FF;
-}
-@font-face {
-  font-family: 'Oxygen Mono';
-  font-style: normal;
-  font-weight: 400;
-  font-display: swap;
-  src: local('Oxygen Mono'), local('OxygenMono-Regular'), url('https://martinthomson.github.io/rfc-css/fonts/oxygenmono-regular-latin.woff2') format('woff2');
-  unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+2000-206F, U+2074, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD;
-}
-
-:root {
-  color-scheme: light dark;
-  --background-color: #fff;
-  --text-color: #222;
-  --title-color: #191919;
-  --link-color: #2a6496;
-  --highlight-color: #f9f9f9;
-  --line-color: #eee;
-  --pilcrow-weak: #ddd;
-  --pilcrow-strong: #bbb;
-  --small-font-size: 14.5px;
-  --font-mono: 'Oxygen Mono', monospace;
-  scrollbar-color: #bbb #eee;
-}
-body {
-  max-width: 600px;
-  margin: 75px auto;
-  padding: 0 5px;
-  color: var(--text-color);
-  background-color: var(--background-color);
-  font: 16px/22px "Lora", serif;
-  scroll-behavior: smooth;
-}
-
-.ears {
-  display: none;
-}
-
-/* headings */
-h1, h2, h3, h4, h5, h6 {
-  font-family: "Cabin Condensed", sans-serif;
-  font-weight: 600;
-  margin: 0.8em 0 0.3em;
-  font-size-adjust: 0.5;
-  color: var(--title-color);
-}
-h1#title {
-  font-size: 32px;
-  line-height: 40px;
-  clear: both;
-}
-h1#title, h1#rfcnum {
-  margin: 1.5em 0 0.2em;
-}
-h1#rfcnum + h1#title {
-  margin: 0.2em 0;
-}
-
-h1, h2, h3 {
-  font-size: 22px;
-  line-height: 27px;
-}
-h4, h5, h6 {
-  font-size: 20px;
-  line-height: 24px;
-}
-
-/* general structure */
-.author {
-  padding-bottom: 0.3em;
-}
-#abstract+p {
-  font-size: 18px;
-  line-height: 24px;
-}
-#abstract+p code, #abstract+p samp, #abstract+p tt {
-  font-size: 16px;
-  line-height: 0;
-}
-
-p {
-  padding: 0;
-  margin: 0.5em 0;
-  text-align: left;
-}
-div {
-  margin: 0;
-}
-.alignRight.art-text {
-  background-color: var(--highlight-color);
-  border: 1px solid var(--line-color);
-  border-radius: 3px;
-  padding: 0.5em 1em 0;
-  margin-bottom: 0.5em;
-}
-.alignRight.art-text pre {
-  padding: 0;
-  width: auto;
-}
-.alignRight {
-  margin: 1em 0;
-}
-.alignRight > *:first-child {
-  border: none;
-  margin: 0;
-  float: right;
-  clear: both;
-}
-.alignRight > *:nth-child(2) {
-  clear: both;
-  display: block;
-  border: none;
-}
-svg {
-  display: block;
-}
-/* font-family isn't space-separated, but =~ will have to do */
-svg[font-family~="monospace" i], svg [font-family~="monospace" i] {
-  font-family: var(--font-mono);
-}
-.alignCenter.art-text {
-  background-color: var(--highlight-color);
-  border: 1px solid var(--line-color);
-  border-radius: 3px;
-  padding: 0.5em 1em 0;
-  margin-bottom: 0.5em;
-}
-.alignCenter.art-text pre {
-  padding: 0;
-  width: auto;
-}
-.alignCenter {
-  margin: 1em 0;
-}
-.alignCenter > *:first-child {
-  border: none;
-  /* this isn't optimal, but it's an existence proof.  PrinceXML doesn't
-     support flexbox yet.
-  */
-  display: table;
-  margin: 0 auto;
-}
-
-/* lists */
-ol, ul {
-  padding: 0;
-  margin: 0 0 0.5em 2em;
-}
-:is(ol, ul) :is(ol, ul) {
-  margin-left: 1em;
-}
-li {
-  margin: 0 0 0.25em 0;
-}
-.ulCompact li {
-  margin: 0;
-}
-ul.empty, .ulEmpty {
-  list-style-type: none;
-}
-ul.empty li, .ulEmpty li {
-  margin-top: 0.5em;
-}
-:is(ul, ol).compact, .ulCompact, .olCompact {
-  line-height: 1;
-  margin: 0 0 0 2em;
-}
-
-/* definition lists */
-dl {
-  clear: left;
-  --indent: 3ch;
-  /* --indent: attr(indent ch); not supported in any browser, but we can dream */
-}
-dl.olPercent {
-  --indent: 5ch;
-}
-dl > dt {
-  float: left;
-  margin-right: 2ch;
-  min-width: 8ch;
-}
-dl.dlNewline > dt {
-  float: none;
-}
-dl > dd {
-  margin-bottom: .8em;
-  margin-left: var(--indent) !important; /* stupid element overrides */
-  min-height: 2ex;
-}
-dl.olPercent > dt {
-  min-width: calc(var(--indent) - 2ch);
-}
-:is(dl.compact, .dlCompact) > dd {
-  margin-bottom: 0;
-}
-:is(dl.compact, .dlCompact) > dd > :is(:first-child, .break:first-child + *) {
-  margin-top: 0;
-}
-:is(dl.compact, .dlCompact) > dd > :is(:last-child) {
-  margin-bottom: 0;
-}
-dl > dd > dl {
-  margin-top: 0.5em;
-  margin-bottom: 0;
-}
-:is(dd, span).break {
-  display: none;
-}
-
-/* links */
-a, a[href].selfRef:hover {
-  text-decoration: none;
-}
-a[href] {
-  color: var(--link-color);
-}
-a[href].selfRef, .iref + a[href].internal {
-  color: var(--text-color);
-}
-a[href]:hover {
-  text-decoration: underline;
-}
-a[href].selfRef:hover {
-  background-color: var(--highlight-color);
-}
-a.xref:is(.cite, .auto), :is(#status-of-memo, #copyright) a {
-  white-space: nowrap;
-}
-
-/* Figures */
-tt, code, pre {
-  background-color: var(--highlight-color);
-  font: 14px/22px var(--font-mono);
-}
-tt, code {
-  /* changing the font for inline elements leads to different ascender
-     and descender heights; as we want to retain baseline alignment,
-     remove leading to avoid altering the final height of lines
-     note: this fails if these blocks take an entire line,
-     a different solution would be great */
-  line-height: 0;
-}
-:is(h1, h2, h3, h4, h5, h6) :is(tt, code) {
-  font-size: 84%;
-}
-pre {
-  border: 1px solid var(--line-color);
-  font-size: 13.5px;
-  line-height: 16px;
-  letter-spacing: -0.2px;
-  margin: 5px;
-  padding: 5px;
-}
-img {
-  max-width: 100%;
-}
-figure {
-  margin: 0.5em 0;
-  padding: 0;
-}
-figure blockquote {
-  margin: 0.8em 0.4em 0.4em;
-}
-figcaption, caption {
-  font-style: italic;
-  margin: 0.5em 1.5em;
-  text-align: left;
-}
-@media screen {
-  /* Auto-collapse boilerplate. */
-  :is(#status-of-memo, #copyright) p {
-    margin: -2px 0;
-    max-height: 0;
-    transition: max-height 2s ease, margin 0.5s ease 0.5s;
-    overflow: hidden;
-  }
-  :is(#status-of-memo, #copyright):hover p,
-  :is(#status-of-memo, #copyright) h2:target ~ p {
-    margin: 0.5em 0;
-    max-height: 500px;
-    overflow: auto;
-  }
-  pre, svg {
-    display: inline-block;
-    overflow-x: auto;
-  }
-  pre {
-    max-width: 100%;
-    width: calc(100% - 22px - 1em);
-  }
-  svg {
-    max-width: calc(100% - 22px - 1em);
-  }
-  figure pre {
-    display: block;
-    width: calc(100% - 25px);
-  }
-  :is(pre, svg) + .pilcrow {
-    display: inline-block;
-    vertical-align: text-bottom;
-    padding-bottom: 8px;
-  }
-}
-
-/* aside, blockquote */
-aside, blockquote {
-  margin-left: 0;
-  padding: 0 2em;
-  font-style: italic;
-}
-blockquote {
-  margin: 1em 0;
-}
-cite {
-  display: block;
-  text-align: right;
-  font-style: italic;
-}
-
-/* tables */
-table {
-  max-width: 100%;
-  margin: 0 0 1em;
-  border-collapse: collapse;
-}
-table.right {
-  margin-left: auto;
-}
-table.center {
-  margin-left: auto;
-  margin-right: auto;
-}
-table.left {
-  margin-right: auto;
-}
-thead, tbody {
-  border: 1px solid var(--line-color);
-}
-th, td {
-  text-align: left;
-  vertical-align: top;
-  padding: 5px 10px;
-}
-th {
-  background-color: var(--line-color);
-}
-:is(tr:nth-child(2n), thead+tbody > tr:nth-child(2n+1)) > td {
-  background-color: var(--background-color);
-}
-:is(tr:nth-child(2n+1), thead+tbody > tr:nth-child(2n)) > td {
-  background-color: var(--highlight-color);
-}
-table caption {
-  margin: 0;
-  padding: 3px 0 3px 1em;
-}
-table p {
-  margin: 0;
-}
-
-/* pilcrow */
-a.pilcrow {
-  margin-left: 3px;
-  opacity: 0.2;
-  user-select: none;
-}
-a.pilcrow[href] { color: var(--pilcrow-weak); }
-a.pilcrow[href]:hover { text-decoration: none; }
-@media not print {
-  :hover > a.pilcrow {
-    opacity: 1;
-  }
-  a.pilcrow[href]:hover {
-    color: var(--pilcrow-strong);
-    background-color: transparent;
-  }
-}
-@media print {
-  a.pilcrow {
-    display: none;
-  }
-}
-
-/* misc */
-hr {
-  border: 0;
-  border-top: 1px solid var(--line-color);
-}
-.bcp14 {
-  font-variant: small-caps;
-  font-weight: 600;
-  font-size: var(--small-font-size);
-}
-.role {
-  font-variant: all-small-caps;
-}
-sub, sup {
-  line-height: 1;
-  font-size: 80%;
-}
-
-/* info block */
-#identifiers {
-  margin: 0;
-  font-size: var(--small-font-size);
-  line-height: 18px;
-  --identifier-width: 15ch;
-}
-#identifiers dt {
-  width: var(--identifier-width);
-  min-width: var(--identifier-width);
-  clear: left;
-  float: left;
-  text-align: right;
-  margin-right: 1ch;
-}
-#identifiers dd {
-  margin: 0;
-  margin-left: calc(1em + var(--identifier-width)) !important;
-  min-width: 5em;
-}
-#identifiers .authors .author {
-  display: inline-block;
-  margin-right: 1.5em;
-}
-#identifiers .authors .org {
-  font-style: italic;
-}
-
-/* The prepared/rendered info at the very bottom of the page */
-.docInfo {
-  color: #999;
-  font-size: 0.9em;
-  font-style: italic;
-  margin-top: 2em;
-}
-.docInfo .prepared {
-  float: left;
-}
-.docInfo .prepared {
-  float: right;
-}
-
-/* table of contents */
-#toc {
-  padding: 0.75em 0 2em 0;
-  margin-bottom: 1em;
-}
-#toc nav ul {
-  margin: 0 0.5em 0 0;
-  padding: 0;
-  list-style: none;
-}
-#toc nav li {
-  line-height: 1.3em;
-  margin: 2px 0;
-  padding-left: 1.2em;
-  text-indent: -1.2em;
-}
-#toc a.xref {
-  white-space: normal;
-}
-/* references */
-.references dt {
-  text-align: right;
-  font-weight: bold;
-  min-width: 10ch;
-  margin-right: 1.5ch;
-}
-.references dt:target::before {
-  content: "⇒";
-  width: 15px;
-  margin: 0 10px 0 -25px;
-}
-.references dd {
-  margin-left: 12ch !important;
-  overflow: auto;
-}
-
-.refInstance {
-  margin-bottom: 1.25em;
-}
-
-.references .ascii {
-  margin-bottom: 0.25em;
-}
-
-/* index */
-#rfc\.index\.index + ul {
-  margin-left: 0;
-}
-
-/* authors */
-address.vcard {
-  font-style: normal;
-  margin: 1em 0;
-}
-address.vcard .nameRole {
-  font-weight: 700;
-  margin-left: 0;
-}
-address.vcard .label {
-  margin: 0.5em 0;
-}
-address.vcard .type {
-  display: none;
-}
-.alternative-contact {
-  margin: 1.5em 0 1em;
-}
-hr.addr {
-  border-top: 1px dashed;
-  margin: 0;
-  color: #ddd;
-  max-width: calc(100% - 16px);
-}
-@media (min-width: 500px) {
-  #authors-addresses > section {
-    column-count: 2;
-    column-gap: 20px;
-  }
-  #authors-addresses > section > h2 {
-    column-span: all;
-  }
-  /* hack for break-inside: avoid-column */
-  #authors-addresses address {
-    display: inline-block;
-    break-inside: avoid-column;
-  }
-}
-
-.rfcEditorRemove p:first-of-type {
-  font-style: italic;
-}
-.cref {
-  background-color: rgba(249, 232, 105, 0.3);
-  padding: 2px 4px;
-}
-.crefSource {
-  font-style: italic;
-}
-/* alternative layout for smaller screens */
-@media screen and (max-width: 929px) {
-  #toc {
-    position: fixed;
-    z-index: 2;
-    top: 0;
-    right: 0;
-    padding: 1px 0 0 0;
-    margin: 0;
-    border-bottom: 1px solid #ccc;
-    opacity: 0.6;
-  }
-  #toc.active {
-      opacity: 1;
-  }
-  #toc h2 {
-    margin: 0;
-    padding: 2px 0 2px 6px;
-    padding-right: 1em;
-    font-size: 18px;
-    line-height: 24px;
-    min-width: 190px;
-    text-align: right;
-    background-color: #444;
-    color: white;
-    cursor: pointer;
-  }
-  #toc h2::before { /* css hamburger */
-    float: right;
-    position: relative;
-    width: 1em;
-    height: 1px;
-    left: -164px;
-    margin: 8px 0 0 0;
-    background: white none repeat scroll 0 0;
-    box-shadow: 0 4px 0 0 white, 0 8px 0 0 white;
-    content: "";
-  }
-  #toc nav {
-    display: none;
-    background-color: var(--background-color);
-    padding: 0.5em 1em 1em;
-    overflow: auto;
-    overscroll-behavior: contain;
-    height: calc(100vh - 48px);
-    border-left: 1px solid #ddd;
-  }
-  #toc.active nav {
-    display: block;
-  }
-  /* Make the collapsed ToC header render white on gray also when it's a link */
-  #toc h2 a,
-  #toc h2 a:link,
-  #toc h2 a:focus,
-  #toc h2 a:hover,
-  #toc a.toplink,
-  #toc a.toplink:hover {
-    color: white;
-    background-color: #444;
-    text-decoration: none;
-  }
-  #toc a.toplink {
-    margin-top: 2px;
-  }
-}
-
-/* alternative layout for wide screens */
-@media screen and (min-width: 930px) {
-  body {
-    padding-right: 360px;
-    padding-right: calc(min(180px + 20%, 500px));
-  }
-  #toc {
-    position: fixed;
-    bottom: 0;
-    right: 0;
-    right: calc(50vw - 480px);
-    width: 312px;
-    margin: 0;
-    padding: 0;
-    z-index: 1;
-  }
-  #toc h2 {
-    margin: 0;
-    padding: 0.25em 1em 1em 0;
-  }
-  #toc nav {
-    display: block;
-    height: calc(90vh - 84px);
-    bottom: 0;
-    padding: 0.5em 0 2em;
-    overflow: auto;
-    overscroll-behavior: contain;
-    scrollbar-width: thin;
-  }
-  #toc nav > ul  {
-    margin-bottom: 2em;
-  }
-  #toc ul {
-    margin: 0 0 0 4px;
-    font-size: var(--small-font-size);
-  }
-  #toc ul :is(p, li) {
-    margin: 2px 0;
-    line-height: 22px;
-  }
-  img { /* future proofing */
-    max-width: 100%;
-    height: auto;
-  }
-}
-
-/* pagination */
-@media print {
-  body {
-    width: 100%;
-  }
-  p {
-    orphans: 3;
-    widows: 3;
-  }
-  #n-copyright-notice {
-    border-bottom: none;
-  }
-  #toc, #n-introduction {
-    page-break-before: always;
-  }
-  #toc {
-    border-top: none;
-    padding-top: 0;
-  }
-  figure, pre, .vcard {
-    page-break-inside: avoid;
-  }
-  h1, h2, h3, h4, h5, h6 {
-    page-break-after: avoid;
-  }
-  :is(h2, h3, h4, h5, h6)+*, dd {
-    page-break-before: avoid;
-  }
-  pre {
-    white-space: pre-wrap;
-    word-wrap: break-word;
-    font-size: 10pt;
-  }
-  table {
-    border: 1px solid #ddd;
-  }
-  td {
-    border-top: 1px solid #ddd;
-  }
-  .toplink {
-    display: none;
-  }
-}
-
-@page :first {
-  padding-top: 0;
-  @top-left {
-    content: normal;
-    border: none;
-  }
-  @top-center {
-    content: normal;
-    border: none;
-  }
-  @top-right {
-    content: normal;
-    border: none;
-  }
-}
-
-@page {
-  size: A4;
-  margin-bottom: 45mm;
-  padding-top: 20px;
-}
-
-/* Changes introduced to fix issues found during implementation */
-
-/* Separate body from document info even without intervening H1 */
-section {
-  clear: both;
-}
-
-/* Top align author divs, to avoid names without organization dropping level with org names */
-.author {
-  vertical-align: top;
-}
-
-/* Style section numbers with more space between number and title */
-.section-number {
-  padding-right: 0.5em;
-}
-
-/* Add styling for a link in the ToC that points to the top of the document */
-a.toplink {
-  float: right;
-  margin: 8px 0.5em 0;
-}
-
-/* Provide styling for table cell text alignment */
-table .text-left {
-  text-align: left;
-}
-table .text-center {
-  text-align: center;
-}
-table .text-right {
-  text-align: right;
-}
-
-/* Make the alternative author contact information look less like just another
-   author, and group it closer with the primary author contact information */
-.alternative-contact {
-  margin: 0.5em 0 0.25em 0;
-}
-address .non-ascii {
-  margin: 0 0 0 2em;
-}
-
-/* With it being possible to set tables with alignment
-  left, center, and right, { width: 100%; } does not make sense */
-table {
-  width: auto;
-}
-
-/* Avoid reference text that sits in a block with very wide left margin,
-   because of a long floating dt label.*/
-.references dd {
-  overflow: visible;
-}
-
-/* Control caption placement */
-caption {
-  caption-side: bottom;
-}
-
-/* Limit the width of the author address vcard, so names in right-to-left
-   script don't end up on the other side of the page. */
-
-address.vcard {
-  max-width: 20em;
-  margin-right: auto;
-}
-
-/* For address alignment dependent on LTR or RTL scripts */
-address div.left {
-  text-align: left;
-}
-address div.right {
-  text-align: right;
-}
-
-/* Dark mode. */
-@media (prefers-color-scheme: dark) {
-:root {
-  --background-color: #121212;
-  --text-color: #f0f0f0;
-  --title-color: #fff;
-  --link-color: #4da4f0;
-  --highlight-color: #282828;
-  --line-color: #444;
-  --pilcrow-weak: #444;
-  --pilcrow-strong: #666;
-  scrollbar-color: #777 #333;
-}
-}
-
-/* SVG Trick: a prefix match works because only black and white are allowed */
-svg :is([stroke="black"], [stroke^="#000"]) {
-  stroke: var(--text-color);
-}
-svg :is([stroke="white"], [stroke^="#fff"]) {
-  stroke: var(--background-color);
-}
-svg :is([fill="black"], [fill^="#000"], :not([fill])) {
-  fill: var(--text-color);
-}
-svg :is([fill="white"], [fill^="#fff"]) {
-  fill: var(--background-color);
-}
-</style>
-
-</head>
-<body class="xml2rfc">
-<table class="ears">
-<thead><tr>
-<td class="left">Internet-Draft</td>
-<td class="center">Privacy Pass Issuance</td>
-<td class="right">October 2023</td>
-</tr></thead>
-<tfoot><tr>
-<td class="left">Celi, et al.</td>
-<td class="center">Expires 15 April 2024</td>
-<td class="right">[Page]</td>
-</tr></tfoot>
-</table>
-<div id="external-metadata" class="document-information"></div>
-<div id="internal-metadata" class="document-information">
-<dl id="identifiers">
-<dt class="label-workgroup">Workgroup:</dt>
-<dd class="workgroup">Network Working Group</dd>
-<dt class="label-internet-draft">Internet-Draft:</dt>
-<dd class="internet-draft">draft-ietf-privacypass-protocol-latest</dd>
-<dt class="label-published">Published:</dt>
-<dd class="published">
-<time datetime="2023-10-13" class="published">13 October 2023</time>
-    </dd>
-<dt class="label-intended-status">Intended Status:</dt>
-<dd class="intended-status">Standards Track</dd>
-<dt class="label-expires">Expires:</dt>
-<dd class="expires"><time datetime="2024-04-15">15 April 2024</time></dd>
-<dt class="label-authors">Authors:</dt>
-<dd class="authors">
-<div class="author">
-      <div class="author-name">S. Celi</div>
-<div class="org">Brave Software</div>
-</div>
-<div class="author">
-      <div class="author-name">A. Davidson</div>
-<div class="org">Brave Software</div>
-</div>
-<div class="author">
-      <div class="author-name">S. Valdez</div>
-<div class="org">Google LLC</div>
-</div>
-<div class="author">
-      <div class="author-name">C. A. Wood</div>
-<div class="org">Cloudflare</div>
-</div>
-</dd>
-</dl>
-</div>
-<h1 id="title">Privacy Pass Issuance Protocol</h1>
-<section id="section-abstract">
-      <h2 id="abstract"><a href="#abstract" class="selfRef">Abstract</a></h2>
-<p id="section-abstract-1">This document specifies two variants of the two-message issuance protocol
-for Privacy Pass tokens: one that produces tokens that are privately
-verifiable using the issuance private key, and another that produces tokens
-that are publicly verifiable using the issuance public key.<a href="#section-abstract-1" class="pilcrow">¶</a></p>
-</section>
-<div id="status-of-memo">
-<section id="section-boilerplate.1">
-        <h2 id="name-status-of-this-memo">
-<a href="#name-status-of-this-memo" class="section-name selfRef">Status of This Memo</a>
-        </h2>
-<p id="section-boilerplate.1-1">
-        This Internet-Draft is submitted in full conformance with the
-        provisions of BCP 78 and BCP 79.<a href="#section-boilerplate.1-1" class="pilcrow">¶</a></p>
-<p id="section-boilerplate.1-2">
-        Internet-Drafts are working documents of the Internet Engineering Task
-        Force (IETF). Note that other groups may also distribute working
-        documents as Internet-Drafts. The list of current Internet-Drafts is
-        at <span><a href="https://datatracker.ietf.org/drafts/current/">https://datatracker.ietf.org/drafts/current/</a></span>.<a href="#section-boilerplate.1-2" class="pilcrow">¶</a></p>
-<p id="section-boilerplate.1-3">
-        Internet-Drafts are draft documents valid for a maximum of six months
-        and may be updated, replaced, or obsoleted by other documents at any
-        time. It is inappropriate to use Internet-Drafts as reference
-        material or to cite them other than as "work in progress."<a href="#section-boilerplate.1-3" class="pilcrow">¶</a></p>
-<p id="section-boilerplate.1-4">
-        This Internet-Draft will expire on 15 April 2024.<a href="#section-boilerplate.1-4" class="pilcrow">¶</a></p>
-</section>
-</div>
-<div id="copyright">
-<section id="section-boilerplate.2">
-        <h2 id="name-copyright-notice">
-<a href="#name-copyright-notice" class="section-name selfRef">Copyright Notice</a>
-        </h2>
-<p id="section-boilerplate.2-1">
-            Copyright (c) 2023 IETF Trust and the persons identified as the
-            document authors. All rights reserved.<a href="#section-boilerplate.2-1" class="pilcrow">¶</a></p>
-<p id="section-boilerplate.2-2">
-            This document is subject to BCP 78 and the IETF Trust's Legal
-            Provisions Relating to IETF Documents
-            (<span><a href="https://trustee.ietf.org/license-info">https://trustee.ietf.org/license-info</a></span>) in effect on the date of
-            publication of this document. Please review these documents
-            carefully, as they describe your rights and restrictions with
-            respect to this document. Code Components extracted from this
-            document must include Revised BSD License text as described in
-            Section 4.e of the Trust Legal Provisions and are provided without
-            warranty as described in the Revised BSD License.<a href="#section-boilerplate.2-2" class="pilcrow">¶</a></p>
-</section>
-</div>
-<div id="toc">
-<section id="section-toc.1">
-        <a href="#" onclick="scroll(0,0)" class="toplink">▲</a><h2 id="name-table-of-contents">
-<a href="#name-table-of-contents" class="section-name selfRef">Table of Contents</a>
-        </h2>
-<nav class="toc"><ul class="compact toc ulBare ulEmpty">
-<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.1">
-            <p id="section-toc.1-1.1.1" class="keepWithNext"><a href="#section-1" class="auto internal xref">1</a>.  <a href="#name-introduction" class="internal xref">Introduction</a></p>
-</li>
-          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.2">
-            <p id="section-toc.1-1.2.1" class="keepWithNext"><a href="#section-2" class="auto internal xref">2</a>.  <a href="#name-terminology" class="internal xref">Terminology</a></p>
-</li>
-          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.3">
-            <p id="section-toc.1-1.3.1" class="keepWithNext"><a href="#section-3" class="auto internal xref">3</a>.  <a href="#name-protocol-overview" class="internal xref">Protocol Overview</a></p>
-</li>
-          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.4">
-            <p id="section-toc.1-1.4.1"><a href="#section-4" class="auto internal xref">4</a>.  <a href="#name-configuration" class="internal xref">Configuration</a></p>
-</li>
-          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.5">
-            <p id="section-toc.1-1.5.1"><a href="#section-5" class="auto internal xref">5</a>.  <a href="#name-issuance-protocol-for-priva" class="internal xref">Issuance Protocol for Privately Verifiable Tokens</a></p>
-<ul class="compact toc ulBare ulEmpty">
-<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.5.2.1">
-                <p id="section-toc.1-1.5.2.1.1"><a href="#section-5.1" class="auto internal xref">5.1</a>.  <a href="#name-client-to-issuer-request" class="internal xref">Client-to-Issuer Request</a></p>
-</li>
-              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.5.2.2">
-                <p id="section-toc.1-1.5.2.2.1"><a href="#section-5.2" class="auto internal xref">5.2</a>.  <a href="#name-issuer-to-client-response" class="internal xref">Issuer-to-Client Response</a></p>
-</li>
-              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.5.2.3">
-                <p id="section-toc.1-1.5.2.3.1"><a href="#section-5.3" class="auto internal xref">5.3</a>.  <a href="#name-finalization" class="internal xref">Finalization</a></p>
-</li>
-              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.5.2.4">
-                <p id="section-toc.1-1.5.2.4.1"><a href="#section-5.4" class="auto internal xref">5.4</a>.  <a href="#name-token-verification" class="internal xref">Token Verification</a></p>
-</li>
-              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.5.2.5">
-                <p id="section-toc.1-1.5.2.5.1"><a href="#section-5.5" class="auto internal xref">5.5</a>.  <a href="#name-issuer-configuration" class="internal xref">Issuer Configuration</a></p>
-</li>
-            </ul>
-</li>
-          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6">
-            <p id="section-toc.1-1.6.1"><a href="#section-6" class="auto internal xref">6</a>.  <a href="#name-issuance-protocol-for-publi" class="internal xref">Issuance Protocol for Publicly Verifiable Tokens</a></p>
-<ul class="compact toc ulBare ulEmpty">
-<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6.2.1">
-                <p id="section-toc.1-1.6.2.1.1"><a href="#section-6.1" class="auto internal xref">6.1</a>.  <a href="#name-client-to-issuer-request-2" class="internal xref">Client-to-Issuer Request</a></p>
-</li>
-              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6.2.2">
-                <p id="section-toc.1-1.6.2.2.1"><a href="#section-6.2" class="auto internal xref">6.2</a>.  <a href="#name-issuer-to-client-response-2" class="internal xref">Issuer-to-Client Response</a></p>
-</li>
-              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6.2.3">
-                <p id="section-toc.1-1.6.2.3.1"><a href="#section-6.3" class="auto internal xref">6.3</a>.  <a href="#name-finalization-2" class="internal xref">Finalization</a></p>
-</li>
-              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6.2.4">
-                <p id="section-toc.1-1.6.2.4.1"><a href="#section-6.4" class="auto internal xref">6.4</a>.  <a href="#name-token-verification-2" class="internal xref">Token Verification</a></p>
-</li>
-              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.6.2.5">
-                <p id="section-toc.1-1.6.2.5.1"><a href="#section-6.5" class="auto internal xref">6.5</a>.  <a href="#name-issuer-configuration-2" class="internal xref">Issuer Configuration</a></p>
-</li>
-            </ul>
-</li>
-          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.7">
-            <p id="section-toc.1-1.7.1"><a href="#section-7" class="auto internal xref">7</a>.  <a href="#name-security-considerations" class="internal xref">Security considerations</a></p>
-</li>
-          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.8">
-            <p id="section-toc.1-1.8.1"><a href="#section-8" class="auto internal xref">8</a>.  <a href="#name-iana-considerations" class="internal xref">IANA considerations</a></p>
-<ul class="compact toc ulBare ulEmpty">
-<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.8.2.1">
-                <p id="section-toc.1-1.8.2.1.1"><a href="#section-8.1" class="auto internal xref">8.1</a>.  <a href="#name-well-known-private-token-is" class="internal xref">Well-Known 'private-token-issuer-directory' URI</a></p>
-</li>
-              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.8.2.2">
-                <p id="section-toc.1-1.8.2.2.1"><a href="#section-8.2" class="auto internal xref">8.2</a>.  <a href="#name-token-type-registry-updates" class="internal xref">Token Type Registry Updates</a></p>
-<ul class="compact toc ulBare ulEmpty">
-<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.8.2.2.2.1">
-                    <p id="section-toc.1-1.8.2.2.2.1.1"><a href="#section-8.2.1" class="auto internal xref">8.2.1</a>.  <a href="#name-token-type-voprf-p-384-sha-" class="internal xref">Token Type VOPRF (P-384, SHA-384)</a></p>
-</li>
-                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.8.2.2.2.2">
-                    <p id="section-toc.1-1.8.2.2.2.2.1"><a href="#section-8.2.2" class="auto internal xref">8.2.2</a>.  <a href="#name-token-type-blind-rsa-2048-b" class="internal xref">Token Type Blind RSA (2048-bit)</a></p>
-</li>
-                </ul>
-</li>
-              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.8.2.3">
-                <p id="section-toc.1-1.8.2.3.1"><a href="#section-8.3" class="auto internal xref">8.3</a>.  <a href="#name-media-types" class="internal xref">Media Types</a></p>
-<ul class="compact toc ulBare ulEmpty">
-<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.8.2.3.2.1">
-                    <p id="section-toc.1-1.8.2.3.2.1.1"><a href="#section-8.3.1" class="auto internal xref">8.3.1</a>.  <a href="#name-application-private-token-i" class="internal xref">"application/private-token-issuer-directory" media type</a></p>
-</li>
-                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.8.2.3.2.2">
-                    <p id="section-toc.1-1.8.2.3.2.2.1"><a href="#section-8.3.2" class="auto internal xref">8.3.2</a>.  <a href="#name-application-private-token-r" class="internal xref">"application/private-token-request" media type</a></p>
-</li>
-                  <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.8.2.3.2.3">
-                    <p id="section-toc.1-1.8.2.3.2.3.1"><a href="#section-8.3.3" class="auto internal xref">8.3.3</a>.  <a href="#name-application-private-token-re" class="internal xref">"application/private-token-response" media type</a></p>
-</li>
-                </ul>
-</li>
-            </ul>
-</li>
-          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.9">
-            <p id="section-toc.1-1.9.1"><a href="#section-9" class="auto internal xref">9</a>.  <a href="#name-references" class="internal xref">References</a></p>
-<ul class="compact toc ulBare ulEmpty">
-<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.9.2.1">
-                <p id="section-toc.1-1.9.2.1.1"><a href="#section-9.1" class="auto internal xref">9.1</a>.  <a href="#name-normative-references" class="internal xref">Normative References</a></p>
-</li>
-              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.9.2.2">
-                <p id="section-toc.1-1.9.2.2.1"><a href="#section-9.2" class="auto internal xref">9.2</a>.  <a href="#name-informative-references" class="internal xref">Informative References</a></p>
-</li>
-            </ul>
-</li>
-          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.10">
-            <p id="section-toc.1-1.10.1"><a href="#appendix-A" class="auto internal xref">Appendix A</a>.  <a href="#name-acknowledgements" class="internal xref">Acknowledgements</a></p>
-</li>
-          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.11">
-            <p id="section-toc.1-1.11.1"><a href="#appendix-B" class="auto internal xref">Appendix B</a>.  <a href="#name-test-vectors" class="internal xref">Test Vectors</a></p>
-<ul class="compact toc ulBare ulEmpty">
-<li class="compact toc ulBare ulEmpty" id="section-toc.1-1.11.2.1">
-                <p id="section-toc.1-1.11.2.1.1"><a href="#appendix-B.1" class="auto internal xref">B.1</a>.  <a href="#name-issuance-protocol-1-voprfp-" class="internal xref">Issuance Protocol 1 - VOPRF(P-384, SHA-384)</a></p>
-</li>
-              <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.11.2.2">
-                <p id="section-toc.1-1.11.2.2.1"><a href="#appendix-B.2" class="auto internal xref">B.2</a>.  <a href="#name-issuance-protocol-2-blind-r" class="internal xref">Issuance Protocol 2 - Blind RSA, 2048</a></p>
-</li>
-            </ul>
-</li>
-          <li class="compact toc ulBare ulEmpty" id="section-toc.1-1.12">
-            <p id="section-toc.1-1.12.1"><a href="#appendix-C" class="auto internal xref"></a><a href="#name-authors-addresses" class="internal xref">Authors' Addresses</a></p>
-</li>
-        </ul>
-</nav>
-</section>
-</div>
-<div id="introduction">
-<section id="section-1">
-      <h2 id="name-introduction">
-<a href="#section-1" class="section-number selfRef">1. </a><a href="#name-introduction" class="section-name selfRef">Introduction</a>
-      </h2>
-<p id="section-1-1">The Privacy Pass protocol provides a privacy-preserving authorization
-mechanism. In essence, the protocol allows clients to provide cryptographic
-tokens that prove nothing other than that they have been created by a given
-server in the past <span>[<a href="#ARCHITECTURE" class="cite xref">ARCHITECTURE</a>]</span>.<a href="#section-1-1" class="pilcrow">¶</a></p>
-<p id="section-1-2">This document describes the issuance protocol for Privacy Pass built on
-<span>[<a href="#HTTP" class="cite xref">HTTP</a>]</span>. It specifies two variants: one that is privately verifiable
-using the issuance private key based on the oblivious pseudorandom function from
-<span>[<a href="#OPRF" class="cite xref">OPRF</a>]</span>, and one that is publicly verifiable using the
-issuance public key based on the blind RSA signature scheme
-<span>[<a href="#BLINDRSA" class="cite xref">BLINDRSA</a>]</span>.<a href="#section-1-2" class="pilcrow">¶</a></p>
-<p id="section-1-3">This document does not cover the Privacy Pass architecture, including
-choices that are necessary for deployment and application specific choices
-for protecting client privacy. This information is covered in <span>[<a href="#ARCHITECTURE" class="cite xref">ARCHITECTURE</a>]</span>.<a href="#section-1-3" class="pilcrow">¶</a></p>
-</section>
-</div>
-<div id="terminology">
-<section id="section-2">
-      <h2 id="name-terminology">
-<a href="#section-2" class="section-number selfRef">2. </a><a href="#name-terminology" class="section-name selfRef">Terminology</a>
-      </h2>
-<p id="section-2-1">The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
-NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED",
-"MAY", and "OPTIONAL" in this document are to be interpreted as
-described in BCP 14 <span>[<a href="#RFC2119" class="cite xref">RFC2119</a>]</span> <span>[<a href="#RFC8174" class="cite xref">RFC8174</a>]</span> when, and only when, they
-appear in all capitals, as shown here.<a href="#section-2-1" class="pilcrow">¶</a></p>
-<p id="section-2-2">This document uses the terms Origin, Client, Issuer, and Token as defined in
-<span><a href="https://datatracker.ietf.org/doc/html/draft-ietf-privacypass-architecture-16#section-2" class="relref">Section 2</a> of [<a href="#ARCHITECTURE" class="cite xref">ARCHITECTURE</a>]</span>. Moreover, the following additional terms are
-used throughout this document.<a href="#section-2-2" class="pilcrow">¶</a></p>
-<ul class="normal">
-<li class="normal" id="section-2-3.1">
-          <p id="section-2-3.1.1">Issuer Public Key: The public key (from a private-public key pair) used by
-the Issuer for issuing and verifying Tokens.<a href="#section-2-3.1.1" class="pilcrow">¶</a></p>
-</li>
-        <li class="normal" id="section-2-3.2">
-          <p id="section-2-3.2.1">Issuer Private Key: The private key (from a private-public key pair) used by
-the Issuer for issuing and verifying Tokens.<a href="#section-2-3.2.1" class="pilcrow">¶</a></p>
-</li>
-      </ul>
-<p id="section-2-4">Unless otherwise specified, this document encodes protocol messages in TLS
-notation from <span><a href="https://rfc-editor.org/rfc/rfc8446#section-3" class="relref">Section 3</a> of [<a href="#TLS13" class="cite xref">TLS13</a>]</span>. Moreover, all constants are in
-network byte order.<a href="#section-2-4" class="pilcrow">¶</a></p>
-</section>
-</div>
-<div id="protocol-overview">
-<section id="section-3">
-      <h2 id="name-protocol-overview">
-<a href="#section-3" class="section-number selfRef">3. </a><a href="#name-protocol-overview" class="section-name selfRef">Protocol Overview</a>
-      </h2>
-<p id="section-3-1">The issuance protocols defined in this document embody the core of Privacy Pass.
-Clients receive TokenChallenge inputs from the redemption protocol
-(<span>[<a href="#AUTHSCHEME" class="cite xref">AUTHSCHEME</a>], <a href="https://datatracker.ietf.org/doc/html/draft-ietf-privacypass-auth-scheme-14#section-2.1" class="relref">Section 2.1</a></span>) and use the issuance protocols to produce
-corresponding Token values (<span>[<a href="#AUTHSCHEME" class="cite xref">AUTHSCHEME</a>], <a href="https://datatracker.ietf.org/doc/html/draft-ietf-privacypass-auth-scheme-14#section-2.2" class="relref">Section 2.2</a></span>). The issuance protocol
-describes how Clients and Issuers interact to compute a token using a one-round
-protocol consisting of a TokenRequest from the Client and TokenResponse from
-the Issuer. This interaction is shown below.<a href="#section-3-1" class="pilcrow">¶</a></p>
-<span id="name-issuance-overview"></span><div id="fig-issuance">
-<figure id="figure-1">
-        <div id="section-3-2.1">
-          <div class="alignLeft art-svg artwork" id="section-3-2.1.1">
-<svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="224" width="520" viewBox="0 0 520 224" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
-              <path d="M 8,32 L 8,64" fill="none" stroke="black"></path>
-              <path d="M 40,64 L 40,208" fill="none" stroke="black"></path>
-              <path d="M 80,32 L 80,64" fill="none" stroke="black"></path>
-              <path d="M 184,32 L 184,64" fill="none" stroke="black"></path>
-              <path d="M 216,64 L 216,208" fill="none" stroke="black"></path>
-              <path d="M 256,32 L 256,64" fill="none" stroke="black"></path>
-              <path d="M 336,32 L 336,64" fill="none" stroke="black"></path>
-              <path d="M 376,64 L 376,144" fill="none" stroke="black"></path>
-              <path d="M 376,192 L 376,208" fill="none" stroke="black"></path>
-              <path d="M 424,32 L 424,64" fill="none" stroke="black"></path>
-              <path d="M 440,32 L 440,64" fill="none" stroke="black"></path>
-              <path d="M 472,64 L 472,208" fill="none" stroke="black"></path>
-              <path d="M 512,32 L 512,64" fill="none" stroke="black"></path>
-              <path d="M 8,32 L 80,32" fill="none" stroke="black"></path>
-              <path d="M 184,32 L 256,32" fill="none" stroke="black"></path>
-              <path d="M 336,32 L 424,32" fill="none" stroke="black"></path>
-              <path d="M 440,32 L 512,32" fill="none" stroke="black"></path>
-              <path d="M 8,64 L 80,64" fill="none" stroke="black"></path>
-              <path d="M 184,64 L 256,64" fill="none" stroke="black"></path>
-              <path d="M 336,64 L 424,64" fill="none" stroke="black"></path>
-              <path d="M 440,64 L 512,64" fill="none" stroke="black"></path>
-              <path d="M 48,96 L 88,96" fill="none" stroke="black"></path>
-              <path d="M 168,96 L 216,96" fill="none" stroke="black"></path>
-              <path d="M 40,112 L 56,112" fill="none" stroke="black"></path>
-              <path d="M 192,112 L 208,112" fill="none" stroke="black"></path>
-              <path d="M 224,126 L 240,126" fill="none" stroke="black"></path>
-              <path d="M 224,130 L 240,130" fill="none" stroke="black"></path>
-              <path d="M 352,126 L 368,126" fill="none" stroke="black"></path>
-              <path d="M 352,130 L 368,130" fill="none" stroke="black"></path>
-              <path d="M 216,160 L 288,160" fill="none" stroke="black"></path>
-              <path d="M 408,160 L 464,160" fill="none" stroke="black"></path>
-              <path d="M 224,176 L 288,176" fill="none" stroke="black"></path>
-              <path d="M 416,176 L 472,176" fill="none" stroke="black"></path>
-              <path d="M 48,192 L 64,192" fill="none" stroke="black"></path>
-              <path d="M 192,192 L 216,192" fill="none" stroke="black"></path>
-              <polygon class="arrowhead" points="472,160 460,154.4 460,165.6" fill="black" transform="rotate(0,464,160)"></polygon>
-              <polygon class="arrowhead" points="376,128 364,122.4 364,133.6" fill="black" transform="rotate(0,368,128)"></polygon>
-              <polygon class="arrowhead" points="232,176 220,170.4 220,181.6" fill="black" transform="rotate(180,224,176)"></polygon>
-              <polygon class="arrowhead" points="232,128 220,122.4 220,133.6" fill="black" transform="rotate(180,224,128)"></polygon>
-              <polygon class="arrowhead" points="216,112 204,106.4 204,117.6" fill="black" transform="rotate(0,208,112)"></polygon>
-              <polygon class="arrowhead" points="56,192 44,186.4 44,197.6" fill="black" transform="rotate(180,48,192)"></polygon>
-              <polygon class="arrowhead" points="56,96 44,90.4 44,101.6" fill="black" transform="rotate(180,48,96)"></polygon>
-              <g class="text">
-                <text x="44" y="52">Origin</text>
-                <text x="220" y="52">Client</text>
-                <text x="380" y="52">Attester</text>
-                <text x="476" y="52">Issuer</text>
-                <text x="128" y="100">Request</text>
-                <text x="124" y="116">TokenChallenge</text>
-                <text x="296" y="132">Attestation</text>
-                <text x="348" y="164">TokenRequest</text>
-                <text x="352" y="180">TokenResponse</text>
-                <text x="128" y="196">Request+Token</text>
-              </g>
-            </svg><a href="#section-3-2.1.1" class="pilcrow">¶</a>
-</div>
-</div>
-<figcaption><a href="#figure-1" class="selfRef">Figure 1</a>:
-<a href="#name-issuance-overview" class="selfRef">Issuance Overview</a>
-        </figcaption></figure>
-</div>
-<p id="section-3-3">The TokenChallenge inputs to the issuance protocols described in this
-document can be interactive or non-interactive, and per-origin or cross-origin.<a href="#section-3-3" class="pilcrow">¶</a></p>
-<p id="section-3-4">The issuance protocols defined in this document are compatible with any
-deployment model defined in <span><a href="https://datatracker.ietf.org/doc/html/draft-ietf-privacypass-architecture-16#section-4" class="relref">Section 4</a> of [<a href="#ARCHITECTURE" class="cite xref">ARCHITECTURE</a>]</span>. The details of
-attestation are outside the scope of the issuance protocol; see
-<span><a href="https://datatracker.ietf.org/doc/html/draft-ietf-privacypass-architecture-16#section-4" class="relref">Section 4</a> of [<a href="#ARCHITECTURE" class="cite xref">ARCHITECTURE</a>]</span> for information about how attestation can
-be implemented in each of the relevant deployment models.<a href="#section-3-4" class="pilcrow">¶</a></p>
-<p id="section-3-5">This document describes two variants of the issuance protocol: one that is
-privately verifiable (<a href="#private-flow" class="auto internal xref">Section 5</a>) using the issuance private key based on
-the oblivious pseudorandom function from <span>[<a href="#OPRF" class="cite xref">OPRF</a>]</span>, and one
-that is publicly verifiable (<a href="#public-flow" class="auto internal xref">Section 6</a>) using the issuance public key
-based on the blind RSA signature scheme
-<span>[<a href="#BLINDRSA" class="cite xref">BLINDRSA</a>]</span>.<a href="#section-3-5" class="pilcrow">¶</a></p>
-</section>
-</div>
-<div id="setup">
-<section id="section-4">
-      <h2 id="name-configuration">
-<a href="#section-4" class="section-number selfRef">4. </a><a href="#name-configuration" class="section-name selfRef">Configuration</a>
-      </h2>
-<p id="section-4-1">Issuers MUST provide two parameters for configuration:<a href="#section-4-1" class="pilcrow">¶</a></p>
-<ol start="1" type="1" class="normal type-1" id="section-4-2">
-<li id="section-4-2.1">
-          <p id="section-4-2.1.1">Issuer Request URL: A token request URL for generating access tokens.
-For example, an Issuer URL might be
-https://issuer.example.net/request.<a href="#section-4-2.1.1" class="pilcrow">¶</a></p>
-</li>
-        <li id="section-4-2.2">
-          <p id="section-4-2.2.1">Issuer Public Key values: A list of Issuer Public Keys for the issuance
-protocol.<a href="#section-4-2.2.1" class="pilcrow">¶</a></p>
-</li>
-      </ol>
-<p id="section-4-3">The Issuer parameters can be obtained from an Issuer via a directory object,
-which is a JSON object (<span>[<a href="#RFC8259" class="cite xref">RFC8259</a>], <a href="https://rfc-editor.org/rfc/rfc8259#section-4" class="relref">Section 4</a></span>) whose values are other JSON
-values (<span>[<a href="#RFC8259" class="cite xref">RFC8259</a>], <a href="https://rfc-editor.org/rfc/rfc8259#section-3" class="relref">Section 3</a></span>) for the parameters. The contents of this JSON
-object are defined in <a href="#directory-values" class="auto internal xref">Table 1</a>.<a href="#section-4-3" class="pilcrow">¶</a></p>
-<span id="name-issuer-directory-object-des"></span><div id="directory-values">
-<table class="center" id="table-1">
-        <caption>
-<a href="#table-1" class="selfRef">Table 1</a>:
-<a href="#name-issuer-directory-object-des" class="selfRef">Issuer directory object description</a>
-        </caption>
-<thead>
-          <tr>
-            <th class="text-left" rowspan="1" colspan="1">Field Name</th>
-            <th class="text-left" rowspan="1" colspan="1">Value</th>
-          </tr>
-        </thead>
-        <tbody>
-          <tr>
-            <td class="text-left" rowspan="1" colspan="1">issuer-request-uri</td>
-            <td class="text-left" rowspan="1" colspan="1">Issuer Request URL value (as an absolute URL, or a URL relative to the directory object) as a percent-encoded URL string, represented as a JSON string (<span>[<a href="#RFC8259" class="cite xref">RFC8259</a>], <a href="https://rfc-editor.org/rfc/rfc8259#section-7" class="relref">Section 7</a></span>)</td>
-          </tr>
-          <tr>
-            <td class="text-left" rowspan="1" colspan="1">token-keys</td>
-            <td class="text-left" rowspan="1" colspan="1">List of Issuer Public Key values, each represented as JSON objects (<span>[<a href="#RFC8259" class="cite xref">RFC8259</a>], <a href="https://rfc-editor.org/rfc/rfc8259#section-4" class="relref">Section 4</a></span>)</td>
-          </tr>
-        </tbody>
-      </table>
-</div>
-<p id="section-4-5">Each "token-keys" JSON object contains the fields and corresponding raw values
-defined in <a href="#tokenkeys-values" class="auto internal xref">Table 2</a>.<a href="#section-4-5" class="pilcrow">¶</a></p>
-<span id="name-issuer-token-keys-object-de"></span><div id="tokenkeys-values">
-<table class="center" id="table-2">
-        <caption>
-<a href="#table-2" class="selfRef">Table 2</a>:
-<a href="#name-issuer-token-keys-object-de" class="selfRef">Issuer 'token-keys' object description'</a>
-        </caption>
-<thead>
-          <tr>
-            <th class="text-left" rowspan="1" colspan="1">Field Name</th>
-            <th class="text-left" rowspan="1" colspan="1">Value</th>
-          </tr>
-        </thead>
-        <tbody>
-          <tr>
-            <td class="text-left" rowspan="1" colspan="1">token-type</td>
-            <td class="text-left" rowspan="1" colspan="1">Integer value of the Token Type, as defined in <a href="#token-type" class="auto internal xref">Section 8.2</a>, represented as a JSON number (<span>[<a href="#RFC8259" class="cite xref">RFC8259</a>], <a href="https://rfc-editor.org/rfc/rfc8259#section-6" class="relref">Section 6</a></span>)</td>
-          </tr>
-          <tr>
-            <td class="text-left" rowspan="1" colspan="1">token-key</td>
-            <td class="text-left" rowspan="1" colspan="1">The base64url-encoded <span>[<a href="#RFC4648" class="cite xref">RFC4648</a>]</span> Public Key for use with the issuance protocol as determined by the token-type field, including padding, represented as a JSON string (<span>[<a href="#RFC8259" class="cite xref">RFC8259</a>], <a href="https://rfc-editor.org/rfc/rfc8259#section-7" class="relref">Section 7</a></span>)</td>
-          </tr>
-        </tbody>
-      </table>
-</div>
-<p id="section-4-7">Each "token-keys" JSON object may also contain the optional field "not-before".
-The value of this field is the UNIX timestamp (number of seconds since
-January 1, 1970, UTC -- see <span><a href="https://rfc-editor.org/rfc/rfc8877#section-4.2.1" class="relref">Section 4.2.1</a> of [<a href="#TIMESTAMP" class="cite xref">TIMESTAMP</a>]</span>) at which
-the key can be used. If this field is present, Clients SHOULD NOT use a token
-key before this timestamp, as doing so can lead to issuance failures. The
-purpose of this field is to assist in scheduled key rotations.<a href="#section-4-7" class="pilcrow">¶</a></p>
-<p id="section-4-8">Beyond staging keys with the "not-before" value, Issuers MAY advertise multiple
-"token-keys" for the same token-type to facilitate key rotation. In this case,
-Issuers indicate preference for which token key to use based on the order of
-keys in the list, with preference given to keys earlier in the list. Clients
-SHOULD use the first key in the "token-keys" list that either does not have a
-"not-before" value or has a "not-before" value in the past, since the first such key is the
-most likely to be valid in the given time window. Origins can attempt
-to use any key in the "token-keys" list to verify tokens, starting with the most
-preferred key in the list. Trial verification like this can help deal with Client
-clock skew.<a href="#section-4-8" class="pilcrow">¶</a></p>
-<p id="section-4-9">Altogether, the Issuer's directory could look like the following (with the
-"token-key" fields abbreviated):<a href="#section-4-9" class="pilcrow">¶</a></p>
-<div class="alignLeft art-text artwork" id="section-4-10">
-<pre>
- {
-    "issuer-request-uri": "https://issuer.example.net/request",
-    "token-keys": [
-      {
-        "token-type": 2,
-        "token-key": "MI...AB",
-        "not-before": 1686913811,
-      },
-      {
-        "token-type": 2,
-        "token-key": "MI...AQ",
-      }
-    ]
- }
-</pre><a href="#section-4-10" class="pilcrow">¶</a>
-</div>
-<p id="section-4-11">Clients that use this directory resource before 1686913811 in UNIX time would use the
-second key in the "token-keys" list, whereas Clients that use this directory after
-1686913811 in UNIX time would use the first key in the "token-keys" list.<a href="#section-4-11" class="pilcrow">¶</a></p>
-<p id="section-4-12">A complete "token-key" value, encoded as it would be in the Issuer directory,
-would look like the following (line breaks are inserted to fit within the per-line
-character limits):<a href="#section-4-12" class="pilcrow">¶</a></p>
-<div class="alignLeft art-text artwork" id="section-4-13">
-<pre>
-$ echo MIIBUjA9BgkqhkiG9w0BAQowMKANMAsGCWCGSAFlAwQCAqEaMBgGCSqGSIb3DQEBCDAL \
- BglghkgBZQMEAgKiAwIBMAOCAQ8AMIIBCgKCAQEAmKHGAMyeoJt1pj3n7xTtqAPr_DhZAPhJM7 \
- Pc8ENR2BzdZwPTTF7KFKms5wt-mL01at0SC-cdBuIj6WYK8Ovz0AyaBuvTvW6SKCh7ZPXEqCGR \
- sq5I0nthREtrYkGo113oMVPVp3sy4VHPgzd8KdzTLGzOrjiUOsSFWbjf21iaVjXJ2VdwdS-8O- \
- 430wkucYjGeOJwi8rWx_ZkcHtav0S67Q_SlExJel6nyRzpuuID9OQm1nxfs1Z4PhWBzt93T2oz \
- Tnda3OklF5n0pIXD6bttmTekIw_8Xx2LMis0jfJ1QL99aA-muXRFN4ZUwORrF7cAcCUD_-56_6 \
- fh9s34FmqBGwIDAQAB \
- | sed s/-/+/g | sed s/_/\\//g | openssl base64 -d \
- | openssl asn1parse -dump -inform DER
-    0:d=0  hl=4 l= 338 cons: SEQUENCE
-    4:d=1  hl=2 l=  61 cons: SEQUENCE
-    6:d=2  hl=2 l=   9 prim: OBJECT            :rsassaPss
-   17:d=2  hl=2 l=  48 cons: SEQUENCE
-   19:d=3  hl=2 l=  13 cons: cont [ 0 ]
-   21:d=4  hl=2 l=  11 cons: SEQUENCE
-   23:d=5  hl=2 l=   9 prim: OBJECT            :sha384
-   34:d=3  hl=2 l=  26 cons: cont [ 1 ]
-   36:d=4  hl=2 l=  24 cons: SEQUENCE
-   38:d=5  hl=2 l=   9 prim: OBJECT            :mgf1
-   49:d=5  hl=2 l=  11 cons: SEQUENCE
-   51:d=6  hl=2 l=   9 prim: OBJECT            :sha384
-   62:d=3  hl=2 l=   3 cons: cont [ 2 ]
-   64:d=4  hl=2 l=   1 prim: INTEGER           :30
-   67:d=1  hl=4 l= 271 prim: BIT STRING
-   ... truncated public key bytes ...
-</pre><a href="#section-4-13" class="pilcrow">¶</a>
-</div>
-<p id="section-4-14">Issuer directory resources have the media type
-"application/private-token-issuer-directory" and are located at the well-known location
-/.well-known/private-token-issuer-directory; see <a href="#wkuri-reg" class="auto internal xref">Section 8.1</a> for the registration
-information for this well-known URI. The reason that this resource is located
-at a well-known URI is that Issuers are defined by an origin name in TokenChallenge
-structures; see <span><a href="https://datatracker.ietf.org/doc/html/draft-ietf-privacypass-auth-scheme-14#section-2.1" class="relref">Section 2.1</a> of [<a href="#AUTHSCHEME" class="cite xref">AUTHSCHEME</a>]</span>.<a href="#section-4-14" class="pilcrow">¶</a></p>
-<p id="section-4-15">The Issuer directory and Issuer resources SHOULD be available on the same origin. If
-an Issuer wants to service multiple different Issuer directories they MUST create
-unique subdomains for each so the TokenChallenge defined in
-<span><a href="https://datatracker.ietf.org/doc/html/draft-ietf-privacypass-auth-scheme-14#section-2.1" class="relref">Section 2.1</a> of [<a href="#AUTHSCHEME" class="cite xref">AUTHSCHEME</a>]</span> can be
-differentiated correctly.<a href="#section-4-15" class="pilcrow">¶</a></p>
-<p id="section-4-16">Issuers SHOULD use HTTP cache directives to permit caching of this resource
-<span>[<a href="#RFC5861" class="cite xref">RFC5861</a>]</span>. The cache lifetime depends on the Issuer's key rotation schedule.
-Regular rotation of token keys is recommended to minimize the risk of key
-compromise and any harmful effects that happen due to key compromise.<a href="#section-4-16" class="pilcrow">¶</a></p>
-<p id="section-4-17">Issuers can control cache lifetime with the Cache-Control header, as follows:<a href="#section-4-17" class="pilcrow">¶</a></p>
-<div class="alignLeft art-text artwork" id="section-4-18">
-<pre>
-  Cache-Control: max-age=86400
-</pre><a href="#section-4-18" class="pilcrow">¶</a>
-</div>
-<p id="section-4-19">Consumers of the Issuer directory resource SHOULD follow the usual HTTP caching
-<span>[<a href="#RFC9111" class="cite xref">RFC9111</a>]</span> semantics when processing this resource. Long cache lifetimes may
-result in use of stale Issuer configuration information, whereas short
-lifetimes may result in decreased performance. When use of an Issuer
-configuration results in token issuance failures, e.g., because the
-Issuer has invalidated its directory resource before its expiration
-time and issuance requests using this configuration are unsuccessful,
-the directory SHOULD be fetched and revalidated. Issuance will continue
-to fail until the Issuer configuration is updated.<a href="#section-4-19" class="pilcrow">¶</a></p>
-</section>
-</div>
-<div id="private-flow">
-<section id="section-5">
-      <h2 id="name-issuance-protocol-for-priva">
-<a href="#section-5" class="section-number selfRef">5. </a><a href="#name-issuance-protocol-for-priva" class="section-name selfRef">Issuance Protocol for Privately Verifiable Tokens</a>
-      </h2>
-<p id="section-5-1">The privately verifiable issuance protocol allows Clients to produce Token
-values that verify using the Issuer Private Key. This protocol is based
-on the oblivious pseudorandom function from <span>[<a href="#OPRF" class="cite xref">OPRF</a>]</span>.<a href="#section-5-1" class="pilcrow">¶</a></p>
-<p id="section-5-2">Issuers provide a Issuer Private and Public Key, denoted <code>skI</code> and <code>pkI</code> respectively,
-used to produce tokens as input to the protocol. See <a href="#issuer-configuration" class="auto internal xref">Section 5.5</a>
-for how these keys are generated.<a href="#section-5-2" class="pilcrow">¶</a></p>
-<p id="section-5-3">Clients provide the following as input to the issuance protocol:<a href="#section-5-3" class="pilcrow">¶</a></p>
-<ul class="normal">
-<li class="normal" id="section-5-4.1">
-          <p id="section-5-4.1.1">Issuer Request URL: A URL identifying the location to which issuance requests
-are sent. This can be a URL derived from the "issuer-request-uri" value in the
-Issuer's directory resource, or it can be another Client-configured URL. The value
-of this parameter depends on the Client configuration and deployment model.
-For example, in the 'Joint Origin and Issuer' deployment model, the Issuer
-Request URL might correspond to the Client's configured Attester, and the
-Attester is configured to relay requests to the Issuer.<a href="#section-5-4.1.1" class="pilcrow">¶</a></p>
-</li>
-        <li class="normal" id="section-5-4.2">
-          <p id="section-5-4.2.1">Issuer name: An identifier for the Issuer. This is typically a host name that
-can be used to construct HTTP requests to the Issuer.<a href="#section-5-4.2.1" class="pilcrow">¶</a></p>
-</li>
-        <li class="normal" id="section-5-4.3">
-          <p id="section-5-4.3.1">Issuer Public Key: <code>pkI</code>, with a key identifier <code>token_key_id</code> computed as
-described in <a href="#issuer-configuration" class="auto internal xref">Section 5.5</a>.<a href="#section-5-4.3.1" class="pilcrow">¶</a></p>
-</li>
-        <li class="normal" id="section-5-4.4">
-          <p id="section-5-4.4.1">Challenge value: <code>challenge</code>, an opaque byte string. For example, this might
-be provided by the redemption protocol in <span>[<a href="#AUTHSCHEME" class="cite xref">AUTHSCHEME</a>]</span>.<a href="#section-5-4.4.1" class="pilcrow">¶</a></p>
-</li>
-      </ul>
-<p id="section-5-5">Given this configuration and these inputs, the two messages exchanged in
-this protocol are described below. This section uses notation described in
-<span>[<a href="#OPRF" class="cite xref">OPRF</a>], <a href="https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-voprf-21#section-4" class="relref">Section 4</a></span>, including SerializeElement and DeserializeElement,
-SerializeScalar and DeserializeScalar, and DeriveKeyPair.<a href="#section-5-5" class="pilcrow">¶</a></p>
-<p id="section-5-6">The constants <code>Ne</code> and <code>Ns</code> are as defined in <span>[<a href="#OPRF" class="cite xref">OPRF</a>], <a href="https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-voprf-21#section-4" class="relref">Section 4</a></span> for
-OPRF(P-384, SHA-384). The constant <code>Nk</code>, which is also equal to <code>Nh</code> as defined
-in <span>[<a href="#OPRF" class="cite xref">OPRF</a>], <a href="https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-voprf-21#section-4" class="relref">Section 4</a></span>, is defined by <a href="#private-token-type" class="auto internal xref">Section 8.2.1</a>.<a href="#section-5-6" class="pilcrow">¶</a></p>
-<div id="private-request">
-<section id="section-5.1">
-        <h3 id="name-client-to-issuer-request">
-<a href="#section-5.1" class="section-number selfRef">5.1. </a><a href="#name-client-to-issuer-request" class="section-name selfRef">Client-to-Issuer Request</a>
-        </h3>
-<p id="section-5.1-1">The Client first creates a context as follows:<a href="#section-5.1-1" class="pilcrow">¶</a></p>
-<div class="alignLeft art-text artwork" id="section-5.1-2">
-<pre>
-client_context = SetupVOPRFClient("P384-SHA384", pkI)
-</pre><a href="#section-5.1-2" class="pilcrow">¶</a>
-</div>
-<p id="section-5.1-3">Here, "P384-SHA384" is the identifier corresponding to the
-OPRF(P-384, SHA-384) ciphersuite in <span>[<a href="#OPRF" class="cite xref">OPRF</a>]</span>. SetupVOPRFClient
-is defined in <span>[<a href="#OPRF" class="cite xref">OPRF</a>], <a href="https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-voprf-21#section-3.2" class="relref">Section 3.2</a></span>.<a href="#section-5.1-3" class="pilcrow">¶</a></p>
-<p id="section-5.1-4">The Client then creates an issuance request message for a random 32-byte value <code>nonce</code>
-with the input challenge and Issuer key identifier as described below:<a href="#section-5.1-4" class="pilcrow">¶</a></p>
-<div class="alignLeft art-text artwork" id="section-5.1-5">
-<pre>
-nonce = random(32)
-challenge_digest = SHA256(challenge)
-token_input = concat(0x0001, // Token type field is 2 bytes long
-                     nonce,
-                     challenge_digest,
-                     token_key_id)
-blind, blinded_element = client_context.Blind(token_input)
-</pre><a href="#section-5.1-5" class="pilcrow">¶</a>
-</div>
-<p id="section-5.1-6">The Blind function is defined in <span>[<a href="#OPRF" class="cite xref">OPRF</a>], <a href="https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-voprf-21#section-3.3.2" class="relref">Section 3.3.2</a></span>.
-If the Blind function fails, the Client aborts the protocol.
-The Client stores the <code>nonce</code> and <code>challenge_digest</code> values locally
-for use when finalizing the issuance protocol to produce a token
-(as described in <a href="#private-finalize" class="auto internal xref">Section 5.3</a>).<a href="#section-5.1-6" class="pilcrow">¶</a></p>
-<p id="section-5.1-7">The Client then creates a TokenRequest structured as follows:<a href="#section-5.1-7" class="pilcrow">¶</a></p>
-<div class="alignLeft art-text artwork" id="section-5.1-8">
-<pre>
-struct {
-  uint16_t token_type = 0x0001; /* Type VOPRF(P-384, SHA-384) */
-  uint8_t truncated_token_key_id;
-  uint8_t blinded_msg[Ne];
-} TokenRequest;
-</pre><a href="#section-5.1-8" class="pilcrow">¶</a>
-</div>
-<p id="section-5.1-9">The structure fields are defined as follows:<a href="#section-5.1-9" class="pilcrow">¶</a></p>
-<ul class="normal">
-<li class="normal" id="section-5.1-10.1">
-            <p id="section-5.1-10.1.1">"token_type" is a 2-octet integer, which matches the type in the challenge.<a href="#section-5.1-10.1.1" class="pilcrow">¶</a></p>
-</li>
-          <li class="normal" id="section-5.1-10.2">
-            <p id="section-5.1-10.2.1">"truncated_token_key_id" is the least significant byte of the <code>token_key_id</code>
-(<a href="#issuer-configuration" class="auto internal xref">Section 5.5</a>) in network byte order (in other words, the last 8
-bits of <code>token_key_id</code>). This value is truncated so that Issuers cannot use
-<code>token_key_id</code> as a way of uniquely identifying Clients; see <a href="#security" class="auto internal xref">Section 7</a>
-and referenced information for more details.<a href="#section-5.1-10.2.1" class="pilcrow">¶</a></p>
-</li>
-          <li class="normal" id="section-5.1-10.3">
-            <p id="section-5.1-10.3.1">"blinded_msg" is the Ne-octet blinded message defined above, computed as
-<code>SerializeElement(blinded_element)</code>.<a href="#section-5.1-10.3.1" class="pilcrow">¶</a></p>
-</li>
-        </ul>
-<p id="section-5.1-11">The values <code>token_input</code> and <code>blinded_element</code> are stored locally and used
-later as described in <a href="#private-finalize" class="auto internal xref">Section 5.3</a>. The Client then generates an HTTP
-POST request to send to the Issuer Request URL, with the TokenRequest as the
-content. The media type for this request is
-"application/private-token-request". An example request for the Issuer Request URL
-"https://issuer.example.net/request" is shown below.<a href="#section-5.1-11" class="pilcrow">¶</a></p>
-<div class="alignLeft art-text artwork" id="section-5.1-12">
-<pre>
-POST /request HTTP/1.1
-Host: issuer.example.net
-Accept: application/private-token-response
-Content-Type: application/private-token-request
-Content-Length: &lt;Length of TokenRequest&gt;
-
-&lt;Bytes containing the TokenRequest&gt;
-</pre><a href="#section-5.1-12" class="pilcrow">¶</a>
-</div>
-</section>
-</div>
-<div id="private-response">
-<section id="section-5.2">
-        <h3 id="name-issuer-to-client-response">
-<a href="#section-5.2" class="section-number selfRef">5.2. </a><a href="#name-issuer-to-client-response" class="section-name selfRef">Issuer-to-Client Response</a>
-        </h3>
-<p id="section-5.2-1">Upon receipt of the request, the Issuer validates the following conditions:<a href="#section-5.2-1" class="pilcrow">¶</a></p>
-<ul class="normal">
-<li class="normal" id="section-5.2-2.1">
-            <p id="section-5.2-2.1.1">The TokenRequest contains a supported token_type.<a href="#section-5.2-2.1.1" class="pilcrow">¶</a></p>
-</li>
-          <li class="normal" id="section-5.2-2.2">
-            <p id="section-5.2-2.2.1">The TokenRequest.truncated_token_key_id corresponds to the truncated key ID
-of a Public Key owned by the Issuer.<a href="#section-5.2-2.2.1" class="pilcrow">¶</a></p>
-</li>
-          <li class="normal" id="section-5.2-2.3">
-            <p id="section-5.2-2.3.1">The TokenRequest.blinded_msg is of the correct size.<a href="#section-5.2-2.3.1" class="pilcrow">¶</a></p>
-</li>
-        </ul>
-<p id="section-5.2-3">If any of these conditions is not met, the Issuer MUST return an HTTP 422
-(Unprocessable Content) error to the client.<a href="#section-5.2-3" class="pilcrow">¶</a></p>
-<p id="section-5.2-4">If these conditions are met, the Issuer then tries to deserialize
-TokenRequest.blinded_msg using DeserializeElement from
-<span><a href="https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-voprf-21#section-2.1" class="relref">Section 2.1</a> of [<a href="#OPRF" class="cite xref">OPRF</a>]</span>, yielding <code>blinded_element</code>. If this fails, the
-Issuer MUST return an HTTP 422 (Unprocessable Content) error to the
-client. Otherwise, if the Issuer is willing to produce a token to the Client,
-the Issuer completes the issuance flow by computing a blinded response as
-follows:<a href="#section-5.2-4" class="pilcrow">¶</a></p>
-<div class="alignLeft art-text artwork" id="section-5.2-5">
-<pre>
-server_context = SetupVOPRFServer("P384-SHA384", skI)
-evaluate_element, proof =
-  server_context.BlindEvaluate(skI, pkI, blinded_element)
-</pre><a href="#section-5.2-5" class="pilcrow">¶</a>
-</div>
-<p id="section-5.2-6">SetupVOPRFServer is defined in <span>[<a href="#OPRF" class="cite xref">OPRF</a>], <a href="https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-voprf-21#section-3.2" class="relref">Section 3.2</a></span> and BlindEvaluate is
-defined in <span>[<a href="#OPRF" class="cite xref">OPRF</a>], <a href="https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-voprf-21#section-3.3.2" class="relref">Section 3.3.2</a></span>. The Issuer then creates a TokenResponse
-structured as follows:<a href="#section-5.2-6" class="pilcrow">¶</a></p>
-<div class="alignLeft art-text artwork" id="section-5.2-7">
-<pre>
-struct {
-   uint8_t evaluate_msg[Ne];
-   uint8_t evaluate_proof[Ns+Ns];
-} TokenResponse;
-</pre><a href="#section-5.2-7" class="pilcrow">¶</a>
-</div>
-<p id="section-5.2-8">The structure fields are defined as follows:<a href="#section-5.2-8" class="pilcrow">¶</a></p>
-<ul class="normal">
-<li class="normal" id="section-5.2-9.1">
-            <p id="section-5.2-9.1.1">"evaluate_msg" is the Ne-octet evaluated message, computed as
-<code>SerializeElement(evaluate_element)</code>.<a href="#section-5.2-9.1.1" class="pilcrow">¶</a></p>
-</li>
-          <li class="normal" id="section-5.2-9.2">
-            <p id="section-5.2-9.2.1">"evaluate_proof" is the (Ns+Ns)-octet serialized proof, which is a pair of
-Scalar values, computed as
-<code>concat(SerializeScalar(proof[0]), SerializeScalar(proof[1]))</code>.<a href="#section-5.2-9.2.1" class="pilcrow">¶</a></p>
-</li>
-        </ul>
-<p id="section-5.2-10">The Issuer generates an HTTP response with status code 200 whose content
-consists of TokenResponse, with the content type set as
-"application/private-token-response".<a href="#section-5.2-10" class="pilcrow">¶</a></p>
-<div class="alignLeft art-text artwork" id="section-5.2-11">
-<pre>
-HTTP/1.1 200 OK
-Content-Type: application/private-token-response
-Content-Length: &lt;Length of TokenResponse&gt;
-
-&lt;Bytes containing the TokenResponse&gt;
-</pre><a href="#section-5.2-11" class="pilcrow">¶</a>
-</div>
-</section>
-</div>
-<div id="private-finalize">
-<section id="section-5.3">
-        <h3 id="name-finalization">
-<a href="#section-5.3" class="section-number selfRef">5.3. </a><a href="#name-finalization" class="section-name selfRef">Finalization</a>
-        </h3>
-<p id="section-5.3-1">Upon receipt, the Client handles the response and, if successful, deserializes
-the content values TokenResponse.evaluate_msg and TokenResponse.evaluate_proof,
-yielding <code>evaluated_element</code> and <code>proof</code>. If deserialization of either value
-fails, the Client aborts the protocol. Otherwise, the Client processes the
-response as follows:<a href="#section-5.3-1" class="pilcrow">¶</a></p>
-<div class="alignLeft art-text artwork" id="section-5.3-2">
-<pre>
-authenticator = client_context.Finalize(token_input, blind,
-                                        evaluated_element,
-                                        blinded_element,
-                                        proof)
-</pre><a href="#section-5.3-2" class="pilcrow">¶</a>
-</div>
-<p id="section-5.3-3">The Finalize function is defined in <span>[<a href="#OPRF" class="cite xref">OPRF</a>], <a href="https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-voprf-21#section-3.3.2" class="relref">Section 3.3.2</a></span>. If this
-succeeds, the Client then constructs a Token as follows:<a href="#section-5.3-3" class="pilcrow">¶</a></p>
-<div class="alignLeft art-text artwork" id="section-5.3-4">
-<pre>
-struct {
-  uint16_t token_type = 0x0001; /* Type VOPRF(P-384, SHA-384) */
-  uint8_t nonce[32];
-  uint8_t challenge_digest[32];
-  uint8_t token_key_id[32];
-  uint8_t authenticator[Nk];
-} Token;
-</pre><a href="#section-5.3-4" class="pilcrow">¶</a>
-</div>
-<p id="section-5.3-5">The Token.nonce value is that which was created in <a href="#private-request" class="auto internal xref">Section 5.1</a>.
-If the Finalize function fails, the Client aborts the protocol.<a href="#section-5.3-5" class="pilcrow">¶</a></p>
-</section>
-</div>
-<div id="token-verification">
-<section id="section-5.4">
-        <h3 id="name-token-verification">
-<a href="#section-5.4" class="section-number selfRef">5.4. </a><a href="#name-token-verification" class="section-name selfRef">Token Verification</a>
-        </h3>
-<p id="section-5.4-1">Verifying a Token requires creating a VOPRF context using the Issuer Private
-Key and Public Key, evaluating the token contents, and comparing the result
-against the token authenticator value:<a href="#section-5.4-1" class="pilcrow">¶</a></p>
-<div class="alignLeft art-text artwork" id="section-5.4-2">
-<pre>
-server_context = SetupVOPRFServer("P384-SHA384", skI)
-token_authenticator_input =
-  concat(Token.token_type,
-         Token.nonce,
-         Token.challenge_digest,
-         Token.token_key_id)
-token_authenticator =
-  server_context.Evaluate(token_authenticator_input)
-valid = (token_authenticator == Token.authenticator)
-</pre><a href="#section-5.4-2" class="pilcrow">¶</a>
-</div>
-</section>
-</div>
-<div id="issuer-configuration">
-<section id="section-5.5">
-        <h3 id="name-issuer-configuration">
-<a href="#section-5.5" class="section-number selfRef">5.5. </a><a href="#name-issuer-configuration" class="section-name selfRef">Issuer Configuration</a>
-        </h3>
-<p id="section-5.5-1">Issuers are configured with Issuer Private and Public Keys, each denoted <code>skI</code>
-and <code>pkI</code>, respectively, used to produce tokens. These keys MUST NOT be reused
-in other protocols. A RECOMMENDED method for generating keys is as
-follows:<a href="#section-5.5-1" class="pilcrow">¶</a></p>
-<div class="alignLeft art-text artwork" id="section-5.5-2">
-<pre>
-seed = random(Ns)
-(skI, pkI) = DeriveKeyPair(seed, "PrivacyPass")
-</pre><a href="#section-5.5-2" class="pilcrow">¶</a>
-</div>
-<p id="section-5.5-3">The DeriveKeyPair function is defined in <span>[<a href="#OPRF" class="cite xref">OPRF</a>], <a href="https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-voprf-21#section-3.3.1" class="relref">Section 3.3.1</a></span>.
-The key identifier for a public key <code>pkI</code>, denoted <code>token_key_id</code>, is computed
-as follows:<a href="#section-5.5-3" class="pilcrow">¶</a></p>
-<div class="alignLeft art-text artwork" id="section-5.5-4">
-<pre>
-token_key_id = SHA256(SerializeElement(pkI))
-</pre><a href="#section-5.5-4" class="pilcrow">¶</a>
-</div>
-<p id="section-5.5-5">Since Clients truncate <code>token_key_id</code> in each <code>TokenRequest</code>, Issuers SHOULD
-ensure that the truncated form of new key IDs do not collide with other
-truncated key IDs in rotation. Collisions can cause the Issuer to use
-the wrong Issuer Private Key for issuance, which will in turn cause the
-resulting tokens to be invalid. There is no known security consequence of
-using the the wrong Issuer Private Key. A possible exception to this constraint
-would be a colliding key that is still in use but in the process of being
-rotated out, in which case the collision cannot reasonably be avoided but it
-is expected to be transient.<a href="#section-5.5-5" class="pilcrow">¶</a></p>
-</section>
-</div>
-</section>
-</div>
-<div id="public-flow">
-<section id="section-6">
-      <h2 id="name-issuance-protocol-for-publi">
-<a href="#section-6" class="section-number selfRef">6. </a><a href="#name-issuance-protocol-for-publi" class="section-name selfRef">Issuance Protocol for Publicly Verifiable Tokens</a>
-      </h2>
-<p id="section-6-1">This section describes a variant of the issuance protocol in <a href="#private-flow" class="auto internal xref">Section 5</a>
-for producing publicly verifiable tokens using the protocol in <span>[<a href="#BLINDRSA" class="cite xref">BLINDRSA</a>]</span>.
-In particular, this variant of the issuance protocol works for the
-RSABSSA-SHA384-PSS-Deterministic and RSABSSA-SHA384-PSSZERO-Deterministic
-blind RSA protocol variants described in <span><a href="https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-rsa-blind-signatures-14#section-5" class="relref">Section 5</a> of [<a href="#BLINDRSA" class="cite xref">BLINDRSA</a>]</span>.<a href="#section-6-1" class="pilcrow">¶</a></p>
-<p id="section-6-2">The publicly verifiable issuance protocol differs from the protocol in
-<a href="#private-flow" class="auto internal xref">Section 5</a> in that the output tokens are publicly verifiable by anyone
-with the Issuer Public Key. This means any Origin can select a given Issuer to
-produce tokens, as long as the Origin has the Issuer public key, without
-explicit coordination or permission from the Issuer. This is because the Issuer
-does not learn the Origin that requested the token during the issuance protocol.<a href="#section-6-2" class="pilcrow">¶</a></p>
-<p id="section-6-3">Beyond this difference, the publicly verifiable issuance protocol variant is
-nearly identical to the privately verifiable issuance protocol variant. In
-particular, Issuers provide an Issuer Private and Public Key, denoted skI and pkI,
-respectively, used to produce tokens as input to the protocol. See
-<a href="#public-issuer-configuration" class="auto internal xref">Section 6.5</a> for how these keys are generated.<a href="#section-6-3" class="pilcrow">¶</a></p>
-<p id="section-6-4">Clients provide the following as input to the issuance protocol:<a href="#section-6-4" class="pilcrow">¶</a></p>
-<ul class="normal">
-<li class="normal" id="section-6-5.1">
-          <p id="section-6-5.1.1">Issuer Request URL: A URL identifying the location to which issuance requests
-are sent. This can be a URL derived from the "issuer-request-uri" value in the
-Issuer's directory resource, or it can be another Client-configured URL. The value
-of this parameter depends on the Client configuration and deployment model.
-For example, in the 'Split Origin, Attester, Issuer' deployment model, the
-Issuer Request URL might correspond to the Client's configured Attester,
-and the Attester is configured to relay requests to the Issuer.<a href="#section-6-5.1.1" class="pilcrow">¶</a></p>
-</li>
-        <li class="normal" id="section-6-5.2">
-          <p id="section-6-5.2.1">Issuer name: An identifier for the Issuer. This is typically a host name that
-can be used to construct HTTP requests to the Issuer.<a href="#section-6-5.2.1" class="pilcrow">¶</a></p>
-</li>
-        <li class="normal" id="section-6-5.3">
-          <p id="section-6-5.3.1">Issuer Public Key: <code>pkI</code>, with a key identifier <code>token_key_id</code> computed as
-described in <a href="#public-issuer-configuration" class="auto internal xref">Section 6.5</a>.<a href="#section-6-5.3.1" class="pilcrow">¶</a></p>
-</li>
-        <li class="normal" id="section-6-5.4">
-          <p id="section-6-5.4.1">Challenge value: <code>challenge</code>, an opaque byte string. For example, this might
-be provided by the redemption protocol in <span>[<a href="#AUTHSCHEME" class="cite xref">AUTHSCHEME</a>]</span>.<a href="#section-6-5.4.1" class="pilcrow">¶</a></p>
-</li>
-      </ul>
-<p id="section-6-6">Given this configuration and these inputs, the two messages exchanged in
-this protocol are described below. The constant <code>Nk</code> is defined by
-<a href="#public-token-type" class="auto internal xref">Section 8.2.2</a>.<a href="#section-6-6" class="pilcrow">¶</a></p>
-<div id="public-request">
-<section id="section-6.1">
-        <h3 id="name-client-to-issuer-request-2">
-<a href="#section-6.1" class="section-number selfRef">6.1. </a><a href="#name-client-to-issuer-request-2" class="section-name selfRef">Client-to-Issuer Request</a>
-        </h3>
-<p id="section-6.1-1">The Client first creates an issuance request message for a random 32-byte value
-<code>nonce</code> using the input challenge and Issuer key identifier as follows:<a href="#section-6.1-1" class="pilcrow">¶</a></p>
-<div class="alignLeft art-text artwork" id="section-6.1-2">
-<pre>
-nonce = random(32)
-challenge_digest = SHA256(challenge)
-token_input = concat(0x0002, // Token type field is 2 bytes long
-                     nonce,
-                     challenge_digest,
-                     token_key_id)
-blinded_msg, blind_inv =
-  Blind(pkI, PrepareIdentity(token_input))
-</pre><a href="#section-6.1-2" class="pilcrow">¶</a>
-</div>
-<p id="section-6.1-3">The PrepareIdentity and Blind functions are defined in
-<span><a href="https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-rsa-blind-signatures-14#section-4.1" class="relref">Section 4.1</a> of [<a href="#BLINDRSA" class="cite xref">BLINDRSA</a>]</span> and <span><a href="https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-rsa-blind-signatures-14#section-4.2" class="relref">Section 4.2</a> of [<a href="#BLINDRSA" class="cite xref">BLINDRSA</a>]</span>, respectively.
-The Client stores the nonce and challenge_digest values locally for use
-when finalizing the issuance protocol to produce a token (as described
-in <a href="#public-finalize" class="auto internal xref">Section 6.3</a>).<a href="#section-6.1-3" class="pilcrow">¶</a></p>
-<p id="section-6.1-4">The Client then creates a TokenRequest structured as follows:<a href="#section-6.1-4" class="pilcrow">¶</a></p>
-<div class="alignLeft art-text artwork" id="section-6.1-5">
-<pre>
-struct {
-  uint16_t token_type = 0x0002; /* Type Blind RSA (2048-bit) */
-  uint8_t truncated_token_key_id;
-  uint8_t blinded_msg[Nk];
-} TokenRequest;
-</pre><a href="#section-6.1-5" class="pilcrow">¶</a>
-</div>
-<p id="section-6.1-6">The structure fields are defined as follows:<a href="#section-6.1-6" class="pilcrow">¶</a></p>
-<ul class="normal">
-<li class="normal" id="section-6.1-7.1">
-            <p id="section-6.1-7.1.1">"token_type" is a 2-octet integer, which matches the type in the challenge.<a href="#section-6.1-7.1.1" class="pilcrow">¶</a></p>
-</li>
-          <li class="normal" id="section-6.1-7.2">
-            <p id="section-6.1-7.2.1">"truncated_token_key_id" is the least significant byte of the <code>token_key_id</code>
-(<a href="#public-issuer-configuration" class="auto internal xref">Section 6.5</a>) in network byte order (in other words, the
-last 8 bits of <code>token_key_id</code>). This value is truncated so that Issuers cannot use
-<code>token_key_id</code> as a way of uniquely identifying Clients; see <a href="#security" class="auto internal xref">Section 7</a>
-and referenced information for more details.<a href="#section-6.1-7.2.1" class="pilcrow">¶</a></p>
-</li>
-          <li class="normal" id="section-6.1-7.3">
-            <p id="section-6.1-7.3.1">"blinded_msg" is the Nk-octet request defined above.<a href="#section-6.1-7.3.1" class="pilcrow">¶</a></p>
-</li>
-        </ul>
-<p id="section-6.1-8">The Client then generates an HTTP POST request to send to the Issuer Request
-URL, with the TokenRequest as the content. The media type for this request
-is "application/private-token-request". An example request for the Issuer
-Request URL "https://issuer.example.net/request" is shown below.<a href="#section-6.1-8" class="pilcrow">¶</a></p>
-<div class="alignLeft art-text artwork" id="section-6.1-9">
-<pre>
-POST /request HTTP/1.1
-Host: issuer.example.net
-Accept: application/private-token-response
-Content-Type: application/private-token-request
-Content-Length: &lt;Length of TokenRequest&gt;
-
-&lt;Bytes containing the TokenRequest&gt;
-</pre><a href="#section-6.1-9" class="pilcrow">¶</a>
-</div>
-</section>
-</div>
-<div id="public-response">
-<section id="section-6.2">
-        <h3 id="name-issuer-to-client-response-2">
-<a href="#section-6.2" class="section-number selfRef">6.2. </a><a href="#name-issuer-to-client-response-2" class="section-name selfRef">Issuer-to-Client Response</a>
-        </h3>
-<p id="section-6.2-1">Upon receipt of the request, the Issuer validates the following conditions:<a href="#section-6.2-1" class="pilcrow">¶</a></p>
-<ul class="normal">
-<li class="normal" id="section-6.2-2.1">
-            <p id="section-6.2-2.1.1">The TokenRequest contains a supported token_type.<a href="#section-6.2-2.1.1" class="pilcrow">¶</a></p>
-</li>
-          <li class="normal" id="section-6.2-2.2">
-            <p id="section-6.2-2.2.1">The TokenRequest.truncated_token_key_id corresponds to the truncated key
-ID of an Issuer Public Key.<a href="#section-6.2-2.2.1" class="pilcrow">¶</a></p>
-</li>
-          <li class="normal" id="section-6.2-2.3">
-            <p id="section-6.2-2.3.1">The TokenRequest.blinded_msg is of the correct size.<a href="#section-6.2-2.3.1" class="pilcrow">¶</a></p>
-</li>
-        </ul>
-<p id="section-6.2-3">If any of these conditions is not met, the Issuer MUST return an HTTP 422
-(Unprocessable Content) error to the Client. Otherwise, if the
-Issuer is willing to produce a token to the Client, the Issuer
-completes the issuance flow by computing a blinded response as follows:<a href="#section-6.2-3" class="pilcrow">¶</a></p>
-<div class="alignLeft art-text artwork" id="section-6.2-4">
-<pre>
-blind_sig = BlindSign(skI, TokenRequest.blinded_msg)
-</pre><a href="#section-6.2-4" class="pilcrow">¶</a>
-</div>
-<p id="section-6.2-5">The BlindSign function is defined in <span><a href="https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-rsa-blind-signatures-14#section-4.3" class="relref">Section 4.3</a> of [<a href="#BLINDRSA" class="cite xref">BLINDRSA</a>]</span>.
-The result is encoded and transmitted to the client in the following
-TokenResponse structure:<a href="#section-6.2-5" class="pilcrow">¶</a></p>
-<div class="alignLeft art-text artwork" id="section-6.2-6">
-<pre>
-struct {
-  uint8_t blind_sig[Nk];
-} TokenResponse;
-</pre><a href="#section-6.2-6" class="pilcrow">¶</a>
-</div>
-<p id="section-6.2-7">The Issuer generates an HTTP response with status code 200 whose content
-consists of TokenResponse, with the content type set as
-"application/private-token-response".<a href="#section-6.2-7" class="pilcrow">¶</a></p>
-<div class="alignLeft art-text artwork" id="section-6.2-8">
-<pre>
-HTTP/1.1 200 OK
-Content-Type: application/private-token-response
-Content-Length: &lt;Length of TokenResponse&gt;
-
-&lt;Bytes containing the TokenResponse&gt;
-</pre><a href="#section-6.2-8" class="pilcrow">¶</a>
-</div>
-</section>
-</div>
-<div id="public-finalize">
-<section id="section-6.3">
-        <h3 id="name-finalization-2">
-<a href="#section-6.3" class="section-number selfRef">6.3. </a><a href="#name-finalization-2" class="section-name selfRef">Finalization</a>
-        </h3>
-<p id="section-6.3-1">Upon receipt, the Client handles the response and, if successful, processes the
-content as follows:<a href="#section-6.3-1" class="pilcrow">¶</a></p>
-<div class="alignLeft art-text artwork" id="section-6.3-2">
-<pre>
-authenticator =
-  Finalize(pkI, nonce, blind_sig, blind_inv)
-</pre><a href="#section-6.3-2" class="pilcrow">¶</a>
-</div>
-<p id="section-6.3-3">The Finalize function is defined in <span><a href="https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-rsa-blind-signatures-14#section-4.4" class="relref">Section 4.4</a> of [<a href="#BLINDRSA" class="cite xref">BLINDRSA</a>]</span>. If this
-succeeds, the Client then constructs a Token as described in <span>[<a href="#AUTHSCHEME" class="cite xref">AUTHSCHEME</a>]</span> as
-follows:<a href="#section-6.3-3" class="pilcrow">¶</a></p>
-<div class="alignLeft art-text artwork" id="section-6.3-4">
-<pre>
-struct {
-  uint16_t token_type = 0x0002; /* Type Blind RSA (2048-bit) */
-  uint8_t nonce[32];
-  uint8_t challenge_digest[32];
-  uint8_t token_key_id[32];
-  uint8_t authenticator[Nk];
-} Token;
-</pre><a href="#section-6.3-4" class="pilcrow">¶</a>
-</div>
-<p id="section-6.3-5">The Token.nonce value is that which was sampled in <a href="#private-request" class="auto internal xref">Section 5.1</a>.
-If the Finalize function fails, the Client aborts the protocol.<a href="#section-6.3-5" class="pilcrow">¶</a></p>
-</section>
-</div>
-<div id="token-verification-1">
-<section id="section-6.4">
-        <h3 id="name-token-verification-2">
-<a href="#section-6.4" class="section-number selfRef">6.4. </a><a href="#name-token-verification-2" class="section-name selfRef">Token Verification</a>
-        </h3>
-<p id="section-6.4-1">Verifying a Token requires checking that Token.authenticator is a valid
-signature over the remainder of the token input using the Issuer Public Key.
-The function <code>RSASSA-PSS-VERIFY</code> is defined in <span><a href="https://rfc-editor.org/rfc/rfc8017#section-8.1.2" class="relref">Section 8.1.2</a> of [<a href="#RFC8017" class="cite xref">RFC8017</a>]</span>,
-using SHA-384 as the Hash function, MGF1 with SHA-384 as the PSS mask
-generation function (MGF), and a 48-byte salt length (sLen).<a href="#section-6.4-1" class="pilcrow">¶</a></p>
-<div class="alignLeft art-text artwork" id="section-6.4-2">
-<pre>
-token_authenticator_input =
-  concat(Token.token_type,
-         Token.nonce,
-         Token.challenge_digest,
-         Token.token_key_id)
-valid = RSASSA-PSS-VERIFY(pkI,
-                          token_authenticator_input,
-                          Token.authenticator)
-</pre><a href="#section-6.4-2" class="pilcrow">¶</a>
-</div>
-</section>
-</div>
-<div id="public-issuer-configuration">
-<section id="section-6.5">
-        <h3 id="name-issuer-configuration-2">
-<a href="#section-6.5" class="section-number selfRef">6.5. </a><a href="#name-issuer-configuration-2" class="section-name selfRef">Issuer Configuration</a>
-        </h3>
-<p id="section-6.5-1">Issuers are configured with Issuer Private and Public Keys, each denoted skI and
-pkI, respectively, used to produce tokens. Each key SHALL be generated
-securely, for example as specified in FIPS 186-5 <span>[<a href="#DSS" class="cite xref">DSS</a>]</span>.
-These keys MUST NOT be reused in other protocols.<a href="#section-6.5-1" class="pilcrow">¶</a></p>
-<p id="section-6.5-2">The key identifier for an Issuer Private and Public Key (skI, pkI),
-denoted <code>token_key_id</code>, is computed as SHA256(encoded_key), where encoded_key
-is a DER-encoded SubjectPublicKeyInfo <span>[<a href="#RFC5280" class="cite xref">RFC5280</a>]</span> (SPKI) object carrying pkI
-as a DER-encoded RSAPublicKey value <span>[<a href="#RFC5756" class="cite xref">RFC5756</a>]</span> in the subjectPublicKey
-field. Additionally, the SPKI object MUST use the id-RSASSA-PSS object
-identifier in the algorithm field within the SPKI object, the parameters field
-MUST contain a RSASSA-PSS-params value, and MUST include the hashAlgorithm,
-maskGenAlgorithm, and saltLength values. The saltLength MUST match the output
-size of the hash function associated with the public key and token type.<a href="#section-6.5-2" class="pilcrow">¶</a></p>
-<p id="section-6.5-3">An example sequence of the SPKI object (in ASN.1 format, with the actual public key
-bytes truncated) for a 2048-bit key is below:<a href="#section-6.5-3" class="pilcrow">¶</a></p>
-<div class="alignLeft art-text artwork" id="section-6.5-4">
-<pre>
-$ cat spki.bin | xxd -r -p | openssl asn1parse -dump -inform DER
-    0:d=0  hl=4 l= 338 cons: SEQUENCE
-    4:d=1  hl=2 l=  61 cons: SEQUENCE
-    6:d=2  hl=2 l=   9 prim: OBJECT            :rsassaPss
-   17:d=2  hl=2 l=  48 cons: SEQUENCE
-   19:d=3  hl=2 l=  13 cons: cont [ 0 ]
-   21:d=4  hl=2 l=  11 cons: SEQUENCE
-   23:d=5  hl=2 l=   9 prim: OBJECT            :sha384
-   34:d=3  hl=2 l=  26 cons: cont [ 1 ]
-   36:d=4  hl=2 l=  24 cons: SEQUENCE
-   38:d=5  hl=2 l=   9 prim: OBJECT            :mgf1
-   49:d=5  hl=2 l=  11 cons: SEQUENCE
-   51:d=6  hl=2 l=   9 prim: OBJECT            :sha384
-   62:d=3  hl=2 l=   3 cons: cont [ 2 ]
-   64:d=4  hl=2 l=   1 prim: INTEGER           :30
-   67:d=1  hl=4 l= 271 prim: BIT STRING
-   ... truncated public key bytes ...
-</pre><a href="#section-6.5-4" class="pilcrow">¶</a>
-</div>
-<p id="section-6.5-5">Since Clients truncate <code>token_key_id</code> in each <code>TokenRequest</code>, Issuers SHOULD
-ensure that the truncated form of new key IDs do not collide with other
-truncated key IDs in rotation. Collisions can cause the Issuer to use
-the wrong Issuer Private Key for issuance, which will in turn cause the
-resulting tokens to be invalid. There is no known security consequence of
-using the the wrong Issuer Private Key. A possible exception to this constraint
-would be a colliding key that is still in use but in the process of being
-rotated out, in which case the collision cannot reasonably be avoided but it
-is expected to be transient.<a href="#section-6.5-5" class="pilcrow">¶</a></p>
-</section>
-</div>
-</section>
-</div>
-<div id="security">
-<section id="section-7">
-      <h2 id="name-security-considerations">
-<a href="#section-7" class="section-number selfRef">7. </a><a href="#name-security-considerations" class="section-name selfRef">Security considerations</a>
-      </h2>
-<p id="section-7-1">This document outlines how to instantiate the Issuance protocol
-based on the VOPRF defined in <span>[<a href="#OPRF" class="cite xref">OPRF</a>]</span> and blind RSA protocol defined in
-<span>[<a href="#BLINDRSA" class="cite xref">BLINDRSA</a>]</span>. All security considerations described in the VOPRF and blind RSA
-documents also apply in the Privacy Pass use-case. Considerations related to
-broader privacy and security concerns in a multi-Client and multi-Issuer
-setting are deferred to the architecture document <span>[<a href="#ARCHITECTURE" class="cite xref">ARCHITECTURE</a>]</span>. In
-particular, Section <a href="https://datatracker.ietf.org/doc/html/draft-ietf-privacypass-architecture-16#section-4" class="relref">4</a> and Section <a href="https://datatracker.ietf.org/doc/html/draft-ietf-privacypass-architecture-16#section-5" class="relref">5</a> of <span>[<a href="#ARCHITECTURE" class="cite xref">ARCHITECTURE</a>]</span> discuss
-relevant privacy considerations influenced by the Privacy Pass deployment
-model, and <span><a href="https://datatracker.ietf.org/doc/html/draft-ietf-privacypass-architecture-16#section-6" class="relref">Section 6</a> of [<a href="#ARCHITECTURE" class="cite xref">ARCHITECTURE</a>]</span> discusses privacy considerations that
-apply regardless of deployment model. Notable considerations include those pertaining to
-Issuer Public Key rotation and consistency, where consistency is as described
-in <span>[<a href="#CONSISTENCY" class="cite xref">CONSISTENCY</a>]</span>, and Issuer selection.<a href="#section-7-1" class="pilcrow">¶</a></p>
-</section>
-</div>
-<div id="iana-considerations">
-<section id="section-8">
-      <h2 id="name-iana-considerations">
-<a href="#section-8" class="section-number selfRef">8. </a><a href="#name-iana-considerations" class="section-name selfRef">IANA considerations</a>
-      </h2>
-<p id="section-8-1">This section contains considerations for IANA.<a href="#section-8-1" class="pilcrow">¶</a></p>
-<div id="wkuri-reg">
-<section id="section-8.1">
-        <h3 id="name-well-known-private-token-is">
-<a href="#section-8.1" class="section-number selfRef">8.1. </a><a href="#name-well-known-private-token-is" class="section-name selfRef">Well-Known 'private-token-issuer-directory' URI</a>
-        </h3>
-<p id="section-8.1-1">This document updates the "Well-Known URIs" Registry <span>[<a href="#WellKnownURIs" class="cite xref">WellKnownURIs</a>]</span> with the
-following values.<a href="#section-8.1-1" class="pilcrow">¶</a></p>
-<span id="name-private-token-issuer-direct"></span><div id="wellknownuri-values">
-<table class="center" id="table-3">
-          <caption>
-<a href="#table-3" class="selfRef">Table 3</a>:
-<a href="#name-private-token-issuer-direct" class="selfRef">'private-token-issuer-directory' Well-Known URI</a>
-          </caption>
-<thead>
-            <tr>
-              <th class="text-left" rowspan="1" colspan="1">URI Suffix</th>
-              <th class="text-left" rowspan="1" colspan="1">Change Controller</th>
-              <th class="text-left" rowspan="1" colspan="1">Reference</th>
-              <th class="text-left" rowspan="1" colspan="1">Status</th>
-              <th class="text-left" rowspan="1" colspan="1">Related information</th>
-            </tr>
-          </thead>
-          <tbody>
-            <tr>
-              <td class="text-left" rowspan="1" colspan="1">private-token-issuer-directory</td>
-              <td class="text-left" rowspan="1" colspan="1">IETF</td>
-              <td class="text-left" rowspan="1" colspan="1">[this document]</td>
-              <td class="text-left" rowspan="1" colspan="1">permanent</td>
-              <td class="text-left" rowspan="1" colspan="1">None</td>
-            </tr>
-          </tbody>
-        </table>
-</div>
-</section>
-</div>
-<div id="token-type">
-<section id="section-8.2">
-        <h3 id="name-token-type-registry-updates">
-<a href="#section-8.2" class="section-number selfRef">8.2. </a><a href="#name-token-type-registry-updates" class="section-name selfRef">Token Type Registry Updates</a>
-        </h3>
-<p id="section-8.2-1">This document updates the "Privacy Pass Token Type" Registry with the
-following entries.<a href="#section-8.2-1" class="pilcrow">¶</a></p>
-<div id="private-token-type">
-<section id="section-8.2.1">
-          <h4 id="name-token-type-voprf-p-384-sha-">
-<a href="#section-8.2.1" class="section-number selfRef">8.2.1. </a><a href="#name-token-type-voprf-p-384-sha-" class="section-name selfRef">Token Type VOPRF (P-384, SHA-384)</a>
-          </h4>
-<ul class="normal">
-<li class="normal" id="section-8.2.1-1.1">
-              <p id="section-8.2.1-1.1.1">Value: 0x0001<a href="#section-8.2.1-1.1.1" class="pilcrow">¶</a></p>
-</li>
-            <li class="normal" id="section-8.2.1-1.2">
-              <p id="section-8.2.1-1.2.1">Name: VOPRF (P-384, SHA-384)<a href="#section-8.2.1-1.2.1" class="pilcrow">¶</a></p>
-</li>
-            <li class="normal" id="section-8.2.1-1.3">
-              <p id="section-8.2.1-1.3.1">Token Structure: As defined in <span><a href="https://datatracker.ietf.org/doc/html/draft-ietf-privacypass-auth-scheme-14#section-2.2" class="relref">Section 2.2</a> of [<a href="#AUTHSCHEME" class="cite xref">AUTHSCHEME</a>]</span><a href="#section-8.2.1-1.3.1" class="pilcrow">¶</a></p>
-</li>
-            <li class="normal" id="section-8.2.1-1.4">
-              <p id="section-8.2.1-1.4.1">Token Key Encoding: Serialized using SerializeElement from <span><a href="https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-voprf-21#section-2.1" class="relref">Section 2.1</a> of [<a href="#OPRF" class="cite xref">OPRF</a>]</span><a href="#section-8.2.1-1.4.1" class="pilcrow">¶</a></p>
-</li>
-            <li class="normal" id="section-8.2.1-1.5">
-              <p id="section-8.2.1-1.5.1">TokenChallenge Structure: As defined in <span><a href="https://datatracker.ietf.org/doc/html/draft-ietf-privacypass-auth-scheme-14#section-2.1" class="relref">Section 2.1</a> of [<a href="#AUTHSCHEME" class="cite xref">AUTHSCHEME</a>]</span><a href="#section-8.2.1-1.5.1" class="pilcrow">¶</a></p>
-</li>
-            <li class="normal" id="section-8.2.1-1.6">
-              <p id="section-8.2.1-1.6.1">Public Verifiability: N<a href="#section-8.2.1-1.6.1" class="pilcrow">¶</a></p>
-</li>
-            <li class="normal" id="section-8.2.1-1.7">
-              <p id="section-8.2.1-1.7.1">Public Metadata: N<a href="#section-8.2.1-1.7.1" class="pilcrow">¶</a></p>
-</li>
-            <li class="normal" id="section-8.2.1-1.8">
-              <p id="section-8.2.1-1.8.1">Private Metadata: N<a href="#section-8.2.1-1.8.1" class="pilcrow">¶</a></p>
-</li>
-            <li class="normal" id="section-8.2.1-1.9">
-              <p id="section-8.2.1-1.9.1">Nk: 48<a href="#section-8.2.1-1.9.1" class="pilcrow">¶</a></p>
-</li>
-            <li class="normal" id="section-8.2.1-1.10">
-              <p id="section-8.2.1-1.10.1">Nid: 32<a href="#section-8.2.1-1.10.1" class="pilcrow">¶</a></p>
-</li>
-            <li class="normal" id="section-8.2.1-1.11">
-              <p id="section-8.2.1-1.11.1">Reference: <a href="#private-flow" class="auto internal xref">Section 5</a><a href="#section-8.2.1-1.11.1" class="pilcrow">¶</a></p>
-</li>
-            <li class="normal" id="section-8.2.1-1.12">
-              <p id="section-8.2.1-1.12.1">Notes: None<a href="#section-8.2.1-1.12.1" class="pilcrow">¶</a></p>
-</li>
-          </ul>
-</section>
-</div>
-<div id="public-token-type">
-<section id="section-8.2.2">
-          <h4 id="name-token-type-blind-rsa-2048-b">
-<a href="#section-8.2.2" class="section-number selfRef">8.2.2. </a><a href="#name-token-type-blind-rsa-2048-b" class="section-name selfRef">Token Type Blind RSA (2048-bit)</a>
-          </h4>
-<ul class="normal">
-<li class="normal" id="section-8.2.2-1.1">
-              <p id="section-8.2.2-1.1.1">Value: 0x0002<a href="#section-8.2.2-1.1.1" class="pilcrow">¶</a></p>
-</li>
-            <li class="normal" id="section-8.2.2-1.2">
-              <p id="section-8.2.2-1.2.1">Name: Blind RSA (2048-bit)<a href="#section-8.2.2-1.2.1" class="pilcrow">¶</a></p>
-</li>
-            <li class="normal" id="section-8.2.2-1.3">
-              <p id="section-8.2.2-1.3.1">Token Structure: As defined in <span><a href="https://datatracker.ietf.org/doc/html/draft-ietf-privacypass-auth-scheme-14#section-2.2" class="relref">Section 2.2</a> of [<a href="#AUTHSCHEME" class="cite xref">AUTHSCHEME</a>]</span><a href="#section-8.2.2-1.3.1" class="pilcrow">¶</a></p>
-</li>
-            <li class="normal" id="section-8.2.2-1.4">
-              <p id="section-8.2.2-1.4.1">Token Key Encoding: Serialized as a DER-encoded SubjectPublicKeyInfo (SPKI) object using the RSASSA-PSS OID <span>[<a href="#RFC5756" class="cite xref">RFC5756</a>]</span><a href="#section-8.2.2-1.4.1" class="pilcrow">¶</a></p>
-</li>
-            <li class="normal" id="section-8.2.2-1.5">
-              <p id="section-8.2.2-1.5.1">TokenChallenge Structure: As defined in <span><a href="https://datatracker.ietf.org/doc/html/draft-ietf-privacypass-auth-scheme-14#section-2.1" class="relref">Section 2.1</a> of [<a href="#AUTHSCHEME" class="cite xref">AUTHSCHEME</a>]</span><a href="#section-8.2.2-1.5.1" class="pilcrow">¶</a></p>
-</li>
-            <li class="normal" id="section-8.2.2-1.6">
-              <p id="section-8.2.2-1.6.1">Public Verifiability: Y<a href="#section-8.2.2-1.6.1" class="pilcrow">¶</a></p>
-</li>
-            <li class="normal" id="section-8.2.2-1.7">
-              <p id="section-8.2.2-1.7.1">Public Metadata: N<a href="#section-8.2.2-1.7.1" class="pilcrow">¶</a></p>
-</li>
-            <li class="normal" id="section-8.2.2-1.8">
-              <p id="section-8.2.2-1.8.1">Private Metadata: N<a href="#section-8.2.2-1.8.1" class="pilcrow">¶</a></p>
-</li>
-            <li class="normal" id="section-8.2.2-1.9">
-              <p id="section-8.2.2-1.9.1">Nk: 256<a href="#section-8.2.2-1.9.1" class="pilcrow">¶</a></p>
-</li>
-            <li class="normal" id="section-8.2.2-1.10">
-              <p id="section-8.2.2-1.10.1">Nid: 32<a href="#section-8.2.2-1.10.1" class="pilcrow">¶</a></p>
-</li>
-            <li class="normal" id="section-8.2.2-1.11">
-              <p id="section-8.2.2-1.11.1">Reference: <a href="#public-flow" class="auto internal xref">Section 6</a><a href="#section-8.2.2-1.11.1" class="pilcrow">¶</a></p>
-</li>
-            <li class="normal" id="section-8.2.2-1.12">
-              <p id="section-8.2.2-1.12.1">Notes: The RSABSSA-SHA384-PSS-Deterministic and
-RSABSSA-SHA384-PSSZERO-Deterministic variants are supported<a href="#section-8.2.2-1.12.1" class="pilcrow">¶</a></p>
-</li>
-          </ul>
-</section>
-</div>
-</section>
-</div>
-<div id="media-types">
-<section id="section-8.3">
-        <h3 id="name-media-types">
-<a href="#section-8.3" class="section-number selfRef">8.3. </a><a href="#name-media-types" class="section-name selfRef">Media Types</a>
-        </h3>
-<p id="section-8.3-1">The following entries should be added to the IANA "media types"
-registry:<a href="#section-8.3-1" class="pilcrow">¶</a></p>
-<ul class="normal">
-<li class="normal" id="section-8.3-2.1">
-            <p id="section-8.3-2.1.1">"application/private-token-issuer-directory"<a href="#section-8.3-2.1.1" class="pilcrow">¶</a></p>
-</li>
-          <li class="normal" id="section-8.3-2.2">
-            <p id="section-8.3-2.2.1">"application/private-token-request"<a href="#section-8.3-2.2.1" class="pilcrow">¶</a></p>
-</li>
-          <li class="normal" id="section-8.3-2.3">
-            <p id="section-8.3-2.3.1">"application/private-token-response"<a href="#section-8.3-2.3.1" class="pilcrow">¶</a></p>
-</li>
-        </ul>
-<p id="section-8.3-3">The templates for these entries are listed below and the
-reference should be this RFC.<a href="#section-8.3-3" class="pilcrow">¶</a></p>
-<div id="applicationprivate-token-issuer-directory-media-type">
-<section id="section-8.3.1">
-          <h4 id="name-application-private-token-i">
-<a href="#section-8.3.1" class="section-number selfRef">8.3.1. </a><a href="#name-application-private-token-i" class="section-name selfRef">"application/private-token-issuer-directory" media type</a>
-          </h4>
-<span class="break"></span><dl class="dlCompact dlParallel" id="section-8.3.1-1">
-            <dt id="section-8.3.1-1.1">Type name:</dt>
-            <dd style="margin-left: 1.5em" id="section-8.3.1-1.2">
-              <p id="section-8.3.1-1.2.1">application<a href="#section-8.3.1-1.2.1" class="pilcrow">¶</a></p>
-</dd>
-            <dd class="break"></dd>
-<dt id="section-8.3.1-1.3">Subtype name:</dt>
-            <dd style="margin-left: 1.5em" id="section-8.3.1-1.4">
-              <p id="section-8.3.1-1.4.1">private-token-issuer-directory<a href="#section-8.3.1-1.4.1" class="pilcrow">¶</a></p>
-</dd>
-            <dd class="break"></dd>
-<dt id="section-8.3.1-1.5">Required parameters:</dt>
-            <dd style="margin-left: 1.5em" id="section-8.3.1-1.6">
-              <p id="section-8.3.1-1.6.1">N/A<a href="#section-8.3.1-1.6.1" class="pilcrow">¶</a></p>
-</dd>
-            <dd class="break"></dd>
-<dt id="section-8.3.1-1.7">Optional parameters:</dt>
-            <dd style="margin-left: 1.5em" id="section-8.3.1-1.8">
-              <p id="section-8.3.1-1.8.1">N/A<a href="#section-8.3.1-1.8.1" class="pilcrow">¶</a></p>
-</dd>
-            <dd class="break"></dd>
-<dt id="section-8.3.1-1.9">Encoding considerations:</dt>
-            <dd style="margin-left: 1.5em" id="section-8.3.1-1.10">
-              <p id="section-8.3.1-1.10.1">"binary"<a href="#section-8.3.1-1.10.1" class="pilcrow">¶</a></p>
-</dd>
-            <dd class="break"></dd>
-<dt id="section-8.3.1-1.11">Security considerations:</dt>
-            <dd style="margin-left: 1.5em" id="section-8.3.1-1.12">
-              <p id="section-8.3.1-1.12.1">see <a href="#setup" class="auto internal xref">Section 4</a><a href="#section-8.3.1-1.12.1" class="pilcrow">¶</a></p>
-</dd>
-            <dd class="break"></dd>
-<dt id="section-8.3.1-1.13">Interoperability considerations:</dt>
-            <dd style="margin-left: 1.5em" id="section-8.3.1-1.14">
-              <p id="section-8.3.1-1.14.1">N/A<a href="#section-8.3.1-1.14.1" class="pilcrow">¶</a></p>
-</dd>
-            <dd class="break"></dd>
-<dt id="section-8.3.1-1.15">Published specification:</dt>
-            <dd style="margin-left: 1.5em" id="section-8.3.1-1.16">
-              <p id="section-8.3.1-1.16.1">this specification<a href="#section-8.3.1-1.16.1" class="pilcrow">¶</a></p>
-</dd>
-            <dd class="break"></dd>
-<dt id="section-8.3.1-1.17">Applications that use this media type:</dt>
-            <dd style="margin-left: 1.5em" id="section-8.3.1-1.18">
-              <p id="section-8.3.1-1.18.1">Services that implement the Privacy Pass issuer role, and client
-applications that interact with the issuer for the purposes of
-issuing or redeeming tokens.<a href="#section-8.3.1-1.18.1" class="pilcrow">¶</a></p>
-</dd>
-            <dd class="break"></dd>
-<dt id="section-8.3.1-1.19">Fragment identifier considerations:</dt>
-            <dd style="margin-left: 1.5em" id="section-8.3.1-1.20">
-              <p id="section-8.3.1-1.20.1">N/A<a href="#section-8.3.1-1.20.1" class="pilcrow">¶</a></p>
-</dd>
-            <dd class="break"></dd>
-<dt id="section-8.3.1-1.21">Additional information:</dt>
-            <dd style="margin-left: 1.5em" id="section-8.3.1-1.22">
-              <span class="break"></span><dl class="dlCompact dlParallel" id="section-8.3.1-1.22.1">
-                <dt id="section-8.3.1-1.22.1.1">Magic number(s):</dt>
-                <dd style="margin-left: 1.5em" id="section-8.3.1-1.22.1.2">N/A<a href="#section-8.3.1-1.22.1.2" class="pilcrow">¶</a>
-</dd>
-                <dd class="break"></dd>
-<dt id="section-8.3.1-1.22.1.3">Deprecated alias names for this type:</dt>
-                <dd style="margin-left: 1.5em" id="section-8.3.1-1.22.1.4">N/A<a href="#section-8.3.1-1.22.1.4" class="pilcrow">¶</a>
-</dd>
-                <dd class="break"></dd>
-<dt id="section-8.3.1-1.22.1.5">File extension(s):</dt>
-                <dd style="margin-left: 1.5em" id="section-8.3.1-1.22.1.6">N/A<a href="#section-8.3.1-1.22.1.6" class="pilcrow">¶</a>
-</dd>
-                <dd class="break"></dd>
-<dt id="section-8.3.1-1.22.1.7">Macintosh file type code(s):</dt>
-                <dd style="margin-left: 1.5em" id="section-8.3.1-1.22.1.8">N/A<a href="#section-8.3.1-1.22.1.8" class="pilcrow">¶</a>
-</dd>
-              <dd class="break"></dd>
-</dl>
-</dd>
-            <dd class="break"></dd>
-<dt id="section-8.3.1-1.23">Person and email address to contact for further information:</dt>
-            <dd style="margin-left: 1.5em" id="section-8.3.1-1.24">
-              <p id="section-8.3.1-1.24.1">see Authors' Addresses section<a href="#section-8.3.1-1.24.1" class="pilcrow">¶</a></p>
-</dd>
-            <dd class="break"></dd>
-<dt id="section-8.3.1-1.25">Intended usage:</dt>
-            <dd style="margin-left: 1.5em" id="section-8.3.1-1.26">
-              <p id="section-8.3.1-1.26.1">COMMON<a href="#section-8.3.1-1.26.1" class="pilcrow">¶</a></p>
-</dd>
-            <dd class="break"></dd>
-<dt id="section-8.3.1-1.27">Restrictions on usage:</dt>
-            <dd style="margin-left: 1.5em" id="section-8.3.1-1.28">
-              <p id="section-8.3.1-1.28.1">N/A<a href="#section-8.3.1-1.28.1" class="pilcrow">¶</a></p>
-</dd>
-            <dd class="break"></dd>
-<dt id="section-8.3.1-1.29">Author:</dt>
-            <dd style="margin-left: 1.5em" id="section-8.3.1-1.30">
-              <p id="section-8.3.1-1.30.1">see Authors' Addresses section<a href="#section-8.3.1-1.30.1" class="pilcrow">¶</a></p>
-</dd>
-            <dd class="break"></dd>
-<dt id="section-8.3.1-1.31">Change controller:</dt>
-            <dd style="margin-left: 1.5em" id="section-8.3.1-1.32">
-              <p id="section-8.3.1-1.32.1">IETF<a href="#section-8.3.1-1.32.1" class="pilcrow">¶</a></p>
-</dd>
-          <dd class="break"></dd>
-</dl>
-</section>
-</div>
-<div id="applicationprivate-token-request-media-type">
-<section id="section-8.3.2">
-          <h4 id="name-application-private-token-r">
-<a href="#section-8.3.2" class="section-number selfRef">8.3.2. </a><a href="#name-application-private-token-r" class="section-name selfRef">"application/private-token-request" media type</a>
-          </h4>
-<span class="break"></span><dl class="dlCompact dlParallel" id="section-8.3.2-1">
-            <dt id="section-8.3.2-1.1">Type name:</dt>
-            <dd style="margin-left: 1.5em" id="section-8.3.2-1.2">
-              <p id="section-8.3.2-1.2.1">application<a href="#section-8.3.2-1.2.1" class="pilcrow">¶</a></p>
-</dd>
-            <dd class="break"></dd>
-<dt id="section-8.3.2-1.3">Subtype name:</dt>
-            <dd style="margin-left: 1.5em" id="section-8.3.2-1.4">
-              <p id="section-8.3.2-1.4.1">private-token-request<a href="#section-8.3.2-1.4.1" class="pilcrow">¶</a></p>
-</dd>
-            <dd class="break"></dd>
-<dt id="section-8.3.2-1.5">Required parameters:</dt>
-            <dd style="margin-left: 1.5em" id="section-8.3.2-1.6">
-              <p id="section-8.3.2-1.6.1">N/A<a href="#section-8.3.2-1.6.1" class="pilcrow">¶</a></p>
-</dd>
-            <dd class="break"></dd>
-<dt id="section-8.3.2-1.7">Optional parameters:</dt>
-            <dd style="margin-left: 1.5em" id="section-8.3.2-1.8">
-              <p id="section-8.3.2-1.8.1">N/A<a href="#section-8.3.2-1.8.1" class="pilcrow">¶</a></p>
-</dd>
-            <dd class="break"></dd>
-<dt id="section-8.3.2-1.9">Encoding considerations:</dt>
-            <dd style="margin-left: 1.5em" id="section-8.3.2-1.10">
-              <p id="section-8.3.2-1.10.1">"binary"<a href="#section-8.3.2-1.10.1" class="pilcrow">¶</a></p>
-</dd>
-            <dd class="break"></dd>
-<dt id="section-8.3.2-1.11">Security considerations:</dt>
-            <dd style="margin-left: 1.5em" id="section-8.3.2-1.12">
-              <p id="section-8.3.2-1.12.1">see <a href="#security" class="auto internal xref">Section 7</a><a href="#section-8.3.2-1.12.1" class="pilcrow">¶</a></p>
-</dd>
-            <dd class="break"></dd>
-<dt id="section-8.3.2-1.13">Interoperability considerations:</dt>
-            <dd style="margin-left: 1.5em" id="section-8.3.2-1.14">
-              <p id="section-8.3.2-1.14.1">N/A<a href="#section-8.3.2-1.14.1" class="pilcrow">¶</a></p>
-</dd>
-            <dd class="break"></dd>
-<dt id="section-8.3.2-1.15">Published specification:</dt>
-            <dd style="margin-left: 1.5em" id="section-8.3.2-1.16">
-              <p id="section-8.3.2-1.16.1">this specification<a href="#section-8.3.2-1.16.1" class="pilcrow">¶</a></p>
-</dd>
-            <dd class="break"></dd>
-<dt id="section-8.3.2-1.17">Applications that use this media type:</dt>
-            <dd style="margin-left: 1.5em" id="section-8.3.2-1.18">
-              <p id="section-8.3.2-1.18.1">Applications that want to issue or facilitate issuance of Privacy Pass tokens,
-including Privacy Pass issuer applications themselves.<a href="#section-8.3.2-1.18.1" class="pilcrow">¶</a></p>
-</dd>
-            <dd class="break"></dd>
-<dt id="section-8.3.2-1.19">Fragment identifier considerations:</dt>
-            <dd style="margin-left: 1.5em" id="section-8.3.2-1.20">
-              <p id="section-8.3.2-1.20.1">N/A<a href="#section-8.3.2-1.20.1" class="pilcrow">¶</a></p>
-</dd>
-            <dd class="break"></dd>
-<dt id="section-8.3.2-1.21">Additional information:</dt>
-            <dd style="margin-left: 1.5em" id="section-8.3.2-1.22">
-              <span class="break"></span><dl class="dlCompact dlParallel" id="section-8.3.2-1.22.1">
-                <dt id="section-8.3.2-1.22.1.1">Magic number(s):</dt>
-                <dd style="margin-left: 1.5em" id="section-8.3.2-1.22.1.2">N/A<a href="#section-8.3.2-1.22.1.2" class="pilcrow">¶</a>
-</dd>
-                <dd class="break"></dd>
-<dt id="section-8.3.2-1.22.1.3">Deprecated alias names for this type:</dt>
-                <dd style="margin-left: 1.5em" id="section-8.3.2-1.22.1.4">N/A<a href="#section-8.3.2-1.22.1.4" class="pilcrow">¶</a>
-</dd>
-                <dd class="break"></dd>
-<dt id="section-8.3.2-1.22.1.5">File extension(s):</dt>
-                <dd style="margin-left: 1.5em" id="section-8.3.2-1.22.1.6">N/A<a href="#section-8.3.2-1.22.1.6" class="pilcrow">¶</a>
-</dd>
-                <dd class="break"></dd>
-<dt id="section-8.3.2-1.22.1.7">Macintosh file type code(s):</dt>
-                <dd style="margin-left: 1.5em" id="section-8.3.2-1.22.1.8">N/A<a href="#section-8.3.2-1.22.1.8" class="pilcrow">¶</a>
-</dd>
-              <dd class="break"></dd>
-</dl>
-</dd>
-            <dd class="break"></dd>
-<dt id="section-8.3.2-1.23">Person and email address to contact for further information:</dt>
-            <dd style="margin-left: 1.5em" id="section-8.3.2-1.24">
-              <p id="section-8.3.2-1.24.1">see Authors' Addresses section<a href="#section-8.3.2-1.24.1" class="pilcrow">¶</a></p>
-</dd>
-            <dd class="break"></dd>
-<dt id="section-8.3.2-1.25">Intended usage:</dt>
-            <dd style="margin-left: 1.5em" id="section-8.3.2-1.26">
-              <p id="section-8.3.2-1.26.1">COMMON<a href="#section-8.3.2-1.26.1" class="pilcrow">¶</a></p>
-</dd>
-            <dd class="break"></dd>
-<dt id="section-8.3.2-1.27">Restrictions on usage:</dt>
-            <dd style="margin-left: 1.5em" id="section-8.3.2-1.28">
-              <p id="section-8.3.2-1.28.1">N/A<a href="#section-8.3.2-1.28.1" class="pilcrow">¶</a></p>
-</dd>
-            <dd class="break"></dd>
-<dt id="section-8.3.2-1.29">Author:</dt>
-            <dd style="margin-left: 1.5em" id="section-8.3.2-1.30">
-              <p id="section-8.3.2-1.30.1">see Authors' Addresses section<a href="#section-8.3.2-1.30.1" class="pilcrow">¶</a></p>
-</dd>
-            <dd class="break"></dd>
-<dt id="section-8.3.2-1.31">Change controller:</dt>
-            <dd style="margin-left: 1.5em" id="section-8.3.2-1.32">
-              <p id="section-8.3.2-1.32.1">IETF<a href="#section-8.3.2-1.32.1" class="pilcrow">¶</a></p>
-</dd>
-          <dd class="break"></dd>
-</dl>
-</section>
-</div>
-<div id="applicationprivate-token-response-media-type">
-<section id="section-8.3.3">
-          <h4 id="name-application-private-token-re">
-<a href="#section-8.3.3" class="section-number selfRef">8.3.3. </a><a href="#name-application-private-token-re" class="section-name selfRef">"application/private-token-response" media type</a>
-          </h4>
-<span class="break"></span><dl class="dlCompact dlParallel" id="section-8.3.3-1">
-            <dt id="section-8.3.3-1.1">Type name:</dt>
-            <dd style="margin-left: 1.5em" id="section-8.3.3-1.2">
-              <p id="section-8.3.3-1.2.1">application<a href="#section-8.3.3-1.2.1" class="pilcrow">¶</a></p>
-</dd>
-            <dd class="break"></dd>
-<dt id="section-8.3.3-1.3">Subtype name:</dt>
-            <dd style="margin-left: 1.5em" id="section-8.3.3-1.4">
-              <p id="section-8.3.3-1.4.1">private-token-response<a href="#section-8.3.3-1.4.1" class="pilcrow">¶</a></p>
-</dd>
-            <dd class="break"></dd>
-<dt id="section-8.3.3-1.5">Required parameters:</dt>
-            <dd style="margin-left: 1.5em" id="section-8.3.3-1.6">
-              <p id="section-8.3.3-1.6.1">N/A<a href="#section-8.3.3-1.6.1" class="pilcrow">¶</a></p>
-</dd>
-            <dd class="break"></dd>
-<dt id="section-8.3.3-1.7">Optional parameters:</dt>
-            <dd style="margin-left: 1.5em" id="section-8.3.3-1.8">
-              <p id="section-8.3.3-1.8.1">N/A<a href="#section-8.3.3-1.8.1" class="pilcrow">¶</a></p>
-</dd>
-            <dd class="break"></dd>
-<dt id="section-8.3.3-1.9">Encoding considerations:</dt>
-            <dd style="margin-left: 1.5em" id="section-8.3.3-1.10">
-              <p id="section-8.3.3-1.10.1">"binary"<a href="#section-8.3.3-1.10.1" class="pilcrow">¶</a></p>
-</dd>
-            <dd class="break"></dd>
-<dt id="section-8.3.3-1.11">Security considerations:</dt>
-            <dd style="margin-left: 1.5em" id="section-8.3.3-1.12">
-              <p id="section-8.3.3-1.12.1">see <a href="#security" class="auto internal xref">Section 7</a><a href="#section-8.3.3-1.12.1" class="pilcrow">¶</a></p>
-</dd>
-            <dd class="break"></dd>
-<dt id="section-8.3.3-1.13">Interoperability considerations:</dt>
-            <dd style="margin-left: 1.5em" id="section-8.3.3-1.14">
-              <p id="section-8.3.3-1.14.1">N/A<a href="#section-8.3.3-1.14.1" class="pilcrow">¶</a></p>
-</dd>
-            <dd class="break"></dd>
-<dt id="section-8.3.3-1.15">Published specification:</dt>
-            <dd style="margin-left: 1.5em" id="section-8.3.3-1.16">
-              <p id="section-8.3.3-1.16.1">this specification<a href="#section-8.3.3-1.16.1" class="pilcrow">¶</a></p>
-</dd>
-            <dd class="break"></dd>
-<dt id="section-8.3.3-1.17">Applications that use this media type:</dt>
-            <dd style="margin-left: 1.5em" id="section-8.3.3-1.18">
-              <p id="section-8.3.3-1.18.1">Applications that want to issue or facilitate issuance of Privacy Pass tokens,
-including Privacy Pass issuer applications themselves.<a href="#section-8.3.3-1.18.1" class="pilcrow">¶</a></p>
-</dd>
-            <dd class="break"></dd>
-<dt id="section-8.3.3-1.19">Fragment identifier considerations:</dt>
-            <dd style="margin-left: 1.5em" id="section-8.3.3-1.20">
-              <p id="section-8.3.3-1.20.1">N/A<a href="#section-8.3.3-1.20.1" class="pilcrow">¶</a></p>
-</dd>
-            <dd class="break"></dd>
-<dt id="section-8.3.3-1.21">Additional information:</dt>
-            <dd style="margin-left: 1.5em" id="section-8.3.3-1.22">
-              <span class="break"></span><dl class="dlCompact dlParallel" id="section-8.3.3-1.22.1">
-                <dt id="section-8.3.3-1.22.1.1">Magic number(s):</dt>
-                <dd style="margin-left: 1.5em" id="section-8.3.3-1.22.1.2">N/A<a href="#section-8.3.3-1.22.1.2" class="pilcrow">¶</a>
-</dd>
-                <dd class="break"></dd>
-<dt id="section-8.3.3-1.22.1.3">Deprecated alias names for this type:</dt>
-                <dd style="margin-left: 1.5em" id="section-8.3.3-1.22.1.4">N/A<a href="#section-8.3.3-1.22.1.4" class="pilcrow">¶</a>
-</dd>
-                <dd class="break"></dd>
-<dt id="section-8.3.3-1.22.1.5">File extension(s):</dt>
-                <dd style="margin-left: 1.5em" id="section-8.3.3-1.22.1.6">N/A<a href="#section-8.3.3-1.22.1.6" class="pilcrow">¶</a>
-</dd>
-                <dd class="break"></dd>
-<dt id="section-8.3.3-1.22.1.7">Macintosh file type code(s):</dt>
-                <dd style="margin-left: 1.5em" id="section-8.3.3-1.22.1.8">N/A<a href="#section-8.3.3-1.22.1.8" class="pilcrow">¶</a>
-</dd>
-              <dd class="break"></dd>
-</dl>
-</dd>
-            <dd class="break"></dd>
-<dt id="section-8.3.3-1.23">Person and email address to contact for further information:</dt>
-            <dd style="margin-left: 1.5em" id="section-8.3.3-1.24">
-              <p id="section-8.3.3-1.24.1">see Authors' Addresses section<a href="#section-8.3.3-1.24.1" class="pilcrow">¶</a></p>
-</dd>
-            <dd class="break"></dd>
-<dt id="section-8.3.3-1.25">Intended usage:</dt>
-            <dd style="margin-left: 1.5em" id="section-8.3.3-1.26">
-              <p id="section-8.3.3-1.26.1">COMMON<a href="#section-8.3.3-1.26.1" class="pilcrow">¶</a></p>
-</dd>
-            <dd class="break"></dd>
-<dt id="section-8.3.3-1.27">Restrictions on usage:</dt>
-            <dd style="margin-left: 1.5em" id="section-8.3.3-1.28">
-              <p id="section-8.3.3-1.28.1">N/A<a href="#section-8.3.3-1.28.1" class="pilcrow">¶</a></p>
-</dd>
-            <dd class="break"></dd>
-<dt id="section-8.3.3-1.29">Author:</dt>
-            <dd style="margin-left: 1.5em" id="section-8.3.3-1.30">
-              <p id="section-8.3.3-1.30.1">see Authors' Addresses section<a href="#section-8.3.3-1.30.1" class="pilcrow">¶</a></p>
-</dd>
-            <dd class="break"></dd>
-<dt id="section-8.3.3-1.31">Change controller:</dt>
-            <dd style="margin-left: 1.5em" id="section-8.3.3-1.32">
-              <p id="section-8.3.3-1.32.1">IETF<a href="#section-8.3.3-1.32.1" class="pilcrow">¶</a></p>
-</dd>
-          <dd class="break"></dd>
-</dl>
-</section>
-</div>
-</section>
-</div>
-</section>
-</div>
-<section id="section-9">
-      <h2 id="name-references">
-<a href="#section-9" class="section-number selfRef">9. </a><a href="#name-references" class="section-name selfRef">References</a>
-      </h2>
-<div id="sec-normative-references">
-<section id="section-9.1">
-        <h3 id="name-normative-references">
-<a href="#section-9.1" class="section-number selfRef">9.1. </a><a href="#name-normative-references" class="section-name selfRef">Normative References</a>
-        </h3>
-<dl class="references">
-<dt id="ARCHITECTURE">[ARCHITECTURE]</dt>
-        <dd>
-<span class="refAuthor">Davidson, A.</span>, <span class="refAuthor">Iyengar, J.</span>, and <span class="refAuthor">C. A. Wood</span>, <span class="refTitle">"The Privacy Pass Architecture"</span>, <span class="refContent">Work in Progress</span>, <span class="seriesInfo">Internet-Draft, draft-ietf-privacypass-architecture-16</span>, <time datetime="2023-09-25" class="refDate">25 September 2023</time>, <span>&lt;<a href="https://datatracker.ietf.org/doc/html/draft-ietf-privacypass-architecture-16">https://datatracker.ietf.org/doc/html/draft-ietf-privacypass-architecture-16</a>&gt;</span>. </dd>
-<dd class="break"></dd>
-<dt id="AUTHSCHEME">[AUTHSCHEME]</dt>
-        <dd>
-<span class="refAuthor">Pauly, T.</span>, <span class="refAuthor">Valdez, S.</span>, and <span class="refAuthor">C. A. Wood</span>, <span class="refTitle">"The Privacy Pass HTTP Authentication Scheme"</span>, <span class="refContent">Work in Progress</span>, <span class="seriesInfo">Internet-Draft, draft-ietf-privacypass-auth-scheme-14</span>, <time datetime="2023-09-25" class="refDate">25 September 2023</time>, <span>&lt;<a href="https://datatracker.ietf.org/doc/html/draft-ietf-privacypass-auth-scheme-14">https://datatracker.ietf.org/doc/html/draft-ietf-privacypass-auth-scheme-14</a>&gt;</span>. </dd>
-<dd class="break"></dd>
-<dt id="BLINDRSA">[BLINDRSA]</dt>
-        <dd>
-<span class="refAuthor">Denis, F.</span>, <span class="refAuthor">Jacobs, F.</span>, and <span class="refAuthor">C. A. Wood</span>, <span class="refTitle">"RSA Blind Signatures"</span>, <span class="refContent">Work in Progress</span>, <span class="seriesInfo">Internet-Draft, draft-irtf-cfrg-rsa-blind-signatures-14</span>, <time datetime="2023-07-10" class="refDate">10 July 2023</time>, <span>&lt;<a href="https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-rsa-blind-signatures-14">https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-rsa-blind-signatures-14</a>&gt;</span>. </dd>
-<dd class="break"></dd>
-<dt id="HTTP">[HTTP]</dt>
-        <dd>
-<span class="refAuthor">Fielding, R., Ed.</span>, <span class="refAuthor">Nottingham, M., Ed.</span>, and <span class="refAuthor">J. Reschke, Ed.</span>, <span class="refTitle">"HTTP Semantics"</span>, <span class="seriesInfo">STD 97</span>, <span class="seriesInfo">RFC 9110</span>, <span class="seriesInfo">DOI 10.17487/RFC9110</span>, <time datetime="2022-06" class="refDate">June 2022</time>, <span>&lt;<a href="https://www.rfc-editor.org/rfc/rfc9110">https://www.rfc-editor.org/rfc/rfc9110</a>&gt;</span>. </dd>
-<dd class="break"></dd>
-<dt id="OPRF">[OPRF]</dt>
-        <dd>
-<span class="refAuthor">Davidson, A.</span>, <span class="refAuthor">Faz-Hernandez, A.</span>, <span class="refAuthor">Sullivan, N.</span>, and <span class="refAuthor">C. A. Wood</span>, <span class="refTitle">"Oblivious Pseudorandom Functions (OPRFs) using Prime-Order Groups"</span>, <span class="refContent">Work in Progress</span>, <span class="seriesInfo">Internet-Draft, draft-irtf-cfrg-voprf-21</span>, <time datetime="2023-02-21" class="refDate">21 February 2023</time>, <span>&lt;<a href="https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-voprf-21">https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-voprf-21</a>&gt;</span>. </dd>
-<dd class="break"></dd>
-<dt id="RFC2119">[RFC2119]</dt>
-        <dd>
-<span class="refAuthor">Bradner, S.</span>, <span class="refTitle">"Key words for use in RFCs to Indicate Requirement Levels"</span>, <span class="seriesInfo">BCP 14</span>, <span class="seriesInfo">RFC 2119</span>, <span class="seriesInfo">DOI 10.17487/RFC2119</span>, <time datetime="1997-03" class="refDate">March 1997</time>, <span>&lt;<a href="https://www.rfc-editor.org/rfc/rfc2119">https://www.rfc-editor.org/rfc/rfc2119</a>&gt;</span>. </dd>
-<dd class="break"></dd>
-<dt id="RFC4648">[RFC4648]</dt>
-        <dd>
-<span class="refAuthor">Josefsson, S.</span>, <span class="refTitle">"The Base16, Base32, and Base64 Data Encodings"</span>, <span class="seriesInfo">RFC 4648</span>, <span class="seriesInfo">DOI 10.17487/RFC4648</span>, <time datetime="2006-10" class="refDate">October 2006</time>, <span>&lt;<a href="https://www.rfc-editor.org/rfc/rfc4648">https://www.rfc-editor.org/rfc/rfc4648</a>&gt;</span>. </dd>
-<dd class="break"></dd>
-<dt id="RFC5756">[RFC5756]</dt>
-        <dd>
-<span class="refAuthor">Turner, S.</span>, <span class="refAuthor">Brown, D.</span>, <span class="refAuthor">Yiu, K.</span>, <span class="refAuthor">Housley, R.</span>, and <span class="refAuthor">T. Polk</span>, <span class="refTitle">"Updates for RSAES-OAEP and RSASSA-PSS Algorithm Parameters"</span>, <span class="seriesInfo">RFC 5756</span>, <span class="seriesInfo">DOI 10.17487/RFC5756</span>, <time datetime="2010-01" class="refDate">January 2010</time>, <span>&lt;<a href="https://www.rfc-editor.org/rfc/rfc5756">https://www.rfc-editor.org/rfc/rfc5756</a>&gt;</span>. </dd>
-<dd class="break"></dd>
-<dt id="RFC5861">[RFC5861]</dt>
-        <dd>
-<span class="refAuthor">Nottingham, M.</span>, <span class="refTitle">"HTTP Cache-Control Extensions for Stale Content"</span>, <span class="seriesInfo">RFC 5861</span>, <span class="seriesInfo">DOI 10.17487/RFC5861</span>, <time datetime="2010-05" class="refDate">May 2010</time>, <span>&lt;<a href="https://www.rfc-editor.org/rfc/rfc5861">https://www.rfc-editor.org/rfc/rfc5861</a>&gt;</span>. </dd>
-<dd class="break"></dd>
-<dt id="RFC8017">[RFC8017]</dt>
-        <dd>
-<span class="refAuthor">Moriarty, K., Ed.</span>, <span class="refAuthor">Kaliski, B.</span>, <span class="refAuthor">Jonsson, J.</span>, and <span class="refAuthor">A. Rusch</span>, <span class="refTitle">"PKCS #1: RSA Cryptography Specifications Version 2.2"</span>, <span class="seriesInfo">RFC 8017</span>, <span class="seriesInfo">DOI 10.17487/RFC8017</span>, <time datetime="2016-11" class="refDate">November 2016</time>, <span>&lt;<a href="https://www.rfc-editor.org/rfc/rfc8017">https://www.rfc-editor.org/rfc/rfc8017</a>&gt;</span>. </dd>
-<dd class="break"></dd>
-<dt id="RFC8174">[RFC8174]</dt>
-        <dd>
-<span class="refAuthor">Leiba, B.</span>, <span class="refTitle">"Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words"</span>, <span class="seriesInfo">BCP 14</span>, <span class="seriesInfo">RFC 8174</span>, <span class="seriesInfo">DOI 10.17487/RFC8174</span>, <time datetime="2017-05" class="refDate">May 2017</time>, <span>&lt;<a href="https://www.rfc-editor.org/rfc/rfc8174">https://www.rfc-editor.org/rfc/rfc8174</a>&gt;</span>. </dd>
-<dd class="break"></dd>
-<dt id="RFC8259">[RFC8259]</dt>
-        <dd>
-<span class="refAuthor">Bray, T., Ed.</span>, <span class="refTitle">"The JavaScript Object Notation (JSON) Data Interchange Format"</span>, <span class="seriesInfo">STD 90</span>, <span class="seriesInfo">RFC 8259</span>, <span class="seriesInfo">DOI 10.17487/RFC8259</span>, <time datetime="2017-12" class="refDate">December 2017</time>, <span>&lt;<a href="https://www.rfc-editor.org/rfc/rfc8259">https://www.rfc-editor.org/rfc/rfc8259</a>&gt;</span>. </dd>
-<dd class="break"></dd>
-<dt id="RFC9111">[RFC9111]</dt>
-        <dd>
-<span class="refAuthor">Fielding, R., Ed.</span>, <span class="refAuthor">Nottingham, M., Ed.</span>, and <span class="refAuthor">J. Reschke, Ed.</span>, <span class="refTitle">"HTTP Caching"</span>, <span class="seriesInfo">STD 98</span>, <span class="seriesInfo">RFC 9111</span>, <span class="seriesInfo">DOI 10.17487/RFC9111</span>, <time datetime="2022-06" class="refDate">June 2022</time>, <span>&lt;<a href="https://www.rfc-editor.org/rfc/rfc9111">https://www.rfc-editor.org/rfc/rfc9111</a>&gt;</span>. </dd>
-<dd class="break"></dd>
-<dt id="TIMESTAMP">[TIMESTAMP]</dt>
-        <dd>
-<span class="refAuthor">Mizrahi, T.</span>, <span class="refAuthor">Fabini, J.</span>, and <span class="refAuthor">A. Morton</span>, <span class="refTitle">"Guidelines for Defining Packet Timestamps"</span>, <span class="seriesInfo">RFC 8877</span>, <span class="seriesInfo">DOI 10.17487/RFC8877</span>, <time datetime="2020-09" class="refDate">September 2020</time>, <span>&lt;<a href="https://www.rfc-editor.org/rfc/rfc8877">https://www.rfc-editor.org/rfc/rfc8877</a>&gt;</span>. </dd>
-<dd class="break"></dd>
-<dt id="TLS13">[TLS13]</dt>
-        <dd>
-<span class="refAuthor">Rescorla, E.</span>, <span class="refTitle">"The Transport Layer Security (TLS) Protocol Version 1.3"</span>, <span class="seriesInfo">RFC 8446</span>, <span class="seriesInfo">DOI 10.17487/RFC8446</span>, <time datetime="2018-08" class="refDate">August 2018</time>, <span>&lt;<a href="https://www.rfc-editor.org/rfc/rfc8446">https://www.rfc-editor.org/rfc/rfc8446</a>&gt;</span>. </dd>
-<dd class="break"></dd>
-<dt id="WellKnownURIs">[WellKnownURIs]</dt>
-      <dd>
-<span class="refTitle">"Well-Known URIs"</span>, <span>n.d.</span>, <span>&lt;<a href="https://www.iana.org/assignments/well-known-uris/well-known-uris.xhtml">https://www.iana.org/assignments/well-known-uris/well-known-uris.xhtml</a>&gt;</span>. </dd>
-<dd class="break"></dd>
-</dl>
-</section>
-</div>
-<div id="sec-informative-references">
-<section id="section-9.2">
-        <h3 id="name-informative-references">
-<a href="#section-9.2" class="section-number selfRef">9.2. </a><a href="#name-informative-references" class="section-name selfRef">Informative References</a>
-        </h3>
-<dl class="references">
-<dt id="CONSISTENCY">[CONSISTENCY]</dt>
-        <dd>
-<span class="refAuthor">Davidson, A.</span>, <span class="refAuthor">Finkel, M.</span>, <span class="refAuthor">Thomson, M.</span>, and <span class="refAuthor">C. A. Wood</span>, <span class="refTitle">"Key Consistency and Discovery"</span>, <span class="refContent">Work in Progress</span>, <span class="seriesInfo">Internet-Draft, draft-ietf-privacypass-key-consistency-01</span>, <time datetime="2023-07-10" class="refDate">10 July 2023</time>, <span>&lt;<a href="https://datatracker.ietf.org/doc/html/draft-ietf-privacypass-key-consistency-01">https://datatracker.ietf.org/doc/html/draft-ietf-privacypass-key-consistency-01</a>&gt;</span>. </dd>
-<dd class="break"></dd>
-<dt id="DSS">[DSS]</dt>
-        <dd>
-<span class="refAuthor">Moody, D.</span>, <span class="refTitle">"Digital Signature Standard (DSS)"</span>, <span class="refContent">National Institute of Standards and Technology</span>, <span class="seriesInfo">DOI 10.6028/nist.fips.186-5</span>, <time datetime="2023" class="refDate">2023</time>, <span>&lt;<a href="https://doi.org/10.6028/nist.fips.186-5">https://doi.org/10.6028/nist.fips.186-5</a>&gt;</span>. </dd>
-<dd class="break"></dd>
-<dt id="RFC5280">[RFC5280]</dt>
-      <dd>
-<span class="refAuthor">Cooper, D.</span>, <span class="refAuthor">Santesson, S.</span>, <span class="refAuthor">Farrell, S.</span>, <span class="refAuthor">Boeyen, S.</span>, <span class="refAuthor">Housley, R.</span>, and <span class="refAuthor">W. Polk</span>, <span class="refTitle">"Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile"</span>, <span class="seriesInfo">RFC 5280</span>, <span class="seriesInfo">DOI 10.17487/RFC5280</span>, <time datetime="2008-05" class="refDate">May 2008</time>, <span>&lt;<a href="https://www.rfc-editor.org/rfc/rfc5280">https://www.rfc-editor.org/rfc/rfc5280</a>&gt;</span>. </dd>
-<dd class="break"></dd>
-</dl>
-</section>
-</div>
-</section>
-<div id="acknowledgements">
-<section id="appendix-A">
-      <h2 id="name-acknowledgements">
-<a href="#appendix-A" class="section-number selfRef">Appendix A. </a><a href="#name-acknowledgements" class="section-name selfRef">Acknowledgements</a>
-      </h2>
-<p id="appendix-A-1">The authors of this document would like to acknowledge the helpful
-feedback and discussions from Benjamin Schwartz, Joseph Salowey,
-and Tara Whalen.<a href="#appendix-A-1" class="pilcrow">¶</a></p>
-</section>
-</div>
-<div id="test-vectors">
-<section id="appendix-B">
-      <h2 id="name-test-vectors">
-<a href="#appendix-B" class="section-number selfRef">Appendix B. </a><a href="#name-test-vectors" class="section-name selfRef">Test Vectors</a>
-      </h2>
-<p id="appendix-B-1">This section includes test vectors for the two basic issuance protocols
-specified in this document. <a href="#test-vectors-poprf" class="auto internal xref">Appendix B.1</a> contains test vectors
-for token issuance protocol 1 (0x0001), and <a href="#test-vectors-rsa" class="auto internal xref">Appendix B.2</a> contains
-test vectors for token issuance protocol 2 (0x0002).<a href="#appendix-B-1" class="pilcrow">¶</a></p>
-<div id="test-vectors-poprf">
-<section id="appendix-B.1">
-        <h3 id="name-issuance-protocol-1-voprfp-">
-<a href="#appendix-B.1" class="section-number selfRef">B.1. </a><a href="#name-issuance-protocol-1-voprfp-" class="section-name selfRef">Issuance Protocol 1 - VOPRF(P-384, SHA-384)</a>
-        </h3>
-<p id="appendix-B.1-1">The test vector below lists the following values:<a href="#appendix-B.1-1" class="pilcrow">¶</a></p>
-<ul class="normal">
-<li class="normal" id="appendix-B.1-2.1">
-            <p id="appendix-B.1-2.1.1">skS: The Issuer Private Key, serialized using SerializeScalar from
-<span><a href="https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-voprf-21#section-2.1" class="relref">Section 2.1</a> of [<a href="#OPRF" class="cite xref">OPRF</a>]</span> and represented as a hexadecimal string.<a href="#appendix-B.1-2.1.1" class="pilcrow">¶</a></p>
-</li>
-          <li class="normal" id="appendix-B.1-2.2">
-            <p id="appendix-B.1-2.2.1">pkS: The Issuer Public Key, serialized according to the encoding in <a href="#private-token-type" class="auto internal xref">Section 8.2.1</a>.<a href="#appendix-B.1-2.2.1" class="pilcrow">¶</a></p>
-</li>
-          <li class="normal" id="appendix-B.1-2.3">
-            <p id="appendix-B.1-2.3.1">token_challenge: A randomly generated TokenChallenge structure, represented
-as a hexadecimal string.<a href="#appendix-B.1-2.3.1" class="pilcrow">¶</a></p>
-</li>
-          <li class="normal" id="appendix-B.1-2.4">
-            <p id="appendix-B.1-2.4.1">nonce: The 32-byte client nonce generated according to <a href="#private-request" class="auto internal xref">Section 5.1</a>,
-represented as a hexadecimal string.<a href="#appendix-B.1-2.4.1" class="pilcrow">¶</a></p>
-</li>
-          <li class="normal" id="appendix-B.1-2.5">
-            <p id="appendix-B.1-2.5.1">blind: The blind used when computing the OPRF blinded message, serialized
-using SerializeScalar from <span><a href="https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-voprf-21#section-2.1" class="relref">Section 2.1</a> of [<a href="#OPRF" class="cite xref">OPRF</a>]</span> and represented as a
-hexadecimal string.<a href="#appendix-B.1-2.5.1" class="pilcrow">¶</a></p>
-</li>
-          <li class="normal" id="appendix-B.1-2.6">
-            <p id="appendix-B.1-2.6.1">token_request: The TokenRequest message constructed according to
-<a href="#private-request" class="auto internal xref">Section 5.1</a>, represented as a hexadecimal string.<a href="#appendix-B.1-2.6.1" class="pilcrow">¶</a></p>
-</li>
-          <li class="normal" id="appendix-B.1-2.7">
-            <p id="appendix-B.1-2.7.1">token_response: The TokenResponse message constructed according to
-<a href="#private-response" class="auto internal xref">Section 5.2</a>, represented as a hexadecimal string.<a href="#appendix-B.1-2.7.1" class="pilcrow">¶</a></p>
-</li>
-          <li class="normal" id="appendix-B.1-2.8">
-            <p id="appendix-B.1-2.8.1">token: The output Token from the protocol, represented as a hexadecimal
-string.<a href="#appendix-B.1-2.8.1" class="pilcrow">¶</a></p>
-</li>
-        </ul>
-<div class="alignLeft art-text artwork" id="appendix-B.1-3">
-<pre>
-// Test vector 1
-skS: 39b0d04d3732459288fc5edb89bb02c2aa42e06709f201d6c518871d5181
-14910bee3c919bed1bbffe3fc1b87d53240a
-pkS: 02d45bf522425cdd2227d3f27d245d9d563008829252172d34e48469290c
-21da1a46d42ca38f7beabdf05c074aee1455bf
-token_challenge: 0001000e6973737565722e6578616d706c65205de58a52fc
-daef25ca3f65448d04e040fb1924e8264acfccfc6c5ad451d582b3000e6f72696
-7696e2e6578616d706c65
-nonce:
-6aa422c41b59d3e44a136dd439df2454e3587ee5f3697798cdc05fafe73073b8
-blind: 8e7fd80970b8a00b0931b801a2e22d9903d83bd5597c6a4dc1496ed2b1
-7ef820445ef3bd223f3ab2c4f54c5d1c956909
-token_request: 0001f4030ab3e23181d1e213f24315f5775983c678ce22eff9
-427610832ab3900f2cd12d6829a07ec8a6813cf0b5b886f4cc4979
-token_response: 036bb3c5c397d88c3527cf9f08f1fe63687b867e85c930c49
-ee2c222408d4903722a19ff272ac97e3725b947c972784ebfe86eb9ea54336e43
-34ea9660212c0c85fbadfbf491a1ce2446fc3379337fccd45c1059b2bc760110e
-e1ec227d8e01c9f482c00c47ffa0dbe2fb58c32dde2b1dbe69fff920a528e68dd
-9b3c2483848e57c30542b8984fa6bfecd6d71d54d53eda
-token: 00016aa422c41b59d3e44a136dd439df2454e3587ee5f3697798cdc05f
-afe73073b8501370b494089dc462802af545e63809581ee6ef57890a12105c283
-68169514bf260d0792bf7f46c9866a6d37c3032d8714415f87f5f6903d7fb071e
-253be2f4e0a835d76528b8444f73789ee7dc90715b01c17902fd87375c00a7a9d
-3d92540437f470773be20f71e721da3af40edeb
-
-// Test vector 2
-skS: 39efed331527cc4ddff9722ab5cd35aeafe7c27520b0cfa2eedbdc298dc3
-b12bc8298afcc46558af1e2eeacc5307d865
-pkS: 038017e005904c6146b37109d6c2a72b95a183aaa9ed951b8d8fb1ed9033
-f68033284d175e7df89849475cd67a86bfbf4e
-token_challenge: 0001000e6973737565722e6578616d706c6500000e6f7269
-67696e2e6578616d706c65
-nonce:
-7617bc802cfdb5d74722ef7418bdbb4f2c88403820e55fe7ec07d3190c29d665
-blind: 6492ee50072fa18d035d69c4246362dffe2621afb95a10c033bb0109e0
-f705b0437c425553272e0aa5266ec379e7015e
-token_request: 000133033a5fe04a39da1bbfb68ccdeecd1917474dd525462e
-5a90a6ba53b42aaa1486fe443a2e1c7f3fd5ff028a1c7cf1aeac5d
-token_response: 023bf8cd624880d669c5cc6c88b056355c6e8e1bcbf3746cf
-b9ab9248a4c056f23a4876ef998a8b6b281d50f852c6fa868fc4fa135c79ccb5f
-bdf8bf3c926e10c7c12f934a887d86da4a4e5be70f5a169aa75720887bb690536
-92a8f11f9cda7a72f281e4e3568e848225367946c70db09e718e3cba16193987b
-c10bede3ef54c4d036c17cd4015bb113be60d7aa927e0d
-token: 00017617bc802cfdb5d74722ef7418bdbb4f2c88403820e55fe7ec07d3
-190c29d665c994f7d5cdc2fb970b13d4e8eb6e6d8f9dcdaa65851fb091025dfe1
-34bd5a62a116477bc9e1a205cca95d0c92335ca7a3e71063b2ac020bdd231c660
-97f12333ef438d00801bca5ace0fab8eb483dc04cd62578b95b5652921cd2698c
-45ea74f6c8827b4e19f01140fa5bd039866f562
-
-// Test vector 3
-skS: 2b7709595b62b784f14946ae828f65e6caeba6eefe732c86e9ae50e818c0
-55b3d7ca3a5f2beecaa859a62ff7199d35cc
-pkS: 03a0de1bf3fd0a73384283b648884ba9fa5dee190f9d7ad4292c2fd49d8b
-4d64db674059df67f5bd7e626475c78934ae8d
-token_challenge: 0001000e6973737565722e6578616d706c65000017666f6f
-2e6578616d706c652c6261722e6578616d706c65
-nonce:
-87499b5930918d2d83ecebf92d25ca0722aa11b80dbbfd950537c28aa7d3a9df
-blind: 1f659584626ba15f44f3d887b2e5fe4c27315b185dfbfaea4253ebba30
-610c4d9b73c78714c142360e85a00942c0fcff
-token_request: 0001c8024610a9f3aac21090f3079d6809437a2b94b4403c7e
-645f849bc6c505dade154c258c8ecd4d2bdcf574daca65db671908
-token_response: 03c2ab925d03e7793b4a4df6eb505210139f620359e142449
-1b8143c06a3e5298b25b662c33256411be7277233e1a34570f7a4d142d931e4b5
-ff8829e27aaf7eb2cc7f9ab655477d71c01d5da5aef44dd076b5820b4710ef025
-a9e6c6b50a95af6105c5987c1b834d615008cf6370556ed00c6671e69776c09a9
-2b5ac84804750dd867c78817bdf69f1443002b18ae7a52
-token: 000187499b5930918d2d83ecebf92d25ca0722aa11b80dbbfd950537c2
-8aa7d3a9df1949fd455872478ba87e2e6c513c3261cddbe57220581245e4c9c91
-1dd1c0bb865785bff8f3cfe08cccbb3a7b8e41d23a172871be4828cc54582d87b
-c7cfc5c8bcedc1868ebc845b000c317ed75312274a42b10be6db23bd8a168fd2f
-021c23925d72c4d14cd7588c03845da0d41a326
-
-// Test vector 4
-skS: 22e237b7b983d77474e4495aff2fc1e10422b1d955192e0fbf2b7b618fba
-625fcb94b599da9113da49c495a48fbf7f7f
-pkS: 028cd68715caa20d19b2b20d017d6a0a42b9f2b0a47db65e5e763e23744f
-e14d74e374bbc93a2ec3970eb53c8aa765ee21
-token_challenge: 0001000e6973737565722e6578616d706c65000000
-nonce:
-02f0a206752d555a24924f2da5942a1bb4cb2d83ff473aa8b2bc3a89e820cd43
-blind: af91d1dbcf6b46baecde70eb305b8fe75629199cca19c7f9344b8607b9
-0def27bc53e0345ade32c9fd0a1efda056d1c0
-token_request: 0001a503632ebb003ed15b6de4557c047c7f81a58688143331
-2ad3ad7f9416f2dfc940d3f439ad1e8cd677d94ae7c05bc958d134
-token_response: 032018bc3f180d9650e27f72de76a90b47e336ae9cb058548
-d851c7046fa0875d96346c15cb39d8083cc6fb57216544c6a815c37d792769e12
-9c0513ce2034c3286cb212548f4aed1b0f71b28e219a71874a93e53ab2f473282
-71d1e9cbefc197a4f599a6825051fa1c6e55450042f04182b86c9cf12477a9f16
-849396c051fa27012e81a86e6c4a9204a063f1e1722dd7
-token: 000102f0a206752d555a24924f2da5942a1bb4cb2d83ff473aa8b2bc3a
-89e820cd43085cb06952044c7655b412ab7d484c97b97c48c79c568140b8d49a0
-2ca47a9cfb0a5cfb861290c4dbd8fd9b60ee9b1a1a54cf47c98531fe253f1ed6d
-875de5a58f42db12b540b0d11bc5d6b42e6d17c2b73e98631e54d40fd2901ebec
-4268668535b03cbf76f7f15a29d623a64cab0c4
-
-// Test vector 5
-skS: 46f3d4f562002b85ffcfdb4d06835fb9b2e24372861ecaa11357fd1f29f9
-ed26e44715549ccedeb39257f095110f0159
-pkS: 02fbe9da0b7cabe3ec51c36c8487b10909142b59af030c728a5e87bb3b30
-f54c06415d22e03d9212bd3d9a17d5520d4d0f
-token_challenge: 0001000e6973737565722e6578616d706c65205de58a52fc
-daef25ca3f65448d04e040fb1924e8264acfccfc6c5ad451d582b30000
-nonce:
-9ee54942d8a1604452a76856b1bfaf1cd608e1e3fa38acfd9f13e84483c90e89
-blind: 76e0938e824b6cda6c163ff55d0298d539e222ed3984f4e31bbb654a8c
-59671d4e0a7e264ca758cd0f4b533e0f60c5aa
-token_request: 0001e10202bc92ac516c867f39399d71976018db52fcab5403
-f8534a65677ba9e1e7d9b1d01767d137884c86cf5fe698c2f5d8e9
-token_response: 0322ea3856a71533796393229b33d33c02cd714e40d5aa4e0
-71f056276f32f89c09947eca8ff119d940d9d57c2fcbd83d2da494ddeb37dc1f6
-78e5661a8e7bcc96b3477eb89d708b0ce10e0ea1b5ce0001f9332f743c0cc3d47
-48233fea6d3152fae7844821268eb96ba491f60b1a3a848849310a39e9ef59121
-669aa5d5dbb4b4deb532d2f907a01c5b39efaf23985080
-token: 00019ee54942d8a1604452a76856b1bfaf1cd608e1e3fa38acfd9f13e8
-4483c90e89d4380df12a1727f4e2ca1ee0d7abea0d0fb1e9506507a4dd618f9b8
-7e79f9f3521a7c9134d6722925bf622a994041cdb1b082cdf1309af32f0ce00ca
-1dab63e1b603747a8a5c3b46c7c2853de5ec7af8cac7cf3e089cecdc9ed3ff05c
-d24504fe4f6c52d24ac901471267d8b63b61e6b
-</pre><a href="#appendix-B.1-3" class="pilcrow">¶</a>
-</div>
-</section>
-</div>
-<div id="test-vectors-rsa">
-<section id="appendix-B.2">
-        <h3 id="name-issuance-protocol-2-blind-r">
-<a href="#appendix-B.2" class="section-number selfRef">B.2. </a><a href="#name-issuance-protocol-2-blind-r" class="section-name selfRef">Issuance Protocol 2 - Blind RSA, 2048</a>
-        </h3>
-<p id="appendix-B.2-1">The test vector below lists the following values:<a href="#appendix-B.2-1" class="pilcrow">¶</a></p>
-<ul class="normal">
-<li class="normal" id="appendix-B.2-2.1">
-            <p id="appendix-B.2-2.1.1">skS: The PEM-encoded PKCS#8 RSA Issuer Private Key used for signing tokens,
-represented as a hexadecimal string.<a href="#appendix-B.2-2.1.1" class="pilcrow">¶</a></p>
-</li>
-          <li class="normal" id="appendix-B.2-2.2">
-            <p id="appendix-B.2-2.2.1">pkS: The Issuer Public Key, serialized according to the encoding in <a href="#public-token-type" class="auto internal xref">Section 8.2.2</a>.<a href="#appendix-B.2-2.2.1" class="pilcrow">¶</a></p>
-</li>
-          <li class="normal" id="appendix-B.2-2.3">
-            <p id="appendix-B.2-2.3.1">token_challenge: A randomly generated TokenChallenge structure, represented
-as a hexadecimal string.<a href="#appendix-B.2-2.3.1" class="pilcrow">¶</a></p>
-</li>
-          <li class="normal" id="appendix-B.2-2.4">
-            <p id="appendix-B.2-2.4.1">nonce: The 32-byte client nonce generated according to <a href="#public-request" class="auto internal xref">Section 6.1</a>,
-represented as a hexadecimal string.<a href="#appendix-B.2-2.4.1" class="pilcrow">¶</a></p>
-</li>
-          <li class="normal" id="appendix-B.2-2.5">
-            <p id="appendix-B.2-2.5.1">blind: The blind used when computing the blind RSA blinded message,
-represented as a hexadecimal string.<a href="#appendix-B.2-2.5.1" class="pilcrow">¶</a></p>
-</li>
-          <li class="normal" id="appendix-B.2-2.6">
-            <p id="appendix-B.2-2.6.1">salt: The randomly generated 48-byte salt used when encoding the blinded
-token request message, represented as a hexadecimal string.<a href="#appendix-B.2-2.6.1" class="pilcrow">¶</a></p>
-</li>
-          <li class="normal" id="appendix-B.2-2.7">
-            <p id="appendix-B.2-2.7.1">token_request: The TokenRequest message constructed according to
-<a href="#public-request" class="auto internal xref">Section 6.1</a>, represented as a hexadecimal string.<a href="#appendix-B.2-2.7.1" class="pilcrow">¶</a></p>
-</li>
-          <li class="normal" id="appendix-B.2-2.8">
-            <p id="appendix-B.2-2.8.1">token_request: The TokenResponse message constructed according to
-<a href="#public-response" class="auto internal xref">Section 6.2</a>, represented as a hexadecimal string.<a href="#appendix-B.2-2.8.1" class="pilcrow">¶</a></p>
-</li>
-          <li class="normal" id="appendix-B.2-2.9">
-            <p id="appendix-B.2-2.9.1">token: The output Token from the protocol, represented as a hexadecimal
-string.<a href="#appendix-B.2-2.9.1" class="pilcrow">¶</a></p>
-</li>
-        </ul>
-<div class="alignLeft art-text artwork" id="appendix-B.2-3">
-<pre>
-// Test vector 1
-skS: 2d2d2d2d2d424547494e2050524956415445204b45592d2d2d2d2d0a4d49
-4945765149424144414e42676b71686b6947397730424151454641415343424b6
-3776767536a41674541416f49424151444c4775317261705831736334420a4f6b
-7a38717957355379356b6f6a41303543554b66717444774e38366a424b5a4f764
-57245526b49314c527876734d6453327961326333616b4745714c756b440a556a
-35743561496b3172417643655844644e44503442325055707851436e6969396e6
-b492b6d67725769744444494871386139793137586e6c5079596f784f530a646f
-6558563835464f314a752b62397336356d586d34516a755139455961497138337
-1724450567a50335758712b524e4d636379323269686763624c766d42390a6a41
-355334475666325a6c74785954736f4c364872377a58696a4e394637486271656
-76f753967654b524d584645352f2b4a3956595a634a734a624c756570480a544f
-72535a4d4948502b5358514d4166414f454a4547426d6d4430683566672f43473
-475676a79486e4e51383733414e4b6a55716d3676574574413872514c620a4530
-742b496c706641674d4241414543676745414c7a4362647a69316a506435384d6
-b562b434c6679665351322b7266486e7266724665502f566344787275690a3270
-316153584a596962653645532b4d622f4d4655646c485067414c7731785134576
-57266366336444373686c6c784c57535638477342737663386f364750320a6359
-366f777042447763626168474b556b5030456b62395330584c4a5763475347356
-1556e484a585237696e7834635a6c666f4c6e7245516536685578734d710a6230
-644878644844424d644766565777674b6f6a4f6a70532f39386d4555793756422
-f3661326c7265676c766a632f326e4b434b7459373744376454716c47460a787a
-414261577538364d435a342f5131334c762b426566627174493973715a5a776a7
-264556851483856437872793251564d515751696e57684174364d7154340a5342
-5354726f6c5a7a7772716a65384d504a393175614e4d6458474c63484c4932367
-3587a76374b53514b42675144766377735055557641395a325a583958350a6d49
-784d54424e6445467a56625550754b4b413179576e31554d444e63556a71682b7
-a652f376b337946786b68305146333162713630654c393047495369414f0a354b
-4f574d39454b6f2b7841513262614b314d664f5931472b386a7a4258557042733
-9346b353353383879586d4b366e796467763730424a385a6835666b55710a5732
-306f5362686b686a5264537a48326b52476972672b5553774b426751445a4a4d6
-e7279324578612f3345713750626f737841504d69596e6b354a415053470a7932
-7a305a375455622b7548514f2f2b78504d376e433075794c494d44396c61544d4
-8776e3673372f4c62476f455031575267706f59482f4231346b2f526e360a6675
-77524e3632496f397463392b41434c745542377674476179332b6752775974534
-33262356564386c4969656774546b6561306830754453527841745673330a6e35
-6b796132513976514b4267464a75467a4f5a742b7467596e576e5155456757385
-0304f494a45484d45345554644f637743784b7248527239334a6a7546320a4533
-77644b6f546969375072774f59496f614a5468706a50634a62626462664b792b6
-e735170315947763977644a724d6156774a6376497077563676315570660a5674
-4c61646d316c6b6c7670717336474e4d386a6e4d30587833616a6d6d6e6665573
-9794758453570684d727a4c4a6c394630396349324c416f4742414e58760a7567
-5658727032627354316f6b6436755361427367704a6a5065774e526433635a4b3
-97a306153503144544131504e6b7065517748672f2b36665361564f487a0a7941
-7844733968355272627852614e6673542b7241554837783153594456565159564
-d68555262546f5a6536472f6a716e544333664e6648563178745a666f740a306c
-6f4d4867776570362b53494d436f6565325a6374755a5633326c6349616639726
-2484f633764416f47416551386b3853494c4e4736444f413331544535500a6d30
-31414a49597737416c5233756f2f524e61432b78596450553354736b75414c787
-86944522f57734c455142436a6b46576d6d4a41576e51554474626e594e0a5363
-77523847324a36466e72454374627479733733574156476f6f465a6e636d504c5
-0386c784c79626c534244454c79615a762f624173506c4d4f39624435630a4a2b
-4e534261612b6f694c6c31776d4361354d43666c633d0a2d2d2d2d2d454e44205
-0524956415445204b45592d2d2d2d2d0a
-pkS: 30820152303d06092a864886f70d01010a3030a00d300b06096086480165
-03040202a11a301806092a864886f70d010108300b0609608648016503040202a
-2030201300382010f003082010a0282010100cb1aed6b6a95f5b1ce013a4cfcab
-25b94b2e64a23034e4250a7eab43c0df3a8c12993af12b111908d4b471bec31d4
-b6c9ad9cdda90612a2ee903523e6de5a224d6b02f09e5c374d0cfe01d8f529c50
-0a78a2f67908fa682b5a2b430c81eaf1af72d7b5e794fc98a3139276879757ce4
-53b526ef9bf6ceb99979b8423b90f4461a22af37aab0cf5733f7597abe44d31c7
-32db68a181c6cbbe607d8c0e52e0655fd9996dc584eca0be87afbcd78a337d17b
-1dba9e828bbd81e291317144e7ff89f55619709b096cbb9ea474cead264c2073f
-e49740c01f00e109106066983d21e5f83f086e2e823c879cd43cef700d2a352a9
-babd612d03cad02db134b7e225a5f0203010001
-token_challenge: 0002000e6973737565722e6578616d706c65208e7acc900e
-393381e8810b7c9e4a68b5163f1f880ab6688a6ffe780923609e88000e6f72696
-7696e2e6578616d706c65
-nonce:
-aa72019d1f951df197021ce63876fe8b0a02dc1c31a12b0a2dd1508d07827f05
-blind: 425421de54c7381864ce36473abfb988c454fe6c27de863de702a6a2ad
-ca153fa2de47bd8fcd62734caa8ce1f920b77d980ab58c32d16dde54873f28ca9
-68e8c125b8363514be68972f553655bcc7f80a284cc327e47e804a47333c5b3cd
-f773312cc7ad9fda748aed0baa7e19c5a2d1dafda718f086d7fc0a4bc02d488e0
-f20812daee335af7177b7a8369bd617066aed7a58f659f295c36b418827f67972
-5b81ca14ea16fb82df21ad76da1ac38dcf24bf6252f8510e2308608ac9197f6cb
-54fdcb19db17837302a2b87d659c5605f35f3709a130f0c3d50e172f0cae36cbc
-9467f9914895a215a9e32443bcafff795273ccf8965a7eaa8c0b2184763e3e5c
-salt: 3d980852fa570c064204feb8d107098db976ef8c2137e8641d234bbd88a
-986fdb306a7af220cfadede08f51e1ef61766
-token_request: 0002086a95be84b63cfed0993bb579194a72a95057e1548ac4
-63a9a5b33b011f2b2011d59487f01862f1d8e4d5ea42e73a660fbc3d010b944a5
-4da3a4e0942f8894c0884589b438cb902e9a34278970f33c16f351f7dae58d273
-c3ab66ef368da36f785e89e24d1d983d5c34311cd21f290f9e89e8646ab0d0a48
-988fcd46230de5e7603cd12cc95c7ec5002e5e26737aa7eb69c626476e6c8d465
-10ee404a3d7daf3a23b7c66735d363ca13676925c6ed0117f60d165ce1f8ba616
-d041b6384baf6da3e2f757cb18e879a4f8595c2dc895ddf1f4279c75768d108b5
-c47f95f94e81e2d8b9c8b74476924ab3b7c45243fc99ac5466e8a3680ad37fa15
-c96010b274094
-token_response: 675d84b751d9e593330ec4b6d7ab69c9a61517e98971f4b73
-6150508174b4335761464f237be2d72bbae4b94dffc6143413f6351f1aa4efde6
-c32d4d6d9392a008290d56d1222f9b77a1336213e01934f7d972f3bf9ea5a5786
-c321352f103b3667e605379a55f0fb925fbb09b8a9f85e7dd4b388a3b49d06fd7
-0ba28f6a780e3bc8f6421554fd6c38b63ef19f84ccfcf14709dd0b4d72213c1f0
-60893854eba0ea1a147e275da320db5e9849882d5f9179efa8a2d8d3b803f9d14
-45ef5c1f660be08883ce9b29a0a992fc035d2938cbb61c440044438dbb8b3ce71
-58a8f9827d230482f622d291406ab236b32b122627ae0fd36bd0d6b7607b8044a
-ce404d44
-token: 0002aa72019d1f951df197021ce63876fe8b0a02dc1c31a12b0a2dd150
-8d07827f055969f643b4cfda5196d4aa86aeb5368834f4f06de46950ed435b3b8
-1bd036d44ca572f8982a9ca248a3056186322d93ca147266121ddeb5632c07f1f
-71cd2708bc6a21b533d07294b5e900faf5537dd3eb33cee4e08c9670d1e5358fd
-184b0e00c637174f5206b14c7bb0e724ebf6b56271e5aa2ed94c051c4a433d302
-b23bc52460810d489fb050f9de5c868c6c1b06e3849fd087629f704cc724bc0d0
-984d5c339686fcdd75f9a9cdd25f37f855f6f4c584d84f716864f546b696d620c
-5bd41a811498de84ff9740ba3003ba2422d26b91eb745c084758974642a420782
-01543246ddb58030ea8e722376aa82484dca9610a8fb7e018e396165462e17a03
-e40ea7e128c090a911ecc708066cb201833010c1ebd4e910fc8e27a1be467f786
-71836a508257123a45e4e0ae2180a434bd1037713466347a8ebe46439d3da1970
-
-// Test vector 2
-skS: 2d2d2d2d2d424547494e2050524956415445204b45592d2d2d2d2d0a4d49
-4945765149424144414e42676b71686b6947397730424151454641415343424b6
-3776767536a41674541416f49424151444c4775317261705831736334420a4f6b
-7a38717957355379356b6f6a41303543554b66717444774e38366a424b5a4f764
-57245526b49314c527876734d6453327961326333616b4745714c756b440a556a
-35743561496b3172417643655844644e44503442325055707851436e6969396e6
-b492b6d67725769744444494871386139793137586e6c5079596f784f530a646f
-6558563835464f314a752b62397336356d586d34516a755139455961497138337
-1724450567a50335758712b524e4d636379323269686763624c766d42390a6a41
-355334475666325a6c74785954736f4c364872377a58696a4e394637486271656
-76f753967654b524d584645352f2b4a3956595a634a734a624c756570480a544f
-72535a4d4948502b5358514d4166414f454a4547426d6d4430683566672f43473
-475676a79486e4e51383733414e4b6a55716d3676574574413872514c620a4530
-742b496c706641674d4241414543676745414c7a4362647a69316a506435384d6
-b562b434c6679665351322b7266486e7266724665502f566344787275690a3270
-316153584a596962653645532b4d622f4d4655646c485067414c7731785134576
-57266366336444373686c6c784c57535638477342737663386f364750320a6359
-366f777042447763626168474b556b5030456b62395330584c4a5763475347356
-1556e484a585237696e7834635a6c666f4c6e7245516536685578734d710a6230
-644878644844424d644766565777674b6f6a4f6a70532f39386d4555793756422
-f3661326c7265676c766a632f326e4b434b7459373744376454716c47460a787a
-414261577538364d435a342f5131334c762b426566627174493973715a5a776a7
-264556851483856437872793251564d515751696e57684174364d7154340a5342
-5354726f6c5a7a7772716a65384d504a393175614e4d6458474c63484c4932367
-3587a76374b53514b42675144766377735055557641395a325a583958350a6d49
-784d54424e6445467a56625550754b4b413179576e31554d444e63556a71682b7
-a652f376b337946786b68305146333162713630654c393047495369414f0a354b
-4f574d39454b6f2b7841513262614b314d664f5931472b386a7a4258557042733
-9346b353353383879586d4b366e796467763730424a385a6835666b55710a5732
-306f5362686b686a5264537a48326b52476972672b5553774b426751445a4a4d6
-e7279324578612f3345713750626f737841504d69596e6b354a415053470a7932
-7a305a375455622b7548514f2f2b78504d376e433075794c494d44396c61544d4
-8776e3673372f4c62476f455031575267706f59482f4231346b2f526e360a6675
-77524e3632496f397463392b41434c745542377674476179332b6752775974534
-33262356564386c4969656774546b6561306830754453527841745673330a6e35
-6b796132513976514b4267464a75467a4f5a742b7467596e576e5155456757385
-0304f494a45484d45345554644f637743784b7248527239334a6a7546320a4533
-77644b6f546969375072774f59496f614a5468706a50634a62626462664b792b6
-e735170315947763977644a724d6156774a6376497077563676315570660a5674
-4c61646d316c6b6c7670717336474e4d386a6e4d30587833616a6d6d6e6665573
-9794758453570684d727a4c4a6c394630396349324c416f4742414e58760a7567
-5658727032627354316f6b6436755361427367704a6a5065774e526433635a4b3
-97a306153503144544131504e6b7065517748672f2b36665361564f487a0a7941
-7844733968355272627852614e6673542b7241554837783153594456565159564
-d68555262546f5a6536472f6a716e544333664e6648563178745a666f740a306c
-6f4d4867776570362b53494d436f6565325a6374755a5633326c6349616639726
-2484f633764416f47416551386b3853494c4e4736444f413331544535500a6d30
-31414a49597737416c5233756f2f524e61432b78596450553354736b75414c787
-86944522f57734c455142436a6b46576d6d4a41576e51554474626e594e0a5363
-77523847324a36466e72454374627479733733574156476f6f465a6e636d504c5
-0386c784c79626c534244454c79615a762f624173506c4d4f39624435630a4a2b
-4e534261612b6f694c6c31776d4361354d43666c633d0a2d2d2d2d2d454e44205
-0524956415445204b45592d2d2d2d2d0a
-pkS: 30820152303d06092a864886f70d01010a3030a00d300b06096086480165
-03040202a11a301806092a864886f70d010108300b0609608648016503040202a
-2030201300382010f003082010a0282010100cb1aed6b6a95f5b1ce013a4cfcab
-25b94b2e64a23034e4250a7eab43c0df3a8c12993af12b111908d4b471bec31d4
-b6c9ad9cdda90612a2ee903523e6de5a224d6b02f09e5c374d0cfe01d8f529c50
-0a78a2f67908fa682b5a2b430c81eaf1af72d7b5e794fc98a3139276879757ce4
-53b526ef9bf6ceb99979b8423b90f4461a22af37aab0cf5733f7597abe44d31c7
-32db68a181c6cbbe607d8c0e52e0655fd9996dc584eca0be87afbcd78a337d17b
-1dba9e828bbd81e291317144e7ff89f55619709b096cbb9ea474cead264c2073f
-e49740c01f00e109106066983d21e5f83f086e2e823c879cd43cef700d2a352a9
-babd612d03cad02db134b7e225a5f0203010001
-token_challenge: 0002000e6973737565722e6578616d706c6500000e6f7269
-67696e2e6578616d706c65
-nonce:
-98c1345ff38a554b429b428b0f206cfe4f3892f8041995f2c24873d90e84488d
-blind: 7bb85f89c9b83a0e2b02938b3396f06f8f3df0018a91f1a2cc5416aaa5
-52994d063f634d50bea13bffe8d5e01431e646e2e384549cefd695ac3affff665
-a1ebf0113df2520006bd66e468d37a58266daa8a3a75692535e1fc46d0c1d6fb6
-f37c949808172e20c0b77a48570a1fcb474325bdd23cdbce52b5d6a9e39f7aec7
-3b09004eae8c8bfff2b4b533ea63bcf467a4cd95ccfb0cb4e43bc4992c1fd0be7
-a77a4475dbf8094cf25125ece901abbcea607a9050ad9f8ec3d0d66341f6eab40
-ee9c9c22c0b560b8377f8543d8878c7458885fd285c7556cc88fc6021617075b4
-2c83a86005169a6f13352e789b28fdbbe3d0288e1dd7c801497573893146aea3
-salt: b6b4378421ab0ea677ce3f4036fd0489dee458ad81ea519c3e8bde3fcd5
-ec1505d28e110d7b44dcac5e04ecedd54d11a
-token_request: 00020892d26a271c0104657ba10c0b5cb2827bb209d86e8002
-7f96bfb861e0f40cb897f0fc426498433141ce9bc8b4a95914fefe4e40bdd3802
-a121cb0b59a4ae7e03255275c4abf071d991c82ead402606c0ef912178b0a0f68
-d303e06a966079230592827b84979dbcb5f21ab8904e9908638ddf705c4f8af8a
-053c19a66090726b60c6b4063976e4c66eab33522dd3f9d64828441db4aa82d55
-adcc3d3920592884cd1e5a3f490d5c81f1306705dcc5c61d82373f1dbd7d2ae4b
-2fea0f7339f5d868415f59312766e3074ee4a7305f5f053da82673ee6747a727a
-26d8d10ea1b1a3491d26b0c38b962c02a774ac78932153aae9dcc98a9b1db1f53
-89644682f7727
-token_response: 113a5124c1aef6fc230d9fc42b789226f45ca941aad4da3f4
-8cf37c7744a8d7fd1dcfd71cd39d09e9324760180ea0bade3360efaf7322a1fa1
-5f41247be3857fde8c5c92ec6d67a7ee33be8fdadf8b27bb0db706117448e55bc
-e9927cb6bfb1f87f9edb054181a4558af0c0d3973d7033b9599e674c20cf08a7b
-bcf0da815a2edaab7c4fb80dee4ea2cc53576a9691e857da931c6c592d2c69dd2
-1afda8ea653dd90157adfe80e2375c08e75beb497df8b7b73192fbbd4e80359d9
-bbaecea14e0acebdda92596f71ec1d57e26b6497b3152976bc07a4409148cb843
-89eb207fb8e841106012408c6e19b4f964008b6a909aaab767a661a061c97da16
-43040455
-token: 000298c1345ff38a554b429b428b0f206cfe4f3892f8041995f2c24873
-d90e84488d11e15c91a7c2ad02abd66645802373db1d823bea80f08d452541fb2
-b62b5898bca572f8982a9ca248a3056186322d93ca147266121ddeb5632c07f1f
-71cd27083350a206c5e9b7c0898f97611ce0bb8d74d310bb194ab67e094e32ff6
-da90886924b1b9e7b569402c1101d896d2fc3a7371ef77f02310db1dc9f81c853
-5828c2d0e9d9051720d182cd54e1c2c3bf417da2fc7aa72bb70ccc834ef274a2e
-809c9821b3d395d6535423f7428b3f29175d6eb840b4b7685336e57e2b6afeaab
-c0c17ea4f557e8a9cc2f624e245c6ccd7cbdd6c32c97c5c6974e802f688e2d25f
-0aba4215f609f692244517d5d3407e0172273982c001c158f5fcbe1b5d2447c26
-a87e89f5a9e72b498b0c59ce749823d2cf253d3cf6cd4e64fa0e434d95e488789
-247a9ceed756ff4ff33a8d2402c0db381236d331092838b608a42002552092897
-
-// Test vector 3
-skS: 2d2d2d2d2d424547494e2050524956415445204b45592d2d2d2d2d0a4d49
-4945765149424144414e42676b71686b6947397730424151454641415343424b6
-3776767536a41674541416f49424151444c4775317261705831736334420a4f6b
-7a38717957355379356b6f6a41303543554b66717444774e38366a424b5a4f764
-57245526b49314c527876734d6453327961326333616b4745714c756b440a556a
-35743561496b3172417643655844644e44503442325055707851436e6969396e6
-b492b6d67725769744444494871386139793137586e6c5079596f784f530a646f
-6558563835464f314a752b62397336356d586d34516a755139455961497138337
-1724450567a50335758712b524e4d636379323269686763624c766d42390a6a41
-355334475666325a6c74785954736f4c364872377a58696a4e394637486271656
-76f753967654b524d584645352f2b4a3956595a634a734a624c756570480a544f
-72535a4d4948502b5358514d4166414f454a4547426d6d4430683566672f43473
-475676a79486e4e51383733414e4b6a55716d3676574574413872514c620a4530
-742b496c706641674d4241414543676745414c7a4362647a69316a506435384d6
-b562b434c6679665351322b7266486e7266724665502f566344787275690a3270
-316153584a596962653645532b4d622f4d4655646c485067414c7731785134576
-57266366336444373686c6c784c57535638477342737663386f364750320a6359
-366f777042447763626168474b556b5030456b62395330584c4a5763475347356
-1556e484a585237696e7834635a6c666f4c6e7245516536685578734d710a6230
-644878644844424d644766565777674b6f6a4f6a70532f39386d4555793756422
-f3661326c7265676c766a632f326e4b434b7459373744376454716c47460a787a
-414261577538364d435a342f5131334c762b426566627174493973715a5a776a7
-264556851483856437872793251564d515751696e57684174364d7154340a5342
-5354726f6c5a7a7772716a65384d504a393175614e4d6458474c63484c4932367
-3587a76374b53514b42675144766377735055557641395a325a583958350a6d49
-784d54424e6445467a56625550754b4b413179576e31554d444e63556a71682b7
-a652f376b337946786b68305146333162713630654c393047495369414f0a354b
-4f574d39454b6f2b7841513262614b314d664f5931472b386a7a4258557042733
-9346b353353383879586d4b366e796467763730424a385a6835666b55710a5732
-306f5362686b686a5264537a48326b52476972672b5553774b426751445a4a4d6
-e7279324578612f3345713750626f737841504d69596e6b354a415053470a7932
-7a305a375455622b7548514f2f2b78504d376e433075794c494d44396c61544d4
-8776e3673372f4c62476f455031575267706f59482f4231346b2f526e360a6675
-77524e3632496f397463392b41434c745542377674476179332b6752775974534
-33262356564386c4969656774546b6561306830754453527841745673330a6e35
-6b796132513976514b4267464a75467a4f5a742b7467596e576e5155456757385
-0304f494a45484d45345554644f637743784b7248527239334a6a7546320a4533
-77644b6f546969375072774f59496f614a5468706a50634a62626462664b792b6
-e735170315947763977644a724d6156774a6376497077563676315570660a5674
-4c61646d316c6b6c7670717336474e4d386a6e4d30587833616a6d6d6e6665573
-9794758453570684d727a4c4a6c394630396349324c416f4742414e58760a7567
-5658727032627354316f6b6436755361427367704a6a5065774e526433635a4b3
-97a306153503144544131504e6b7065517748672f2b36665361564f487a0a7941
-7844733968355272627852614e6673542b7241554837783153594456565159564
-d68555262546f5a6536472f6a716e544333664e6648563178745a666f740a306c
-6f4d4867776570362b53494d436f6565325a6374755a5633326c6349616639726
-2484f633764416f47416551386b3853494c4e4736444f413331544535500a6d30
-31414a49597737416c5233756f2f524e61432b78596450553354736b75414c787
-86944522f57734c455142436a6b46576d6d4a41576e51554474626e594e0a5363
-77523847324a36466e72454374627479733733574156476f6f465a6e636d504c5
-0386c784c79626c534244454c79615a762f624173506c4d4f39624435630a4a2b
-4e534261612b6f694c6c31776d4361354d43666c633d0a2d2d2d2d2d454e44205
-0524956415445204b45592d2d2d2d2d0a
-pkS: 30820152303d06092a864886f70d01010a3030a00d300b06096086480165
-03040202a11a301806092a864886f70d010108300b0609608648016503040202a
-2030201300382010f003082010a0282010100cb1aed6b6a95f5b1ce013a4cfcab
-25b94b2e64a23034e4250a7eab43c0df3a8c12993af12b111908d4b471bec31d4
-b6c9ad9cdda90612a2ee903523e6de5a224d6b02f09e5c374d0cfe01d8f529c50
-0a78a2f67908fa682b5a2b430c81eaf1af72d7b5e794fc98a3139276879757ce4
-53b526ef9bf6ceb99979b8423b90f4461a22af37aab0cf5733f7597abe44d31c7
-32db68a181c6cbbe607d8c0e52e0655fd9996dc584eca0be87afbcd78a337d17b
-1dba9e828bbd81e291317144e7ff89f55619709b096cbb9ea474cead264c2073f
-e49740c01f00e109106066983d21e5f83f086e2e823c879cd43cef700d2a352a9
-babd612d03cad02db134b7e225a5f0203010001
-token_challenge: 0002000e6973737565722e6578616d706c65000017666f6f
-2e6578616d706c652c6261722e6578616d706c65
-nonce:
-9e7a22bdc5d715682434cebc07eb5fa53f622f776a17a6d91757af1592df0e71
-blind: c52cabc5e4e131e0f5860cc4c486c5ee8a5fa8ae59484446121f87b0d8
-ccd037f161a99ebcc57f79d05a2ffc852656ad2d0894fab8d1b0f998e6e678254
-ed5778da98b137371320314d06c24276e35435bccffa49d257687f270f9ce1792
-6a074737546d5415a4bb9e624a6302562b395856632efb6992f6593a4f95fb342
-002efebc3046ca96bbc26edb2f1a1454a24ce7b9a7ec8e44fb9e99c8144d409d8
-cd8a5903c0a3c0acbd9f82573ed1fc4a296e3eaf4867ade30110794678f422d36
-bd103ea4617d2472cf58da3381e52e5be60f4acbf685e280648cef21211a796ec
-d005ecbdaa1046c40950afca4c4e7dd4b8c19e504088489a15667b45895b6e92
-salt: c847b5d0fa9101a1e09954ac9f3eed6600af58936295ad2e54274e13e64
-0d59f732d07530c94c19c20668f03470c77ac
-token_request: 0002080f6bd84fba1822c577c8cd670f1136cca107f84ddd9d
-405d5ed22ad15da975538f031433bad4a2688999732927efe2928d4c132389a12
-2f40b639b083d6fcbbed7a55fb18db536d2dcbaefe6dc0a70730e6565b08a7dfd
-783913a59f37d798de0cfc262c9e90a7ee884a3ec355eacbd44e5f6779fea6a78
-5b05ac352fdd51a116cf2be1d8e38b0bfacd6a3d53a88c99f747cce908f86b335
-62691f540e3e88562092cd17cc2f78ce0fb53312a5f2dc918bdb1dc90d9d65091
-c7ba9080ccc1755cb5437989364dc92f0e8fea18f66d631451feb02a3d68af41d
-e1a3f9be925dda5c4ca0706fc4ca28b3317e939f6573442c6d03be17cd141fa82
-60d382d134c6b
-token_response: 2dd08ce89cf4f62bc236ab7b75266e13c57c750345e328e0b
-ea107537c4cbeea5bfc990716950440628ea2e37dbc5c9c6d84f9a965cbf0cbff
-fb89516b1fd19a90d69cc52a28890bbdcf782f56aefadad85b6e861a74170ce91
-0891c89e4293f37978dbd41cc8b5c68802de3d86d9f0326b9c22b809512245896
-6a6ddd1aeb3828d239c3b359efc9b375390eb19050d5656c2b084304d9bd8a816
-14f631bf82a7e4588413b44a0cb6d94e942fa134790b396cb71e3ed33b557b5bd
-0734e726fa79abdca8694703b81d0e289b749801d4383e0d4f825dcde0dd98c43
-d3ba81c028dd8833a4fc24961f60e118d4421dce5b611d53e9ca96156a52509bf
-a9afeb7e
-token: 00029e7a22bdc5d715682434cebc07eb5fa53f622f776a17a6d91757af
-1592df0e710042eee45ac4dd5acb8f6e65c4d8dd47504f73f7463507ef96a4d72
-27d2774f3ca572f8982a9ca248a3056186322d93ca147266121ddeb5632c07f1f
-71cd270815b010bbc0d5f55e9c856d2e9ffaefba007d33c2d5452fbeb0b15919b
-973e0dc9180aaeb18242043758d9fb0ac9ac5e04da9ff74ec93644ae6cdb7068e
-a76ce2295b9b95e383ed3a9856e9f618dafdf4cec5d2b53ea4297c2f3990babca
-71e3ccd6c07a437daae7ed27b6b81178fb7ce5fa5dd63781cc64ac1e410f441c0
-34b0a5cc873a2ce875e8b38c92bab563635c4f8f4fa35d1f582ef19edf7da75aa
-11a503a82e32a12bd4da41e0ca7ec7f451caf586f5b910003fcbbb9ff5ffa2408
-c28d6807737d03da651ea9bfafcc2747a6830e19a1d160fcd5c25d2f79dad86a8
-b3de8e926e08ca1addced72977f7b56398ef59c26e725df0a976a08f2a936ca42
-
-// Test vector 4
-skS: 2d2d2d2d2d424547494e2050524956415445204b45592d2d2d2d2d0a4d49
-4945765149424144414e42676b71686b6947397730424151454641415343424b6
-3776767536a41674541416f49424151444c4775317261705831736334420a4f6b
-7a38717957355379356b6f6a41303543554b66717444774e38366a424b5a4f764
-57245526b49314c527876734d6453327961326333616b4745714c756b440a556a
-35743561496b3172417643655844644e44503442325055707851436e6969396e6
-b492b6d67725769744444494871386139793137586e6c5079596f784f530a646f
-6558563835464f314a752b62397336356d586d34516a755139455961497138337
-1724450567a50335758712b524e4d636379323269686763624c766d42390a6a41
-355334475666325a6c74785954736f4c364872377a58696a4e394637486271656
-76f753967654b524d584645352f2b4a3956595a634a734a624c756570480a544f
-72535a4d4948502b5358514d4166414f454a4547426d6d4430683566672f43473
-475676a79486e4e51383733414e4b6a55716d3676574574413872514c620a4530
-742b496c706641674d4241414543676745414c7a4362647a69316a506435384d6
-b562b434c6679665351322b7266486e7266724665502f566344787275690a3270
-316153584a596962653645532b4d622f4d4655646c485067414c7731785134576
-57266366336444373686c6c784c57535638477342737663386f364750320a6359
-366f777042447763626168474b556b5030456b62395330584c4a5763475347356
-1556e484a585237696e7834635a6c666f4c6e7245516536685578734d710a6230
-644878644844424d644766565777674b6f6a4f6a70532f39386d4555793756422
-f3661326c7265676c766a632f326e4b434b7459373744376454716c47460a787a
-414261577538364d435a342f5131334c762b426566627174493973715a5a776a7
-264556851483856437872793251564d515751696e57684174364d7154340a5342
-5354726f6c5a7a7772716a65384d504a393175614e4d6458474c63484c4932367
-3587a76374b53514b42675144766377735055557641395a325a583958350a6d49
-784d54424e6445467a56625550754b4b413179576e31554d444e63556a71682b7
-a652f376b337946786b68305146333162713630654c393047495369414f0a354b
-4f574d39454b6f2b7841513262614b314d664f5931472b386a7a4258557042733
-9346b353353383879586d4b366e796467763730424a385a6835666b55710a5732
-306f5362686b686a5264537a48326b52476972672b5553774b426751445a4a4d6
-e7279324578612f3345713750626f737841504d69596e6b354a415053470a7932
-7a305a375455622b7548514f2f2b78504d376e433075794c494d44396c61544d4
-8776e3673372f4c62476f455031575267706f59482f4231346b2f526e360a6675
-77524e3632496f397463392b41434c745542377674476179332b6752775974534
-33262356564386c4969656774546b6561306830754453527841745673330a6e35
-6b796132513976514b4267464a75467a4f5a742b7467596e576e5155456757385
-0304f494a45484d45345554644f637743784b7248527239334a6a7546320a4533
-77644b6f546969375072774f59496f614a5468706a50634a62626462664b792b6
-e735170315947763977644a724d6156774a6376497077563676315570660a5674
-4c61646d316c6b6c7670717336474e4d386a6e4d30587833616a6d6d6e6665573
-9794758453570684d727a4c4a6c394630396349324c416f4742414e58760a7567
-5658727032627354316f6b6436755361427367704a6a5065774e526433635a4b3
-97a306153503144544131504e6b7065517748672f2b36665361564f487a0a7941
-7844733968355272627852614e6673542b7241554837783153594456565159564
-d68555262546f5a6536472f6a716e544333664e6648563178745a666f740a306c
-6f4d4867776570362b53494d436f6565325a6374755a5633326c6349616639726
-2484f633764416f47416551386b3853494c4e4736444f413331544535500a6d30
-31414a49597737416c5233756f2f524e61432b78596450553354736b75414c787
-86944522f57734c455142436a6b46576d6d4a41576e51554474626e594e0a5363
-77523847324a36466e72454374627479733733574156476f6f465a6e636d504c5
-0386c784c79626c534244454c79615a762f624173506c4d4f39624435630a4a2b
-4e534261612b6f694c6c31776d4361354d43666c633d0a2d2d2d2d2d454e44205
-0524956415445204b45592d2d2d2d2d0a
-pkS: 30820152303d06092a864886f70d01010a3030a00d300b06096086480165
-03040202a11a301806092a864886f70d010108300b0609608648016503040202a
-2030201300382010f003082010a0282010100cb1aed6b6a95f5b1ce013a4cfcab
-25b94b2e64a23034e4250a7eab43c0df3a8c12993af12b111908d4b471bec31d4
-b6c9ad9cdda90612a2ee903523e6de5a224d6b02f09e5c374d0cfe01d8f529c50
-0a78a2f67908fa682b5a2b430c81eaf1af72d7b5e794fc98a3139276879757ce4
-53b526ef9bf6ceb99979b8423b90f4461a22af37aab0cf5733f7597abe44d31c7
-32db68a181c6cbbe607d8c0e52e0655fd9996dc584eca0be87afbcd78a337d17b
-1dba9e828bbd81e291317144e7ff89f55619709b096cbb9ea474cead264c2073f
-e49740c01f00e109106066983d21e5f83f086e2e823c879cd43cef700d2a352a9
-babd612d03cad02db134b7e225a5f0203010001
-token_challenge: 0002000e6973737565722e6578616d706c65000000
-nonce:
-494dae41fc7e300c2d09990afcd5d5e1fc95305337dc12f78942c45340bfe8e6
-blind: 097cb17bcedecfe058dff5c4e517d1e36d7ab8f46252b1ac1933ba378c
-32625c0dbc69f5655c2003bf39e75810796cd63675b223cf3162c57108d56e058
-4cfce6cad829e74369ada38a095eb3012c912b31ccde7425f93464e353fb17552
-be3a8df2913daca61543a33ae45058f218c471dfbc12fb304158e29b6ed35bc07
-9e23f1e6173c5dec4545840bbe58e5ad37cbea0a10dca5d9df2781589d27c3410
-8477b52c0d32a1370c17f703941fbb1a007a6794e7de2758709c9bbf80f21eec7
-922b9bb491eb6aac8c1a14764e648e6be4fff0ae913797067aa0826f366c3103e
-103b05653c73b52d7f825a185dccfb806da700db9f53abb848554b7d4f7c28f3
-salt: 49912979f1bf528e5b8228ab1328df74319dce7bdaf45821ceb1100dcf0
-42a2dfe852fc9db59b64a5f6493c282504240
-token_request: 000208244840027ca8c620f8b14caded9a198ba388ccd8541e
-962f68a0071535d958d18494afd0bc11da4da8c8b33864f5a8f623b697cd56348
-594e11a75479048a72c0ed179b070506c09a7eb6ed3582f572df38cf60fcde11a
-52c5ce6d7b23435b60200ad9f66d21f40f323c9aa54307d0b966d4457c37542b6
-6bb183ddeafca914fc74831698b5d52f498ee3d165685f49a8d86e39fe6c4b7ec
-678f5250908d25e5b873c69b422368121aa4210cadd6fc640907d3cb9a7a3e827
-a0e742470f00c2f49dc6c0e8cc9470dbfd73df0ccbb96c10b02af0dd7dee719ec
-a11ff8e1b4929e59f3cf319de9bda29a6d968b43083b5d4242f3448d76ada08b8
-014f70b97e719
-token_response: c2746ff644cffb28a2c19395fa19dfb61fd135daa837844fb
-f9fbe06c253e64e69f53aefddc0fb4833b1b5e58f571134a34f245499c3e73419
-549c2c9111cf94f2f68fea3996d47f71e8d8d6fc5b1c074bf74fa59de4cbf32f5
-f08d45ea45492f0279c3b1a8d852698edbe1651eb8e09eb223a27386c0feb2f6a
-8260235edb36cf433da518100829b63166284b325d87fc941ea3bafe7b6761b70
-82e09397837f74b4f0fc838bce8af7242089dd5561f57735926bcbad219fc9fee
-85ae49a8e8951f63ca194b7ff018c06ee02267e7267bb996432dc76973819da80
-e3e86947b0a4b36d3a972dafaaa3db0e1044b325f02c679996d9bcd3ce51390d5
-4bc10b8c
-token: 0002494dae41fc7e300c2d09990afcd5d5e1fc95305337dc12f78942c4
-5340bfe8e6b741ec1b6fd05f1e95f8982906aec1612896d9ca97d53eef94ad3c9
-fe023f7a4ca572f8982a9ca248a3056186322d93ca147266121ddeb5632c07f1f
-71cd2708a55c83dc04292b5d92add1a87b37e54f22f61c58840586f390c50b231
-824423378ddcf50e69dc817d45bfad06c7f2a0ac35d2acd7f26b0bc9954c192b0
-a0ef28a2a5650e390098dd3cb1166a7cb1716d3dd2d19dc5ca3b1ea6206359de0
-002d82bc4fa7e69fb07214b06addcbd2203d1e17f57fc580bcc5a13e0ac15cf94
-2182cc2b5d6eaa737a712704114e357e2ec2f10047463ded02a1a0766dc346dd7
-212b9711e03ac95eb258ac1164104dc9a0d3e738ae742ab5ed8c5139fc07145a7
-88b9f891741ee68f0a66782b7b84a9bb4cb4b3d1b26b67106f397b35b641d882d
-7b0185168946de898ef72349a44a47dbdd6d46e9ba9ba543d5701b65c63d645c2
-
-// Test vector 5
-skS: 2d2d2d2d2d424547494e2050524956415445204b45592d2d2d2d2d0a4d49
-4945765149424144414e42676b71686b6947397730424151454641415343424b6
-3776767536a41674541416f49424151444c4775317261705831736334420a4f6b
-7a38717957355379356b6f6a41303543554b66717444774e38366a424b5a4f764
-57245526b49314c527876734d6453327961326333616b4745714c756b440a556a
-35743561496b3172417643655844644e44503442325055707851436e6969396e6
-b492b6d67725769744444494871386139793137586e6c5079596f784f530a646f
-6558563835464f314a752b62397336356d586d34516a755139455961497138337
-1724450567a50335758712b524e4d636379323269686763624c766d42390a6a41
-355334475666325a6c74785954736f4c364872377a58696a4e394637486271656
-76f753967654b524d584645352f2b4a3956595a634a734a624c756570480a544f
-72535a4d4948502b5358514d4166414f454a4547426d6d4430683566672f43473
-475676a79486e4e51383733414e4b6a55716d3676574574413872514c620a4530
-742b496c706641674d4241414543676745414c7a4362647a69316a506435384d6
-b562b434c6679665351322b7266486e7266724665502f566344787275690a3270
-316153584a596962653645532b4d622f4d4655646c485067414c7731785134576
-57266366336444373686c6c784c57535638477342737663386f364750320a6359
-366f777042447763626168474b556b5030456b62395330584c4a5763475347356
-1556e484a585237696e7834635a6c666f4c6e7245516536685578734d710a6230
-644878644844424d644766565777674b6f6a4f6a70532f39386d4555793756422
-f3661326c7265676c766a632f326e4b434b7459373744376454716c47460a787a
-414261577538364d435a342f5131334c762b426566627174493973715a5a776a7
-264556851483856437872793251564d515751696e57684174364d7154340a5342
-5354726f6c5a7a7772716a65384d504a393175614e4d6458474c63484c4932367
-3587a76374b53514b42675144766377735055557641395a325a583958350a6d49
-784d54424e6445467a56625550754b4b413179576e31554d444e63556a71682b7
-a652f376b337946786b68305146333162713630654c393047495369414f0a354b
-4f574d39454b6f2b7841513262614b314d664f5931472b386a7a4258557042733
-9346b353353383879586d4b366e796467763730424a385a6835666b55710a5732
-306f5362686b686a5264537a48326b52476972672b5553774b426751445a4a4d6
-e7279324578612f3345713750626f737841504d69596e6b354a415053470a7932
-7a305a375455622b7548514f2f2b78504d376e433075794c494d44396c61544d4
-8776e3673372f4c62476f455031575267706f59482f4231346b2f526e360a6675
-77524e3632496f397463392b41434c745542377674476179332b6752775974534
-33262356564386c4969656774546b6561306830754453527841745673330a6e35
-6b796132513976514b4267464a75467a4f5a742b7467596e576e5155456757385
-0304f494a45484d45345554644f637743784b7248527239334a6a7546320a4533
-77644b6f546969375072774f59496f614a5468706a50634a62626462664b792b6
-e735170315947763977644a724d6156774a6376497077563676315570660a5674
-4c61646d316c6b6c7670717336474e4d386a6e4d30587833616a6d6d6e6665573
-9794758453570684d727a4c4a6c394630396349324c416f4742414e58760a7567
-5658727032627354316f6b6436755361427367704a6a5065774e526433635a4b3
-97a306153503144544131504e6b7065517748672f2b36665361564f487a0a7941
-7844733968355272627852614e6673542b7241554837783153594456565159564
-d68555262546f5a6536472f6a716e544333664e6648563178745a666f740a306c
-6f4d4867776570362b53494d436f6565325a6374755a5633326c6349616639726
-2484f633764416f47416551386b3853494c4e4736444f413331544535500a6d30
-31414a49597737416c5233756f2f524e61432b78596450553354736b75414c787
-86944522f57734c455142436a6b46576d6d4a41576e51554474626e594e0a5363
-77523847324a36466e72454374627479733733574156476f6f465a6e636d504c5
-0386c784c79626c534244454c79615a762f624173506c4d4f39624435630a4a2b
-4e534261612b6f694c6c31776d4361354d43666c633d0a2d2d2d2d2d454e44205
-0524956415445204b45592d2d2d2d2d0a
-pkS: 30820152303d06092a864886f70d01010a3030a00d300b06096086480165
-03040202a11a301806092a864886f70d010108300b0609608648016503040202a
-2030201300382010f003082010a0282010100cb1aed6b6a95f5b1ce013a4cfcab
-25b94b2e64a23034e4250a7eab43c0df3a8c12993af12b111908d4b471bec31d4
-b6c9ad9cdda90612a2ee903523e6de5a224d6b02f09e5c374d0cfe01d8f529c50
-0a78a2f67908fa682b5a2b430c81eaf1af72d7b5e794fc98a3139276879757ce4
-53b526ef9bf6ceb99979b8423b90f4461a22af37aab0cf5733f7597abe44d31c7
-32db68a181c6cbbe607d8c0e52e0655fd9996dc584eca0be87afbcd78a337d17b
-1dba9e828bbd81e291317144e7ff89f55619709b096cbb9ea474cead264c2073f
-e49740c01f00e109106066983d21e5f83f086e2e823c879cd43cef700d2a352a9
-babd612d03cad02db134b7e225a5f0203010001
-token_challenge: 0002000e6973737565722e6578616d706c65208e7acc900e
-393381e8810b7c9e4a68b5163f1f880ab6688a6ffe780923609e880000
-nonce:
-a1aa8b371c37c9a8ddbd7342ab4f9dd5227d5b1600dca6517b60f63143cd43a3
-blind: ad7a32e1ac31b91daefd7042cc23d5621ab3e870d87297bbfe1ee8a518
-ffc5b84770d3b77775c485b2d219954834868842d2f11877ac4bceb5da88944cc
-a043a9afa52f9c9998a5dea7ab7c1f82662d0d327e29705a269ad221ae74a7c11
-72ff89c48997a9fda08886d3998bb538868396c0ace71d260cc71f768001939b2
-4d80d88979f0244a3dbc004eadfac81e138d430b9fa51c1aad21b957ff96b3123
-c91c2fff362a386f0f99a3f9fc906ca626fd9107648f87532b44c4fe3856ecae1
-f46d8ebf5d2f46e52034478e5e883015666574dd80bd5c036c4b55ebcc8b66068
-8d23944cc1932d075b559dcdc269fae3511761f71c113634e60d67accc8875fb
-salt: 35c04710ce866d879447b6230ce098a49e81be5c067881cce7bd5f92c1e
-5bd9b3c7d4d795cfad134fdfe916d735a624a
-token_request: 0002083d6495c72529bbc4f5c0b49e94e4561baec1ca638a93
-b2940ea9e37b838db7b1a91ec1f257d49b45c4f75119c2ab9eb5578541ad2b9ba
-c1bd627abc709097f503f83d98fed6dbeb615c3be9bf09cbf8ea25ea8026c1b8b
-a1c704ff516ed87c3d7d85342fd00111d8a80492d4b8fdbb092a282f74f13901e
-5edc1b3b02cfe24c950affe6130fbb57c1482d674db3c6944812ba081c2235a16
-d01eeec0932a8619d85732fc3e36179f0b50377bf9cb7a50ce3abeb3f31ed5f0f
-3deec7aae7290f5397cec61318357d652b029a0fda0f100a78e36c4ef56ba3779
-963e8745fdf4e347763c63d825836878e249833a0f4bd315392cc06ccca2c955e
-921efbc4f941d
-token_response: 8db727000018a98a2fe9fda8bbde5b8e9cedc31efbcaed695
-0eb1e0f8d9af9db632def52f74f07cdab304bbde40519080dd0388fb2b8900528
-b4791d2bca40aa2c2a6d1b92f010c1849bfb781cc813cc204855dd05e8a2dd31e
-a5220981b8ab6b008e153083dc8f594206440d66286fea9c21b56807be8655506
-ab7818bb9c8c69489dda56fe6390a5397268c8b5711f9d2df6f2584740cccf034
-5fd67f93f345426f33c078a0aceb90845df9eef74f6248d06c36d19e191da325b
-721ddc12ea78ed37b0c3b6170590536e3aee7eb0efc7d11a2c9d072a394f12ffa
-67ecf316c49efd8f31723b11fe46740636bd89ad4f7ef96bc38b2cb4916d9dc04
-ba1b2fc6
-token: 0002a1aa8b371c37c9a8ddbd7342ab4f9dd5227d5b1600dca6517b60f6
-3143cd43a3bb8a8cf1c59e7a251358ed76fe0ccff61044bc79dd261f16020324d
-22f2d434cca572f8982a9ca248a3056186322d93ca147266121ddeb5632c07f1f
-71cd27082899f4bc385b4147a650a3e7efc7d23a743cb944bb53e2ed8b88ee03a
-9c0b1cf1f73fd7f15c1bd1f850a5a96a34d4ee9f295543f30ac920825e9a0ce26
-e924f2c145583019dd14408c565b660e8b702fbea559908b1a8c8f9d21ef22f7c
-c6a4641c57c146e6c5497d2890ca230a6749f5f83a8fdd79eba0722f10dff9e81
-a2fb2d05fa4d989acc2e93f595ae69c98c3daa3b169efcdd6e59596b2f049f16b
-a49528761f661032da65a3ee0fe8a22409766e90daf8c60323c16522818c49273
-c795f26bbab306dc63cfc16fe1702af2464028cf819cc647d6f9b8a8f54d7d658
-5a268fdb8c75f76618c64aba266836a3b2db7cdd739815a021d7ff2b36ef91f23
-</pre><a href="#appendix-B.2-3" class="pilcrow">¶</a>
-</div>
-</section>
-</div>
-</section>
-</div>
-<div id="authors-addresses">
-<section id="appendix-C">
-      <h2 id="name-authors-addresses">
-<a href="#name-authors-addresses" class="section-name selfRef">Authors' Addresses</a>
-      </h2>
-<address class="vcard">
-        <div dir="auto" class="left"><span class="fn nameRole">Sofía Celi</span></div>
-<div dir="auto" class="left"><span class="org">Brave Software</span></div>
-<div dir="auto" class="left"><span class="locality">Lisbon</span></div>
-<div dir="auto" class="left"><span class="country-name">Portugal</span></div>
-<div class="email">
-<span>Email:</span>
-<a href="mailto:cherenkov@riseup.net" class="email">cherenkov@riseup.net</a>
-</div>
-</address>
-<address class="vcard">
-        <div dir="auto" class="left"><span class="fn nameRole">Alex Davidson</span></div>
-<div dir="auto" class="left"><span class="org">Brave Software</span></div>
-<div dir="auto" class="left"><span class="locality">Lisbon</span></div>
-<div dir="auto" class="left"><span class="country-name">Portugal</span></div>
-<div class="email">
-<span>Email:</span>
-<a href="mailto:alex.davidson92@gmail.com" class="email">alex.davidson92@gmail.com</a>
-</div>
-</address>
-<address class="vcard">
-        <div dir="auto" class="left"><span class="fn nameRole">Steven Valdez</span></div>
-<div dir="auto" class="left"><span class="org">Google LLC</span></div>
-<div class="email">
-<span>Email:</span>
-<a href="mailto:svaldez@chromium.org" class="email">svaldez@chromium.org</a>
-</div>
-</address>
-<address class="vcard">
-        <div dir="auto" class="left"><span class="fn nameRole">Christopher A. Wood</span></div>
-<div dir="auto" class="left"><span class="org">Cloudflare</span></div>
-<div dir="auto" class="left"><span class="street-address">101 Townsend St</span></div>
-<div dir="auto" class="left">
-<span class="locality">San Francisco</span>,  </div>
-<div dir="auto" class="left"><span class="country-name">United States of America</span></div>
-<div class="email">
-<span>Email:</span>
-<a href="mailto:caw@heapingbits.net" class="email">caw@heapingbits.net</a>
-</div>
-</address>
-</section>
-</div>
-<script>const toc = document.getElementById("toc");
-toc.querySelector("h2").addEventListener("click", e => {
-  toc.classList.toggle("active");
-});
-toc.querySelector("nav").addEventListener("click", e => {
-  toc.classList.remove("active");
-});
-</script>
-</body>
-</html>
diff --git a/chris-wood-patch-8/draft-ietf-privacypass-protocol.txt b/chris-wood-patch-8/draft-ietf-privacypass-protocol.txt
deleted file mode 100644
index 613ede1f..00000000
--- a/chris-wood-patch-8/draft-ietf-privacypass-protocol.txt
+++ /dev/null
@@ -1,1868 +0,0 @@
-
-
-
-
-Network Working Group                                            S. Celi
-Internet-Draft                                               A. Davidson
-Intended status: Standards Track                          Brave Software
-Expires: 15 April 2024                                         S. Valdez
-                                                              Google LLC
-                                                              C. A. Wood
-                                                              Cloudflare
-                                                         13 October 2023
-
-
-                     Privacy Pass Issuance Protocol
-                 draft-ietf-privacypass-protocol-latest
-
-Abstract
-
-   This document specifies two variants of the two-message issuance
-   protocol for Privacy Pass tokens: one that produces tokens that are
-   privately verifiable using the issuance private key, and another that
-   produces tokens that are publicly verifiable using the issuance
-   public key.
-
-Status of This Memo
-
-   This Internet-Draft is submitted in full conformance with the
-   provisions of BCP 78 and BCP 79.
-
-   Internet-Drafts are working documents of the Internet Engineering
-   Task Force (IETF).  Note that other groups may also distribute
-   working documents as Internet-Drafts.  The list of current Internet-
-   Drafts is at https://datatracker.ietf.org/drafts/current/.
-
-   Internet-Drafts are draft documents valid for a maximum of six months
-   and may be updated, replaced, or obsoleted by other documents at any
-   time.  It is inappropriate to use Internet-Drafts as reference
-   material or to cite them other than as "work in progress."
-
-   This Internet-Draft will expire on 15 April 2024.
-
-Copyright Notice
-
-   Copyright (c) 2023 IETF Trust and the persons identified as the
-   document authors.  All rights reserved.
-
-   This document is subject to BCP 78 and the IETF Trust's Legal
-   Provisions Relating to IETF Documents (https://trustee.ietf.org/
-   license-info) in effect on the date of publication of this document.
-   Please review these documents carefully, as they describe your rights
-   and restrictions with respect to this document.  Code Components
-   extracted from this document must include Revised BSD License text as
-   described in Section 4.e of the Trust Legal Provisions and are
-   provided without warranty as described in the Revised BSD License.
-
-Table of Contents
-
-   1.  Introduction
-   2.  Terminology
-   3.  Protocol Overview
-   4.  Configuration
-   5.  Issuance Protocol for Privately Verifiable Tokens
-     5.1.  Client-to-Issuer Request
-     5.2.  Issuer-to-Client Response
-     5.3.  Finalization
-     5.4.  Token Verification
-     5.5.  Issuer Configuration
-   6.  Issuance Protocol for Publicly Verifiable Tokens
-     6.1.  Client-to-Issuer Request
-     6.2.  Issuer-to-Client Response
-     6.3.  Finalization
-     6.4.  Token Verification
-     6.5.  Issuer Configuration
-   7.  Security considerations
-   8.  IANA considerations
-     8.1.  Well-Known 'private-token-issuer-directory' URI
-     8.2.  Token Type Registry Updates
-       8.2.1.  Token Type VOPRF (P-384, SHA-384)
-       8.2.2.  Token Type Blind RSA (2048-bit)
-     8.3.  Media Types
-       8.3.1.  "application/private-token-issuer-directory" media type
-       8.3.2.  "application/private-token-request" media type
-       8.3.3.  "application/private-token-response" media type
-   9.  References
-     9.1.  Normative References
-     9.2.  Informative References
-   Appendix A.  Acknowledgements
-   Appendix B.  Test Vectors
-     B.1.  Issuance Protocol 1 - VOPRF(P-384, SHA-384)
-     B.2.  Issuance Protocol 2 - Blind RSA, 2048
-   Authors' Addresses
-
-1.  Introduction
-
-   The Privacy Pass protocol provides a privacy-preserving authorization
-   mechanism.  In essence, the protocol allows clients to provide
-   cryptographic tokens that prove nothing other than that they have
-   been created by a given server in the past [ARCHITECTURE].
-
-   This document describes the issuance protocol for Privacy Pass built
-   on [HTTP].  It specifies two variants: one that is privately
-   verifiable using the issuance private key based on the oblivious
-   pseudorandom function from [OPRF], and one that is publicly
-   verifiable using the issuance public key based on the blind RSA
-   signature scheme [BLINDRSA].
-
-   This document does not cover the Privacy Pass architecture, including
-   choices that are necessary for deployment and application specific
-   choices for protecting client privacy.  This information is covered
-   in [ARCHITECTURE].
-
-2.  Terminology
-
-   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
-   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
-   "OPTIONAL" in this document are to be interpreted as described in
-   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
-   capitals, as shown here.
-
-   This document uses the terms Origin, Client, Issuer, and Token as
-   defined in Section 2 of [ARCHITECTURE].  Moreover, the following
-   additional terms are used throughout this document.
-
-   *  Issuer Public Key: The public key (from a private-public key pair)
-      used by the Issuer for issuing and verifying Tokens.
-
-   *  Issuer Private Key: The private key (from a private-public key
-      pair) used by the Issuer for issuing and verifying Tokens.
-
-   Unless otherwise specified, this document encodes protocol messages
-   in TLS notation from Section 3 of [TLS13].  Moreover, all constants
-   are in network byte order.
-
-3.  Protocol Overview
-
-   The issuance protocols defined in this document embody the core of
-   Privacy Pass.  Clients receive TokenChallenge inputs from the
-   redemption protocol ([AUTHSCHEME], Section 2.1) and use the issuance
-   protocols to produce corresponding Token values ([AUTHSCHEME],
-   Section 2.2).  The issuance protocol describes how Clients and
-   Issuers interact to compute a token using a one-round protocol
-   consisting of a TokenRequest from the Client and TokenResponse from
-   the Issuer.  This interaction is shown below.
-
-   +--------+            +--------+         +----------+ +--------+
-   | Origin |            | Client |         | Attester | | Issuer |
-   +---+----+            +---+----+         +----+-----+ +---+----+
-       |                     |                   |           |
-       |<----- Request ------+                   |           |
-       +-- TokenChallenge -->|                   |           |
-       |                     |<== Attestation ==>|           |
-       |                     |                   |           |
-       |                     +--------- TokenRequest ------->|
-       |                     |<-------- TokenResponse -------+
-       |<-- Request+Token ---+                   |           |
-       |                     |                   |           |
-
-                        Figure 1: Issuance Overview
-
-   The TokenChallenge inputs to the issuance protocols described in this
-   document can be interactive or non-interactive, and per-origin or
-   cross-origin.
-
-   The issuance protocols defined in this document are compatible with
-   any deployment model defined in Section 4 of [ARCHITECTURE].  The
-   details of attestation are outside the scope of the issuance
-   protocol; see Section 4 of [ARCHITECTURE] for information about how
-   attestation can be implemented in each of the relevant deployment
-   models.
-
-   This document describes two variants of the issuance protocol: one
-   that is privately verifiable (Section 5) using the issuance private
-   key based on the oblivious pseudorandom function from [OPRF], and one
-   that is publicly verifiable (Section 6) using the issuance public key
-   based on the blind RSA signature scheme [BLINDRSA].
-
-4.  Configuration
-
-   Issuers MUST provide two parameters for configuration:
-
-   1.  Issuer Request URL: A token request URL for generating access
-       tokens.  For example, an Issuer URL might be
-       https://issuer.example.net/request.
-
-   2.  Issuer Public Key values: A list of Issuer Public Keys for the
-       issuance protocol.
-
-   The Issuer parameters can be obtained from an Issuer via a directory
-   object, which is a JSON object ([RFC8259], Section 4) whose values
-   are other JSON values ([RFC8259], Section 3) for the parameters.  The
-   contents of this JSON object are defined in Table 1.
-
-       +====================+======================================+
-       | Field Name         | Value                                |
-       +====================+======================================+
-       | issuer-request-uri | Issuer Request URL value (as an      |
-       |                    | absolute URL, or a URL relative to   |
-       |                    | the directory object) as a percent-  |
-       |                    | encoded URL string, represented as a |
-       |                    | JSON string ([RFC8259], Section 7)   |
-       +--------------------+--------------------------------------+
-       | token-keys         | List of Issuer Public Key values,    |
-       |                    | each represented as JSON objects     |
-       |                    | ([RFC8259], Section 4)               |
-       +--------------------+--------------------------------------+
-
-                Table 1: Issuer directory object description
-
-   Each "token-keys" JSON object contains the fields and corresponding
-   raw values defined in Table 2.
-
-    +============+====================================================+
-    | Field Name | Value                                              |
-    +============+====================================================+
-    | token-type | Integer value of the Token Type, as defined in     |
-    |            | Section 8.2, represented as a JSON number          |
-    |            | ([RFC8259], Section 6)                             |
-    +------------+----------------------------------------------------+
-    | token-key  | The base64url-encoded [RFC4648] Public Key for use |
-    |            | with the issuance protocol as determined by the    |
-    |            | token-type field, including padding, represented   |
-    |            | as a JSON string ([RFC8259], Section 7)            |
-    +------------+----------------------------------------------------+
-
-              Table 2: Issuer 'token-keys' object description'
-
-   Each "token-keys" JSON object may also contain the optional field
-   "not-before".  The value of this field is the UNIX timestamp (number
-   of seconds since January 1, 1970, UTC -- see Section 4.2.1 of
-   [TIMESTAMP]) at which the key can be used.  If this field is present,
-   Clients SHOULD NOT use a token key before this timestamp, as doing so
-   can lead to issuance failures.  The purpose of this field is to
-   assist in scheduled key rotations.
-
-   Beyond staging keys with the "not-before" value, Issuers MAY
-   advertise multiple "token-keys" for the same token-type to facilitate
-   key rotation.  In this case, Issuers indicate preference for which
-   token key to use based on the order of keys in the list, with
-   preference given to keys earlier in the list.  Clients SHOULD use the
-   first key in the "token-keys" list that either does not have a "not-
-   before" value or has a "not-before" value in the past, since the
-   first such key is the most likely to be valid in the given time
-   window.  Origins can attempt to use any key in the "token-keys" list
-   to verify tokens, starting with the most preferred key in the list.
-   Trial verification like this can help deal with Client clock skew.
-
-   Altogether, the Issuer's directory could look like the following
-   (with the "token-key" fields abbreviated):
-
-    {
-       "issuer-request-uri": "https://issuer.example.net/request",
-       "token-keys": [
-         {
-           "token-type": 2,
-           "token-key": "MI...AB",
-           "not-before": 1686913811,
-         },
-         {
-           "token-type": 2,
-           "token-key": "MI...AQ",
-         }
-       ]
-    }
-
-   Clients that use this directory resource before 1686913811 in UNIX
-   time would use the second key in the "token-keys" list, whereas
-   Clients that use this directory after 1686913811 in UNIX time would
-   use the first key in the "token-keys" list.
-
-   A complete "token-key" value, encoded as it would be in the Issuer
-   directory, would look like the following (line breaks are inserted to
-   fit within the per-line character limits):
-
-$ echo MIIBUjA9BgkqhkiG9w0BAQowMKANMAsGCWCGSAFlAwQCAqEaMBgGCSqGSIb3DQEBCDAL \
- BglghkgBZQMEAgKiAwIBMAOCAQ8AMIIBCgKCAQEAmKHGAMyeoJt1pj3n7xTtqAPr_DhZAPhJM7 \
- Pc8ENR2BzdZwPTTF7KFKms5wt-mL01at0SC-cdBuIj6WYK8Ovz0AyaBuvTvW6SKCh7ZPXEqCGR \
- sq5I0nthREtrYkGo113oMVPVp3sy4VHPgzd8KdzTLGzOrjiUOsSFWbjf21iaVjXJ2VdwdS-8O- \
- 430wkucYjGeOJwi8rWx_ZkcHtav0S67Q_SlExJel6nyRzpuuID9OQm1nxfs1Z4PhWBzt93T2oz \
- Tnda3OklF5n0pIXD6bttmTekIw_8Xx2LMis0jfJ1QL99aA-muXRFN4ZUwORrF7cAcCUD_-56_6 \
- fh9s34FmqBGwIDAQAB \
- | sed s/-/+/g | sed s/_/\\//g | openssl base64 -d \
- | openssl asn1parse -dump -inform DER
-    0:d=0  hl=4 l= 338 cons: SEQUENCE
-    4:d=1  hl=2 l=  61 cons: SEQUENCE
-    6:d=2  hl=2 l=   9 prim: OBJECT            :rsassaPss
-   17:d=2  hl=2 l=  48 cons: SEQUENCE
-   19:d=3  hl=2 l=  13 cons: cont [ 0 ]
-   21:d=4  hl=2 l=  11 cons: SEQUENCE
-   23:d=5  hl=2 l=   9 prim: OBJECT            :sha384
-   34:d=3  hl=2 l=  26 cons: cont [ 1 ]
-   36:d=4  hl=2 l=  24 cons: SEQUENCE
-   38:d=5  hl=2 l=   9 prim: OBJECT            :mgf1
-   49:d=5  hl=2 l=  11 cons: SEQUENCE
-   51:d=6  hl=2 l=   9 prim: OBJECT            :sha384
-   62:d=3  hl=2 l=   3 cons: cont [ 2 ]
-   64:d=4  hl=2 l=   1 prim: INTEGER           :30
-   67:d=1  hl=4 l= 271 prim: BIT STRING
-   ... truncated public key bytes ...
-
-   Issuer directory resources have the media type "application/private-
-   token-issuer-directory" and are located at the well-known location
-   /.well-known/private-token-issuer-directory; see Section 8.1 for the
-   registration information for this well-known URI.  The reason that
-   this resource is located at a well-known URI is that Issuers are
-   defined by an origin name in TokenChallenge structures; see
-   Section 2.1 of [AUTHSCHEME].
-
-   The Issuer directory and Issuer resources SHOULD be available on the
-   same origin.  If an Issuer wants to service multiple different Issuer
-   directories they MUST create unique subdomains for each so the
-   TokenChallenge defined in Section 2.1 of [AUTHSCHEME] can be
-   differentiated correctly.
-
-   Issuers SHOULD use HTTP cache directives to permit caching of this
-   resource [RFC5861].  The cache lifetime depends on the Issuer's key
-   rotation schedule.  Regular rotation of token keys is recommended to
-   minimize the risk of key compromise and any harmful effects that
-   happen due to key compromise.
-
-   Issuers can control cache lifetime with the Cache-Control header, as
-   follows:
-
-     Cache-Control: max-age=86400
-
-   Consumers of the Issuer directory resource SHOULD follow the usual
-   HTTP caching [RFC9111] semantics when processing this resource.  Long
-   cache lifetimes may result in use of stale Issuer configuration
-   information, whereas short lifetimes may result in decreased
-   performance.  When use of an Issuer configuration results in token
-   issuance failures, e.g., because the Issuer has invalidated its
-   directory resource before its expiration time and issuance requests
-   using this configuration are unsuccessful, the directory SHOULD be
-   fetched and revalidated.  Issuance will continue to fail until the
-   Issuer configuration is updated.
-
-5.  Issuance Protocol for Privately Verifiable Tokens
-
-   The privately verifiable issuance protocol allows Clients to produce
-   Token values that verify using the Issuer Private Key. This protocol
-   is based on the oblivious pseudorandom function from [OPRF].
-
-   Issuers provide a Issuer Private and Public Key, denoted skI and pkI
-   respectively, used to produce tokens as input to the protocol.  See
-   Section 5.5 for how these keys are generated.
-
-   Clients provide the following as input to the issuance protocol:
-
-   *  Issuer Request URL: A URL identifying the location to which
-      issuance requests are sent.  This can be a URL derived from the
-      "issuer-request-uri" value in the Issuer's directory resource, or
-      it can be another Client-configured URL.  The value of this
-      parameter depends on the Client configuration and deployment
-      model.  For example, in the 'Joint Origin and Issuer' deployment
-      model, the Issuer Request URL might correspond to the Client's
-      configured Attester, and the Attester is configured to relay
-      requests to the Issuer.
-
-   *  Issuer name: An identifier for the Issuer.  This is typically a
-      host name that can be used to construct HTTP requests to the
-      Issuer.
-
-   *  Issuer Public Key: pkI, with a key identifier token_key_id
-      computed as described in Section 5.5.
-
-   *  Challenge value: challenge, an opaque byte string.  For example,
-      this might be provided by the redemption protocol in [AUTHSCHEME].
-
-   Given this configuration and these inputs, the two messages exchanged
-   in this protocol are described below.  This section uses notation
-   described in [OPRF], Section 4, including SerializeElement and
-   DeserializeElement, SerializeScalar and DeserializeScalar, and
-   DeriveKeyPair.
-
-   The constants Ne and Ns are as defined in [OPRF], Section 4 for
-   OPRF(P-384, SHA-384).  The constant Nk, which is also equal to Nh as
-   defined in [OPRF], Section 4, is defined by Section 8.2.1.
-
-5.1.  Client-to-Issuer Request
-
-   The Client first creates a context as follows:
-
-   client_context = SetupVOPRFClient("P384-SHA384", pkI)
-
-   Here, "P384-SHA384" is the identifier corresponding to the
-   OPRF(P-384, SHA-384) ciphersuite in [OPRF].  SetupVOPRFClient is
-   defined in [OPRF], Section 3.2.
-
-   The Client then creates an issuance request message for a random
-   32-byte value nonce with the input challenge and Issuer key
-   identifier as described below:
-
-   nonce = random(32)
-   challenge_digest = SHA256(challenge)
-   token_input = concat(0x0001, // Token type field is 2 bytes long
-                        nonce,
-                        challenge_digest,
-                        token_key_id)
-   blind, blinded_element = client_context.Blind(token_input)
-
-   The Blind function is defined in [OPRF], Section 3.3.2.  If the Blind
-   function fails, the Client aborts the protocol.  The Client stores
-   the nonce and challenge_digest values locally for use when finalizing
-   the issuance protocol to produce a token (as described in
-   Section 5.3).
-
-   The Client then creates a TokenRequest structured as follows:
-
-   struct {
-     uint16_t token_type = 0x0001; /* Type VOPRF(P-384, SHA-384) */
-     uint8_t truncated_token_key_id;
-     uint8_t blinded_msg[Ne];
-   } TokenRequest;
-
-   The structure fields are defined as follows:
-
-   *  "token_type" is a 2-octet integer, which matches the type in the
-      challenge.
-
-   *  "truncated_token_key_id" is the least significant byte of the
-      token_key_id (Section 5.5) in network byte order (in other words,
-      the last 8 bits of token_key_id).  This value is truncated so that
-      Issuers cannot use token_key_id as a way of uniquely identifying
-      Clients; see Section 7 and referenced information for more
-      details.
-
-   *  "blinded_msg" is the Ne-octet blinded message defined above,
-      computed as SerializeElement(blinded_element).
-
-   The values token_input and blinded_element are stored locally and
-   used later as described in Section 5.3.  The Client then generates an
-   HTTP POST request to send to the Issuer Request URL, with the
-   TokenRequest as the content.  The media type for this request is
-   "application/private-token-request".  An example request for the
-   Issuer Request URL "https://issuer.example.net/request" is shown
-   below.
-
-   POST /request HTTP/1.1
-   Host: issuer.example.net
-   Accept: application/private-token-response
-   Content-Type: application/private-token-request
-   Content-Length: <Length of TokenRequest>
-
-   <Bytes containing the TokenRequest>
-
-5.2.  Issuer-to-Client Response
-
-   Upon receipt of the request, the Issuer validates the following
-   conditions:
-
-   *  The TokenRequest contains a supported token_type.
-
-   *  The TokenRequest.truncated_token_key_id corresponds to the
-      truncated key ID of a Public Key owned by the Issuer.
-
-   *  The TokenRequest.blinded_msg is of the correct size.
-
-   If any of these conditions is not met, the Issuer MUST return an HTTP
-   422 (Unprocessable Content) error to the client.
-
-   If these conditions are met, the Issuer then tries to deserialize
-   TokenRequest.blinded_msg using DeserializeElement from Section 2.1 of
-   [OPRF], yielding blinded_element.  If this fails, the Issuer MUST
-   return an HTTP 422 (Unprocessable Content) error to the client.
-   Otherwise, if the Issuer is willing to produce a token to the Client,
-   the Issuer completes the issuance flow by computing a blinded
-   response as follows:
-
-   server_context = SetupVOPRFServer("P384-SHA384", skI)
-   evaluate_element, proof =
-     server_context.BlindEvaluate(skI, pkI, blinded_element)
-
-   SetupVOPRFServer is defined in [OPRF], Section 3.2 and BlindEvaluate
-   is defined in [OPRF], Section 3.3.2.  The Issuer then creates a
-   TokenResponse structured as follows:
-
-   struct {
-      uint8_t evaluate_msg[Ne];
-      uint8_t evaluate_proof[Ns+Ns];
-   } TokenResponse;
-
-   The structure fields are defined as follows:
-
-   *  "evaluate_msg" is the Ne-octet evaluated message, computed as
-      SerializeElement(evaluate_element).
-
-   *  "evaluate_proof" is the (Ns+Ns)-octet serialized proof, which is a
-      pair of Scalar values, computed as
-      concat(SerializeScalar(proof[0]), SerializeScalar(proof[1])).
-
-   The Issuer generates an HTTP response with status code 200 whose
-   content consists of TokenResponse, with the content type set as
-   "application/private-token-response".
-
-   HTTP/1.1 200 OK
-   Content-Type: application/private-token-response
-   Content-Length: <Length of TokenResponse>
-
-   <Bytes containing the TokenResponse>
-
-5.3.  Finalization
-
-   Upon receipt, the Client handles the response and, if successful,
-   deserializes the content values TokenResponse.evaluate_msg and
-   TokenResponse.evaluate_proof, yielding evaluated_element and proof.
-   If deserialization of either value fails, the Client aborts the
-   protocol.  Otherwise, the Client processes the response as follows:
-
-   authenticator = client_context.Finalize(token_input, blind,
-                                           evaluated_element,
-                                           blinded_element,
-                                           proof)
-
-   The Finalize function is defined in [OPRF], Section 3.3.2.  If this
-   succeeds, the Client then constructs a Token as follows:
-
-   struct {
-     uint16_t token_type = 0x0001; /* Type VOPRF(P-384, SHA-384) */
-     uint8_t nonce[32];
-     uint8_t challenge_digest[32];
-     uint8_t token_key_id[32];
-     uint8_t authenticator[Nk];
-   } Token;
-
-   The Token.nonce value is that which was created in Section 5.1.  If
-   the Finalize function fails, the Client aborts the protocol.
-
-5.4.  Token Verification
-
-   Verifying a Token requires creating a VOPRF context using the Issuer
-   Private Key and Public Key, evaluating the token contents, and
-   comparing the result against the token authenticator value:
-
-   server_context = SetupVOPRFServer("P384-SHA384", skI)
-   token_authenticator_input =
-     concat(Token.token_type,
-            Token.nonce,
-            Token.challenge_digest,
-            Token.token_key_id)
-   token_authenticator =
-     server_context.Evaluate(token_authenticator_input)
-   valid = (token_authenticator == Token.authenticator)
-
-5.5.  Issuer Configuration
-
-   Issuers are configured with Issuer Private and Public Keys, each
-   denoted skI and pkI, respectively, used to produce tokens.  These
-   keys MUST NOT be reused in other protocols.  A RECOMMENDED method for
-   generating keys is as follows:
-
-   seed = random(Ns)
-   (skI, pkI) = DeriveKeyPair(seed, "PrivacyPass")
-
-   The DeriveKeyPair function is defined in [OPRF], Section 3.3.1.  The
-   key identifier for a public key pkI, denoted token_key_id, is
-   computed as follows:
-
-   token_key_id = SHA256(SerializeElement(pkI))
-
-   Since Clients truncate token_key_id in each TokenRequest, Issuers
-   SHOULD ensure that the truncated form of new key IDs do not collide
-   with other truncated key IDs in rotation.  Collisions can cause the
-   Issuer to use the wrong Issuer Private Key for issuance, which will
-   in turn cause the resulting tokens to be invalid.  There is no known
-   security consequence of using the the wrong Issuer Private Key. A
-   possible exception to this constraint would be a colliding key that
-   is still in use but in the process of being rotated out, in which
-   case the collision cannot reasonably be avoided but it is expected to
-   be transient.
-
-6.  Issuance Protocol for Publicly Verifiable Tokens
-
-   This section describes a variant of the issuance protocol in
-   Section 5 for producing publicly verifiable tokens using the protocol
-   in [BLINDRSA].  In particular, this variant of the issuance protocol
-   works for the RSABSSA-SHA384-PSS-Deterministic and RSABSSA-SHA384-
-   PSSZERO-Deterministic blind RSA protocol variants described in
-   Section 5 of [BLINDRSA].
-
-   The publicly verifiable issuance protocol differs from the protocol
-   in Section 5 in that the output tokens are publicly verifiable by
-   anyone with the Issuer Public Key. This means any Origin can select a
-   given Issuer to produce tokens, as long as the Origin has the Issuer
-   public key, without explicit coordination or permission from the
-   Issuer.  This is because the Issuer does not learn the Origin that
-   requested the token during the issuance protocol.
-
-   Beyond this difference, the publicly verifiable issuance protocol
-   variant is nearly identical to the privately verifiable issuance
-   protocol variant.  In particular, Issuers provide an Issuer Private
-   and Public Key, denoted skI and pkI, respectively, used to produce
-   tokens as input to the protocol.  See Section 6.5 for how these keys
-   are generated.
-
-   Clients provide the following as input to the issuance protocol:
-
-   *  Issuer Request URL: A URL identifying the location to which
-      issuance requests are sent.  This can be a URL derived from the
-      "issuer-request-uri" value in the Issuer's directory resource, or
-      it can be another Client-configured URL.  The value of this
-      parameter depends on the Client configuration and deployment
-      model.  For example, in the 'Split Origin, Attester, Issuer'
-      deployment model, the Issuer Request URL might correspond to the
-      Client's configured Attester, and the Attester is configured to
-      relay requests to the Issuer.
-
-   *  Issuer name: An identifier for the Issuer.  This is typically a
-      host name that can be used to construct HTTP requests to the
-      Issuer.
-
-   *  Issuer Public Key: pkI, with a key identifier token_key_id
-      computed as described in Section 6.5.
-
-   *  Challenge value: challenge, an opaque byte string.  For example,
-      this might be provided by the redemption protocol in [AUTHSCHEME].
-
-   Given this configuration and these inputs, the two messages exchanged
-   in this protocol are described below.  The constant Nk is defined by
-   Section 8.2.2.
-
-6.1.  Client-to-Issuer Request
-
-   The Client first creates an issuance request message for a random
-   32-byte value nonce using the input challenge and Issuer key
-   identifier as follows:
-
-   nonce = random(32)
-   challenge_digest = SHA256(challenge)
-   token_input = concat(0x0002, // Token type field is 2 bytes long
-                        nonce,
-                        challenge_digest,
-                        token_key_id)
-   blinded_msg, blind_inv =
-     Blind(pkI, PrepareIdentity(token_input))
-
-   The PrepareIdentity and Blind functions are defined in Section 4.1 of
-   [BLINDRSA] and Section 4.2 of [BLINDRSA], respectively.  The Client
-   stores the nonce and challenge_digest values locally for use when
-   finalizing the issuance protocol to produce a token (as described in
-   Section 6.3).
-
-   The Client then creates a TokenRequest structured as follows:
-
-   struct {
-     uint16_t token_type = 0x0002; /* Type Blind RSA (2048-bit) */
-     uint8_t truncated_token_key_id;
-     uint8_t blinded_msg[Nk];
-   } TokenRequest;
-
-   The structure fields are defined as follows:
-
-   *  "token_type" is a 2-octet integer, which matches the type in the
-      challenge.
-
-   *  "truncated_token_key_id" is the least significant byte of the
-      token_key_id (Section 6.5) in network byte order (in other words,
-      the last 8 bits of token_key_id).  This value is truncated so that
-      Issuers cannot use token_key_id as a way of uniquely identifying
-      Clients; see Section 7 and referenced information for more
-      details.
-
-   *  "blinded_msg" is the Nk-octet request defined above.
-
-   The Client then generates an HTTP POST request to send to the Issuer
-   Request URL, with the TokenRequest as the content.  The media type
-   for this request is "application/private-token-request".  An example
-   request for the Issuer Request URL "https://issuer.example.net/
-   request" is shown below.
-
-   POST /request HTTP/1.1
-   Host: issuer.example.net
-   Accept: application/private-token-response
-   Content-Type: application/private-token-request
-   Content-Length: <Length of TokenRequest>
-
-   <Bytes containing the TokenRequest>
-
-6.2.  Issuer-to-Client Response
-
-   Upon receipt of the request, the Issuer validates the following
-   conditions:
-
-   *  The TokenRequest contains a supported token_type.
-
-   *  The TokenRequest.truncated_token_key_id corresponds to the
-      truncated key ID of an Issuer Public Key.
-
-   *  The TokenRequest.blinded_msg is of the correct size.
-
-   If any of these conditions is not met, the Issuer MUST return an HTTP
-   422 (Unprocessable Content) error to the Client.  Otherwise, if the
-   Issuer is willing to produce a token to the Client, the Issuer
-   completes the issuance flow by computing a blinded response as
-   follows:
-
-   blind_sig = BlindSign(skI, TokenRequest.blinded_msg)
-
-   The BlindSign function is defined in Section 4.3 of [BLINDRSA].  The
-   result is encoded and transmitted to the client in the following
-   TokenResponse structure:
-
-   struct {
-     uint8_t blind_sig[Nk];
-   } TokenResponse;
-
-   The Issuer generates an HTTP response with status code 200 whose
-   content consists of TokenResponse, with the content type set as
-   "application/private-token-response".
-
-   HTTP/1.1 200 OK
-   Content-Type: application/private-token-response
-   Content-Length: <Length of TokenResponse>
-
-   <Bytes containing the TokenResponse>
-
-6.3.  Finalization
-
-   Upon receipt, the Client handles the response and, if successful,
-   processes the content as follows:
-
-   authenticator =
-     Finalize(pkI, nonce, blind_sig, blind_inv)
-
-   The Finalize function is defined in Section 4.4 of [BLINDRSA].  If
-   this succeeds, the Client then constructs a Token as described in
-   [AUTHSCHEME] as follows:
-
-   struct {
-     uint16_t token_type = 0x0002; /* Type Blind RSA (2048-bit) */
-     uint8_t nonce[32];
-     uint8_t challenge_digest[32];
-     uint8_t token_key_id[32];
-     uint8_t authenticator[Nk];
-   } Token;
-
-   The Token.nonce value is that which was sampled in Section 5.1.  If
-   the Finalize function fails, the Client aborts the protocol.
-
-6.4.  Token Verification
-
-   Verifying a Token requires checking that Token.authenticator is a
-   valid signature over the remainder of the token input using the
-   Issuer Public Key. The function RSASSA-PSS-VERIFY is defined in
-   Section 8.1.2 of [RFC8017], using SHA-384 as the Hash function, MGF1
-   with SHA-384 as the PSS mask generation function (MGF), and a 48-byte
-   salt length (sLen).
-
-   token_authenticator_input =
-     concat(Token.token_type,
-            Token.nonce,
-            Token.challenge_digest,
-            Token.token_key_id)
-   valid = RSASSA-PSS-VERIFY(pkI,
-                             token_authenticator_input,
-                             Token.authenticator)
-
-6.5.  Issuer Configuration
-
-   Issuers are configured with Issuer Private and Public Keys, each
-   denoted skI and pkI, respectively, used to produce tokens.  Each key
-   SHALL be generated securely, for example as specified in FIPS 186-5
-   [DSS].  These keys MUST NOT be reused in other protocols.
-
-   The key identifier for an Issuer Private and Public Key (skI, pkI),
-   denoted token_key_id, is computed as SHA256(encoded_key), where
-   encoded_key is a DER-encoded SubjectPublicKeyInfo [RFC5280] (SPKI)
-   object carrying pkI as a DER-encoded RSAPublicKey value [RFC5756] in
-   the subjectPublicKey field.  Additionally, the SPKI object MUST use
-   the id-RSASSA-PSS object identifier in the algorithm field within the
-   SPKI object, the parameters field MUST contain a RSASSA-PSS-params
-   value, and MUST include the hashAlgorithm, maskGenAlgorithm, and
-   saltLength values.  The saltLength MUST match the output size of the
-   hash function associated with the public key and token type.
-
-   An example sequence of the SPKI object (in ASN.1 format, with the
-   actual public key bytes truncated) for a 2048-bit key is below:
-
-   $ cat spki.bin | xxd -r -p | openssl asn1parse -dump -inform DER
-       0:d=0  hl=4 l= 338 cons: SEQUENCE
-       4:d=1  hl=2 l=  61 cons: SEQUENCE
-       6:d=2  hl=2 l=   9 prim: OBJECT            :rsassaPss
-      17:d=2  hl=2 l=  48 cons: SEQUENCE
-      19:d=3  hl=2 l=  13 cons: cont [ 0 ]
-      21:d=4  hl=2 l=  11 cons: SEQUENCE
-      23:d=5  hl=2 l=   9 prim: OBJECT            :sha384
-      34:d=3  hl=2 l=  26 cons: cont [ 1 ]
-      36:d=4  hl=2 l=  24 cons: SEQUENCE
-      38:d=5  hl=2 l=   9 prim: OBJECT            :mgf1
-      49:d=5  hl=2 l=  11 cons: SEQUENCE
-      51:d=6  hl=2 l=   9 prim: OBJECT            :sha384
-      62:d=3  hl=2 l=   3 cons: cont [ 2 ]
-      64:d=4  hl=2 l=   1 prim: INTEGER           :30
-      67:d=1  hl=4 l= 271 prim: BIT STRING
-      ... truncated public key bytes ...
-
-   Since Clients truncate token_key_id in each TokenRequest, Issuers
-   SHOULD ensure that the truncated form of new key IDs do not collide
-   with other truncated key IDs in rotation.  Collisions can cause the
-   Issuer to use the wrong Issuer Private Key for issuance, which will
-   in turn cause the resulting tokens to be invalid.  There is no known
-   security consequence of using the the wrong Issuer Private Key. A
-   possible exception to this constraint would be a colliding key that
-   is still in use but in the process of being rotated out, in which
-   case the collision cannot reasonably be avoided but it is expected to
-   be transient.
-
-7.  Security considerations
-
-   This document outlines how to instantiate the Issuance protocol based
-   on the VOPRF defined in [OPRF] and blind RSA protocol defined in
-   [BLINDRSA].  All security considerations described in the VOPRF and
-   blind RSA documents also apply in the Privacy Pass use-case.
-   Considerations related to broader privacy and security concerns in a
-   multi-Client and multi-Issuer setting are deferred to the
-   architecture document [ARCHITECTURE].  In particular, Section 4 and
-   Section 5 of [ARCHITECTURE] discuss relevant privacy considerations
-   influenced by the Privacy Pass deployment model, and Section 6 of
-   [ARCHITECTURE] discusses privacy considerations that apply regardless
-   of deployment model.  Notable considerations include those pertaining
-   to Issuer Public Key rotation and consistency, where consistency is
-   as described in [CONSISTENCY], and Issuer selection.
-
-8.  IANA considerations
-
-   This section contains considerations for IANA.
-
-8.1.  Well-Known 'private-token-issuer-directory' URI
-
-   This document updates the "Well-Known URIs" Registry [WellKnownURIs]
-   with the following values.
-
-   +===============+============+===========+===========+=============+
-   | URI Suffix    | Change     | Reference | Status    | Related     |
-   |               | Controller |           |           | information |
-   +===============+============+===========+===========+=============+
-   | private-      | IETF       | [this     | permanent | None        |
-   | token-issuer- |            | document] |           |             |
-   | directory     |            |           |           |             |
-   +---------------+------------+-----------+-----------+-------------+
-
-         Table 3: 'private-token-issuer-directory' Well-Known URI
-
-8.2.  Token Type Registry Updates
-
-   This document updates the "Privacy Pass Token Type" Registry with the
-   following entries.
-
-8.2.1.  Token Type VOPRF (P-384, SHA-384)
-
-   *  Value: 0x0001
-
-   *  Name: VOPRF (P-384, SHA-384)
-
-   *  Token Structure: As defined in Section 2.2 of [AUTHSCHEME]
-
-   *  Token Key Encoding: Serialized using SerializeElement from
-      Section 2.1 of [OPRF]
-
-   *  TokenChallenge Structure: As defined in Section 2.1 of
-      [AUTHSCHEME]
-
-   *  Public Verifiability: N
-
-   *  Public Metadata: N
-
-   *  Private Metadata: N
-
-   *  Nk: 48
-
-   *  Nid: 32
-
-   *  Reference: Section 5
-
-   *  Notes: None
-
-8.2.2.  Token Type Blind RSA (2048-bit)
-
-   *  Value: 0x0002
-
-   *  Name: Blind RSA (2048-bit)
-
-   *  Token Structure: As defined in Section 2.2 of [AUTHSCHEME]
-
-   *  Token Key Encoding: Serialized as a DER-encoded
-      SubjectPublicKeyInfo (SPKI) object using the RSASSA-PSS OID
-      [RFC5756]
-
-   *  TokenChallenge Structure: As defined in Section 2.1 of
-      [AUTHSCHEME]
-
-   *  Public Verifiability: Y
-
-   *  Public Metadata: N
-
-   *  Private Metadata: N
-
-   *  Nk: 256
-
-   *  Nid: 32
-
-   *  Reference: Section 6
-
-   *  Notes: The RSABSSA-SHA384-PSS-Deterministic and RSABSSA-SHA384-
-      PSSZERO-Deterministic variants are supported
-
-8.3.  Media Types
-
-   The following entries should be added to the IANA "media types"
-   registry:
-
-   *  "application/private-token-issuer-directory"
-
-   *  "application/private-token-request"
-
-   *  "application/private-token-response"
-
-   The templates for these entries are listed below and the reference
-   should be this RFC.
-
-8.3.1.  "application/private-token-issuer-directory" media type
-
-   Type name:  application
-   Subtype name:  private-token-issuer-directory
-   Required parameters:  N/A
-   Optional parameters:  N/A
-   Encoding considerations:  "binary"
-   Security considerations:  see Section 4
-   Interoperability considerations:  N/A
-   Published specification:  this specification
-   Applications that use this media type:  Services that implement the
-      Privacy Pass issuer role, and client applications that interact
-      with the issuer for the purposes of issuing or redeeming tokens.
-   Fragment identifier considerations:  N/A
-   Additional information:  Magic number(s):  N/A
-                            Deprecated alias names for this type:  N/A
-                            File extension(s):  N/A
-                            Macintosh file type code(s):  N/A
-   Person and email address to contact for further information:  see Aut
-      hors' Addresses section
-   Intended usage:  COMMON
-   Restrictions on usage:  N/A
-   Author:  see Authors' Addresses section
-   Change controller:  IETF
-
-8.3.2.  "application/private-token-request" media type
-
-   Type name:  application
-   Subtype name:  private-token-request
-   Required parameters:  N/A
-   Optional parameters:  N/A
-   Encoding considerations:  "binary"
-   Security considerations:  see Section 7
-   Interoperability considerations:  N/A
-   Published specification:  this specification
-   Applications that use this media type:  Applications that want to
-      issue or facilitate issuance of Privacy Pass tokens, including
-      Privacy Pass issuer applications themselves.
-   Fragment identifier considerations:  N/A
-   Additional information:  Magic number(s):  N/A
-                            Deprecated alias names for this type:  N/A
-                            File extension(s):  N/A
-                            Macintosh file type code(s):  N/A
-   Person and email address to contact for further information:  see Aut
-      hors' Addresses section
-   Intended usage:  COMMON
-   Restrictions on usage:  N/A
-   Author:  see Authors' Addresses section
-   Change controller:  IETF
-
-8.3.3.  "application/private-token-response" media type
-
-   Type name:  application
-   Subtype name:  private-token-response
-   Required parameters:  N/A
-   Optional parameters:  N/A
-   Encoding considerations:  "binary"
-   Security considerations:  see Section 7
-   Interoperability considerations:  N/A
-   Published specification:  this specification
-   Applications that use this media type:  Applications that want to
-      issue or facilitate issuance of Privacy Pass tokens, including
-      Privacy Pass issuer applications themselves.
-   Fragment identifier considerations:  N/A
-   Additional information:  Magic number(s):  N/A
-                            Deprecated alias names for this type:  N/A
-                            File extension(s):  N/A
-                            Macintosh file type code(s):  N/A
-   Person and email address to contact for further information:  see Aut
-      hors' Addresses section
-   Intended usage:  COMMON
-   Restrictions on usage:  N/A
-   Author:  see Authors' Addresses section
-   Change controller:  IETF
-
-9.  References
-
-9.1.  Normative References
-
-   [ARCHITECTURE]
-              Davidson, A., Iyengar, J., and C. A. Wood, "The Privacy
-              Pass Architecture", Work in Progress, Internet-Draft,
-              draft-ietf-privacypass-architecture-16, 25 September 2023,
-              <https://datatracker.ietf.org/doc/html/draft-ietf-
-              privacypass-architecture-16>.
-
-   [AUTHSCHEME]
-              Pauly, T., Valdez, S., and C. A. Wood, "The Privacy Pass
-              HTTP Authentication Scheme", Work in Progress, Internet-
-              Draft, draft-ietf-privacypass-auth-scheme-14, 25 September
-              2023, <https://datatracker.ietf.org/doc/html/draft-ietf-
-              privacypass-auth-scheme-14>.
-
-   [BLINDRSA] Denis, F., Jacobs, F., and C. A. Wood, "RSA Blind
-              Signatures", Work in Progress, Internet-Draft, draft-irtf-
-              cfrg-rsa-blind-signatures-14, 10 July 2023,
-              <https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-
-              rsa-blind-signatures-14>.
-
-   [HTTP]     Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke,
-              Ed., "HTTP Semantics", STD 97, RFC 9110,
-              DOI 10.17487/RFC9110, June 2022,
-              <https://www.rfc-editor.org/rfc/rfc9110>.
-
-   [OPRF]     Davidson, A., Faz-Hernandez, A., Sullivan, N., and C. A.
-              Wood, "Oblivious Pseudorandom Functions (OPRFs) using
-              Prime-Order Groups", Work in Progress, Internet-Draft,
-              draft-irtf-cfrg-voprf-21, 21 February 2023,
-              <https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-
-              voprf-21>.
-
-   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
-              Requirement Levels", BCP 14, RFC 2119,
-              DOI 10.17487/RFC2119, March 1997,
-              <https://www.rfc-editor.org/rfc/rfc2119>.
-
-   [RFC4648]  Josefsson, S., "The Base16, Base32, and Base64 Data
-              Encodings", RFC 4648, DOI 10.17487/RFC4648, October 2006,
-              <https://www.rfc-editor.org/rfc/rfc4648>.
-
-   [RFC5756]  Turner, S., Brown, D., Yiu, K., Housley, R., and T. Polk,
-              "Updates for RSAES-OAEP and RSASSA-PSS Algorithm
-              Parameters", RFC 5756, DOI 10.17487/RFC5756, January 2010,
-              <https://www.rfc-editor.org/rfc/rfc5756>.
-
-   [RFC5861]  Nottingham, M., "HTTP Cache-Control Extensions for Stale
-              Content", RFC 5861, DOI 10.17487/RFC5861, May 2010,
-              <https://www.rfc-editor.org/rfc/rfc5861>.
-
-   [RFC8017]  Moriarty, K., Ed., Kaliski, B., Jonsson, J., and A. Rusch,
-              "PKCS #1: RSA Cryptography Specifications Version 2.2",
-              RFC 8017, DOI 10.17487/RFC8017, November 2016,
-              <https://www.rfc-editor.org/rfc/rfc8017>.
-
-   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
-              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
-              May 2017, <https://www.rfc-editor.org/rfc/rfc8174>.
-
-   [RFC8259]  Bray, T., Ed., "The JavaScript Object Notation (JSON) Data
-              Interchange Format", STD 90, RFC 8259,
-              DOI 10.17487/RFC8259, December 2017,
-              <https://www.rfc-editor.org/rfc/rfc8259>.
-
-   [RFC9111]  Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke,
-              Ed., "HTTP Caching", STD 98, RFC 9111,
-              DOI 10.17487/RFC9111, June 2022,
-              <https://www.rfc-editor.org/rfc/rfc9111>.
-
-   [TIMESTAMP]
-              Mizrahi, T., Fabini, J., and A. Morton, "Guidelines for
-              Defining Packet Timestamps", RFC 8877,
-              DOI 10.17487/RFC8877, September 2020,
-              <https://www.rfc-editor.org/rfc/rfc8877>.
-
-   [TLS13]    Rescorla, E., "The Transport Layer Security (TLS) Protocol
-              Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
-              <https://www.rfc-editor.org/rfc/rfc8446>.
-
-   [WellKnownURIs]
-              "Well-Known URIs", n.d.,
-              <https://www.iana.org/assignments/well-known-uris/well-
-              known-uris.xhtml>.
-
-9.2.  Informative References
-
-   [CONSISTENCY]
-              Davidson, A., Finkel, M., Thomson, M., and C. A. Wood,
-              "Key Consistency and Discovery", Work in Progress,
-              Internet-Draft, draft-ietf-privacypass-key-consistency-01,
-              10 July 2023, <https://datatracker.ietf.org/doc/html/
-              draft-ietf-privacypass-key-consistency-01>.
-
-   [DSS]      Moody, D., "Digital Signature Standard (DSS)", National
-              Institute of Standards and Technology,
-              DOI 10.6028/nist.fips.186-5, 2023,
-              <https://doi.org/10.6028/nist.fips.186-5>.
-
-   [RFC5280]  Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
-              Housley, R., and W. Polk, "Internet X.509 Public Key
-              Infrastructure Certificate and Certificate Revocation List
-              (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008,
-              <https://www.rfc-editor.org/rfc/rfc5280>.
-
-Appendix A.  Acknowledgements
-
-   The authors of this document would like to acknowledge the helpful
-   feedback and discussions from Benjamin Schwartz, Joseph Salowey, and
-   Tara Whalen.
-
-Appendix B.  Test Vectors
-
-   This section includes test vectors for the two basic issuance
-   protocols specified in this document.  Appendix B.1 contains test
-   vectors for token issuance protocol 1 (0x0001), and Appendix B.2
-   contains test vectors for token issuance protocol 2 (0x0002).
-
-B.1.  Issuance Protocol 1 - VOPRF(P-384, SHA-384)
-
-   The test vector below lists the following values:
-
-   *  skS: The Issuer Private Key, serialized using SerializeScalar from
-      Section 2.1 of [OPRF] and represented as a hexadecimal string.
-
-   *  pkS: The Issuer Public Key, serialized according to the encoding
-      in Section 8.2.1.
-
-   *  token_challenge: A randomly generated TokenChallenge structure,
-      represented as a hexadecimal string.
-
-   *  nonce: The 32-byte client nonce generated according to
-      Section 5.1, represented as a hexadecimal string.
-
-   *  blind: The blind used when computing the OPRF blinded message,
-      serialized using SerializeScalar from Section 2.1 of [OPRF] and
-      represented as a hexadecimal string.
-
-   *  token_request: The TokenRequest message constructed according to
-      Section 5.1, represented as a hexadecimal string.
-
-   *  token_response: The TokenResponse message constructed according to
-      Section 5.2, represented as a hexadecimal string.
-
-   *  token: The output Token from the protocol, represented as a
-      hexadecimal string.
-
-   // Test vector 1
-   skS: 39b0d04d3732459288fc5edb89bb02c2aa42e06709f201d6c518871d5181
-   14910bee3c919bed1bbffe3fc1b87d53240a
-   pkS: 02d45bf522425cdd2227d3f27d245d9d563008829252172d34e48469290c
-   21da1a46d42ca38f7beabdf05c074aee1455bf
-   token_challenge: 0001000e6973737565722e6578616d706c65205de58a52fc
-   daef25ca3f65448d04e040fb1924e8264acfccfc6c5ad451d582b3000e6f72696
-   7696e2e6578616d706c65
-   nonce:
-   6aa422c41b59d3e44a136dd439df2454e3587ee5f3697798cdc05fafe73073b8
-   blind: 8e7fd80970b8a00b0931b801a2e22d9903d83bd5597c6a4dc1496ed2b1
-   7ef820445ef3bd223f3ab2c4f54c5d1c956909
-   token_request: 0001f4030ab3e23181d1e213f24315f5775983c678ce22eff9
-   427610832ab3900f2cd12d6829a07ec8a6813cf0b5b886f4cc4979
-   token_response: 036bb3c5c397d88c3527cf9f08f1fe63687b867e85c930c49
-   ee2c222408d4903722a19ff272ac97e3725b947c972784ebfe86eb9ea54336e43
-   34ea9660212c0c85fbadfbf491a1ce2446fc3379337fccd45c1059b2bc760110e
-   e1ec227d8e01c9f482c00c47ffa0dbe2fb58c32dde2b1dbe69fff920a528e68dd
-   9b3c2483848e57c30542b8984fa6bfecd6d71d54d53eda
-   token: 00016aa422c41b59d3e44a136dd439df2454e3587ee5f3697798cdc05f
-   afe73073b8501370b494089dc462802af545e63809581ee6ef57890a12105c283
-   68169514bf260d0792bf7f46c9866a6d37c3032d8714415f87f5f6903d7fb071e
-   253be2f4e0a835d76528b8444f73789ee7dc90715b01c17902fd87375c00a7a9d
-   3d92540437f470773be20f71e721da3af40edeb
-
-   // Test vector 2
-   skS: 39efed331527cc4ddff9722ab5cd35aeafe7c27520b0cfa2eedbdc298dc3
-   b12bc8298afcc46558af1e2eeacc5307d865
-   pkS: 038017e005904c6146b37109d6c2a72b95a183aaa9ed951b8d8fb1ed9033
-   f68033284d175e7df89849475cd67a86bfbf4e
-   token_challenge: 0001000e6973737565722e6578616d706c6500000e6f7269
-   67696e2e6578616d706c65
-   nonce:
-   7617bc802cfdb5d74722ef7418bdbb4f2c88403820e55fe7ec07d3190c29d665
-   blind: 6492ee50072fa18d035d69c4246362dffe2621afb95a10c033bb0109e0
-   f705b0437c425553272e0aa5266ec379e7015e
-   token_request: 000133033a5fe04a39da1bbfb68ccdeecd1917474dd525462e
-   5a90a6ba53b42aaa1486fe443a2e1c7f3fd5ff028a1c7cf1aeac5d
-   token_response: 023bf8cd624880d669c5cc6c88b056355c6e8e1bcbf3746cf
-   b9ab9248a4c056f23a4876ef998a8b6b281d50f852c6fa868fc4fa135c79ccb5f
-   bdf8bf3c926e10c7c12f934a887d86da4a4e5be70f5a169aa75720887bb690536
-   92a8f11f9cda7a72f281e4e3568e848225367946c70db09e718e3cba16193987b
-   c10bede3ef54c4d036c17cd4015bb113be60d7aa927e0d
-   token: 00017617bc802cfdb5d74722ef7418bdbb4f2c88403820e55fe7ec07d3
-   190c29d665c994f7d5cdc2fb970b13d4e8eb6e6d8f9dcdaa65851fb091025dfe1
-   34bd5a62a116477bc9e1a205cca95d0c92335ca7a3e71063b2ac020bdd231c660
-   97f12333ef438d00801bca5ace0fab8eb483dc04cd62578b95b5652921cd2698c
-   45ea74f6c8827b4e19f01140fa5bd039866f562
-
-   // Test vector 3
-   skS: 2b7709595b62b784f14946ae828f65e6caeba6eefe732c86e9ae50e818c0
-   55b3d7ca3a5f2beecaa859a62ff7199d35cc
-   pkS: 03a0de1bf3fd0a73384283b648884ba9fa5dee190f9d7ad4292c2fd49d8b
-   4d64db674059df67f5bd7e626475c78934ae8d
-   token_challenge: 0001000e6973737565722e6578616d706c65000017666f6f
-   2e6578616d706c652c6261722e6578616d706c65
-   nonce:
-   87499b5930918d2d83ecebf92d25ca0722aa11b80dbbfd950537c28aa7d3a9df
-   blind: 1f659584626ba15f44f3d887b2e5fe4c27315b185dfbfaea4253ebba30
-   610c4d9b73c78714c142360e85a00942c0fcff
-   token_request: 0001c8024610a9f3aac21090f3079d6809437a2b94b4403c7e
-   645f849bc6c505dade154c258c8ecd4d2bdcf574daca65db671908
-   token_response: 03c2ab925d03e7793b4a4df6eb505210139f620359e142449
-   1b8143c06a3e5298b25b662c33256411be7277233e1a34570f7a4d142d931e4b5
-   ff8829e27aaf7eb2cc7f9ab655477d71c01d5da5aef44dd076b5820b4710ef025
-   a9e6c6b50a95af6105c5987c1b834d615008cf6370556ed00c6671e69776c09a9
-   2b5ac84804750dd867c78817bdf69f1443002b18ae7a52
-   token: 000187499b5930918d2d83ecebf92d25ca0722aa11b80dbbfd950537c2
-   8aa7d3a9df1949fd455872478ba87e2e6c513c3261cddbe57220581245e4c9c91
-   1dd1c0bb865785bff8f3cfe08cccbb3a7b8e41d23a172871be4828cc54582d87b
-   c7cfc5c8bcedc1868ebc845b000c317ed75312274a42b10be6db23bd8a168fd2f
-   021c23925d72c4d14cd7588c03845da0d41a326
-
-   // Test vector 4
-   skS: 22e237b7b983d77474e4495aff2fc1e10422b1d955192e0fbf2b7b618fba
-   625fcb94b599da9113da49c495a48fbf7f7f
-   pkS: 028cd68715caa20d19b2b20d017d6a0a42b9f2b0a47db65e5e763e23744f
-   e14d74e374bbc93a2ec3970eb53c8aa765ee21
-   token_challenge: 0001000e6973737565722e6578616d706c65000000
-   nonce:
-   02f0a206752d555a24924f2da5942a1bb4cb2d83ff473aa8b2bc3a89e820cd43
-   blind: af91d1dbcf6b46baecde70eb305b8fe75629199cca19c7f9344b8607b9
-   0def27bc53e0345ade32c9fd0a1efda056d1c0
-   token_request: 0001a503632ebb003ed15b6de4557c047c7f81a58688143331
-   2ad3ad7f9416f2dfc940d3f439ad1e8cd677d94ae7c05bc958d134
-   token_response: 032018bc3f180d9650e27f72de76a90b47e336ae9cb058548
-   d851c7046fa0875d96346c15cb39d8083cc6fb57216544c6a815c37d792769e12
-   9c0513ce2034c3286cb212548f4aed1b0f71b28e219a71874a93e53ab2f473282
-   71d1e9cbefc197a4f599a6825051fa1c6e55450042f04182b86c9cf12477a9f16
-   849396c051fa27012e81a86e6c4a9204a063f1e1722dd7
-   token: 000102f0a206752d555a24924f2da5942a1bb4cb2d83ff473aa8b2bc3a
-   89e820cd43085cb06952044c7655b412ab7d484c97b97c48c79c568140b8d49a0
-   2ca47a9cfb0a5cfb861290c4dbd8fd9b60ee9b1a1a54cf47c98531fe253f1ed6d
-   875de5a58f42db12b540b0d11bc5d6b42e6d17c2b73e98631e54d40fd2901ebec
-   4268668535b03cbf76f7f15a29d623a64cab0c4
-
-   // Test vector 5
-   skS: 46f3d4f562002b85ffcfdb4d06835fb9b2e24372861ecaa11357fd1f29f9
-   ed26e44715549ccedeb39257f095110f0159
-   pkS: 02fbe9da0b7cabe3ec51c36c8487b10909142b59af030c728a5e87bb3b30
-   f54c06415d22e03d9212bd3d9a17d5520d4d0f
-   token_challenge: 0001000e6973737565722e6578616d706c65205de58a52fc
-   daef25ca3f65448d04e040fb1924e8264acfccfc6c5ad451d582b30000
-   nonce:
-   9ee54942d8a1604452a76856b1bfaf1cd608e1e3fa38acfd9f13e84483c90e89
-   blind: 76e0938e824b6cda6c163ff55d0298d539e222ed3984f4e31bbb654a8c
-   59671d4e0a7e264ca758cd0f4b533e0f60c5aa
-   token_request: 0001e10202bc92ac516c867f39399d71976018db52fcab5403
-   f8534a65677ba9e1e7d9b1d01767d137884c86cf5fe698c2f5d8e9
-   token_response: 0322ea3856a71533796393229b33d33c02cd714e40d5aa4e0
-   71f056276f32f89c09947eca8ff119d940d9d57c2fcbd83d2da494ddeb37dc1f6
-   78e5661a8e7bcc96b3477eb89d708b0ce10e0ea1b5ce0001f9332f743c0cc3d47
-   48233fea6d3152fae7844821268eb96ba491f60b1a3a848849310a39e9ef59121
-   669aa5d5dbb4b4deb532d2f907a01c5b39efaf23985080
-   token: 00019ee54942d8a1604452a76856b1bfaf1cd608e1e3fa38acfd9f13e8
-   4483c90e89d4380df12a1727f4e2ca1ee0d7abea0d0fb1e9506507a4dd618f9b8
-   7e79f9f3521a7c9134d6722925bf622a994041cdb1b082cdf1309af32f0ce00ca
-   1dab63e1b603747a8a5c3b46c7c2853de5ec7af8cac7cf3e089cecdc9ed3ff05c
-   d24504fe4f6c52d24ac901471267d8b63b61e6b
-
-B.2.  Issuance Protocol 2 - Blind RSA, 2048
-
-   The test vector below lists the following values:
-
-   *  skS: The PEM-encoded PKCS#8 RSA Issuer Private Key used for
-      signing tokens, represented as a hexadecimal string.
-
-   *  pkS: The Issuer Public Key, serialized according to the encoding
-      in Section 8.2.2.
-
-   *  token_challenge: A randomly generated TokenChallenge structure,
-      represented as a hexadecimal string.
-
-   *  nonce: The 32-byte client nonce generated according to
-      Section 6.1, represented as a hexadecimal string.
-
-   *  blind: The blind used when computing the blind RSA blinded
-      message, represented as a hexadecimal string.
-
-   *  salt: The randomly generated 48-byte salt used when encoding the
-      blinded token request message, represented as a hexadecimal
-      string.
-
-   *  token_request: The TokenRequest message constructed according to
-      Section 6.1, represented as a hexadecimal string.
-
-   *  token_request: The TokenResponse message constructed according to
-      Section 6.2, represented as a hexadecimal string.
-
-   *  token: The output Token from the protocol, represented as a
-      hexadecimal string.
-
-   // Test vector 1
-   skS: 2d2d2d2d2d424547494e2050524956415445204b45592d2d2d2d2d0a4d49
-   4945765149424144414e42676b71686b6947397730424151454641415343424b6
-   3776767536a41674541416f49424151444c4775317261705831736334420a4f6b
-   7a38717957355379356b6f6a41303543554b66717444774e38366a424b5a4f764
-   57245526b49314c527876734d6453327961326333616b4745714c756b440a556a
-   35743561496b3172417643655844644e44503442325055707851436e6969396e6
-   b492b6d67725769744444494871386139793137586e6c5079596f784f530a646f
-   6558563835464f314a752b62397336356d586d34516a755139455961497138337
-   1724450567a50335758712b524e4d636379323269686763624c766d42390a6a41
-   355334475666325a6c74785954736f4c364872377a58696a4e394637486271656
-   76f753967654b524d584645352f2b4a3956595a634a734a624c756570480a544f
-   72535a4d4948502b5358514d4166414f454a4547426d6d4430683566672f43473
-   475676a79486e4e51383733414e4b6a55716d3676574574413872514c620a4530
-   742b496c706641674d4241414543676745414c7a4362647a69316a506435384d6
-   b562b434c6679665351322b7266486e7266724665502f566344787275690a3270
-   316153584a596962653645532b4d622f4d4655646c485067414c7731785134576
-   57266366336444373686c6c784c57535638477342737663386f364750320a6359
-   366f777042447763626168474b556b5030456b62395330584c4a5763475347356
-   1556e484a585237696e7834635a6c666f4c6e7245516536685578734d710a6230
-   644878644844424d644766565777674b6f6a4f6a70532f39386d4555793756422
-   f3661326c7265676c766a632f326e4b434b7459373744376454716c47460a787a
-   414261577538364d435a342f5131334c762b426566627174493973715a5a776a7
-   264556851483856437872793251564d515751696e57684174364d7154340a5342
-   5354726f6c5a7a7772716a65384d504a393175614e4d6458474c63484c4932367
-   3587a76374b53514b42675144766377735055557641395a325a583958350a6d49
-   784d54424e6445467a56625550754b4b413179576e31554d444e63556a71682b7
-   a652f376b337946786b68305146333162713630654c393047495369414f0a354b
-   4f574d39454b6f2b7841513262614b314d664f5931472b386a7a4258557042733
-   9346b353353383879586d4b366e796467763730424a385a6835666b55710a5732
-   306f5362686b686a5264537a48326b52476972672b5553774b426751445a4a4d6
-   e7279324578612f3345713750626f737841504d69596e6b354a415053470a7932
-   7a305a375455622b7548514f2f2b78504d376e433075794c494d44396c61544d4
-   8776e3673372f4c62476f455031575267706f59482f4231346b2f526e360a6675
-   77524e3632496f397463392b41434c745542377674476179332b6752775974534
-   33262356564386c4969656774546b6561306830754453527841745673330a6e35
-   6b796132513976514b4267464a75467a4f5a742b7467596e576e5155456757385
-   0304f494a45484d45345554644f637743784b7248527239334a6a7546320a4533
-   77644b6f546969375072774f59496f614a5468706a50634a62626462664b792b6
-   e735170315947763977644a724d6156774a6376497077563676315570660a5674
-   4c61646d316c6b6c7670717336474e4d386a6e4d30587833616a6d6d6e6665573
-   9794758453570684d727a4c4a6c394630396349324c416f4742414e58760a7567
-   5658727032627354316f6b6436755361427367704a6a5065774e526433635a4b3
-   97a306153503144544131504e6b7065517748672f2b36665361564f487a0a7941
-   7844733968355272627852614e6673542b7241554837783153594456565159564
-   d68555262546f5a6536472f6a716e544333664e6648563178745a666f740a306c
-   6f4d4867776570362b53494d436f6565325a6374755a5633326c6349616639726
-   2484f633764416f47416551386b3853494c4e4736444f413331544535500a6d30
-   31414a49597737416c5233756f2f524e61432b78596450553354736b75414c787
-   86944522f57734c455142436a6b46576d6d4a41576e51554474626e594e0a5363
-   77523847324a36466e72454374627479733733574156476f6f465a6e636d504c5
-   0386c784c79626c534244454c79615a762f624173506c4d4f39624435630a4a2b
-   4e534261612b6f694c6c31776d4361354d43666c633d0a2d2d2d2d2d454e44205
-   0524956415445204b45592d2d2d2d2d0a
-   pkS: 30820152303d06092a864886f70d01010a3030a00d300b06096086480165
-   03040202a11a301806092a864886f70d010108300b0609608648016503040202a
-   2030201300382010f003082010a0282010100cb1aed6b6a95f5b1ce013a4cfcab
-   25b94b2e64a23034e4250a7eab43c0df3a8c12993af12b111908d4b471bec31d4
-   b6c9ad9cdda90612a2ee903523e6de5a224d6b02f09e5c374d0cfe01d8f529c50
-   0a78a2f67908fa682b5a2b430c81eaf1af72d7b5e794fc98a3139276879757ce4
-   53b526ef9bf6ceb99979b8423b90f4461a22af37aab0cf5733f7597abe44d31c7
-   32db68a181c6cbbe607d8c0e52e0655fd9996dc584eca0be87afbcd78a337d17b
-   1dba9e828bbd81e291317144e7ff89f55619709b096cbb9ea474cead264c2073f
-   e49740c01f00e109106066983d21e5f83f086e2e823c879cd43cef700d2a352a9
-   babd612d03cad02db134b7e225a5f0203010001
-   token_challenge: 0002000e6973737565722e6578616d706c65208e7acc900e
-   393381e8810b7c9e4a68b5163f1f880ab6688a6ffe780923609e88000e6f72696
-   7696e2e6578616d706c65
-   nonce:
-   aa72019d1f951df197021ce63876fe8b0a02dc1c31a12b0a2dd1508d07827f05
-   blind: 425421de54c7381864ce36473abfb988c454fe6c27de863de702a6a2ad
-   ca153fa2de47bd8fcd62734caa8ce1f920b77d980ab58c32d16dde54873f28ca9
-   68e8c125b8363514be68972f553655bcc7f80a284cc327e47e804a47333c5b3cd
-   f773312cc7ad9fda748aed0baa7e19c5a2d1dafda718f086d7fc0a4bc02d488e0
-   f20812daee335af7177b7a8369bd617066aed7a58f659f295c36b418827f67972
-   5b81ca14ea16fb82df21ad76da1ac38dcf24bf6252f8510e2308608ac9197f6cb
-   54fdcb19db17837302a2b87d659c5605f35f3709a130f0c3d50e172f0cae36cbc
-   9467f9914895a215a9e32443bcafff795273ccf8965a7eaa8c0b2184763e3e5c
-   salt: 3d980852fa570c064204feb8d107098db976ef8c2137e8641d234bbd88a
-   986fdb306a7af220cfadede08f51e1ef61766
-   token_request: 0002086a95be84b63cfed0993bb579194a72a95057e1548ac4
-   63a9a5b33b011f2b2011d59487f01862f1d8e4d5ea42e73a660fbc3d010b944a5
-   4da3a4e0942f8894c0884589b438cb902e9a34278970f33c16f351f7dae58d273
-   c3ab66ef368da36f785e89e24d1d983d5c34311cd21f290f9e89e8646ab0d0a48
-   988fcd46230de5e7603cd12cc95c7ec5002e5e26737aa7eb69c626476e6c8d465
-   10ee404a3d7daf3a23b7c66735d363ca13676925c6ed0117f60d165ce1f8ba616
-   d041b6384baf6da3e2f757cb18e879a4f8595c2dc895ddf1f4279c75768d108b5
-   c47f95f94e81e2d8b9c8b74476924ab3b7c45243fc99ac5466e8a3680ad37fa15
-   c96010b274094
-   token_response: 675d84b751d9e593330ec4b6d7ab69c9a61517e98971f4b73
-   6150508174b4335761464f237be2d72bbae4b94dffc6143413f6351f1aa4efde6
-   c32d4d6d9392a008290d56d1222f9b77a1336213e01934f7d972f3bf9ea5a5786
-   c321352f103b3667e605379a55f0fb925fbb09b8a9f85e7dd4b388a3b49d06fd7
-   0ba28f6a780e3bc8f6421554fd6c38b63ef19f84ccfcf14709dd0b4d72213c1f0
-   60893854eba0ea1a147e275da320db5e9849882d5f9179efa8a2d8d3b803f9d14
-   45ef5c1f660be08883ce9b29a0a992fc035d2938cbb61c440044438dbb8b3ce71
-   58a8f9827d230482f622d291406ab236b32b122627ae0fd36bd0d6b7607b8044a
-   ce404d44
-   token: 0002aa72019d1f951df197021ce63876fe8b0a02dc1c31a12b0a2dd150
-   8d07827f055969f643b4cfda5196d4aa86aeb5368834f4f06de46950ed435b3b8
-   1bd036d44ca572f8982a9ca248a3056186322d93ca147266121ddeb5632c07f1f
-   71cd2708bc6a21b533d07294b5e900faf5537dd3eb33cee4e08c9670d1e5358fd
-   184b0e00c637174f5206b14c7bb0e724ebf6b56271e5aa2ed94c051c4a433d302
-   b23bc52460810d489fb050f9de5c868c6c1b06e3849fd087629f704cc724bc0d0
-   984d5c339686fcdd75f9a9cdd25f37f855f6f4c584d84f716864f546b696d620c
-   5bd41a811498de84ff9740ba3003ba2422d26b91eb745c084758974642a420782
-   01543246ddb58030ea8e722376aa82484dca9610a8fb7e018e396165462e17a03
-   e40ea7e128c090a911ecc708066cb201833010c1ebd4e910fc8e27a1be467f786
-   71836a508257123a45e4e0ae2180a434bd1037713466347a8ebe46439d3da1970
-
-   // Test vector 2
-   skS: 2d2d2d2d2d424547494e2050524956415445204b45592d2d2d2d2d0a4d49
-   4945765149424144414e42676b71686b6947397730424151454641415343424b6
-   3776767536a41674541416f49424151444c4775317261705831736334420a4f6b
-   7a38717957355379356b6f6a41303543554b66717444774e38366a424b5a4f764
-   57245526b49314c527876734d6453327961326333616b4745714c756b440a556a
-   35743561496b3172417643655844644e44503442325055707851436e6969396e6
-   b492b6d67725769744444494871386139793137586e6c5079596f784f530a646f
-   6558563835464f314a752b62397336356d586d34516a755139455961497138337
-   1724450567a50335758712b524e4d636379323269686763624c766d42390a6a41
-   355334475666325a6c74785954736f4c364872377a58696a4e394637486271656
-   76f753967654b524d584645352f2b4a3956595a634a734a624c756570480a544f
-   72535a4d4948502b5358514d4166414f454a4547426d6d4430683566672f43473
-   475676a79486e4e51383733414e4b6a55716d3676574574413872514c620a4530
-   742b496c706641674d4241414543676745414c7a4362647a69316a506435384d6
-   b562b434c6679665351322b7266486e7266724665502f566344787275690a3270
-   316153584a596962653645532b4d622f4d4655646c485067414c7731785134576
-   57266366336444373686c6c784c57535638477342737663386f364750320a6359
-   366f777042447763626168474b556b5030456b62395330584c4a5763475347356
-   1556e484a585237696e7834635a6c666f4c6e7245516536685578734d710a6230
-   644878644844424d644766565777674b6f6a4f6a70532f39386d4555793756422
-   f3661326c7265676c766a632f326e4b434b7459373744376454716c47460a787a
-   414261577538364d435a342f5131334c762b426566627174493973715a5a776a7
-   264556851483856437872793251564d515751696e57684174364d7154340a5342
-   5354726f6c5a7a7772716a65384d504a393175614e4d6458474c63484c4932367
-   3587a76374b53514b42675144766377735055557641395a325a583958350a6d49
-   784d54424e6445467a56625550754b4b413179576e31554d444e63556a71682b7
-   a652f376b337946786b68305146333162713630654c393047495369414f0a354b
-   4f574d39454b6f2b7841513262614b314d664f5931472b386a7a4258557042733
-   9346b353353383879586d4b366e796467763730424a385a6835666b55710a5732
-   306f5362686b686a5264537a48326b52476972672b5553774b426751445a4a4d6
-   e7279324578612f3345713750626f737841504d69596e6b354a415053470a7932
-   7a305a375455622b7548514f2f2b78504d376e433075794c494d44396c61544d4
-   8776e3673372f4c62476f455031575267706f59482f4231346b2f526e360a6675
-   77524e3632496f397463392b41434c745542377674476179332b6752775974534
-   33262356564386c4969656774546b6561306830754453527841745673330a6e35
-   6b796132513976514b4267464a75467a4f5a742b7467596e576e5155456757385
-   0304f494a45484d45345554644f637743784b7248527239334a6a7546320a4533
-   77644b6f546969375072774f59496f614a5468706a50634a62626462664b792b6
-   e735170315947763977644a724d6156774a6376497077563676315570660a5674
-   4c61646d316c6b6c7670717336474e4d386a6e4d30587833616a6d6d6e6665573
-   9794758453570684d727a4c4a6c394630396349324c416f4742414e58760a7567
-   5658727032627354316f6b6436755361427367704a6a5065774e526433635a4b3
-   97a306153503144544131504e6b7065517748672f2b36665361564f487a0a7941
-   7844733968355272627852614e6673542b7241554837783153594456565159564
-   d68555262546f5a6536472f6a716e544333664e6648563178745a666f740a306c
-   6f4d4867776570362b53494d436f6565325a6374755a5633326c6349616639726
-   2484f633764416f47416551386b3853494c4e4736444f413331544535500a6d30
-   31414a49597737416c5233756f2f524e61432b78596450553354736b75414c787
-   86944522f57734c455142436a6b46576d6d4a41576e51554474626e594e0a5363
-   77523847324a36466e72454374627479733733574156476f6f465a6e636d504c5
-   0386c784c79626c534244454c79615a762f624173506c4d4f39624435630a4a2b
-   4e534261612b6f694c6c31776d4361354d43666c633d0a2d2d2d2d2d454e44205
-   0524956415445204b45592d2d2d2d2d0a
-   pkS: 30820152303d06092a864886f70d01010a3030a00d300b06096086480165
-   03040202a11a301806092a864886f70d010108300b0609608648016503040202a
-   2030201300382010f003082010a0282010100cb1aed6b6a95f5b1ce013a4cfcab
-   25b94b2e64a23034e4250a7eab43c0df3a8c12993af12b111908d4b471bec31d4
-   b6c9ad9cdda90612a2ee903523e6de5a224d6b02f09e5c374d0cfe01d8f529c50
-   0a78a2f67908fa682b5a2b430c81eaf1af72d7b5e794fc98a3139276879757ce4
-   53b526ef9bf6ceb99979b8423b90f4461a22af37aab0cf5733f7597abe44d31c7
-   32db68a181c6cbbe607d8c0e52e0655fd9996dc584eca0be87afbcd78a337d17b
-   1dba9e828bbd81e291317144e7ff89f55619709b096cbb9ea474cead264c2073f
-   e49740c01f00e109106066983d21e5f83f086e2e823c879cd43cef700d2a352a9
-   babd612d03cad02db134b7e225a5f0203010001
-   token_challenge: 0002000e6973737565722e6578616d706c6500000e6f7269
-   67696e2e6578616d706c65
-   nonce:
-   98c1345ff38a554b429b428b0f206cfe4f3892f8041995f2c24873d90e84488d
-   blind: 7bb85f89c9b83a0e2b02938b3396f06f8f3df0018a91f1a2cc5416aaa5
-   52994d063f634d50bea13bffe8d5e01431e646e2e384549cefd695ac3affff665
-   a1ebf0113df2520006bd66e468d37a58266daa8a3a75692535e1fc46d0c1d6fb6
-   f37c949808172e20c0b77a48570a1fcb474325bdd23cdbce52b5d6a9e39f7aec7
-   3b09004eae8c8bfff2b4b533ea63bcf467a4cd95ccfb0cb4e43bc4992c1fd0be7
-   a77a4475dbf8094cf25125ece901abbcea607a9050ad9f8ec3d0d66341f6eab40
-   ee9c9c22c0b560b8377f8543d8878c7458885fd285c7556cc88fc6021617075b4
-   2c83a86005169a6f13352e789b28fdbbe3d0288e1dd7c801497573893146aea3
-   salt: b6b4378421ab0ea677ce3f4036fd0489dee458ad81ea519c3e8bde3fcd5
-   ec1505d28e110d7b44dcac5e04ecedd54d11a
-   token_request: 00020892d26a271c0104657ba10c0b5cb2827bb209d86e8002
-   7f96bfb861e0f40cb897f0fc426498433141ce9bc8b4a95914fefe4e40bdd3802
-   a121cb0b59a4ae7e03255275c4abf071d991c82ead402606c0ef912178b0a0f68
-   d303e06a966079230592827b84979dbcb5f21ab8904e9908638ddf705c4f8af8a
-   053c19a66090726b60c6b4063976e4c66eab33522dd3f9d64828441db4aa82d55
-   adcc3d3920592884cd1e5a3f490d5c81f1306705dcc5c61d82373f1dbd7d2ae4b
-   2fea0f7339f5d868415f59312766e3074ee4a7305f5f053da82673ee6747a727a
-   26d8d10ea1b1a3491d26b0c38b962c02a774ac78932153aae9dcc98a9b1db1f53
-   89644682f7727
-   token_response: 113a5124c1aef6fc230d9fc42b789226f45ca941aad4da3f4
-   8cf37c7744a8d7fd1dcfd71cd39d09e9324760180ea0bade3360efaf7322a1fa1
-   5f41247be3857fde8c5c92ec6d67a7ee33be8fdadf8b27bb0db706117448e55bc
-   e9927cb6bfb1f87f9edb054181a4558af0c0d3973d7033b9599e674c20cf08a7b
-   bcf0da815a2edaab7c4fb80dee4ea2cc53576a9691e857da931c6c592d2c69dd2
-   1afda8ea653dd90157adfe80e2375c08e75beb497df8b7b73192fbbd4e80359d9
-   bbaecea14e0acebdda92596f71ec1d57e26b6497b3152976bc07a4409148cb843
-   89eb207fb8e841106012408c6e19b4f964008b6a909aaab767a661a061c97da16
-   43040455
-   token: 000298c1345ff38a554b429b428b0f206cfe4f3892f8041995f2c24873
-   d90e84488d11e15c91a7c2ad02abd66645802373db1d823bea80f08d452541fb2
-   b62b5898bca572f8982a9ca248a3056186322d93ca147266121ddeb5632c07f1f
-   71cd27083350a206c5e9b7c0898f97611ce0bb8d74d310bb194ab67e094e32ff6
-   da90886924b1b9e7b569402c1101d896d2fc3a7371ef77f02310db1dc9f81c853
-   5828c2d0e9d9051720d182cd54e1c2c3bf417da2fc7aa72bb70ccc834ef274a2e
-   809c9821b3d395d6535423f7428b3f29175d6eb840b4b7685336e57e2b6afeaab
-   c0c17ea4f557e8a9cc2f624e245c6ccd7cbdd6c32c97c5c6974e802f688e2d25f
-   0aba4215f609f692244517d5d3407e0172273982c001c158f5fcbe1b5d2447c26
-   a87e89f5a9e72b498b0c59ce749823d2cf253d3cf6cd4e64fa0e434d95e488789
-   247a9ceed756ff4ff33a8d2402c0db381236d331092838b608a42002552092897
-
-   // Test vector 3
-   skS: 2d2d2d2d2d424547494e2050524956415445204b45592d2d2d2d2d0a4d49
-   4945765149424144414e42676b71686b6947397730424151454641415343424b6
-   3776767536a41674541416f49424151444c4775317261705831736334420a4f6b
-   7a38717957355379356b6f6a41303543554b66717444774e38366a424b5a4f764
-   57245526b49314c527876734d6453327961326333616b4745714c756b440a556a
-   35743561496b3172417643655844644e44503442325055707851436e6969396e6
-   b492b6d67725769744444494871386139793137586e6c5079596f784f530a646f
-   6558563835464f314a752b62397336356d586d34516a755139455961497138337
-   1724450567a50335758712b524e4d636379323269686763624c766d42390a6a41
-   355334475666325a6c74785954736f4c364872377a58696a4e394637486271656
-   76f753967654b524d584645352f2b4a3956595a634a734a624c756570480a544f
-   72535a4d4948502b5358514d4166414f454a4547426d6d4430683566672f43473
-   475676a79486e4e51383733414e4b6a55716d3676574574413872514c620a4530
-   742b496c706641674d4241414543676745414c7a4362647a69316a506435384d6
-   b562b434c6679665351322b7266486e7266724665502f566344787275690a3270
-   316153584a596962653645532b4d622f4d4655646c485067414c7731785134576
-   57266366336444373686c6c784c57535638477342737663386f364750320a6359
-   366f777042447763626168474b556b5030456b62395330584c4a5763475347356
-   1556e484a585237696e7834635a6c666f4c6e7245516536685578734d710a6230
-   644878644844424d644766565777674b6f6a4f6a70532f39386d4555793756422
-   f3661326c7265676c766a632f326e4b434b7459373744376454716c47460a787a
-   414261577538364d435a342f5131334c762b426566627174493973715a5a776a7
-   264556851483856437872793251564d515751696e57684174364d7154340a5342
-   5354726f6c5a7a7772716a65384d504a393175614e4d6458474c63484c4932367
-   3587a76374b53514b42675144766377735055557641395a325a583958350a6d49
-   784d54424e6445467a56625550754b4b413179576e31554d444e63556a71682b7
-   a652f376b337946786b68305146333162713630654c393047495369414f0a354b
-   4f574d39454b6f2b7841513262614b314d664f5931472b386a7a4258557042733
-   9346b353353383879586d4b366e796467763730424a385a6835666b55710a5732
-   306f5362686b686a5264537a48326b52476972672b5553774b426751445a4a4d6
-   e7279324578612f3345713750626f737841504d69596e6b354a415053470a7932
-   7a305a375455622b7548514f2f2b78504d376e433075794c494d44396c61544d4
-   8776e3673372f4c62476f455031575267706f59482f4231346b2f526e360a6675
-   77524e3632496f397463392b41434c745542377674476179332b6752775974534
-   33262356564386c4969656774546b6561306830754453527841745673330a6e35
-   6b796132513976514b4267464a75467a4f5a742b7467596e576e5155456757385
-   0304f494a45484d45345554644f637743784b7248527239334a6a7546320a4533
-   77644b6f546969375072774f59496f614a5468706a50634a62626462664b792b6
-   e735170315947763977644a724d6156774a6376497077563676315570660a5674
-   4c61646d316c6b6c7670717336474e4d386a6e4d30587833616a6d6d6e6665573
-   9794758453570684d727a4c4a6c394630396349324c416f4742414e58760a7567
-   5658727032627354316f6b6436755361427367704a6a5065774e526433635a4b3
-   97a306153503144544131504e6b7065517748672f2b36665361564f487a0a7941
-   7844733968355272627852614e6673542b7241554837783153594456565159564
-   d68555262546f5a6536472f6a716e544333664e6648563178745a666f740a306c
-   6f4d4867776570362b53494d436f6565325a6374755a5633326c6349616639726
-   2484f633764416f47416551386b3853494c4e4736444f413331544535500a6d30
-   31414a49597737416c5233756f2f524e61432b78596450553354736b75414c787
-   86944522f57734c455142436a6b46576d6d4a41576e51554474626e594e0a5363
-   77523847324a36466e72454374627479733733574156476f6f465a6e636d504c5
-   0386c784c79626c534244454c79615a762f624173506c4d4f39624435630a4a2b
-   4e534261612b6f694c6c31776d4361354d43666c633d0a2d2d2d2d2d454e44205
-   0524956415445204b45592d2d2d2d2d0a
-   pkS: 30820152303d06092a864886f70d01010a3030a00d300b06096086480165
-   03040202a11a301806092a864886f70d010108300b0609608648016503040202a
-   2030201300382010f003082010a0282010100cb1aed6b6a95f5b1ce013a4cfcab
-   25b94b2e64a23034e4250a7eab43c0df3a8c12993af12b111908d4b471bec31d4
-   b6c9ad9cdda90612a2ee903523e6de5a224d6b02f09e5c374d0cfe01d8f529c50
-   0a78a2f67908fa682b5a2b430c81eaf1af72d7b5e794fc98a3139276879757ce4
-   53b526ef9bf6ceb99979b8423b90f4461a22af37aab0cf5733f7597abe44d31c7
-   32db68a181c6cbbe607d8c0e52e0655fd9996dc584eca0be87afbcd78a337d17b
-   1dba9e828bbd81e291317144e7ff89f55619709b096cbb9ea474cead264c2073f
-   e49740c01f00e109106066983d21e5f83f086e2e823c879cd43cef700d2a352a9
-   babd612d03cad02db134b7e225a5f0203010001
-   token_challenge: 0002000e6973737565722e6578616d706c65000017666f6f
-   2e6578616d706c652c6261722e6578616d706c65
-   nonce:
-   9e7a22bdc5d715682434cebc07eb5fa53f622f776a17a6d91757af1592df0e71
-   blind: c52cabc5e4e131e0f5860cc4c486c5ee8a5fa8ae59484446121f87b0d8
-   ccd037f161a99ebcc57f79d05a2ffc852656ad2d0894fab8d1b0f998e6e678254
-   ed5778da98b137371320314d06c24276e35435bccffa49d257687f270f9ce1792
-   6a074737546d5415a4bb9e624a6302562b395856632efb6992f6593a4f95fb342
-   002efebc3046ca96bbc26edb2f1a1454a24ce7b9a7ec8e44fb9e99c8144d409d8
-   cd8a5903c0a3c0acbd9f82573ed1fc4a296e3eaf4867ade30110794678f422d36
-   bd103ea4617d2472cf58da3381e52e5be60f4acbf685e280648cef21211a796ec
-   d005ecbdaa1046c40950afca4c4e7dd4b8c19e504088489a15667b45895b6e92
-   salt: c847b5d0fa9101a1e09954ac9f3eed6600af58936295ad2e54274e13e64
-   0d59f732d07530c94c19c20668f03470c77ac
-   token_request: 0002080f6bd84fba1822c577c8cd670f1136cca107f84ddd9d
-   405d5ed22ad15da975538f031433bad4a2688999732927efe2928d4c132389a12
-   2f40b639b083d6fcbbed7a55fb18db536d2dcbaefe6dc0a70730e6565b08a7dfd
-   783913a59f37d798de0cfc262c9e90a7ee884a3ec355eacbd44e5f6779fea6a78
-   5b05ac352fdd51a116cf2be1d8e38b0bfacd6a3d53a88c99f747cce908f86b335
-   62691f540e3e88562092cd17cc2f78ce0fb53312a5f2dc918bdb1dc90d9d65091
-   c7ba9080ccc1755cb5437989364dc92f0e8fea18f66d631451feb02a3d68af41d
-   e1a3f9be925dda5c4ca0706fc4ca28b3317e939f6573442c6d03be17cd141fa82
-   60d382d134c6b
-   token_response: 2dd08ce89cf4f62bc236ab7b75266e13c57c750345e328e0b
-   ea107537c4cbeea5bfc990716950440628ea2e37dbc5c9c6d84f9a965cbf0cbff
-   fb89516b1fd19a90d69cc52a28890bbdcf782f56aefadad85b6e861a74170ce91
-   0891c89e4293f37978dbd41cc8b5c68802de3d86d9f0326b9c22b809512245896
-   6a6ddd1aeb3828d239c3b359efc9b375390eb19050d5656c2b084304d9bd8a816
-   14f631bf82a7e4588413b44a0cb6d94e942fa134790b396cb71e3ed33b557b5bd
-   0734e726fa79abdca8694703b81d0e289b749801d4383e0d4f825dcde0dd98c43
-   d3ba81c028dd8833a4fc24961f60e118d4421dce5b611d53e9ca96156a52509bf
-   a9afeb7e
-   token: 00029e7a22bdc5d715682434cebc07eb5fa53f622f776a17a6d91757af
-   1592df0e710042eee45ac4dd5acb8f6e65c4d8dd47504f73f7463507ef96a4d72
-   27d2774f3ca572f8982a9ca248a3056186322d93ca147266121ddeb5632c07f1f
-   71cd270815b010bbc0d5f55e9c856d2e9ffaefba007d33c2d5452fbeb0b15919b
-   973e0dc9180aaeb18242043758d9fb0ac9ac5e04da9ff74ec93644ae6cdb7068e
-   a76ce2295b9b95e383ed3a9856e9f618dafdf4cec5d2b53ea4297c2f3990babca
-   71e3ccd6c07a437daae7ed27b6b81178fb7ce5fa5dd63781cc64ac1e410f441c0
-   34b0a5cc873a2ce875e8b38c92bab563635c4f8f4fa35d1f582ef19edf7da75aa
-   11a503a82e32a12bd4da41e0ca7ec7f451caf586f5b910003fcbbb9ff5ffa2408
-   c28d6807737d03da651ea9bfafcc2747a6830e19a1d160fcd5c25d2f79dad86a8
-   b3de8e926e08ca1addced72977f7b56398ef59c26e725df0a976a08f2a936ca42
-
-   // Test vector 4
-   skS: 2d2d2d2d2d424547494e2050524956415445204b45592d2d2d2d2d0a4d49
-   4945765149424144414e42676b71686b6947397730424151454641415343424b6
-   3776767536a41674541416f49424151444c4775317261705831736334420a4f6b
-   7a38717957355379356b6f6a41303543554b66717444774e38366a424b5a4f764
-   57245526b49314c527876734d6453327961326333616b4745714c756b440a556a
-   35743561496b3172417643655844644e44503442325055707851436e6969396e6
-   b492b6d67725769744444494871386139793137586e6c5079596f784f530a646f
-   6558563835464f314a752b62397336356d586d34516a755139455961497138337
-   1724450567a50335758712b524e4d636379323269686763624c766d42390a6a41
-   355334475666325a6c74785954736f4c364872377a58696a4e394637486271656
-   76f753967654b524d584645352f2b4a3956595a634a734a624c756570480a544f
-   72535a4d4948502b5358514d4166414f454a4547426d6d4430683566672f43473
-   475676a79486e4e51383733414e4b6a55716d3676574574413872514c620a4530
-   742b496c706641674d4241414543676745414c7a4362647a69316a506435384d6
-   b562b434c6679665351322b7266486e7266724665502f566344787275690a3270
-   316153584a596962653645532b4d622f4d4655646c485067414c7731785134576
-   57266366336444373686c6c784c57535638477342737663386f364750320a6359
-   366f777042447763626168474b556b5030456b62395330584c4a5763475347356
-   1556e484a585237696e7834635a6c666f4c6e7245516536685578734d710a6230
-   644878644844424d644766565777674b6f6a4f6a70532f39386d4555793756422
-   f3661326c7265676c766a632f326e4b434b7459373744376454716c47460a787a
-   414261577538364d435a342f5131334c762b426566627174493973715a5a776a7
-   264556851483856437872793251564d515751696e57684174364d7154340a5342
-   5354726f6c5a7a7772716a65384d504a393175614e4d6458474c63484c4932367
-   3587a76374b53514b42675144766377735055557641395a325a583958350a6d49
-   784d54424e6445467a56625550754b4b413179576e31554d444e63556a71682b7
-   a652f376b337946786b68305146333162713630654c393047495369414f0a354b
-   4f574d39454b6f2b7841513262614b314d664f5931472b386a7a4258557042733
-   9346b353353383879586d4b366e796467763730424a385a6835666b55710a5732
-   306f5362686b686a5264537a48326b52476972672b5553774b426751445a4a4d6
-   e7279324578612f3345713750626f737841504d69596e6b354a415053470a7932
-   7a305a375455622b7548514f2f2b78504d376e433075794c494d44396c61544d4
-   8776e3673372f4c62476f455031575267706f59482f4231346b2f526e360a6675
-   77524e3632496f397463392b41434c745542377674476179332b6752775974534
-   33262356564386c4969656774546b6561306830754453527841745673330a6e35
-   6b796132513976514b4267464a75467a4f5a742b7467596e576e5155456757385
-   0304f494a45484d45345554644f637743784b7248527239334a6a7546320a4533
-   77644b6f546969375072774f59496f614a5468706a50634a62626462664b792b6
-   e735170315947763977644a724d6156774a6376497077563676315570660a5674
-   4c61646d316c6b6c7670717336474e4d386a6e4d30587833616a6d6d6e6665573
-   9794758453570684d727a4c4a6c394630396349324c416f4742414e58760a7567
-   5658727032627354316f6b6436755361427367704a6a5065774e526433635a4b3
-   97a306153503144544131504e6b7065517748672f2b36665361564f487a0a7941
-   7844733968355272627852614e6673542b7241554837783153594456565159564
-   d68555262546f5a6536472f6a716e544333664e6648563178745a666f740a306c
-   6f4d4867776570362b53494d436f6565325a6374755a5633326c6349616639726
-   2484f633764416f47416551386b3853494c4e4736444f413331544535500a6d30
-   31414a49597737416c5233756f2f524e61432b78596450553354736b75414c787
-   86944522f57734c455142436a6b46576d6d4a41576e51554474626e594e0a5363
-   77523847324a36466e72454374627479733733574156476f6f465a6e636d504c5
-   0386c784c79626c534244454c79615a762f624173506c4d4f39624435630a4a2b
-   4e534261612b6f694c6c31776d4361354d43666c633d0a2d2d2d2d2d454e44205
-   0524956415445204b45592d2d2d2d2d0a
-   pkS: 30820152303d06092a864886f70d01010a3030a00d300b06096086480165
-   03040202a11a301806092a864886f70d010108300b0609608648016503040202a
-   2030201300382010f003082010a0282010100cb1aed6b6a95f5b1ce013a4cfcab
-   25b94b2e64a23034e4250a7eab43c0df3a8c12993af12b111908d4b471bec31d4
-   b6c9ad9cdda90612a2ee903523e6de5a224d6b02f09e5c374d0cfe01d8f529c50
-   0a78a2f67908fa682b5a2b430c81eaf1af72d7b5e794fc98a3139276879757ce4
-   53b526ef9bf6ceb99979b8423b90f4461a22af37aab0cf5733f7597abe44d31c7
-   32db68a181c6cbbe607d8c0e52e0655fd9996dc584eca0be87afbcd78a337d17b
-   1dba9e828bbd81e291317144e7ff89f55619709b096cbb9ea474cead264c2073f
-   e49740c01f00e109106066983d21e5f83f086e2e823c879cd43cef700d2a352a9
-   babd612d03cad02db134b7e225a5f0203010001
-   token_challenge: 0002000e6973737565722e6578616d706c65000000
-   nonce:
-   494dae41fc7e300c2d09990afcd5d5e1fc95305337dc12f78942c45340bfe8e6
-   blind: 097cb17bcedecfe058dff5c4e517d1e36d7ab8f46252b1ac1933ba378c
-   32625c0dbc69f5655c2003bf39e75810796cd63675b223cf3162c57108d56e058
-   4cfce6cad829e74369ada38a095eb3012c912b31ccde7425f93464e353fb17552
-   be3a8df2913daca61543a33ae45058f218c471dfbc12fb304158e29b6ed35bc07
-   9e23f1e6173c5dec4545840bbe58e5ad37cbea0a10dca5d9df2781589d27c3410
-   8477b52c0d32a1370c17f703941fbb1a007a6794e7de2758709c9bbf80f21eec7
-   922b9bb491eb6aac8c1a14764e648e6be4fff0ae913797067aa0826f366c3103e
-   103b05653c73b52d7f825a185dccfb806da700db9f53abb848554b7d4f7c28f3
-   salt: 49912979f1bf528e5b8228ab1328df74319dce7bdaf45821ceb1100dcf0
-   42a2dfe852fc9db59b64a5f6493c282504240
-   token_request: 000208244840027ca8c620f8b14caded9a198ba388ccd8541e
-   962f68a0071535d958d18494afd0bc11da4da8c8b33864f5a8f623b697cd56348
-   594e11a75479048a72c0ed179b070506c09a7eb6ed3582f572df38cf60fcde11a
-   52c5ce6d7b23435b60200ad9f66d21f40f323c9aa54307d0b966d4457c37542b6
-   6bb183ddeafca914fc74831698b5d52f498ee3d165685f49a8d86e39fe6c4b7ec
-   678f5250908d25e5b873c69b422368121aa4210cadd6fc640907d3cb9a7a3e827
-   a0e742470f00c2f49dc6c0e8cc9470dbfd73df0ccbb96c10b02af0dd7dee719ec
-   a11ff8e1b4929e59f3cf319de9bda29a6d968b43083b5d4242f3448d76ada08b8
-   014f70b97e719
-   token_response: c2746ff644cffb28a2c19395fa19dfb61fd135daa837844fb
-   f9fbe06c253e64e69f53aefddc0fb4833b1b5e58f571134a34f245499c3e73419
-   549c2c9111cf94f2f68fea3996d47f71e8d8d6fc5b1c074bf74fa59de4cbf32f5
-   f08d45ea45492f0279c3b1a8d852698edbe1651eb8e09eb223a27386c0feb2f6a
-   8260235edb36cf433da518100829b63166284b325d87fc941ea3bafe7b6761b70
-   82e09397837f74b4f0fc838bce8af7242089dd5561f57735926bcbad219fc9fee
-   85ae49a8e8951f63ca194b7ff018c06ee02267e7267bb996432dc76973819da80
-   e3e86947b0a4b36d3a972dafaaa3db0e1044b325f02c679996d9bcd3ce51390d5
-   4bc10b8c
-   token: 0002494dae41fc7e300c2d09990afcd5d5e1fc95305337dc12f78942c4
-   5340bfe8e6b741ec1b6fd05f1e95f8982906aec1612896d9ca97d53eef94ad3c9
-   fe023f7a4ca572f8982a9ca248a3056186322d93ca147266121ddeb5632c07f1f
-   71cd2708a55c83dc04292b5d92add1a87b37e54f22f61c58840586f390c50b231
-   824423378ddcf50e69dc817d45bfad06c7f2a0ac35d2acd7f26b0bc9954c192b0
-   a0ef28a2a5650e390098dd3cb1166a7cb1716d3dd2d19dc5ca3b1ea6206359de0
-   002d82bc4fa7e69fb07214b06addcbd2203d1e17f57fc580bcc5a13e0ac15cf94
-   2182cc2b5d6eaa737a712704114e357e2ec2f10047463ded02a1a0766dc346dd7
-   212b9711e03ac95eb258ac1164104dc9a0d3e738ae742ab5ed8c5139fc07145a7
-   88b9f891741ee68f0a66782b7b84a9bb4cb4b3d1b26b67106f397b35b641d882d
-   7b0185168946de898ef72349a44a47dbdd6d46e9ba9ba543d5701b65c63d645c2
-
-   // Test vector 5
-   skS: 2d2d2d2d2d424547494e2050524956415445204b45592d2d2d2d2d0a4d49
-   4945765149424144414e42676b71686b6947397730424151454641415343424b6
-   3776767536a41674541416f49424151444c4775317261705831736334420a4f6b
-   7a38717957355379356b6f6a41303543554b66717444774e38366a424b5a4f764
-   57245526b49314c527876734d6453327961326333616b4745714c756b440a556a
-   35743561496b3172417643655844644e44503442325055707851436e6969396e6
-   b492b6d67725769744444494871386139793137586e6c5079596f784f530a646f
-   6558563835464f314a752b62397336356d586d34516a755139455961497138337
-   1724450567a50335758712b524e4d636379323269686763624c766d42390a6a41
-   355334475666325a6c74785954736f4c364872377a58696a4e394637486271656
-   76f753967654b524d584645352f2b4a3956595a634a734a624c756570480a544f
-   72535a4d4948502b5358514d4166414f454a4547426d6d4430683566672f43473
-   475676a79486e4e51383733414e4b6a55716d3676574574413872514c620a4530
-   742b496c706641674d4241414543676745414c7a4362647a69316a506435384d6
-   b562b434c6679665351322b7266486e7266724665502f566344787275690a3270
-   316153584a596962653645532b4d622f4d4655646c485067414c7731785134576
-   57266366336444373686c6c784c57535638477342737663386f364750320a6359
-   366f777042447763626168474b556b5030456b62395330584c4a5763475347356
-   1556e484a585237696e7834635a6c666f4c6e7245516536685578734d710a6230
-   644878644844424d644766565777674b6f6a4f6a70532f39386d4555793756422
-   f3661326c7265676c766a632f326e4b434b7459373744376454716c47460a787a
-   414261577538364d435a342f5131334c762b426566627174493973715a5a776a7
-   264556851483856437872793251564d515751696e57684174364d7154340a5342
-   5354726f6c5a7a7772716a65384d504a393175614e4d6458474c63484c4932367
-   3587a76374b53514b42675144766377735055557641395a325a583958350a6d49
-   784d54424e6445467a56625550754b4b413179576e31554d444e63556a71682b7
-   a652f376b337946786b68305146333162713630654c393047495369414f0a354b
-   4f574d39454b6f2b7841513262614b314d664f5931472b386a7a4258557042733
-   9346b353353383879586d4b366e796467763730424a385a6835666b55710a5732
-   306f5362686b686a5264537a48326b52476972672b5553774b426751445a4a4d6
-   e7279324578612f3345713750626f737841504d69596e6b354a415053470a7932
-   7a305a375455622b7548514f2f2b78504d376e433075794c494d44396c61544d4
-   8776e3673372f4c62476f455031575267706f59482f4231346b2f526e360a6675
-   77524e3632496f397463392b41434c745542377674476179332b6752775974534
-   33262356564386c4969656774546b6561306830754453527841745673330a6e35
-   6b796132513976514b4267464a75467a4f5a742b7467596e576e5155456757385
-   0304f494a45484d45345554644f637743784b7248527239334a6a7546320a4533
-   77644b6f546969375072774f59496f614a5468706a50634a62626462664b792b6
-   e735170315947763977644a724d6156774a6376497077563676315570660a5674
-   4c61646d316c6b6c7670717336474e4d386a6e4d30587833616a6d6d6e6665573
-   9794758453570684d727a4c4a6c394630396349324c416f4742414e58760a7567
-   5658727032627354316f6b6436755361427367704a6a5065774e526433635a4b3
-   97a306153503144544131504e6b7065517748672f2b36665361564f487a0a7941
-   7844733968355272627852614e6673542b7241554837783153594456565159564
-   d68555262546f5a6536472f6a716e544333664e6648563178745a666f740a306c
-   6f4d4867776570362b53494d436f6565325a6374755a5633326c6349616639726
-   2484f633764416f47416551386b3853494c4e4736444f413331544535500a6d30
-   31414a49597737416c5233756f2f524e61432b78596450553354736b75414c787
-   86944522f57734c455142436a6b46576d6d4a41576e51554474626e594e0a5363
-   77523847324a36466e72454374627479733733574156476f6f465a6e636d504c5
-   0386c784c79626c534244454c79615a762f624173506c4d4f39624435630a4a2b
-   4e534261612b6f694c6c31776d4361354d43666c633d0a2d2d2d2d2d454e44205
-   0524956415445204b45592d2d2d2d2d0a
-   pkS: 30820152303d06092a864886f70d01010a3030a00d300b06096086480165
-   03040202a11a301806092a864886f70d010108300b0609608648016503040202a
-   2030201300382010f003082010a0282010100cb1aed6b6a95f5b1ce013a4cfcab
-   25b94b2e64a23034e4250a7eab43c0df3a8c12993af12b111908d4b471bec31d4
-   b6c9ad9cdda90612a2ee903523e6de5a224d6b02f09e5c374d0cfe01d8f529c50
-   0a78a2f67908fa682b5a2b430c81eaf1af72d7b5e794fc98a3139276879757ce4
-   53b526ef9bf6ceb99979b8423b90f4461a22af37aab0cf5733f7597abe44d31c7
-   32db68a181c6cbbe607d8c0e52e0655fd9996dc584eca0be87afbcd78a337d17b
-   1dba9e828bbd81e291317144e7ff89f55619709b096cbb9ea474cead264c2073f
-   e49740c01f00e109106066983d21e5f83f086e2e823c879cd43cef700d2a352a9
-   babd612d03cad02db134b7e225a5f0203010001
-   token_challenge: 0002000e6973737565722e6578616d706c65208e7acc900e
-   393381e8810b7c9e4a68b5163f1f880ab6688a6ffe780923609e880000
-   nonce:
-   a1aa8b371c37c9a8ddbd7342ab4f9dd5227d5b1600dca6517b60f63143cd43a3
-   blind: ad7a32e1ac31b91daefd7042cc23d5621ab3e870d87297bbfe1ee8a518
-   ffc5b84770d3b77775c485b2d219954834868842d2f11877ac4bceb5da88944cc
-   a043a9afa52f9c9998a5dea7ab7c1f82662d0d327e29705a269ad221ae74a7c11
-   72ff89c48997a9fda08886d3998bb538868396c0ace71d260cc71f768001939b2
-   4d80d88979f0244a3dbc004eadfac81e138d430b9fa51c1aad21b957ff96b3123
-   c91c2fff362a386f0f99a3f9fc906ca626fd9107648f87532b44c4fe3856ecae1
-   f46d8ebf5d2f46e52034478e5e883015666574dd80bd5c036c4b55ebcc8b66068
-   8d23944cc1932d075b559dcdc269fae3511761f71c113634e60d67accc8875fb
-   salt: 35c04710ce866d879447b6230ce098a49e81be5c067881cce7bd5f92c1e
-   5bd9b3c7d4d795cfad134fdfe916d735a624a
-   token_request: 0002083d6495c72529bbc4f5c0b49e94e4561baec1ca638a93
-   b2940ea9e37b838db7b1a91ec1f257d49b45c4f75119c2ab9eb5578541ad2b9ba
-   c1bd627abc709097f503f83d98fed6dbeb615c3be9bf09cbf8ea25ea8026c1b8b
-   a1c704ff516ed87c3d7d85342fd00111d8a80492d4b8fdbb092a282f74f13901e
-   5edc1b3b02cfe24c950affe6130fbb57c1482d674db3c6944812ba081c2235a16
-   d01eeec0932a8619d85732fc3e36179f0b50377bf9cb7a50ce3abeb3f31ed5f0f
-   3deec7aae7290f5397cec61318357d652b029a0fda0f100a78e36c4ef56ba3779
-   963e8745fdf4e347763c63d825836878e249833a0f4bd315392cc06ccca2c955e
-   921efbc4f941d
-   token_response: 8db727000018a98a2fe9fda8bbde5b8e9cedc31efbcaed695
-   0eb1e0f8d9af9db632def52f74f07cdab304bbde40519080dd0388fb2b8900528
-   b4791d2bca40aa2c2a6d1b92f010c1849bfb781cc813cc204855dd05e8a2dd31e
-   a5220981b8ab6b008e153083dc8f594206440d66286fea9c21b56807be8655506
-   ab7818bb9c8c69489dda56fe6390a5397268c8b5711f9d2df6f2584740cccf034
-   5fd67f93f345426f33c078a0aceb90845df9eef74f6248d06c36d19e191da325b
-   721ddc12ea78ed37b0c3b6170590536e3aee7eb0efc7d11a2c9d072a394f12ffa
-   67ecf316c49efd8f31723b11fe46740636bd89ad4f7ef96bc38b2cb4916d9dc04
-   ba1b2fc6
-   token: 0002a1aa8b371c37c9a8ddbd7342ab4f9dd5227d5b1600dca6517b60f6
-   3143cd43a3bb8a8cf1c59e7a251358ed76fe0ccff61044bc79dd261f16020324d
-   22f2d434cca572f8982a9ca248a3056186322d93ca147266121ddeb5632c07f1f
-   71cd27082899f4bc385b4147a650a3e7efc7d23a743cb944bb53e2ed8b88ee03a
-   9c0b1cf1f73fd7f15c1bd1f850a5a96a34d4ee9f295543f30ac920825e9a0ce26
-   e924f2c145583019dd14408c565b660e8b702fbea559908b1a8c8f9d21ef22f7c
-   c6a4641c57c146e6c5497d2890ca230a6749f5f83a8fdd79eba0722f10dff9e81
-   a2fb2d05fa4d989acc2e93f595ae69c98c3daa3b169efcdd6e59596b2f049f16b
-   a49528761f661032da65a3ee0fe8a22409766e90daf8c60323c16522818c49273
-   c795f26bbab306dc63cfc16fe1702af2464028cf819cc647d6f9b8a8f54d7d658
-   5a268fdb8c75f76618c64aba266836a3b2db7cdd739815a021d7ff2b36ef91f23
-
-Authors' Addresses
-
-   Sofía Celi
-   Brave Software
-   Lisbon
-   Portugal
-   Email: cherenkov@riseup.net
-
-
-   Alex Davidson
-   Brave Software
-   Lisbon
-   Portugal
-   Email: alex.davidson92@gmail.com
-
-
-   Steven Valdez
-   Google LLC
-   Email: svaldez@chromium.org
-
-
-   Christopher A. Wood
-   Cloudflare
-   101 Townsend St
-   San Francisco,
-   United States of America
-   Email: caw@heapingbits.net
diff --git a/chris-wood-patch-8/index.html b/chris-wood-patch-8/index.html
deleted file mode 100644
index 0c349cea..00000000
--- a/chris-wood-patch-8/index.html
+++ /dev/null
@@ -1,55 +0,0 @@
-<!DOCTYPE html>
-<html>
-  <head>
-    <title>ietf-wg-privacypass/base-drafts chris-wood-patch-8 preview</title>
-    <meta name="viewport" content="initial-scale=1.0">
-    <style type="text/css">/*<![CDATA[*/
-      body { font-family: "Helvetica Neue","Open Sans", Helvetica, Calibri,sans-serif; }
-      h1, h2, td { font-family: "Helvetica Neue", "Roboto Condensed", "Open Sans", Helvetica, Calibri, sans-serif; }
-      h1 { font-size: 20px; } h2 { font-size: 16px; }
-      table { margin: 5px 10px; border-collapse: collapse; }
-      th, td { font-weight: normal; text-align: left; padding: 2px 5px; }
-      a:link { color: #000; } a:visited { color: #00a; }
-    /*]]>*/</style>
-  </head>
-  <body>
-    <h1>Editor's drafts for chris-wood-patch-8 branch of <a href="https://github.com/ietf-wg-privacypass/base-drafts/tree/chris-wood-patch-8">ietf-wg-privacypass/base-drafts</a></h1>
-    <table id="branch-chris-wood-patch-8">
-      <tr>
-        <td><a href="./draft-ietf-privacypass-protocol.html" class="html draft-ietf-privacypass-protocol" title="Privacy Pass Issuance Protocol (HTML)">Privacy Pass Issuance</a></td>
-        <td><a href="./draft-ietf-privacypass-protocol.txt" class="txt draft-ietf-privacypass-protocol" title="Privacy Pass Issuance Protocol (Text)">plain text</a></td>
-        <td>same as main</td>
-      </tr>
-      <tr>
-        <td><a href="./draft-ietf-privacypass-auth-scheme.html" class="html draft-ietf-privacypass-auth-scheme" title="The Privacy Pass HTTP Authentication Scheme (HTML)">Privacy Pass Authentication</a></td>
-        <td><a href="./draft-ietf-privacypass-auth-scheme.txt" class="txt draft-ietf-privacypass-auth-scheme" title="The Privacy Pass HTTP Authentication Scheme (Text)">plain text</a></td>
-        <td>same as main</td>
-      </tr>
-      <tr>
-        <td><a href="./draft-ietf-privacypass-architecture.html" class="html draft-ietf-privacypass-architecture" title="The Privacy Pass Architecture (HTML)">Privacy Pass Architecture</a></td>
-        <td><a href="./draft-ietf-privacypass-architecture.txt" class="txt draft-ietf-privacypass-architecture" title="The Privacy Pass Architecture (Text)">plain text</a></td>
-        <td>same as main</td>
-      </tr>
-    </table>
-    <script>
-window.onload = function() {
-  var referrer_branch = 'main';
-  // e.g., "https://github.com/user/repo/tree/main"
-  var chunks = document.referrer.split("/");
-  if (chunks[2] === 'github.com' && chunks[5] === 'tree') {
-    referrer_branch = chunks[6];
-  }
-  let branch = document.querySelector('#branch-' + referrer_branch);
-  let h = document.location.hash.substring(1);
-  if (h === 'show') {
-    document.location.hash = '#' + branch.id;
-  } else if (branch && h.startsWith('go')) {
-    let e = branch.querySelector(h.substring(2));
-    if (e && e.href) {
-      document.location = e.href;
-    }
-  }
-};
-    </script>
-  </body>
-</html>
diff --git a/draft-ietf-privacypass-architecture.html b/draft-ietf-privacypass-architecture.html
index 9b4f01f4..acfc20cf 100644
--- a/draft-ietf-privacypass-architecture.html
+++ b/draft-ietf-privacypass-architecture.html
@@ -1036,7 +1036,7 @@
 </tr></thead>
 <tfoot><tr>
 <td class="left">Davidson, et al.</td>
-<td class="center">Expires 5 May 2024</td>
+<td class="center">Expires 19 May 2024</td>
 <td class="right">[Page]</td>
 </tr></tfoot>
 </table>
@@ -1049,12 +1049,12 @@
 <dd class="internet-draft">draft-ietf-privacypass-architecture-latest</dd>
 <dt class="label-published">Published:</dt>
 <dd class="published">
-<time datetime="2023-11-02" class="published">2 November 2023</time>
+<time datetime="2023-11-16" class="published">16 November 2023</time>
     </dd>
 <dt class="label-intended-status">Intended Status:</dt>
 <dd class="intended-status">Informational</dd>
 <dt class="label-expires">Expires:</dt>
-<dd class="expires"><time datetime="2024-05-05">5 May 2024</time></dd>
+<dd class="expires"><time datetime="2024-05-19">19 May 2024</time></dd>
 <dt class="label-authors">Authors:</dt>
 <dd class="authors">
 <div class="author">
@@ -1101,7 +1101,7 @@ <h2 id="name-status-of-this-memo">
         time. It is inappropriate to use Internet-Drafts as reference
         material or to cite them other than as "work in progress."<a href="#section-boilerplate.1-3" class="pilcrow">¶</a></p>
 <p id="section-boilerplate.1-4">
-        This Internet-Draft will expire on 5 May 2024.<a href="#section-boilerplate.1-4" class="pilcrow">¶</a></p>
+        This Internet-Draft will expire on 19 May 2024.<a href="#section-boilerplate.1-4" class="pilcrow">¶</a></p>
 </section>
 </div>
 <div id="copyright">
@@ -2615,7 +2615,7 @@ <h3 id="name-partitioning-by-issuance-me">
 additional bits provides an exponential increase in tracking granularity
 similarly to introducing more Issuers (though with more potential targeting).<a href="#section-6.1-1" class="pilcrow">¶</a></p>
 <p id="section-6.1-2">For this reason, deployments should take the amount of metadata used by an Issuer
-in creating redemption tokens must into account -- together with the bits
+in creating redemption tokens into account -- together with the bits
 of information that Issuers may learn about Clients otherwise. Since this
 metadata may be useful for practical deployments of Privacy Pass, Issuers
 must balance this against the reduction in Client privacy.<a href="#section-6.1-2" class="pilcrow">¶</a></p>
diff --git a/draft-ietf-privacypass-architecture.txt b/draft-ietf-privacypass-architecture.txt
index 485203c9..83af362a 100644
--- a/draft-ietf-privacypass-architecture.txt
+++ b/draft-ietf-privacypass-architecture.txt
@@ -5,10 +5,10 @@
 Network Working Group                                        A. Davidson
 Internet-Draft                                                       LIP
 Intended status: Informational                                J. Iyengar
-Expires: 5 May 2024                                               Fastly
+Expires: 19 May 2024                                              Fastly
                                                               C. A. Wood
                                                               Cloudflare
-                                                         2 November 2023
+                                                        16 November 2023
 
 
                      The Privacy Pass Architecture
@@ -39,7 +39,7 @@ Status of This Memo
    time.  It is inappropriate to use Internet-Drafts as reference
    material or to cite them other than as "work in progress."
 
-   This Internet-Draft will expire on 5 May 2024.
+   This Internet-Draft will expire on 19 May 2024.
 
 Copyright Notice
 
@@ -1138,9 +1138,9 @@ Table of Contents
    Issuers (though with more potential targeting).
 
    For this reason, deployments should take the amount of metadata used
-   by an Issuer in creating redemption tokens must into account --
-   together with the bits of information that Issuers may learn about
-   Clients otherwise.  Since this metadata may be useful for practical
+   by an Issuer in creating redemption tokens into account -- together
+   with the bits of information that Issuers may learn about Clients
+   otherwise.  Since this metadata may be useful for practical
    deployments of Privacy Pass, Issuers must balance this against the
    reduction in Client privacy.
 
diff --git a/draft-ietf-privacypass-auth-scheme.html b/draft-ietf-privacypass-auth-scheme.html
index dab17560..73cdef1c 100644
--- a/draft-ietf-privacypass-auth-scheme.html
+++ b/draft-ietf-privacypass-auth-scheme.html
@@ -1037,7 +1037,7 @@
 </tr></thead>
 <tfoot><tr>
 <td class="left">Pauly, et al.</td>
-<td class="center">Expires 5 May 2024</td>
+<td class="center">Expires 19 May 2024</td>
 <td class="right">[Page]</td>
 </tr></tfoot>
 </table>
@@ -1050,12 +1050,12 @@
 <dd class="internet-draft">draft-ietf-privacypass-auth-scheme-latest</dd>
 <dt class="label-published">Published:</dt>
 <dd class="published">
-<time datetime="2023-11-02" class="published">2 November 2023</time>
+<time datetime="2023-11-16" class="published">16 November 2023</time>
     </dd>
 <dt class="label-intended-status">Intended Status:</dt>
 <dd class="intended-status">Standards Track</dd>
 <dt class="label-expires">Expires:</dt>
-<dd class="expires"><time datetime="2024-05-05">5 May 2024</time></dd>
+<dd class="expires"><time datetime="2024-05-19">19 May 2024</time></dd>
 <dt class="label-authors">Authors:</dt>
 <dd class="authors">
 <div class="author">
@@ -1101,7 +1101,7 @@ <h2 id="name-status-of-this-memo">
         time. It is inappropriate to use Internet-Drafts as reference
         material or to cite them other than as "work in progress."<a href="#section-boilerplate.1-3" class="pilcrow">¶</a></p>
 <p id="section-boilerplate.1-4">
-        This Internet-Draft will expire on 5 May 2024.<a href="#section-boilerplate.1-4" class="pilcrow">¶</a></p>
+        This Internet-Draft will expire on 19 May 2024.<a href="#section-boilerplate.1-4" class="pilcrow">¶</a></p>
 </section>
 </div>
 <div id="copyright">
@@ -2337,7 +2337,7 @@ <h3 id="name-informative-references">
 <dl class="references">
 <dt id="COOKIES">[COOKIES]</dt>
         <dd>
-<span class="refAuthor">Bingler, S.</span>, <span class="refAuthor">West, M.</span>, and <span class="refAuthor">J. Wilander</span>, <span class="refTitle">"Cookies: HTTP State Management Mechanism"</span>, <span class="refContent">Work in Progress</span>, <span class="seriesInfo">Internet-Draft, draft-ietf-httpbis-rfc6265bis-12</span>, <time datetime="2023-05-10" class="refDate">10 May 2023</time>, <span>&lt;<a href="https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-12">https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-12</a>&gt;</span>. </dd>
+<span class="refAuthor">Bingler, S.</span>, <span class="refAuthor">West, M.</span>, and <span class="refAuthor">J. Wilander</span>, <span class="refTitle">"Cookies: HTTP State Management Mechanism"</span>, <span class="refContent">Work in Progress</span>, <span class="seriesInfo">Internet-Draft, draft-ietf-httpbis-rfc6265bis-13</span>, <time datetime="2023-11-15" class="refDate">15 November 2023</time>, <span>&lt;<a href="https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-13">https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-13</a>&gt;</span>. </dd>
 <dd class="break"></dd>
 <dt id="ISSUANCE">[ISSUANCE]</dt>
         <dd>
diff --git a/draft-ietf-privacypass-auth-scheme.txt b/draft-ietf-privacypass-auth-scheme.txt
index 4f8ba6b8..34e89957 100644
--- a/draft-ietf-privacypass-auth-scheme.txt
+++ b/draft-ietf-privacypass-auth-scheme.txt
@@ -5,10 +5,10 @@
 Network Working Group                                           T. Pauly
 Internet-Draft                                                Apple Inc.
 Intended status: Standards Track                               S. Valdez
-Expires: 5 May 2024                                           Google LLC
+Expires: 19 May 2024                                          Google LLC
                                                               C. A. Wood
                                                               Cloudflare
-                                                         2 November 2023
+                                                        16 November 2023
 
 
               The Privacy Pass HTTP Authentication Scheme
@@ -37,7 +37,7 @@ Status of This Memo
    time.  It is inappropriate to use Internet-Drafts as reference
    material or to cite them other than as "work in progress."
 
-   This Internet-Draft will expire on 5 May 2024.
+   This Internet-Draft will expire on 19 May 2024.
 
 Copyright Notice
 
@@ -924,9 +924,9 @@ Table of Contents
 
    [COOKIES]  Bingler, S., West, M., and J. Wilander, "Cookies: HTTP
               State Management Mechanism", Work in Progress, Internet-
-              Draft, draft-ietf-httpbis-rfc6265bis-12, 10 May 2023,
+              Draft, draft-ietf-httpbis-rfc6265bis-13, 15 November 2023,
               <https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-
-              rfc6265bis-12>.
+              rfc6265bis-13>.
 
    [ISSUANCE] Celi, S., Davidson, A., Valdez, S., and C. A. Wood,
               "Privacy Pass Issuance Protocol", Work in Progress,
diff --git a/draft-ietf-privacypass-protocol.html b/draft-ietf-privacypass-protocol.html
index 5d174687..3cb5c551 100644
--- a/draft-ietf-privacypass-protocol.html
+++ b/draft-ietf-privacypass-protocol.html
@@ -1035,7 +1035,7 @@
 </tr></thead>
 <tfoot><tr>
 <td class="left">Celi, et al.</td>
-<td class="center">Expires 5 May 2024</td>
+<td class="center">Expires 19 May 2024</td>
 <td class="right">[Page]</td>
 </tr></tfoot>
 </table>
@@ -1048,12 +1048,12 @@
 <dd class="internet-draft">draft-ietf-privacypass-protocol-latest</dd>
 <dt class="label-published">Published:</dt>
 <dd class="published">
-<time datetime="2023-11-02" class="published">2 November 2023</time>
+<time datetime="2023-11-16" class="published">16 November 2023</time>
     </dd>
 <dt class="label-intended-status">Intended Status:</dt>
 <dd class="intended-status">Standards Track</dd>
 <dt class="label-expires">Expires:</dt>
-<dd class="expires"><time datetime="2024-05-05">5 May 2024</time></dd>
+<dd class="expires"><time datetime="2024-05-19">19 May 2024</time></dd>
 <dt class="label-authors">Authors:</dt>
 <dd class="authors">
 <div class="author">
@@ -1102,7 +1102,7 @@ <h2 id="name-status-of-this-memo">
         time. It is inappropriate to use Internet-Drafts as reference
         material or to cite them other than as "work in progress."<a href="#section-boilerplate.1-3" class="pilcrow">¶</a></p>
 <p id="section-boilerplate.1-4">
-        This Internet-Draft will expire on 5 May 2024.<a href="#section-boilerplate.1-4" class="pilcrow">¶</a></p>
+        This Internet-Draft will expire on 19 May 2024.<a href="#section-boilerplate.1-4" class="pilcrow">¶</a></p>
 </section>
 </div>
 <div id="copyright">
diff --git a/draft-ietf-privacypass-protocol.txt b/draft-ietf-privacypass-protocol.txt
index 4922a2e6..1c3510b8 100644
--- a/draft-ietf-privacypass-protocol.txt
+++ b/draft-ietf-privacypass-protocol.txt
@@ -5,11 +5,11 @@
 Network Working Group                                            S. Celi
 Internet-Draft                                               A. Davidson
 Intended status: Standards Track                          Brave Software
-Expires: 5 May 2024                                            S. Valdez
+Expires: 19 May 2024                                           S. Valdez
                                                               Google LLC
                                                               C. A. Wood
                                                               Cloudflare
-                                                         2 November 2023
+                                                        16 November 2023
 
 
                      Privacy Pass Issuance Protocol
@@ -38,7 +38,7 @@ Status of This Memo
    time.  It is inappropriate to use Internet-Drafts as reference
    material or to cite them other than as "work in progress."
 
-   This Internet-Draft will expire on 5 May 2024.
+   This Internet-Draft will expire on 19 May 2024.
 
 Copyright Notice
 
diff --git a/index.html b/index.html
index a94ae4a3..fdcc30fb 100644
--- a/index.html
+++ b/index.html
@@ -38,24 +38,6 @@ <h1>Editor's drafts for main branch of <a href="https://github.com/ietf-wg-priva
         <td></td>
       </tr>
     </table>
-    <h2>Preview for branch <a href="chris-wood-patch-8">chris-wood-patch-8</a></h2>
-    <table id="branch-chris-wood-patch-8">
-      <tr>
-        <td><a href="chris-wood-patch-8/draft-ietf-privacypass-protocol.html" class="html draft-ietf-privacypass-protocol" title="Privacy Pass Issuance Protocol (HTML)">Privacy Pass Issuance</a></td>
-        <td><a href="chris-wood-patch-8/draft-ietf-privacypass-protocol.txt" class="txt draft-ietf-privacypass-protocol" title="Privacy Pass Issuance Protocol (Text)">plain text</a></td>
-        <td><a href="https://author-tools.ietf.org/api/iddiff?url_1=https://ietf-wg-privacypass.github.io/base-drafts/draft-ietf-privacypass-protocol.txt&amp;url_2=https://ietf-wg-privacypass.github.io/base-drafts/chris-wood-patch-8/draft-ietf-privacypass-protocol.txt" class="diff draft-ietf-privacypass-protocol">diff with main</a></td>
-      </tr>
-      <tr>
-        <td><a href="chris-wood-patch-8/draft-ietf-privacypass-auth-scheme.html" class="html draft-ietf-privacypass-auth-scheme" title="The Privacy Pass HTTP Authentication Scheme (HTML)">Privacy Pass Authentication</a></td>
-        <td><a href="chris-wood-patch-8/draft-ietf-privacypass-auth-scheme.txt" class="txt draft-ietf-privacypass-auth-scheme" title="The Privacy Pass HTTP Authentication Scheme (Text)">plain text</a></td>
-        <td><a href="https://author-tools.ietf.org/api/iddiff?url_1=https://ietf-wg-privacypass.github.io/base-drafts/draft-ietf-privacypass-auth-scheme.txt&amp;url_2=https://ietf-wg-privacypass.github.io/base-drafts/chris-wood-patch-8/draft-ietf-privacypass-auth-scheme.txt" class="diff draft-ietf-privacypass-auth-scheme">diff with main</a></td>
-      </tr>
-      <tr>
-        <td><a href="chris-wood-patch-8/draft-ietf-privacypass-architecture.html" class="html draft-ietf-privacypass-architecture" title="The Privacy Pass Architecture (HTML)">Privacy Pass Architecture</a></td>
-        <td><a href="chris-wood-patch-8/draft-ietf-privacypass-architecture.txt" class="txt draft-ietf-privacypass-architecture" title="The Privacy Pass Architecture (Text)">plain text</a></td>
-        <td><a href="https://author-tools.ietf.org/api/iddiff?url_1=https://ietf-wg-privacypass.github.io/base-drafts/draft-ietf-privacypass-architecture.txt&amp;url_2=https://ietf-wg-privacypass.github.io/base-drafts/chris-wood-patch-8/draft-ietf-privacypass-architecture.txt" class="diff draft-ietf-privacypass-architecture">diff with main</a></td>
-      </tr>
-    </table>
     <h2>Preview for branch <a href="draft-ietf-privacypass-auth-scheme-15">draft-ietf-privacypass-auth-scheme-15</a></h2>
     <table id="branch-draft-ietf-privacypass-auth-scheme-15">
       <tr>