good overview of "Privacy Pass" - IETF zero-knowledge Authentication.
https://blog.kagi.com/kagi-privacy-pass
Privacy-Pass has been around for a while, but this is the first major webpage where I have encountered support.
Daily IETF (2026-01-26) [PQC implementation gets into full swing] JOSE/COSE support and application to IoT environments accelerate
https://qiita.com/tetsuko_room/items/a23ff5effdeb41b714fc?utm_campaign=popular_items&utm_medium=feed&utm_source=popular_items
[Attending IETF 124 in person] The forefront of privacy-preserving token authentication technology [Zero-knowledge proofs make an appearance!?]
https://qiita.com/yumi-sakemi/items/bb8f617145e35249685d?utm_campaign=popular_items&utm_medium=feed&utm_source=popular_items
We all know services that require authentication can correlate your activity on that service with your account. This becomes particularly dangerous when that account is linked with payment information that could potentially link back to your real identity.
It doesn't have to be this way though: The Privacy Pass protocol presents a path forward for "blind" authentication, if more services adopt it. Our team member @fria walks us through how it works:
https://www.privacyguides.org/articles/2025/04/21/privacy-pass/
This document specifies the Privacy Pass architecture and requirements for its constituent protocols used for authorization based on privacy-preserving authentication mechanisms. It describes the conceptual model of Privacy Pass and its protocols, its security and privacy goals, practical deployment models, and recommendations for each deployment model, to help ensure that the desired security and privacy goals are fulfilled.
Hmm.... this seems like an interesting idea and concept...
Privacy Pass: https://privacypass.github.io/
so #apple uses #privacypass from #cloudflare for their own #webenvironmentintegrity: https://developer.apple.com/news/?id=huqjyh7k - but according to the register: https://www.theregister.com/2023/07/27/google_web_environment_integrity/
> #Google considers Apple Private Access Tokens to be too private.
wtf. apparently they want "some" #privacy, but not too much.
Private Access Tokens are powerful tools that prove when HTTP requests are coming from legitimate devices without disclosing someone's identity. They are simple to set up and test — and so, on Thursday, we're inviting you to try out Private Access Tokens on your own server.
Today, there's a cool remote attestation technology called "#PrivacyPass" that replaces #CAPTCHAs by having you prove to your own device that you are a human. When a server wants to make sure you're a person, it sends a random number to your device, which signs that number along with its promise that it is acting on behalf of a human being, and sends it back. CAPTCHAs are all kinds of bad - bad for accessibility and privacy - and this is really great.
49/
Apple requires clients to be authorized before using #PrivateRelay, but doesn't want to link that authorization to the client's relay activity. That's great! This is what #PrivacyPass enables you to do! More people should do this!
I'm sad that part of that authorization is baked-in geoblocking restrictions, but I'm guessing that was a necessary restriction in order for websites to not block the egress relay IPs (which does occur to #Tor exit nodes).