| Internet-Draft | OHTTP Extended Key Configuration | July 2026 |
| Schinazi | Expires 7 January 2027 | [Page] |
Oblivious HTTP is a protocol for forwarding encrypted HTTP messages. This requires communicating the gateway's key configuration to clients. While a key configuration media type was defined for this purpose, it has some limitations such as the inability to convey key lifetimes and interoperability issues. This document defines a similar extensible key configuration format that addresses those issues.¶
This note is to be removed before publishing as an RFC.¶
The latest revision of this draft can be found at https://DavidSchinazi.github.io/draft-schinazi-httpbis-ohttp-ext-key-config/draft-schinazi-httpbis-ohttp-ext-key-config.html. Status information for this document may be found at https://datatracker.ietf.org/doc/draft-schinazi-httpbis-ohttp-ext-key-config/.¶
Discussion of this document takes place on the HTTP Working Group mailing list (mailto:ietf-http-wg@w3.org), which is archived at https://lists.w3.org/Archives/Public/ietf-http-wg/. Working Group information can be found at https://httpwg.org/.¶
Source for this draft and an issue tracker can be found at https://github.com/DavidSchinazi/draft-schinazi-httpbis-ohttp-ext-key-config.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 7 January 2027.¶
Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
Oblivious HTTP ([OHTTP]) is a protocol for forwarding encrypted HTTP messages. This requires communicating the gateway's key configuration to clients. A key configuration media type was defined for this purpose in Section 3 of [OHTTP]. That format has the following limitations.¶
The security properties of OHTTP rely on periodic rotation of gateway keys. Many gateways rotate their keys on a weekly cadence. However, the original key configuration format has no way of informing the client of the lifetime of the keys it contains. Clients then need to assume an expiration time; if they didn't, they might keep using keys past when the gateway forgot them, or worse: they might encrypt sensitive data using a key that leaked after its expiration. Since those bounds aim to be conservative, clients can end up marking a key as expired even though it is still fresh on the gateway. This reduces reliability when periodic key fetch operations fail due to intermittent connectivity issues.¶
During the development of [OHTTP], the authors discovered a forward compatibility issue with the key configuration format: parsing multiple keys required explicit support for each included KEM because the length of the HPKE public key was not encoded in the format. This would prevent deploying new KEMs in a backwards-compatible way. The authors resolved this by adding a length prefix to each configuation entry. Unfortunately, they did not change the media type when doing so. Since this change to the format was made after the document's working group last call, there were already implementations in production. At the time of writing, there are multiple billions of devices in production that understand the "application/ohttp-keys" media type as not including the length prefix. Other client implementations support both formats by attempting to parse with the length prefix and falling back to the older format if that fails. This runs the risk of segregating clients, as described in Section 3.2 of [OHTTP].¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
This document uses terminology from [QUIC]. Where this document defines protocol types, the definition format uses the notation from Section 1.3 of [QUIC]. This specification uses the variable-length integer encoding from Section 16 of [QUIC]. Variable-length integer values do not need to be encoded in the minimum number of bytes necessary.¶
This document defines a new media type (see Section 6.1 for its value). It represents a list of key configurations. It has the following format:¶
HPKE Symmetric Algorithms {
HPKE KDF ID (16),
HPKE AEAD ID (16),
}
Extension {
Extension ID (i),
Extension Length (i),
Extension Value (..),
}
Key Config {
Key Config Length (16),
Key Identifier (8),
HPKE KEM ID (16),
HPKE Public Key (Npk * 8),
HPKE Symmetric Algorithms Length (16) = 4..65532,
HPKE Symmetric Algorithms (32) ...,
Extensions (..) ...
}
Key Configs {
Key Config (..) ...
}
The "HPKE Symmetric Algorithms" struct consists of the following fields:¶
A 16 bit HPKE KDF identifier as defined in Section 7.2 of [HPKE] or the HPKE KDF IANA registry.¶
A 16 bit HPKE AEAD identifier as defined in Section 7.3 of [HPKE] or the HPKE AEAD IANA registry.¶
The "Extension" struct consists of the following fields:¶
A 62 bit OHTTP Key Configuration Extension identifier as defined in Section 3.¶
The length of the "Extension Value" field that follows it.¶
Extension-specific information, with encoding rules dependent on the value of the "Extension ID" field.¶
The "Key Config" struct consists of the following fields:¶
A 16 bit integer in network byte order that encodes the length, in bytes, of this "Key Config" struct, not including this field.¶
An 8 bit value that identifies the key used by the Oblivious Gateway Resource.¶
A 16 bit value that identifies the Key Encapsulation Method (KEM) used for the identified key as defined in Section 7.1 of [HPKE] or the HPKE KDF IANA registry.¶
The public key used by the gateway. The length of the public key is Npk, which is
determined by the choice of HPKE KEM as defined in Section 4 of [HPKE].¶
A 16 bit integer in network byte order that encodes the length, in bytes, of the HPKE Symmetric Algorithms field that follows.¶
One or more "HPKE Symmetric Algorithms" structs.¶
Zero or more "Extension" structs. This field continues until the end of this "Key Config" struct.¶
The new media type defined in this document represents a list of concatenated "Key Config" structs.¶
In addition to providing an extensible format for OHTTP key configurations, this document defines two extensions. The EXPIRATION extension indicates the date/time after which the key can no longer be used. The NOT_BEFORE extension indicates the date/time before which the key cannot yet be used. Both are encoded as QUIC variable-length integers representing UNIX timestamps (number of seconds since January 1, 1970, UTC -- see Section 4.2.1 of [TIMESTAMP]).¶
The NOT_BEFORE extension allows a gateway to publish public keys in advance of them being valid. Given that and the EXPIRATION extension, the bounds can then be tightenned on the validity of keys, increasing both security and reliability.¶
Gateways SHOULD provide some leeway between their stated times and the actual times to account for a few minutes of clock skew.¶
When parsing the list of key configurations, clients MUST silently skip any key configuration that carries a KEM ID unknown to the client. Clients MUST also silently skip over any extension for which the extension ID is unknown.¶
As mentioned in Section 3.2 of [OHTTP], a client that receives an list of key configuration object with encoding errors might be able to recover one or more key configurations. Differences in how key configurations are recovered might be exploited to segregate clients, so clients MUST discard the entire list if they encounter any encoding error in one of the key configurations or its extensions.¶
If an Extension Value field contains more data than expected for that Extension ID, the client MUST treat it as an encoding error. If the Extension Length field is such that the extension would extend past the end of the Key Config struct, clients MUST treat it as an encoding error.¶
The security considerations described in Section 6 of [OHTTP] apply to this document as well.¶
The "application/ohttp-keys-ext-00" media type identifies a key configuration used by Oblivious HTTP. Note that the sybtype is expected to be changed if non-backwards-compatible changes are made to the format. If this document is approved, the "-NN" suffix will be removed before publication.¶
application¶
ohttp-keys-ext-00¶
N/A¶
N/A¶
"binary"¶
N/A¶
this specification¶
This type identifies a key configuration as used by Oblivious HTTP and applications that use Oblivious HTTP.¶
N/A¶
see Authors' Addresses section¶
COMMON¶
N/A¶
see Authors' Addresses section¶
IETF¶
This document establishes a registry for extension IDs. The "OHTTP Key Configuration Extensions" registry governs a 62-bit space and operates under the QUIC registration policy documented in Section 22.1 of [QUIC]. This new registry includes the common set of fields listed in Section 22.1.1 of [QUIC]. In addition to those common fields, all registrations in this registry MUST include a "Name" field that contains a short name or label for the extension.¶
Permanent registrations in this registry are assigned using the Specification Required policy (Section 4.6 of [IANA-POLICY]), except for values between 0x00 and 0x3f (in hexadecimal; inclusive), which are assigned using Standards Action or IESG Approval as defined in Sections 4.9 and 4.10 of [IANA-POLICY].¶
Extensions with a value of the form 0x29 * N + 0x17 for integer values of N are reserved to exercise the requirement that unknown Extension IDs be ignored. These extensions have no semantics and can carry arbitrary values. These values MUST NOT be assigned by IANA and MUST NOT appear in the listing of assigned values.¶
This registry initially contains the following entries:¶
| Value | Name |
|---|---|
| 0x00 | EXPIRATION |
| 0x01 | NOT_BEFORE |
All of these new entries use the following values for these fields:¶
The "Not Before" and "Expiration" extensions were inspired by the "nbf" and "exp" claims in JSON Web Keys ([JWT]).¶