2026-06-07: Thibault Meunier (Cloudflare, co-author) opens 2 design issues June 5 on moq-wg/privacy-pass — #14 “MOqTokenChallenge should be base64 encoded” and #15 “Find how to pass MoQTokenChallenge in reply to a SETUP closure without using ReasonPhrase”. These move thibmeu’s issuer-aware challenge-reply concerns — first raised in his May 30 review of cloudflare/moq-rs PR #169 (the AuthHook trait) — from cross-impl review into the draft’s own issue tracker. The core wire question: a relay that wants to challenge a client must send a MoQTokenChallenge back, but with draft-18 collapsing CLIENT_SETUP/SERVER_SETUP and using a ReasonPhrase on session close, there is no clean carrier for a structured (base64) challenge in a SETUP-closure reply. Lands one week before the June-12 London Privacy Pass slot (Suhas); see interim-meetings + discussions-2026-06.
draft-ietf-moq-privacy-pass-auth-02 | 31 pages | Expires 2026-03-02
Authors
- Suhas Nandakumar (Cisco)
- Cullen Jennings (Cisco)
- Thibault Meunier (Cloudflare)
Abstract
Integrates Privacy Pass tokens with moq-transport to enable privacy-preserving authentication for subscriptions, fetches, publications, and relay operations. Supports fine-grained access control through prefix-based track namespace and track name matching rules.
Key Features
- Privacy-preserving: Uses Privacy Pass tokens so relays learn minimal information about subscribers
- Fine-grained ACL: Prefix-based matching on track namespace and track name
- Multiple operations: Covers SUBSCRIBE, FETCH, PUBLISH, and relay forwarding
- Token-based: Leverages the IETF Privacy Pass architecture
Related
- moq-transport - Transport layer being authenticated
- moq-secure-objects - Complementary E2E encryption
- CAT-4-MOQT - Alternative auth approach using CTA WAVE Common Access Tokens