PATTERN Cited by 1 source

Issuer / attester / client / origin roles

The RFC 9576 four-role decomposition is the architectural pattern underlying Privacy Pass and its successors ARC / ACT. It splits the "anonymous + accountable" web-protection stack into four distinct parties, each with a narrow responsibility, so that no single party controls the ecosystem — a precondition for the open-Web guardrail.

The four roles

| Role | Responsibility |
|------|----------------|
| Issuer | Mints anonymous credentials after verifying (directly or via an attester) that the client passed a check. Publishes public keys used for verification. |
| Attester | Trusted by the issuer to perform the check: run a CAPTCHA, verify an attestation, confirm rate-limit history. May be the same entity as the issuer or distinct. |
| Client | Holds credentials. Decides when to present them and to which origin. Integrates the consent UX. |
| Origin | Consumes presented credentials. Chooses which issuers it trusts. Defines the meaning of a successful presentation (skip challenge, count against budget, serve resource). |

Cloudflare's 2026-04-21 framing:

"The issuer trusts one or more attesters to perform some checks before issuing credentials (tokens in the RFC case). The client holds these credentials and decides when to present them, within the right scope. The origin remains in control of which issuers it trusts and what each presentation means."

Why the split matters

The pattern's power comes from what each role does not do:

  • Issuers don't identify clients — the blinding / OPRF primitives ensure issuance and redemption cannot be correlated at the protocol level.
  • Attesters don't mint credentials — their job is attestation only; compromising an attester produces low-quality tokens, not unauthorized tokens.
  • Clients don't decide what means what — the origin defines the semantics of presentation; the client just holds and presents.
  • Origins don't identify clients — they verify credentials, not identities; the anonymity budget is preserved by construction.

The result: no single role can unilaterally break anonymity, and no single role can unilaterally break accountability.

Attester-issuer split (split-trust deployments)

RFC 9576 explicitly permits split-trust deployments where attester and issuer are different entities. Canonical example (from real-world deployments like iCloud Private Relay):

  • Apple acts as attester — verifies that a client is running on a genuine Apple device and associated with an Apple ID in good standing.
  • A third party (Cloudflare / Fastly / others) acts as issuer — mints tokens based on Apple's attestation, but does not itself learn the client's Apple ID.
  • A Cloudflare-protected site acts as origin — accepts the tokens without needing to trust Apple directly for its own policy; just needs to trust the issuer.

The split prevents any single party from becoming a centralized tracker of the user's browsing.

Joint-deployment corner case

RFC 9576 §4.3 defines the joint issuer-origin deployment model where the issuer and origin are the same entity. The 2026-04-21 post notes that ACT is designed so that even in this case, issuance and presentation are not directly linkable at the protocol level. This is non-trivial: naive designs where the issuer can watch its own redemptions break unlinkability in this corner case.

The joint-deployment property is what makes the pattern deployable in the common operational reality where an infrastructure provider is both the protective edge (origin) and the CAPTCHA runner / attestation authority (attester / issuer).

Origin controls trust policy

The pattern's governance lever is at the origin side: origins decide which issuers to trust. This is the Privacy-Pass analog of browser root-store management in the Web PKI — the terminal enforcement is "origin stops trusting issuer X", which makes X's tokens worthless at that origin.

Load-bearing consequence: origins must have a way to stop trusting low-quality issuers for the pattern to converge to a healthy ecosystem. This is the core of the patterns/open-issuer-ecosystem governance pattern.
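
The role boundaries from "Why the split matters" and the origin-side trust lever described above, as an added sketch that is not code from RFC 9576, Cloudflare or any Privacy Pass implementation. Textbook RSA blinding with a toy key stands in for the blinding / OPRF primitives; the class names, the `issuer-a` label and the device allow-list are hypothetical.

```python
import hashlib, secrets
from math import gcd

# Toy issuer key from two Mersenne primes (constructed; insecure key size, no padding).
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))

def h(nonce: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(nonce).digest(), "big") % n

def attester_check(device_id: str) -> bool:
    # Attester sees the client's identity but mints nothing; it only vouches.
    return device_id in {"device-good-1"}          # constructed allow-list

class Issuer:
    def __init__(self):
        self.seen = []                             # everything the issuer observes
    def issue(self, attested: bool, blinded: int) -> int:
        if not attested:
            raise PermissionError("attester did not vouch for this client")
        self.seen.append(blinded)
        return pow(blinded, D, N)                  # signs without seeing the nonce

class Client:
    def get_token(self, device_id: str, issuer: Issuer):
        nonce = secrets.token_bytes(32)
        r = secrets.randbelow(N - 2) + 2
        while gcd(r, N) != 1:                      # blinding factor must be invertible
            r = secrets.randbelow(N - 2) + 2
        blinded = h(nonce, N) * pow(r, E, N) % N
        blind_sig = issuer.issue(attester_check(device_id), blinded)
        return nonce, blind_sig * pow(r, -1, N) % N   # unblind: sig = h(nonce)^D

class Origin:
    def __init__(self, trusted: dict):
        self.trusted = dict(trusted)               # issuer name -> (n, e): trust policy
        self.spent = set()
    def redeem(self, issuer_name: str, nonce: bytes, sig: int) -> bool:
        key = self.trusted.get(issuer_name)
        if key is None or nonce in self.spent:     # untrusted issuer or replayed token
            return False
        if pow(sig, key[1], key[0]) != h(nonce, key[0]):
            return False
        self.spent.add(nonce)
        return True
```

The issuer's `seen` log holds only blinded values, so it cannot match a redeemed nonce to an issuance, and deleting an entry from `Origin.trusted` makes every token from that issuer fail at that origin.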

Known instantiations

  • Base Privacy Pass (2019 deployment at Cloudflare) — the first production deployment; Cloudflare acted as all of attester / issuer / origin on its own zones.
  • iCloud Private Relay — Apple as attester; third-party issuers; any HTTPS site on the public internet as origin. Runs at billions of tokens/day.
  • ARC / ACT — successors sharing the same four-role decomposition, with extended presentation semantics.
