RFC 9458 - Oblivious HTTP
Overview
RFC 9458 defines Oblivious HTTP (OHTTP), a protocol that allows a client to make HTTP requests without revealing the request contents to the relay or the client identity to the target.
Key Concepts
Participants
- Client: Makes requests, knows the target but hides identity
- Relay: Forwards requests, knows client but not request contents
- Gateway: Decrypts requests, knows contents but not client identity
- Target: Final destination, sees request as if from gateway
Encryption
OHTTP uses Hybrid Public Key Encryption (HPKE) from RFC 9180:
- KEM: X25519 with HKDF-SHA256
- KDF: HKDF-SHA256
- AEAD: AES-128-GCM
Message Format
Requests use Binary HTTP (RFC 9292) encapsulated in HPKE:
Encapsulated Request {
Key ID (8),
KEM ID (16),
KDF ID (16),
AEAD ID (16),
Encapsulated Key (Npk),
HPKE-encrypted Request (*)
}Related Specifications
| RFC | Title | Purpose |
|---|---|---|
| RFC 9458 | Oblivious HTTP | Core protocol |
| RFC 9292 | Binary HTTP Messages | Request encoding |
| RFC 9180 | HPKE | Encryption |
| RFC 9457 | Problem Details | Error format |
Key Configuration
The gateway publishes its public key at /.well-known/ohttp-gateway:
Key Configuration {
Key ID (8),
KEM ID (16),
Public Key (Npk),
Symmetric Algorithms Length (16),
Symmetric Algorithms (..),
}Each symmetric algorithm entry contains:
- KDF ID (16 bits)
- AEAD ID (16 bits)
Security Considerations
- Request Unlinkability: The relay cannot link requests to responses
- Client Anonymity: The gateway sees only the relay’s IP
- Content Privacy: The relay cannot read request/response contents
- Replay Protection: Built into HPKE
Limitations
- Single-shot request/response (no streaming in base spec)
- Requires trust in both relay and gateway operators
- Adds latency from extra hop
Future Work
draft-ietf-ohai-chunked-ohttp extends OHTTP to support streaming via chunked transfer.