@@ -579,7 +579,7 @@ to learn more information from such metadata, including, in some cases, applicat
579579never meant to see. Although privacy partitioning does not obviate such attacks, it does increase the cost
580580necessary to carry them out in practice. See {{security-considerations}} for more discussion on this topic.
581581
582- # Impacts of Partitioning
582+ # Partitioning Impacts
583583
584584Applying privacy partitioning to communication protocols lead to a substantial change in communication patterns.
585585For example, instead of sending traffic directly to a service, essentially all user traffic is routed through
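Review bot: the heading rename at new line 582 also changes the anchor that is derived from the heading text, so any cross-reference written in the same style as {{security-considerations}} that points at the old "Impacts of Partitioning" section needs to be updated in this commit. Please search the draft for such a reference before merging. While this paragraph is being touched, the context line at 584 reads "Applying privacy partitioning to communication protocols lead to"; the verb should be "leads".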
@@ -590,19 +590,30 @@ and protocol). This has a number of practical implications, described below.
590590 network or metadata that has been unintentionally revealed to the service provider cannot be used anymore
591591 for e.g., existing security procedures such as application rate limiting or DDoS mitigation.
592592 However, network management techniques deployed at present often rely on information that is exposed by
593- most traffic but without any guarantees that the information is accurate. Privacy partitioning provides
594- an opportunity for improvements in these management techniques by providing opportunities to actively
595- exchange information with each entity in a privacy-preserving way and requesting exactly the information
596- needed for a specific task or function rather then relying on assumption that are derived on a limited
597- set of unintentionally revealed information which cannot be guaranteed to be present and may disappear
598- any time in future.
599-
600- 1. Varying performance effects. Depending on how context separation is done, privacy partitioning may
593+ most traffic but without any guarantees that the information is accurate.
594+
595+ Privacy partitioning provides an opportunity for improvements in these management techniques with
596+ opportunities to actively exchange information with each entity in a privacy-preserving way and requesting
597+ exactly the information needed for a specific task or function rather then relying on assumption that
598+ are derived on a limited set of unintentionally revealed information which cannot be guaranteed to be
599+ present and may disappear any time in future.
600+
601+ 1. Varying performance effects and costs. Depending on how context separation is done, privacy partitioning may
601602 affect application performance. As an example, Privacy Pass introduces an entire end-to-end round
602603 trip to issue a token before it can be redeemed, thereby decreasing performance. In contrast, while
603604 systems like CONNECT proxying may seem like they would regress performance, often times the highly
604- optimized nature of proxy-to-proxy paths leads to improved perforamnce. In general, while performance
605- and privacy tradeoffs are often cast as a zero sum game, in reality this is often not the case.
605+ optimized nature of proxy-to-proxy paths leads to improved perforamnce.
606+
607+ Performance may also push back against the desire to apply privacy partitioning. For example, HTTPS
608+ connection reuse {{?HTTP2=RFC9113, Section 9.1.1}} allows clients to use an existing HTTPS session created
609+ for one origin to interact with different origins (provided the original origin is authoritative for
610+ these alternative origins). Reusing connections saves the cost of connection establishment, but means that
611+ the server can now link the client's activity with these two or more origins together. Applying privacy
612+ partitioning would prevent this, while typically at the cost of less performance.
613+
614+ In general, while performance and privacy tradeoffs are often cast as a zero sum game, in practice this
615+ is often not the case. The relationship between privacy and performance varies depending on a number
616+ of related factors, such as application characteristics, network path properties, and so on.
606617
6076181. Increased attack surface. Even in the event that information is adequately partitioning across
608619 non-colluding parties, the resulting effects on the end-user may not always be positive. For example,
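Review bot: the re-wrapped text carries existing errors into the new lines, and since these lines are being rewritten anyway they should be fixed here: "perforamnce" at new line 605, and "rather then relying on assumption that are derived on" at new lines 597-598 (should be "rather than relying on assumptions that are derived from"). In the new connection-reuse paragraph, "while typically at the cost of less performance" at line 612 would read better as "typically at the cost of reduced performance", and "these two or more origins" at line 611 has no antecedent for "two"; "all of these origins" would be clearer. Also check that the new continuation paragraphs at 595, 607 and 614 are indented consistently with the list item they belong to, so that they render inside the item and the numbering of the following "1." items is not reset.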