[I implemented this at Kagi]

And you can validate this, if you try to issue a Privacy Pass search without a private token, you'll get a `WWW-Authenticate` header that kicks off the handshake, and that should be the same for all users for a given epoch (month). E.g.

    curl -v -H 'X-Kagi-PrivacyPass-Client: true' 'https://kagi.com/search?q=test'

But how do I validate that I’m actually getting the same value as everyone else? Is the value I should get published somewhere (in a verifiable and not editable way) so I can see that I’m not being tracked?

Or does the extension validate this and the correct value is hardcoded in the extension like stebalien suggested?

There's no auth required at this stage of the handshake, so you can test from any number of devices/locations/networks/etc and confirm you get the same value. We could publish it, but it will change every epoch/month. Plus, if you don't trust the service to not issue special key pairs to track you, you probably won't trust us to not do the same when publishing the key material. There are schemes involving third-parties we could employ, but it's trust and turtles all the way down.

A malicious server could maintain separate key pairs for users it wanted to track, but you can't do it for every user because 1) it'd be clear from the WWW-Authenticate header changing, and 2) you'd have to validate tokens against every key, which would quickly get too slow to work.

While it's relatively trivial to run something like:

  fetch(new Request("https://kagi.com/search?q=test", { method: "GET", headers: new Headers({ "X-Kagi-PrivacyPass-Client": true })})).then((r) => console.log(r.headers.get("www-authenticate")))

A simple response in the body to something like <https://kagi.com/privacypass> would be easier to check.

And you answered someone else:

> It is also something anyone else could do to keep us honest :)

While true I believe for such a feature making it as easy as possible for your users to check independently is just better.

Makes sense in general, but to make sure I understand it:

> Plus, if you don't trust the service to not issue special key pairs to track you, you probably won't trust us to not do the same publishing the key material.

You could publish it on some sort of blockchain to make sure it can’t be changed and is public for everyone, right?

> A malicious server could maintain separate key pairs for users it wanted to track, but you can't do it for every user because 1) it'd be clear from the WWW-Authenticate header changing, and 2) you'd have to validate tokens against every key, which would quickly get too slow to work.

Makes sense, thanks for explaining!

> You could publish it on some sort of blockchain to make sure it can’t be changed and is public for everyone, right?

Your understanding is correct, that's definitely something we could do. It is also something anyone else could do to keep us honest :)

Could you jam the bits into dummy ssl cert signing requests, then stick the result in the certificate transparency log?

Thanks for looking it up, that makes sense.