Requesting Network Extension Capability

One thing I wanted to confirm: suppose I submit one request to onboard an OHTTP relay for one organisation's app and it gets approved. Can I resubmit the request with a different bundle ID for another organisation, with the same PIR server and the same OHTTP server? Or do we need a different domain name?

Answered by DTS Engineer in 890211022

Both myself and the person I’m talking with are buried in WWDC preparation right now.

Thanks to a timely reminder from Quinn, I managed to pull my head up long enough to get an answer sorted out.

One thing I wanted to confirm: suppose I submit one request to onboard an OHTTP relay for one organisation's app and it gets approved. Can I resubmit the request with a different bundle ID for another organisation, with the same PIR server and the same OHTTP server? Or do we need a different domain name?

A lot of this depends on exactly what's being shared and in what way:

  • If this is multiple apps from the same development team, then it's fine for all of those teams to use exactly the same configuration and infrastructure.

  • If exactly the same data is being used by multiple development teams, then the team would prefer that each team have their own host names even if the underlying infrastructure is exactly the same. That is, you could do something like "team-a.vendor.com" and "team-b.vendor.com", with both of those DNS records actually pointing to the same underlying server infrastructure.

Note that this assumes that these apps will specifically be working off EXACTLY the same underlying data. If the data sets for individual teams are going to diverge, then you may want to use separate PIR servers to ensure that the datasets are strongly separated.

__
Kevin Elliott
DTS Engineer, CoreOS/Hardware

I think I know the answer here, but I wanna check before I say anything definitive. I’ll get back to you on this.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

any update @DTS Engineer

any update

Not really. I have a reminder to come back to this, but that’ll likely be after WWDC. Both myself and the person I’m talking with are buried in WWDC preparation right now.

Alternatively, you could ask this in the Networking Q&A during WWDC. It’s likely that the relevant folks will be there. See the link on Developer > WWDC26 > Schedule > Forums.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"


@DTS Engineer So is it a restriction from Apple's side that is going to block/reject this entitlement request, or is it a suggestion from your end in order to reduce the complexity and interdependency?

So is it a restriction from Apple's side that is going to block/reject this entitlement request, or is it a suggestion from your end in order to reduce the complexity and interdependency?

I'm not sure why you're asking that. The data separation requirement is fairly trivial (just make a new DNS entry and you're done), so I'm not sure why it would be an issue. I honestly don't know how it would be handled during the entitlement process, but I expect they'd just ask you to change it.

__
Kevin Elliott
DTS Engineer, CoreOS/Hardware

@DTS Engineer I see there is a change in the entitlement request for NEURLFilter https://icloud.developer.apple.com/dashboard/identity/teams/9N738HVC7M/neurl-filter-form. I see that previously the Validation Test DNS Record section was asking you to update your domain DNS records, adding apple-url-filter=<bundle_identifier>, where <bundle_identifier> is replaced with your app bundle ID, but in the new flow they are asking for <bundle_identifier> to be replaced with your extension's bundle identifier.

Please confirm if we need the extension's bundle ID or only the app's bundle ID.

Can we keep the Privacy Pass Token Issuer URL empty, as we have not implemented anything for this?

Please confirm if we need the extension's bundle ID or only the app's bundle ID.

Use the bundle ID. The form asking for the extension bundle ID is incorrect, and we're working on updating it.

Can we keep the Privacy Pass Token Issuer URL empty, as we have not implemented anything for this?

I'm not sure I understand this. Are you not planning to use any sort of authentication for your user(s)? I'm not sure the protocol can function without this.

__
Kevin Elliott
DTS Engineer, CoreOS/Hardware

Thanks for your answer.

I'm not sure I understand this. Are you not planning to use any sort of authentication for your user(s)? I'm not sure the protocol can function without this.

No, we have a PIR issuer token, currently passed directly to the framework. I am asking about the field in the form for Privacy Pass Token Issuer URL, because we are reusing the example PIR server from Apple and are not sure whether it has an implementation for the token URL or not, so that we can mention this in the form.

No, we have a PIR issuer token, currently passed directly to the framework. I am asking about the field in the form for Privacy Pass Token Issuer URL, because we are reusing the example PIR server from Apple and are not sure whether it has an implementation for the token URL or not, so that we can mention this in the form.

You still need to implement the authentication service, which is what that URL is "for". See "Anonymous Authentication" for an overview of what's involved.

__
Kevin Elliott
DTS Engineer, CoreOS/Hardware

You still need to implement the authentication service, which is what that URL is "for". See "Anonymous Authentication" for an overview of what's involved.

@DTS Engineer This link is not working. Do we have any sample service or documentation, so that we can refer to it for implementation purposes?

@DTS Engineer This link is not working, do we have any sample service or documentation? So that we can refer to it for an implementation purpose.

I'm not sure what's going on there.

I know the link worked yesterday because that's how I found it, but I also watched it fail as I started writing your post... and now it appears to be working again. You can try the link above again, or you can get to the same place by starting at the pir-service-example (note that this is the example project itself) page and clicking on "Documentation" in the right-hand column. The "Anonymous Authentication" article is the first article in the articles list on the left-hand side of the documentation page. I'm not sure which of those links will work for you, but hopefully that's enough to get you to the right places.

__
Kevin Elliott
DTS Engineer, CoreOS/Hardware

Hello @DTS Engineer, I submitted my onboarding request last week and it was reviewed and declined yesterday. Below are the main reasons for rejection:

  1. https://protectuswebfilter.com/.well-known/private-token-issuer-directory seems to redirect, it should contain a privacy pass issuer directory.
  2. https://ohttp.protectuswebfilter.com/.well-known/ohttp-gateway is in json, that is not the correct format. See https://www.ietf.org/rfc/rfc9458.html#name-key-configuration

My configurations are:

Provide your PIR server domain name: pir.protectuswebfilter.com

Provide your Privacy Pass Token Issuer URL: protectuswebfilter.com

Provide your Oblivious HTTP Gateway configuration resource: https://ohttp.protectuswebfilter.com/.well-known/ohttp-gateway

Provide your Oblivious HTTP Gateway resource: https://ohttp.protectuswebfilter.com

I understood the root cause of point number 1: I need to use pir.protectuswebfilter.com, as my privacy pass issuer is pointing to the same PIR service.

Can you please help me with what exactly Apple is expecting for point number 2?

Can you please help me with what exactly Apple is expecting for point number 2?

You need to take a closer look at this document you were sent:

https://www.ietf.org/rfc/rfc9458.html#name-key-configuration

As the rejection said, the data format described there simply is not JSON[1]. The details depend on exactly what you're encoding, but the basic format is a series of fixed-size binary elements concatenated together. For example, this description from section "4.3. Encapsulation of Requests":

  1. Construct a message header (hdr) by concatenating the values of key_id, kem_id, kdf_id, and aead_id as one 8-bit integer and three 16-bit integers, respectively, each in network byte order.

In other words, that creates a single "chunk" of binary data 56 (8+16+16+16) bytes long.

[1] FYI, JSON tends to be a particularly poor format for this kind of security data, as the format itself is relatively "wordy" and the fixed-size data elements mean that most of the data (key names, punctuation, etc.) tends to end up at exactly the same place, both of which greatly facilitate things like known plaintext attacks.

__
Kevin Elliott
DTS Engineer, CoreOS/Hardware
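As an added illustration (not code from the thread or from Apple's example project) of the binary layout the rejection refers to, the following encodes and parses an RFC 9458 key configuration resource (the application/ohttp-keys body, section 3.1, each key config prefixed by a 2-byte length) and builds the section 4.3 encapsulation header. The public key bytes and identifiers are constructed sample values; the parser refuses a body that starts like JSON, which is the mistake the review team flagged.

```python
import struct

# HPKE identifiers (RFC 9180) used inside RFC 9458 key configurations.
KEM_X25519_HKDF_SHA256 = 0x0020   # Npk = 32 bytes
KDF_HKDF_SHA256 = 0x0001
AEAD_AES_128_GCM = 0x0001
AEAD_CHACHA20_POLY1305 = 0x0003
# Public key length (Npk) per KEM id: P-256, P-384, P-521, X25519, X448.
KEM_PUBLIC_KEY_LEN = {0x0010: 65, 0x0011: 97, 0x0012: 133, 0x0020: 32, 0x0021: 56}

def encode_key_config(key_id, kem_id, public_key, suites):
    """RFC 9458 s3: key_id(8) | kem_id(16) | pk(Npk*8) | sym_len(16) | (kdf_id(16) aead_id(16))*"""
    if len(public_key) != KEM_PUBLIC_KEY_LEN[kem_id]:
        raise ValueError("public key length does not match KEM")
    sym = b"".join(struct.pack("!HH", kdf, aead) for kdf, aead in suites)
    return struct.pack("!BH", key_id, kem_id) + public_key + struct.pack("!H", len(sym)) + sym

def encode_ohttp_keys(configs):
    """application/ohttp-keys body (s3.1): every key config prefixed by its 2-byte length."""
    return b"".join(struct.pack("!H", len(c)) + c for c in configs)

def parse_ohttp_keys(body):
    """Parse and validate an application/ohttp-keys body; returns a list of dicts."""
    if body[:1] in (b"{", b"["):
        raise ValueError("resource is JSON, not the RFC 9458 binary key configuration")
    out, off = [], 0
    while off < len(body):
        (clen,) = struct.unpack_from("!H", body, off); off += 2
        cfg = body[off:off + clen]; off += clen
        if len(cfg) != clen:
            raise ValueError("truncated key config")
        key_id, kem_id = struct.unpack_from("!BH", cfg, 0)
        npk = KEM_PUBLIC_KEY_LEN.get(kem_id)
        if npk is None:
            raise ValueError(f"unknown KEM id {kem_id:#06x}")
        pk = cfg[3:3 + npk]
        (slen,) = struct.unpack_from("!H", cfg, 3 + npk)
        sym = cfg[5 + npk:5 + npk + slen]
        if slen < 4 or slen % 4 or len(sym) != slen or 5 + npk + slen != clen:
            raise ValueError("bad symmetric algorithms block")
        suites = [struct.unpack_from("!HH", sym, i) for i in range(0, slen, 4)]
        out.append({"key_id": key_id, "kem_id": kem_id, "public_key": pk, "suites": suites})
    return out

def encapsulation_header(key_id, kem_id, kdf_id, aead_id):
    """s4.3 step 1: hdr = key_id(8) || kem_id(16) || kdf_id(16) || aead_id(16), network byte order."""
    return struct.pack("!BHHH", key_id, kem_id, kdf_id, aead_id)

def sample_resource():
    """Constructed sample (NOT a real key): one X25519 config offering two AEADs."""
    cfg = encode_key_config(1, KEM_X25519_HKDF_SHA256, bytes(range(32)),
                            [(KDF_HKDF_SHA256, AEAD_AES_128_GCM), (KDF_HKDF_SHA256, AEAD_CHACHA20_POLY1305)])
    return encode_ohttp_keys([cfg])
```

Serve the bytes from `encode_ohttp_keys` with `Content-Type: application/ohttp-keys`; a quick `curl -s ... | xxd | head` on the gateway configuration URL should show binary, not a `{`.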

Thanks for the answer @DTS Engineer, just to confirm for issue number 1,

When I run the curl command below on my machine, curl -v https://pir.protectuswebfilter.com/.well-known/private-token-issuer-directory,

I am getting the response below:

racit@RACITs-MacBook-Pro ~ % curl -v https://pir.protectuswebfilter.com/.well-known/private-token-issuer-directory
* Host pir.protectuswebfilter.com:443 was resolved.
* IPv6: (none)
* IPv4: 13.74.252.44
*   Trying 13.74.252.44:443...
* Connected to pir.protectuswebfilter.com (13.74.252.44) port 443
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* (304) (IN), TLS handshake, Server hello (2):
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-AES256-GCM-SHA384 / [blank] / UNDEF
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=*.protectuswebfilter.com
*  start date: May 14 00:00:00 2026 GMT
*  expire date: Nov 28 23:59:59 2026 GMT
*  subjectAltName: host "pir.protectuswebfilter.com" matched cert's "*.protectuswebfilter.com"
*  issuer: C=FR; O=Gandi SAS; CN=GandiCert
*  SSL certificate verify ok.
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://pir.protectuswebfilter.com/.well-known/private-token-issuer-directory
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: pir.protectuswebfilter.com]
* [HTTP/2] [1] [:path: /.well-known/private-token-issuer-directory]
* [HTTP/2] [1] [user-agent: curl/8.7.1]
* [HTTP/2] [1] [accept: */*]
> GET /.well-known/private-token-issuer-directory HTTP/2
> Host: pir.protectuswebfilter.com
> User-Agent: curl/8.7.1
> Accept: */*
>
* Request completely sent off
< HTTP/2 200
< content-type: application/json; charset=utf-8
< date: Wed, 24 Jun 2026 12:48:36 GMT
< server: nginx/1.24.0 (Ubuntu)
< content-length: 1511
<
* Connection #0 to host pir.protectuswebfilter.com left intact
{"issuer-request-uri":"&#x2F;issue","token-keys":[{"token-key":"MIIBUjA9BgkqhkiG9w0BAQowMKANMAsGCWCGSAFlAwQCAqEaMBgGCSqGSIb3DQEBCDALBglghkgBZQMEAgKiAwIBMAOCAQ8AMIIBCgKCAQEAtX6p_XKIg8xY-EDlD4y06FeZZLPJShlRRH_vJYPGunXpYceKU5g61FSFhMGkrOdYfPCvlWCfSkw7oQxP8lWVXfkudyfhXfXEfcathI0K11kukG3SRao6thT25WJQHTyYA3qCOHTwDFKxPZKovhJPEm4Vh4Z2N79czb_FnJ38nUc08j9xZvU5A95rPhwRxhgjUJbEVXu30N18q_U9NbaqT7n5aQsIuXd8FJnOS4jxqDk6Bz3Rc2sWEYnOGFEDTkeBZUmpyESjzzAr6uqkGRsPEikwfDkfYhc7JAeTgGYIxzf6POWvkwqWq0BKGRSjzXyD2tXOj3DM1jlnmGuipkANVQIDAQAB","token-type":2},{"token-key":"MIIBUjA9BgkqhkiG9w0BAQowMKANMAsGCWCGSAFlAwQCAqEaMBgGCSqGSIb3DQEBCDALBglghkgBZQMEAgKiAwIBMAOCAQ8AMIIBCgKCAQEApx-w6NSCZYwjdGe-aYlyn7mAeeIi6VvwmS1C5ACdQciSA2fscOxv5YWBmPbYXAJSZ9ZnI_1OhrBS5l-45dugDSa4Ecoo7xntfUp72WC62MrLhJ-XcqwF8zjiso6DFYBNW8kfXjZNIHvg1Q91b8Rci4_2Lo95ULe_5mf3CmdsqeE8dY4quMM0e_nlXjxMgSWEaDmWDIiBGVHKTAhZxwEuGIkSfL6XjbVumcM5iapXr180dtna6Squi-vLcocOXal-G9zqw7JeOLDiQaRacF0IfxG-SptdfuwlyEUyhB8-drkbpvdZsodnAl3PbFoWTdOSoEi3N2gYkDcw87mX9KUyCQIDAQAB","token-type":2},{"token-key":"MIIBUjA9BgkqhkiG9w0BAQowMKANMAsGCWCGSAFlAwQCAqEaMBgGCSqGSIb3DQEBCDALBglghkgBZQMEAgKiAwIBMAOCAQ8AMIIBCgKCAQEA5XCgFDOQJwyvM_9DB4BBjlkphYvT1-2q0ZN45fUP3kVGQPTSUa40cL588u_QTG55HKc3BtLkk_n6BhjFIaKRnk8M-muh-_ytyi7lyp2g7L5rHXa-O6UqfY-6Nt-31l9RkQk1bP7Ccu-AtUUeuTnYoRThrJ_022OLwktnZfWetkwoMw9QaiM2NcAFb7pVTdvJ573S4AAN9hmoI82C49H1Cgjo3l9REDUrMougci_6ul3efFVsVf2dYKsxvddgw7Rp60p80tTKXhrVxyfSJvPgAYWbwfK-8mLEX72sLwIYhmx_D-imdWFE7KsQxTwpmYZCi6tF-yungRC3AxLXzgLDNQIDAQAB","token-type":2}]}%

So that is what the review team is expecting, correct? Whereas in the previous request I provided the privacy pass issuer token URL protectuswebfilter.com and it was responding with a 302 response code.
