Requesting Network Extension Capability

One thing I wanted to confirm: suppose I submit one request to onboard an OHTTP relay for one organisation's app and it gets approved, can I resubmit the request with a different bundle ID for another organisation and the same PIR server, same OHTTP server? Or do we need a different domain name?


I think I know the answer here, but I wanna check before I say anything definitive. I’ll get back to you on this.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

any update @DTS Engineer

any update

Not really. I have a reminder to come back to this, but that’ll likely be after WWDC. Both myself and the person I’m talking with are buried in WWDC preparation right now.

Alternatively, you could ask this in the Networking Q&A during WWDC. It’s likely that the relevant folks will be there. See the link on Developer > WWDC26 > Schedule > Forums.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Both myself and the person I’m talking with are buried in WWDC preparation right now.

Thanks to a timely reminder from Quinn, I managed to pull my head up long enough to get an answer sorted out.

One thing I wanted to confirm: suppose I submit one request to onboard an OHTTP relay for one organisation's app and it gets approved, can I resubmit the request with a different bundle ID for another organisation and the same PIR server, same OHTTP server? Or do we need a different domain name?

A lot of this depends on exactly what's being shared and way:

  • If this is multiple apps from the same development team, then it's fine for all of those teams to use exactly the same configuration and infrastructure.

  • If exactly the same data is being used by multiple development teams, then the team would prefer that each team have their own host names even if the underlying infrastructure is exactly the same. That is, you could do something like "team-a.vendor.com" and "team-b.vendor.com", with both of those DNS records actually pointing to the same underlying server infrastructure.

Note that this assumes that these apps will specifically be working off EXACTLY the same underlying data. If the data sets for individual teams are going to diverge, then you may want to use separate PIR servers to ensure that the datasets are strongly separated.

__
Kevin Elliott
DTS Engineer, CoreOS/Hardware

@DTS Engineer So is it a restriction from Apple's side that is going to block/reject this entitlement request, or is it a suggestion from your end in order to reduce the complexity and interdependency?

So is it a restriction from Apple's side that is going to block/reject this entitlement request, or is it a suggestion from your end in order to reduce the complexity and interdependency?

I'm not sure why you're asking that. The data separation requirement is fairly trivial (just make a new DNS entry and you're done), so I'm not sure why it would be an issue. I honestly don't know how it would be handled during the entitlement process, but I expect they'd just ask for you to change it.

__
Kevin Elliott
DTS Engineer, CoreOS/Hardware

@DTS Engineer I see there is a change in the entitlement request for NEURLFilter https://icloud.developer.apple.com/dashboard/identity/teams/9N738HVC7M/neurl-filter-form. Previously, the Validation Test DNS Record section asked: "Update your domain DNS records. Add apple-url-filter=<bundle_identifier>, where <bundle_identifier> is replaced with your app bundle ID", but in the new flow they are asking "where <bundle_identifier> is replaced with your extension's bundle identifier".

Please confirm if we need the extension's bundle ID or only the app's bundle ID.

Can we keep Privacy Pass Token Issuer URL empty, as we have not implemented anything for this?

Please confirm if we need extension's bundle ID or only app's bundle ID.

Use the bundle ID. The form asking for the extension bundle ID is incorrect, and we're working on updating it.

Can we keep Privacy Pass Token Issuer URL empty as we have not implemented anything for this?

I'm not sure I understand this. Are you not planning to use any sort of authentication for your user(s)? I'm not sure the protocol can function without this.

__
Kevin Elliott
DTS Engineer, CoreOS/Hardware

Thanks for your answer.

I'm not sure I understand this. Are you not planning to use any sort of authentication for your user(s)? I'm not sure the protocol can function without this.

No, we have a PIR issuer token, currently passed directly to the framework. I am asking about the field in the form for Privacy Pass Token Issuer URL, because we are reusing the example PIR server from Apple and are not sure whether it has an implementation for the token URL or not, to mention this in the form.

No, we have a PIR issuer token, currently passed directly to the framework. I am asking about the field in the form for Privacy Pass Token Issuer URL, because we are reusing the example PIR server from Apple and are not sure whether it has an implementation for the token URL or not, to mention this in the form.

You still need to implement the authentication service, which is what that URL is "for". See "Anonymous Authentication" for an overview of what's involved.

__
Kevin Elliott
DTS Engineer, CoreOS/Hardware

You still need to implement the authentication service, which is what that URL is "for". See "Anonymous Authentication" for an overview of what's involved.

@DTS Engineer This link is not working, do we have any sample service or documentation? So that we can refer to it for an implementation purpose.

@DTS Engineer This link is not working, do we have any sample service or documentation? So that we can refer to it for an implementation purpose.

I'm not sure what's going on there.

I know the link worked yesterday because that's how I found it, but I also watched it fail as I started writing your post... and now it appears to be working again. You can try the link above again or you can get to the same place by starting at the pir-service-example (note that this is the example project itself) page and clicking on "Documentation" in the right-hand column. The "Anonymous Authentication" article is the first article in the articles list on the left-hand side of the documentation page. I'm not sure which of those links will work for you, but hopefully that's enough to get you to the right places.

__
Kevin Elliott
DTS Engineer, CoreOS/Hardware
