WICG/trust-token-api

Redemption token header and format

chris-wood opened this issue · 1 comment

Redemption uses the "Sec-Private-State-Token" header to convey a base64-encoded token. This raises a couple of questions:

  1. Why not use the HTTP authentication mechanism defined by Privacy Pass rather than provide a new header? Is the idea that one would want to do HTTP authentication alongside a redemption request, or something?
  2. Why not use the Token format from Privacy Pass, using a new token type to distinguish PST issuance from other existing Privacy Pass issuance protocols? Converging on the format would make it much simpler for origins adopting this technology, as they wouldn't need two significantly different code paths -- one for PST and one for Privacy Pass.
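One way to picture the single code path the second question asks for, as an added illustration that is not part of this issue or of the trust-token-api project: a parser for the Privacy Pass Token structure that dispatches on token_type (field sizes for types 0x0001 and 0x0002 as registered by RFC 9577/9578), with a registration hook where a separate PST token type could be added. The header-parsing helper, the register_token_type hook and the sample token bytes are assumptions constructed for this example, not anything the specification or the project defines.

```python
import base64
import struct

# (name, Nid, Nk) per token_type as registered in RFC 9578:
# 0x0001 = VOPRF(P-384, SHA-384), 0x0002 = Blind RSA with a 2048-bit modulus.
TOKEN_TYPES = {
    0x0001: ("VOPRF(P-384, SHA-384)", 32, 48),
    0x0002: ("Blind RSA (2048-bit)", 32, 256),
}


def register_token_type(token_type, name, nid, nk):
    """Hypothetical hook: a PST-specific token_type would be registered here."""
    TOKEN_TYPES[token_type] = (name, nid, nk)


def parse_private_token_header(value):
    """Parse the credential of an 'Authorization: PrivateToken token=...' header."""
    scheme, _, params = value.strip().partition(" ")
    if scheme.lower() != "privatetoken":
        raise ValueError("not a PrivateToken credential")
    key, _, encoded = params.strip().partition("=")
    if key.strip().lower() != "token":
        raise ValueError("missing token parameter")
    encoded = encoded.strip().strip('"')
    # Accept base64url with or without trailing padding.
    raw = base64.urlsafe_b64decode(encoded + "=" * (-len(encoded) % 4))
    return parse_token(raw)


def parse_token(raw):
    """Parse the RFC 9577 Token struct; the layout is fixed once token_type is known."""
    if len(raw) < 2:
        raise ValueError("token too short")
    (token_type,) = struct.unpack("!H", raw[:2])
    if token_type not in TOKEN_TYPES:
        raise ValueError(f"unknown token_type 0x{token_type:04x}")
    name, nid, nk = TOKEN_TYPES[token_type]
    expected = 2 + 32 + 32 + nid + nk
    if len(raw) != expected:
        raise ValueError(f"{name}: expected {expected} bytes, got {len(raw)}")
    off = 2
    nonce, off = raw[off:off + 32], off + 32
    challenge_digest, off = raw[off:off + 32], off + 32
    token_key_id, off = raw[off:off + nid], off + nid
    return {"token_type": token_type, "name": name, "nonce": nonce,
            "challenge_digest": challenge_digest, "token_key_id": token_key_id,
            "authenticator": raw[off:off + nk]}


# Constructed sample: a type 0x0001 token with filler bytes (not a real token).
SAMPLE_TOKEN = b"\x00\x01" + b"\x11" * 32 + b"\x22" * 32 + b"\x33" * 32 + b"\x44" * 48
SAMPLE_HEADER = "PrivateToken token=" + base64.urlsafe_b64encode(SAMPLE_TOKEN).decode()
```

Because the length check is derived from token_type, a truncated or padded token is rejected before any field is interpreted, which is the property an origin wants whichever header carries the token.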
  1. This is somewhat the same as #229. From the Origin Trial and discussions with potential issuers, tying in redemption/issuance flows to existing requests was much easier than having to have a new sequenced request to trigger the authentication flow. It might be possible to migrate to the request-based flow.

  2. Will centralize on #256 to track this.