You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The Protected Audience API in Chrome sends encrypted data to trusted services such as the Bidding and Auction service and the Trusted Key Value Service. In today's implementation, a set of globally-scoped keys is used to encrypt all traffic.
To reduce the impact of a key compromise, we might consider encrypting traffic to different recipients (TEEs operated by different adtechs) using different keys.
In this proposal, Chrome would encrypt data in a Key-Value Server V2 API request using a key that is specific to the adtech operating the KV server.
Similarly, a ProtectedAudienceInput blob would be encrypted using a key specific to the SSP responsible for running the auction. Each BuyerInput sub-component would be encrypted using a key specific to the corresponding DSP. This way, IG data of a buyer participating in the auction are further protected should a compromise of a seller’s key occur.
Representing recipient identity
It might make sense to associate each HPKE key with the origin at which an instance of a trusted service is hosted. For example, the navigator.getInterestGroupAdAuctionData() method already accepts the origin of the seller and each interest group is associated with the origin of its 'owner'.
Some Open Questions
Is origin an appropriate scope? Should we consider e.g. a site (e.g. eTLD+1) or a URL scope instead?
Can multiple trusted service instances be hosted at the same origin? If yes, can these instances use the same HPKE key?
Example: a trusted key-value server instance is represented by a trustedBiddingSignalsURL attribute of an interestGroup or a trustedScoringSignalsURL attribute of an auctionConfig. This raises the possibility of hosting multiple trusted KV instances at the same origin.
Can an adtech operate trusted service instances at multiple origins? If yes, can each origin still be assigned a separate set of keys?
When provisioning private keys to a TEE instance, how can a Coordinator verify that the TEE instance is indeed associated with a given origin?
The text was updated successfully, but these errors were encountered:
The Protected Audience API in Chrome sends encrypted data to trusted services such as the Bidding and Auction service and the Trusted Key Value Service. In today's implementation, a set of globally-scoped keys is used to encrypt all traffic.
To reduce the impact of a key compromise, we might consider encrypting traffic to different recipients (TEEs operated by different adtechs) using different keys.
In this proposal, Chrome would encrypt data in a Key-Value Server V2 API request using a key that is specific to the adtech operating the KV server.
Similarly, a ProtectedAudienceInput blob would be encrypted using a key specific to the SSP responsible for running the auction. Each BuyerInput sub-component would be encrypted using a key specific to the corresponding DSP. This way, IG data of a buyer participating in the auction are further protected should a compromise of a seller’s key occur.
Representing recipient identity
It might make sense to associate each HPKE key with the origin at which an instance of a trusted service is hosted. For example, the
navigator.getInterestGroupAdAuctionData()method already accepts the origin of the seller and each interest group is associated with the origin of its 'owner'.Some Open Questions
Is origin an appropriate scope? Should we consider e.g. a site (e.g. eTLD+1) or a URL scope instead?
Can multiple trusted service instances be hosted at the same origin? If yes, can these instances use the same HPKE key?
Example: a trusted key-value server instance is represented by a
trustedBiddingSignalsURLattribute of an interestGroup or atrustedScoringSignalsURLattribute of an auctionConfig. This raises the possibility of hosting multiple trusted KV instances at the same origin.Can an adtech operate trusted service instances at multiple origins? If yes, can each origin still be assigned a separate set of keys?
When provisioning private keys to a TEE instance, how can a Coordinator verify that the TEE instance is indeed associated with a given origin?
The text was updated successfully, but these errors were encountered: