Add a new explainer for the FLEDGE Key/Value Server trust model #295
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
michaelkleber
requested changes
May 6, 2022
| * _Client software_: shorthand for the implementation of FLEDGE in a browser or on a device (such as a [Chrome browser](https://www.google.com/url?q=https://github.com/WICG/turtledove/blob/main/FLEDGE.md%2331-fetching-real-time-data-from-a-trusted-server&sa=D&source=docs&ust=1651077929049635&usg=AOvVaw2mNLZwBgIzzYL7iUKJTUwb) or an [Android device](https://www.google.com/url?q=https://developer.android.com/design-for-safety/ads/fledge%23ad-selection-ad-tech-platform-managed-trusted-server&sa=D&source=docs&ust=1651077929049793&usg=AOvVaw19U97RKrvuOGjGH-tIk98Y)). | ||
| * _Attestation_: a mechanism to authenticate software identity, usually with [cryptographic hashes](https://en.wikipedia.org/wiki/Cryptographic_hash_function) or signatures. In this proposal, attestation matches the code running in the adtech-operated key/value service with the open source code. | ||
| * _Trusted Execution Environment (TEE)_: a dedicated, closed execution context that is isolated through hardware memory protection and cryptographic protection of storage. The TEE's contents are protected from observation and tampering by unauthorized parties, including the root user. | ||
| * _Key management service (KMS): _a centralized component tasked with provision of decryption keys to appropriately secured aggregation server instances. Provision of public encryption keys to end user devices and key rotation also fall under key management. |
There was a problem hiding this comment.
(Need to move an _ one character left, to get your italics to work right...)
|
|
||
|
|
||
|
|
||
|  |
There was a problem hiding this comment.
Is "FLEDGE Key Value Server system diagram" intended as alt text? Looks like it needs to be in the brackets in that case. It breaks the image embed as-is.
|
|
||
|
|
||
| 1. That the timestamp of the request could be used to correlate the lookup keys with the request of the top-level page and thus identify a user. This is mitigated by limiting the logs that are written. | ||
| 2. During the FLEDGE auction, a client asks a key/value server about an assortment of keys that were previously stored on the client — perhaps including keys that were stored in multiple different contexts (different sites or different apps, via [Shared Storage](https://github.com/pythagoraskitty/shared-storage)). That set of keys, therefore, risks leaking some information about the client's activity. The privacy goal of key/value server design is to give the client confidence that the set of keys cannot be used for tracking or profiling purposes. This threat is mitigated by the TEE protections to allow only pre-approved code. |
There was a problem hiding this comment.
I don't think Shared Storage is relevant here. The keys might come from different contexts because the same Interest Group owner might have called joinAdInterestGroup() (and set lookup keys) on multiple different domains.
There was a problem hiding this comment.
Thanks, I've removed the reference to Shared Storage there.
|
|
||
|
|
||
| 1. _Monitoring metrics_ - Only noised aggregate metrics will be available for monitoring and alerting. These will be aggregated to at least k size. | ||
| 1. For example, counting the approximate number of failed requests in the past n minutes is likely to be fine but doing so at millisecond granularity is not. |
There was a problem hiding this comment.
Formatting for nested lists is wrong — the "1." of the nested lists needs to be indented to be under the first character of the list item. See details here:
Remove reference to Shared Storage that was confusing
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.