01:42:14 <RRSAgent> RRSAgent has joined #trusttokens
01:42:14 <RRSAgent> logging to https://www.w3.org/2019/09/18-trusttokens-irc
01:42:21 <koalie> RRSAgent, make logs public
01:42:28 <koalie> koalie has changed the topic to: https://w3c.github.io/tpac-breakouts/sessions.html
01:42:30 <koalie> koalie has left #trusttokens
08:37:13 <RRSAgent> RRSAgent has joined #trusttokens
08:37:13 <RRSAgent> logging to https://www.w3.org/2019/09/18-trusttokens-irc
08:37:16 <Zakim> Zakim has joined #trusttokens
08:37:20 <toml> present+
08:37:23 <kleber> kleber has joined #trusttokens
08:37:24 <Ian> Scribenick: toml
08:37:25 <kleber> present+
08:37:27 <toml> scribenick: toml
08:37:28 <Ian> Meeting: Trust Tokens
08:37:36 <Ian> present+
08:37:56 <toml> kleber: Trust Tokens are an API from Chrome's Privacy Sandbox
08:38:25 <toml> …: history: build on Cloudflare's Privacy Pass
08:38:29 <Ian> -> https://github.com/dvorak42/trust-token-api Trust Token Explainer
08:38:30 <blassey> blassey has joined #trusttokens
08:38:36 <toml> …: want to extend to new uses in this privacy world
08:38:43 <MasayaIkeo> MasayaIkeo has joined #trusttokens
08:38:51 <toml> …: goal is to help prevent fraud & abuse
08:39:07 <toml> …: today, this involves detecting patterns of malicious behavior
08:39:17 <dave> dave has joined #trusttokens
08:39:20 <toml> …: if you can't recognize people, that ability vanishes
08:39:28 <weiler> weiler has joined #trusttokens
08:39:43 <johnwilander> johnwilander has joined #trusttokens
08:39:44 <toml> …: this is an attempt to retain some spam/fraud-fighting capabilities while also removing identification/tracking
08:39:58 <toml> …: core tech: blinded tokens which are crypto magic
08:40:24 <toml> …: an issuer mints tokens signed with a cryptographic key in a ritual between browser and issuer
08:41:32 <Ian> toml: Did you mean "indistinguishable from any token signed with the same key"
08:42:00 <Ian> ...I think they are distinguishable from one another, but you can't tell which one was emitted with a given issuing event
08:42:14 <wseltzer> wseltzer has joined #trusttokens
08:42:41 <Ian> toml: They are distinguishable, but not correlatable (across different sites)
08:43:00 <toml> …: tokens are cryptographically guaranteed to have been issued by the issuer, but each token
08:43:58 <toml> kleber: tokens are unique, but the issuer doesn't know which tokens it's issued, only how many it's issued and redeemed
08:44:13 <toml> [some clarification of token primitive]
08:44:42 <Ian> Chair: Michael Kleber
08:44:44 <toml> kleber: tokens represent one bit of information: "at some point in the past you trusted me"
08:44:53 <Ian> (Ian likes "a message to its future self" :)
08:45:09 <toml> …: way for issuer to send a message to self in future, and message is "you trust this person"
08:45:27 <toml> …: ex banks might issue tokens to their legit customers
08:45:37 <toml> …: or Google might give them to longtime search users
08:46:01 <toml> …: original use case was to represent having completed a CAPTCHA for anonymous user (via Tor)
08:47:04 <toml> …: Tor users saw dozens of CAPTCHA request on Cloudflare. TT/PP give you a stock of tokens whenever you complete a CAPTCHA, and then you can spend them to avoid future CAPTCHAS for a while
08:47:10 <toml> …: fine when there's one issuer
08:47:28 <toml> …: want this to be a web standard where many people can issue tokens in different cases, and no need to use an extension
08:47:52 <toml> …: needs some limits, imagine 100 issuers — which of those you're holding tokens from might constitute an ID
08:48:10 <toml> …: so some limit on how many issuers you can be asked to pend tokens from on the same site
08:48:27 <toml> tony: is this using any hardware based stuff for key storage
08:48:38 <toml> kleber: all important crypto is server side
08:48:44 <toml> tony: platform crypto?
08:48:47 <toml> kleber: yes
08:49:04 <toml> …: some browser crypto needed to verify the ZKP non-uniqueness key
08:49:12 <toml> tony: so what does it use today?
08:49:38 <toml> kleber: platform crypto rn. no in-browser/js impl. no webcrypto RN, who knows the future.
08:49:54 <toml> kleber: second capability for our use case: ads!
08:50:02 <toml> …: we want to avoid ads fraud
08:50:06 <toml> …: next slide please
08:50:15 <toml> …: ad companies work hard to fight fraud
08:50:23 <toml> …: want to keep doing that without 3p cookies
08:50:56 <toml> …: once you've been given and redeemed a trust token, it'd be useful for your browser on the redeeming site to be able to make requests with a proof of that trust
08:51:24 <toml> …: present token back to google as verifier, google passes back certificate indicating trust from google on NYtimes
08:51:43 <toml> …: then you have a persistent gesture of trust
08:51:59 <toml> …: persistant keypair used for this session transaction
08:52:07 <toml> tony: not bound to http session?
08:52:09 <Ian> q?
08:52:16 <toml> kleber: no, more like cookies?
08:52:22 <toml> +q to ask about certs
08:52:26 <toml> tony: how scoped?
08:52:34 <toml> kleber: haven't decided yet
08:53:08 <toml> …: probably origin tho? IDK? just use more tokens on more domains.
08:53:18 <Ian> scribenick: Ian
08:53:25 <Ian> toml: I want to review the transaction flow you outlined.
08:53:41 <Ian> ...I'm a browser; google issues trust tokens to me; I have them in the browser and visit news.example.
08:53:59 <Ian> ...they say "I want a trust token; we accept providers, A, B, and Google"
08:54:05 <Ian> ....the browser gives a trust token and then google verifies?
08:54:28 <Ian> Michael: Plausible but we were thinking of a different flow
08:54:35 <Ian> ...browser asks news.example with a cert
08:54:51 <Ian> toml: So when presented with a challenge from the news site, the browser does a redemption operation on the issuer site
08:55:21 <Ian> Michael: You provide a trust token (to the issuer), as well as intended scope (news.example), and if you want to use the feature we were discussing, you bind it to a fresh key pair
08:55:52 <Ian> toml: You take a pluripotent token and convert it to a scoped cert with a lifetime...and you use it on the site you are visiting, but the only thing it identifies is "I just redeemed a token"
08:56:08 <Ian> ...and when the user agent decides it's time to clear state,
08:56:27 <Ian> ..then a new request has to happen. That could happen N times with the identity provider (for N tokens) before a re-auth is required
08:56:33 <Ian> scribenick: Toml
08:56:55 <toml> kleber: looking for feedback here
08:57:18 <toml> …: deanon risk exists even though it's 1 bit at a time
08:57:46 <btidor> btidor has joined #trusttokens
08:57:47 <toml> …the sort of attacks are exactly the ones you'd expect
08:58:23 <toml> …i'm a first party you visit regularly, and i ask for many tokens from different providers; eventually, they can produce a cross-site id from those bits
08:58:48 <toml> …so you need to box the idp selection per site: can't change providers very often
08:59:04 <toml> …maybe if they change idps, you need to clear info about that site to avoid leakage
08:59:55 <toml> …likewise everything about tokens being fungible is dependent on a key being used to sign and redeem: malicious issuers could use unique keys for each visitor making a fungible token into a unique id
09:00:22 <urata_> urata_ has joined #trusttokens
09:00:29 <toml> …so like at redemption time you can ask the idp what keys it uses, and it can only tell you a couple of keys so you're not bucketed any more narrowly than that
09:00:46 <toml> ???: so the issuer could use certain keys per ip?
09:00:53 <melanierichards> melanierichards has joined #trusttokens
09:01:04 <toml> kleber: recognizing the user lets them do that
09:01:36 <toml> ???2: another attack surface — potentially revealing which IDPs you rely on
09:02:01 <toml> kleber: if you're not affiliated with the idps that a site trusts, then maybe you get a bunch of challenges
09:02:07 <toml> …seems unlikely
09:02:25 <toml> tony: is there crypto agility in this?
09:02:49 <RRSAgent> I have made the request to generate https://www.w3.org/2019/09/18-trusttokens-minutes.html Ian
09:02:53 <toml> ???3: the voprf spec is an individual draft submitted in the IETF
09:03:07 <toml> …not adopted yet
09:03:16 <toml> tony: pointer to the internet draft?
09:03:27 <Ian> s/???3/Brad_Lassey
09:04:07 <Ian> s/???3/Brad_Lassey/g
09:04:13 <toml> toml: there are also way old implementations of blind tokens with no ip implications imo
09:04:14 <btidor> q+
09:04:18 <toml> ack toml;
09:04:21 <toml> ack toml
09:04:21 <Zakim> toml, you wanted to ask about certs
09:04:32 <blassey> https://datatracker.ietf.org/doc/draft-irtf-cfrg-voprf/
09:05:05 <toml> ben: how does issuance work? a first party with lots of confidence in a user. for a payments use case with many different sources of trust? can you use that?
09:05:13 <toml> kleber: probs not, tbh
09:05:26 <toml> kleber: the issuer doesn't have to be someone you're visiting right now
09:06:05 <toml> kleber: news.example could ask for trust-r-us.example to issue stuff just on the basis on news.example activity!
09:06:09 <reillyg> reillyg has joined #trusttokens
09:06:16 <toml> …so can be single-domain
09:06:31 <toml> …cross-domain usage like that would require cross-domain tracking
09:06:43 <Ian> q+
09:07:10 <Ian> toml: You said "they need ot avoid linking you to the device"; that's not true...you just need to authenticate one time and you could potentially keep them around on the same or another device
09:07:25 <toml> …but maybe a credit-card company knows you real well
09:07:53 <wseltzer> ack ian
09:08:08 <toml> Ian: so suppose i go to make a payment, the payment handler goes to an issuing bank and gets trust tokens, and that's better than the alternative
09:08:33 <blassey> q?
09:08:37 <toml> ben: really thinking of payments without existing relationship
09:09:37 <Ian> toml: I think that that use case is weird. The issuing bank would issue a credential.
09:09:47 <Ian> ..and they would be worth money
09:09:54 <toml> mark: haven't read the proposal in a while
09:10:01 <toml> …so i'm browsing
09:10:02 <rbyers> rbyers has joined #trusttokens
09:10:11 <toml> …and sometimes i accumulate these tokens, just 'cause
09:10:24 <toml> …and sometimes i do other things, and have to spend those tokens
09:10:33 <toml> …can that site say which tokens they accept?
09:10:46 <toml> kleber: yes, can be multiple, can't be many
09:10:52 <toml> q+ to ask about issuer binding
09:11:01 <toml> mark: so the goal is for them to represent trust
09:11:08 <toml> …but they could represent something else
09:11:12 <jeffh> q?
09:11:25 <toml> kleber: behold the question: who can be an issuer?
09:11:41 <toml> …but if we allow anyone to issue them, maybe they're used for non-trust reasons?
09:11:45 <toml> …what even
09:11:53 <toml> …what restrictions do we need if we do that
09:12:11 <toml> mark: but when there's a privileged action, that sounds like consolidation of power
09:12:17 <toml> …v. interesting
09:12:31 <toml> kleber: yea, but i hope this sounds pretty benign
09:12:38 <toml> mark: IDK, you know
09:12:44 <toml> …could get weird
09:12:48 <Ian> q?
09:12:50 <toml> kleber:yeah
09:12:59 <toml> tony: can they be shared between browsers?
09:13:08 <toml> kleber: expect them to be browser-specific
09:13:24 <toml> …not accessible to js apis or ~~~~extensions~~~
09:13:45 <Ian> ack btidor
09:13:49 <toml> mwest: possible to for browsers to share if they want, possibly syncing.
09:13:50 <Ian> ack tom
09:13:50 <Zakim> toml, you wanted to ask about issuer binding
09:13:54 <Ian> scribenick: Ian
09:14:07 <rmondello> rmondello has joined #trusttokens
09:14:09 <Ian> toml: You mentioned (Michael) limiting a site to only accepting trust tokens from a couple of possible issuers
09:14:27 <Ian> ...but that seems like it would trap a site in the dilemma of which 3 companies it might rely on.
09:14:51 <Ian> ...I would suggest that it is innocuous to require a site to pick a small number of parties it is willing to rely on
09:15:00 <Ian> Michael: It's a tradeoff
09:15:08 <Ian> ...entropy leakage v. flexibility
09:15:26 <Rossen_> Rossen_ has joined #trusttokens
09:15:32 <Ian> toml: I am optimistic that there's an approach that can put a ceiling on the cross-site entropy by having some degree of negotiation between browsers and sites
09:15:39 <Rossen_> q?
09:15:46 <Ian> ...where browsers get to pick and may do things inconsistently (intentionally)
09:15:53 <toml> scribenick: toml
09:16:02 <toml> ???2: do tokens live forever?
09:16:14 <toml> kleber: only as long as those issuing keys are valid
09:16:22 <toml> …browsers could limit key lifetimes
09:16:30 <toml> …could be some lifetime for those things
09:16:39 <toml> …but evertokens seem fine too probably
09:17:05 <toml> …seems like fast rotation is also bad because revealing
09:17:08 <toml> ben: revocable?
09:17:10 <jeffh> q?
09:17:12 <toml> kleber: nope
09:17:30 <toml> kleber: so probably don't give out too many tokens
09:17:44 <Ian> toml: I propose "fungible" instead of "indistinguishable"
09:17:53 <Ian> michael: Sounds good
09:18:01 <toml> …but maybe that's why you rotate keys
09:18:18 <toml> kleber: what the browser knows is that the token is signed by a particular key
09:18:41 <toml> …or it could be signed by any of N keys! that's another neat trick!
09:18:41 <Ian> toml: Might be compatible with older versions of blind sigs
09:19:09 <toml> …before, it was signed with a particular key, now it might only be signed with one of several keys
09:19:22 <toml> …so now you can issue trust and distrust too!
09:19:36 <toml> …some of those keys are for the good bit, some for the bad bit
09:19:58 <toml> …so you can secretly issue people bad tokens when they think they're getting good tokens
09:20:12 <toml> …good for preventing fraud by lengthening the cycle
09:20:35 <toml> ???2: but presumably the relying site is going to give the game away
09:20:50 <toml> kleber: no, redemption happens on the issuer site to get that cert
09:21:08 <toml> …but yes you're right, they might give the game away
09:21:21 <toml> …but maybe they pretend to do the right thing, but secretly don't
09:21:29 <blassey> q?
09:21:45 <toml> john: can consume the tokens and claim legitimacy, but only the user is fooled
09:21:50 <wseltzer> q+
09:21:53 <RRSAgent> I have made the request to generate https://www.w3.org/2019/09/18-trusttokens-minutes.html Ian
09:22:04 <toml> kleber: relevance to conversion measurement
09:22:22 <toml> john: how to prevent fraud with non-identifying ad-click attribution
09:22:23 <wseltzer> q+ to ask where you/the room would like to see this go next
09:22:45 <toml> …soooo, maybe we use trust tokens with the attribution reports to anti-sibyl?
09:23:00 <toml> …two tokens, one at click time, and one from the advertiser when you convert
09:23:15 <toml> …but only when the browser associates those events are those things used
09:23:44 <toml> kleber: yes, multipurpose! can be used for many situations where a server wants to send fungible messages to future self
09:23:53 <toml> …might not be a single bit, might not need to be hidden
09:24:05 <toml> …might just want to report a conversion of type seventeen
09:24:14 <toml> …token wrapped around 17, blind sig on 17
09:24:26 <toml> …then those private tokens can be passed around like this
09:24:45 <toml> john: that would make all these advertisers and so on issuers of tokens
09:25:26 <RRSAgent> I have made the request to generate https://www.w3.org/2019/09/18-trusttokens-minutes.html Ian
09:25:28 <Ian> ack wsl
09:25:30 <toml> …one more thing: because of how it's specced for 24-48h delay before reports, proofs can be lazily checked to help prevent sneaky iding
09:25:31 <Ian> ack ws
09:25:31 <Zakim> wseltzer, you wanted to ask where you/the room would like to see this go next
09:25:46 <toml> wendy: where do you and the room see this going next?
09:26:05 <toml> kleber: for me, personally, most interested in the ad fraud use case as cookies stop being good for that
09:26:09 <toml> …but clearly lots of them
09:26:15 <toml> …just came up with another use case
09:26:32 <toml> …works with microsoft's auditability spec
09:26:44 <Ian> (Soft proposal: WICG)
09:26:46 <toml> ???3: so wicg?
09:27:06 <toml> ???4: does someone else want this?
09:27:14 <toml> kleber: cloudflare, for sure
09:27:17 <Ian> s/???3/blassey
09:27:18 <toml> john: apple too
09:27:30 <wseltzer> s/???4/rickbyers/
09:27:42 <Ian> toml: I am not sure WICG is the right venue
09:28:04 <Ian> wseltzer: WICG can be a place for collaborative development and is designed for that
09:28:09 <toml> wendy: wicg could support collaborative development!
09:28:32 <toml> …if there's a pattern of non-collaborative development, that shouldn't reflect the norm
09:28:50 <Ian> toml: Could be in the privacy CG
09:29:02 <toml> kleber: seems like wicg is right
09:29:45 <Ian> toml: My impression of the decision-making mechanic is wicg is that there's one author who writes the spec; that may not be a dynamic that solicits a lot of input
09:30:13 <Ian> toml: "Trust tokens, very exciting, lots of applications, ready for more work in group TBD!"
09:30:21 <RRSAgent> I have made the request to generate https://www.w3.org/2019/09/18-trusttokens-minutes.html Ian
09:33:21 <MasayaIk_> MasayaIk_ has joined #trusttokens
10:06:29 <MasayaIkeo> MasayaIkeo has joined #trusttokens
12:01:18 <dave> dave has joined #trusttokens
13:19:07 <Zakim> Zakim has left #trusttokens
13:35:56 <Ian> Ian has left #trusttokens