LGTM3 On Wed, Oct 9, 2024 at 8:36 AM Vladimir Levin <vmp...@chromium.org> wrote:
> LGTM2 > > On Sat, Oct 5, 2024 at 7:47 AM Yoav Weiss (@Shopify) < > yoavwe...@chromium.org> wrote: > >> LGTM1 >> >> On Fri, Oct 4, 2024 at 8:48 PM Dan McArdle <dmcar...@chromium.org> wrote: >> >>> No, the reporting endpoint can’t infer the number of null contributions. >>> Critically, the browser pads the payload before encrypting it with the >>> Aggregation Service’s public key. That ciphertext is sent to the reporting >>> endpoint, so the performance of HTTP compression won’t vary depending on >>> the number of null contributions. >>> >>> Thanks for the questions! >>> >>> On Friday, October 4, 2024 at 1:43:03 AM UTC-4 Yoav Weiss wrote: >>> >>>> On Thu, Oct 3, 2024 at 8:58 PM Dan McArdle <dmcar...@chromium.org> >>>> wrote: >>>> >>>>> That’s correct! In isolation, cleartext payloads will be ~5x larger. >>>>> >>>>> In terms of magnitude, typical report sizes will increase from ~1.5 >>>>> KiB to ~6 KiB. (Double these estimates when debug mode is enabled.) >>>>> >>>> >>>> OK, that's not awful. >>>> One more annoying question - can the reporting endpoint distinguish >>>> between actual payload and padding using compression? >>>> In other words, will the lengths differ if the payload was compressed? >>>> >>>> >>>>> >>>>> >>>>> On Wednesday, October 2, 2024 at 10:30:28 PM UTC-4 Yoav Weiss wrote: >>>>> >>>>>> That's extremely useful, thanks!! >>>>>> >>>>>> Can you expand on the size of the payloads in question? I'm assuming >>>>>> we'd now be seeing 5x larger payloads, but I'm not sure what's the order >>>>>> of >>>>>> magnitude we're talking about here. >>>>>> >>>>>> On Wed, Oct 2, 2024 at 10:57 PM Dan McArdle <dmcar...@chromium.org> >>>>>> wrote: >>>>>> >>>>>>> Hi, Daniel! >>>>>>> >>>>>>> First, a little background. Sites make Private Aggregation >>>>>>> contributions from within isolated contexts, where they have access to >>>>>>> cross-site data. The browser sends these contributions back to the site >>>>>>> that made them via a report’s encrypted payload. Although the site’s >>>>>>> reporting endpoint cannot decrypt incoming payloads (that is the >>>>>>> Aggregation Service’s job), it can still see the length of the >>>>>>> encrypted payloads. >>>>>>> >>>>>>> We need the encrypted payload to have a fixed size to prevent sites >>>>>>> from leaking cross-site data. To achieve a fixed size, we limit the >>>>>>> number >>>>>>> of contributions and pad >>>>>>> <https://github.com/patcg-individual-drafts/private-aggregation-api#padding> >>>>>>> reports with null contributions if the limit is not reached. >>>>>>> >>>>>>> As for the workaround that I mentioned in the first message — >>>>>>> sending more contributions in a second report — only Shared Storage >>>>>>> callers >>>>>>> can do this. That’s why this I2S proposes increasing the number of >>>>>>> contributions per report for Protected Audience callers alone. >>>>>>> >>>>>>> The increased costs come in because more contributions per report >>>>>>> means larger encrypted reports, and thus more computation/storage on the >>>>>>> Aggregation Service. >>>>>>> >>>>>>> Thanks for the questions! Hope this helps. >>>>>>> >>>>>>> -Dan >>>>>>> >>>>>>> On Wednesday, October 2, 2024 at 12:05:43 PM UTC-4 Daniel Bratell >>>>>>> wrote: >>>>>>> >>>>>>>> I admit to not being the most versed in Private Aggregation, but I >>>>>>>> wonder why there is a limit at all? You say it might "increase the >>>>>>>> cost of >>>>>>>> operating the Aggregation Service", but that connection is not clear >>>>>>>> to me >>>>>>>> when you also say that people could work around the limit already. >>>>>>>> >>>>>>>> /Daniel >>>>>>>> On 2024-09-24 17:26, Dan McArdle wrote: >>>>>>>> >>>>>>>> Contact emails dmcar...@chromium.org >>>>>>>> >>>>>>>> Explainer >>>>>>>> https://github.com/patcg-individual-drafts/private-aggregation-api/pull/138 >>>>>>>> >>>>>>>> Specification >>>>>>>> https://github.com/patcg-individual-drafts/private-aggregation-api/pull/150 >>>>>>>> >>>>>>>> Summary >>>>>>>> >>>>>>>> Enables Protected Audience script runners to make up to 100 >>>>>>>> contributions per Private Aggregation report, compared to the current >>>>>>>> limit >>>>>>>> of 20. Private Aggregation limits the number of histogram contributions >>>>>>>> that can be embedded in a single aggregatable report, dropping any >>>>>>>> additional contributions. Shared Storage callers can work around the >>>>>>>> limit >>>>>>>> by invoking another Shared Storage operation. However, Protected >>>>>>>> Audience >>>>>>>> callers have no persistent storage, so they lose their excess >>>>>>>> contributions >>>>>>>> at the end of their auction. Note that this change is privacy neutral >>>>>>>> as >>>>>>>> the API's contributions are still limited by the same privacy budget. >>>>>>>> Due >>>>>>>> to padding, each Protected Audience report will have a larger payload, >>>>>>>> even >>>>>>>> if it did not need the larger contribution limit. We expect that these >>>>>>>> larger reports will increase the cost of operating the Aggregation >>>>>>>> Service. >>>>>>>> Please reach out with any feedback. >>>>>>>> >>>>>>>> >>>>>>>> Blink component Blink>PrivateAggregation >>>>>>>> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3EPrivateAggregation> >>>>>>>> >>>>>>>> TAG review https://github.com/w3ctag/design-reviews/issues/846 (We >>>>>>>> have not requested a signal for these changes specifically.) >>>>>>>> >>>>>>>> TAG review status Declined >>>>>>>> >>>>>>>> Risks >>>>>>>> >>>>>>>> >>>>>>>> Interoperability and Compatibility >>>>>>>> >>>>>>>> None >>>>>>>> >>>>>>>> >>>>>>>> *Gecko*: No signal ( >>>>>>>> https://github.com/mozilla/standards-positions/issues/805) We have >>>>>>>> not requested a signal for this change specifically. The Gecko >>>>>>>> position on >>>>>>>> Shared Storage (one of the ways Private Aggregation is exposed) is >>>>>>>> negative. >>>>>>>> >>>>>>>> *WebKit*: No signal ( >>>>>>>> https://github.com/WebKit/standards-positions/issues/189) We have >>>>>>>> not requested a signal for this change specifically. >>>>>>>> >>>>>>>> *Web developers*: Positive ( >>>>>>>> https://github.com/patcg-individual-drafts/private-aggregation-api/issues/81 >>>>>>>> ) >>>>>>>> >>>>>>>> *Other signals*: >>>>>>>> >>>>>>>> WebView application risks >>>>>>>> >>>>>>>> Does this intent deprecate or change behavior of existing APIs, >>>>>>>> such that it has potentially high risk for Android WebView-based >>>>>>>> applications? >>>>>>>> >>>>>>>> None >>>>>>>> >>>>>>>> >>>>>>>> Debuggability >>>>>>>> >>>>>>>> No new debug capabilities beyond the existing internals page ( >>>>>>>> chrome://private-aggregation-internals) and temporary debug mode. >>>>>>>> These capabilities will reflect the merged contributions. >>>>>>>> >>>>>>>> >>>>>>>> Will this feature be supported on all six Blink platforms (Windows, >>>>>>>> Mac, Linux, ChromeOS, Android, and Android WebView)? >>>>>>>> >>>>>>>> All but WebView >>>>>>>> >>>>>>>> >>>>>>>> Is this feature fully tested by web-platform-tests >>>>>>>> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md> >>>>>>>> ? Yes >>>>>>>> >>>>>>>> Flag name on chrome://flags None >>>>>>>> >>>>>>>> Finch feature name >>>>>>>> PrivateAggregationApi100ContributionsForProtectedAudience >>>>>>>> >>>>>>>> Requires code in //chrome? False >>>>>>>> >>>>>>>> Tracking bug https://crbug.com/360160864 >>>>>>>> >>>>>>>> Launch bug https://launch.corp.google.com/launch/4336057 >>>>>>>> >>>>>>>> Estimated milestones >>>>>>>> Shipping on desktop 131 >>>>>>>> Shipping on Android 131 >>>>>>>> >>>>>>>> Anticipated spec changes >>>>>>>> >>>>>>>> Open questions about a feature may be a source of future web compat >>>>>>>> or interop issues. Please list open issues (e.g. links to known github >>>>>>>> issues in the project for the feature specification) whose resolution >>>>>>>> may >>>>>>>> introduce web compat/interop risk (e.g., changing to naming or >>>>>>>> structure of >>>>>>>> the API in a non-backward-compatible way). >>>>>>>> None >>>>>>>> >>>>>>>> Link to entry on the Chrome Platform Status >>>>>>>> https://chromestatus.com/feature/5114676393017344?gate=5096059924381696 >>>>>>>> >>>>>>>> This intent message was generated by Chrome Platform Status >>>>>>>> <https://chromestatus.com/>. >>>>>>>> >>>>>>>> -- >>>>>>>> You received this message because you are subscribed to the Google >>>>>>>> Groups "blink-dev" group. >>>>>>>> To unsubscribe from this group and stop receiving emails from it, >>>>>>>> send an email to blink-dev+unsubscr...@chromium.org. >>>>>>>> To view this discussion on the web visit >>>>>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAGmnN45m%3DJJ3ja7_zA71nOn%3DjiBw%2Br0uFQuR0hwqHxtXzuZf4g%40mail.gmail.com >>>>>>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAGmnN45m%3DJJ3ja7_zA71nOn%3DjiBw%2Br0uFQuR0hwqHxtXzuZf4g%40mail.gmail.com?utm_medium=email&utm_source=footer> >>>>>>>> . >>>>>>>> >>>>>>>> -- >>>>>>> You received this message because you are subscribed to the Google >>>>>>> Groups "blink-dev" group. >>>>>>> To unsubscribe from this group and stop receiving emails from it, >>>>>>> send an email to blink-dev+unsubscr...@chromium.org. >>>>>>> >>>>>> To view this discussion on the web visit >>>>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/1ded3947-aff7-4fd5-9b42-d11f72bc7997n%40chromium.org >>>>>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/1ded3947-aff7-4fd5-9b42-d11f72bc7997n%40chromium.org?utm_medium=email&utm_source=footer> >>>>>>> . >>>>>>> >>>>>> -- >> You received this message because you are subscribed to the Google Groups >> "blink-dev" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to blink-dev+unsubscr...@chromium.org. >> To view this discussion on the web visit >> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOmohS%2BHVK6NNkFH%2BDUgPneWqZjL9eyJ%2Bv4a8YL3eHNK7%2Bx1eg%40mail.gmail.com >> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOmohS%2BHVK6NNkFH%2BDUgPneWqZjL9eyJ%2Bv4a8YL3eHNK7%2Bx1eg%40mail.gmail.com?utm_medium=email&utm_source=footer> >> . >> > -- > You received this message because you are subscribed to the Google Groups > "blink-dev" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to blink-dev+unsubscr...@chromium.org. > To view this discussion on the web visit > https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CADsXd2M%3DBeag8BK9OO17Ss_P%2B4MJCPA%3DDZ74_LphUu7w3%2BMBrg%40mail.gmail.com > <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CADsXd2M%3DBeag8BK9OO17Ss_P%2B4MJCPA%3DDZ74_LphUu7w3%2BMBrg%40mail.gmail.com?utm_medium=email&utm_source=footer> > . > -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscr...@chromium.org. To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOMQ%2Bw8QpkGePwqOec3NogjOjKdrkLPkiR%2B%3DYKnYWdrHNbWBBw%40mail.gmail.com.
