[Webkit-unassigned] [Bug 222838] New: PCM: Align fraud prevention token naming with issue 73 in the Privacy CG repo

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Mar 5 15:31:04 PST 2021


https://bugs.webkit.org/show_bug.cgi?id=222838

            Bug ID: 222838
           Summary: PCM: Align fraud prevention token naming with issue 73
                    in the Privacy CG repo
           Product: WebKit
           Version: WebKit Local Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebKit Misc.
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: wilander at apple.com

The names below for the fraud prevention token link attribute, well-known locations, and report fields were suggested in https://github.com/privacycg/private-click-measurement/issues/73 and we should update WebKit’s implementation accordingly.

# Link Attribute

attributionsourcenonce/attributionSourceNonce: This is the random nonce the click source provides so that subsequent requests for signing an unlinkable token can be done with knowledge of the context of the click even though the user has left the click source webpage.

Example: <a href="https://shop.example" attributionsourceid="55" attributeon="https://shop.example" attributionsourcenonce="ABCDEFabcdef0123456789">Link to be measured</a>


# Well-Known Locations

/.well-known/private-click-measurement/sign-unlinkable-token/: This is the well-known location where the browser sends an unlinkable token together with the attribution source nonce to get a token signature.

/.well-known/private-click-measurement/get-token-public-key/: This is the well-known location where the browser fetches the public key associated with the private key used for signing tokens. Note that this key is associated with signatures that validate both unlinkable and secret tokens.


# Attribution Report Fields

source_secret_token: This field in the JSON report will contain the secret token associated with the unlinkable token signed by the click source. Note that the source prefix is needed here to allow for a similar token from the attribute-on website.

source_secret_token_signature: This field in the JSON report will contain the secret token signature associated with the unlinkable token signature from the click source. Note that the source prefix is needed here to allow for a similar signature from the attribute-on website.

Example:

{
  "source_engagement_type": "click",
  "source_site": "https://news.example",
  "source_id": 55,
  "attributed_on_site": "https://shop.example",
  "trigger_data": 10,
  "source_secret_token": <encoded token>,
  "source_secret_token_signature": <encoded signature>,
  "version": 2
}

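How a click source's report endpoint could check the two new report fields before counting an attribution, as an added example that is not code from WebKit or the Privacy CG proposal. It assumes base64url-encoded values and an RSA-PSS/SHA-384 signature, neither of which this bug report specifies; `checkReport`, `makeSample` and the result strings are hypothetical names, and the replay check goes beyond what the report describes.

```javascript
const crypto = require("node:crypto");

// Assumption: RSA-PSS with SHA-384 (48-byte salt) and base64url field encoding.
const PSS = { padding: crypto.constants.RSA_PKCS1_PSS_PADDING, saltLength: 48 };
const B64URL = /^[A-Za-z0-9_-]+$/;

// Returns "ok" or a rejection reason. `seen` holds tokens already redeemed.
function checkReport(report, publicKey, seen) {
  const token = report.source_secret_token;
  const sig = report.source_secret_token_signature;
  // A report without the token pair is unauthenticated, not valid by default.
  if (token === undefined || sig === undefined) return "missing-token";
  if (typeof token !== "string" || typeof sig !== "string" ||
      !B64URL.test(token) || !B64URL.test(sig)) return "malformed-token";
  const ok = crypto.verify("sha384", Buffer.from(token, "base64url"),
                           { key: publicKey, ...PSS }, Buffer.from(sig, "base64url"));
  if (!ok) return "bad-signature";
  // A validly signed token may back exactly one report.
  if (seen.has(token)) return "replayed-token";
  seen.add(token);
  return "ok";
}

// Constructed sample data: a throwaway key pair and a directly signed token.
// In deployment the browser supplies both values in the report.
function makeSample() {
  const { publicKey, privateKey } =
    crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
  const token = crypto.randomBytes(32);
  const sig = crypto.sign("sha384", token, { key: privateKey, ...PSS });
  const report = {
    source_engagement_type: "click",
    source_site: "https://news.example",
    source_id: 55,
    attributed_on_site: "https://shop.example",
    trigger_data: 10,
    source_secret_token: token.toString("base64url"),
    source_secret_token_signature: sig.toString("base64url"),
    version: 2,
  };
  return { publicKey, report };
}
```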