[blink-dev] Intent to Ship: Private State Tokens API

2023-03-17 Thread Steven Valdez
Contact emails ayk...@google.com, sval...@chromium.org, kaustub...@chromium.org Explainer https://github.com/WICG/trust-token-api NB: We'll rename the repository to private-state-token-api when it's adopted by the antifraud CG. Specification https://wicg.github.io/trust-token-api Design docs

Re: [blink-dev] Intent to Ship: Private State Tokens API

2023-10-11 Thread 'Steven Valdez' via blink-dev
(sending as a late FYI update as we discovered we never updated the blink-dev thread post ramp-up) Private State Tokens have been enabled for 100% of Chrome 114+ users. The feature is also enabled by default on the Chromium tip-of-tree as of July, which corresponds to the Chrome 117 release. On

Re: [blink-dev] Intent to Ship: Private State Tokens API

2023-04-05 Thread Yoav Weiss
On Fri, Mar 17, 2023 at 5:35 PM Steven Valdez wrote: > Contact emails > > ayk...@google.com, sval...@chromium.org, kaustub...@chromium.org > > Explainer > > https://github.com/WICG/trust-token-api > > NB: We'll rename the repository to private-state-token-api when it's > adopted by the antifraud

Re: [blink-dev] Intent to Ship: Private State Tokens API

2023-04-05 Thread 'Steven Valdez' via blink-dev
Private Access Tokens is roughly based on the Rate Limited privacy pass specification ( https://github.com/ietf-wg-privacypass/draft-ietf-privacypass-rate-limit-tokens/ ). It is primarily triggered via HTTP-Authentication headers and doesn't have a way of exposing that via a JS API. Developers are

Re: [blink-dev] Intent to Ship: Private State Tokens API

2023-04-05 Thread Mike Taylor
Thanks for linking to https://github.com/WICG/trust-token-api/blob/main/PST_VS_PAT.md - it's a really useful doc that I missed on my first read of this Intent. The API OWNERs (Yoav, Alex, Daniel, Philip, myself) were discussing this intent today and had some questions that are partially answer

Re: [blink-dev] Intent to Ship: Private State Tokens API

2023-04-06 Thread 'Steven Valdez' via blink-dev
Re: Supporting multiple crypto versions, there's no real utility beyond compatibility because particular UAs will only select one of the versions (based on their preferences), rather than trying to negotiate the crypto version. There's some discussion on standardizing to a RFC version of privacypa

Re: [blink-dev] Intent to Ship: Private State Tokens API

2023-04-06 Thread Mike Taylor
Thanks for the response, appreciated. On 4/6/23 10:02 AM, Steven Valdez wrote: Re: Supporting multiple crypto versions, there's no real utility beyond compatibility because particular UAs will only select one of the versions (based on their preferences), rather than trying to negotiate the c

Re: [blink-dev] Intent to Ship: Private State Tokens API

2023-04-12 Thread Mike Taylor
One other comment, in https://github.com/w3ctag/design-reviews/issues/414#issuecomment-975743619 - the TAG requested that y'all ping the thread when the spec was more concrete (or open a new issue). Probably a good time to do so now. On 4/6/23 11:18 AM, Mike Taylor wrote: Thanks for the resp

Re: [blink-dev] Intent to Ship: Private State Tokens API

2023-04-12 Thread Mike Taylor
Whoops, that happened in https://github.com/w3ctag/design-reviews/issues/780#issuecomment-1422995031 - please ignore. :) On 4/12/23 2:37 PM, Mike Taylor wrote: One other comment, in https://github.com/w3ctag/design-reviews/issues/414#issuecomment-975743619 - the TAG requested that y'all pin

Re: [blink-dev] Intent to Ship: Private State Tokens API

2023-04-21 Thread eric trouton
Hi all, We wanted to provide an update after reviewing Mozilla’s feedback and a few rounds of good discussion in the threads. We are making several small but significant changes based on the suggestions, after which we’d like to launch Private State Tokens in order to support some anti-fraud use

Re: [blink-dev] Intent to Ship: Private State Tokens API

2023-04-25 Thread Yoav Weiss
Thanks Eric! A couple of issues Martin Thomson filed and I don't think were addressed are #232 and #230. It'd be good to address them in some way. I also noticed that a bunch of issues were ad

Re: [blink-dev] Intent to Ship: Private State Tokens API

2023-04-26 Thread Rick Byers
Hey folks, Thanks for driving these improvements and taking Mozilla's feedback seriously. This seems almost ready to ship a V1 to me, modulo Yoav's last comment. Are there current docs somewhere for issuer registration? The chromestatus entry points to this google doc

Re: [blink-dev] Intent to Ship: Private State Tokens API

2023-04-26 Thread 'Steven Valdez' via blink-dev
From higher in the thread: The WIP registration document is at https://docs.google.com/document/d/1oB_YdRMvQWWAsqXsvxMr4FJCngcSBj2rLJzW15l8a_A/edit?usp=sharing . We're planning on hosting it on a Github repo and using that as the source of truth for issuer registrations. We have a slightly chic

Re: [blink-dev] Intent to Ship: Private State Tokens API

2023-04-26 Thread 'Eric Trouton' via blink-dev
Hi Yoav and Rick, Thanks for pointing out that we were missing a few responses (sorry about that!), but we are all caught up now. We'll keep an eye out for further discussion within each issue. Please let us know if you have any other questions, and thanks all for the great feedback! Eric On W

Re: [blink-dev] Intent to Ship: Private State Tokens API

2023-04-26 Thread Mike Taylor
On 4/26/23 12:07 PM, Steven Valdez wrote: From higher in the thread: The WIP registration document is at https://docs.google.com/document/d/1oB_YdRMvQWWAsqXsvxMr4FJCngcSBj2rLJzW15l8a_A/edit?usp=sharing. We're planning on hosting it on a Github repo and using that as the source of truth for

Re: [blink-dev] Intent to Ship: Private State Tokens API

2023-04-26 Thread Rick Byers
Thanks Steven, sorry I missed that. +1 to getting it on GitHub and links updated. Rick On Wed, Apr 26, 2023 at 3:09 PM Mike Taylor wrote: > On 4/26/23 12:07 PM, Steven Valdez wrote: > > From higher in the thread: > > The WIP registration document is at > https://docs.google.com/document/d/1oB_Y

Re: [blink-dev] Intent to Ship: Private State Tokens API

2023-04-26 Thread 'Steven Valdez' via blink-dev
We've added this as a WIP document in the repository: https://github.com/WICG/trust-token-api/blob/main/REGISTRATION.md. While the WICG repo won't be the final resting place for the policy/registration hopefully that works as an interim until we've got the final repo/policy published. On Wed, Apr

Re: [blink-dev] Intent to Ship: Private State Tokens API

2023-04-26 Thread Martin Thomson
I just raised https://github.com/WICG/trust-token-api/issues/240 based on this. I had missed that you were planning to register issuers. See the issue for more. On Thu, Apr 27, 2023 at 6:31 AM Steven Valdez wrote: > We've added this as a WIP document in the repository: > https://github.com/WIC

Re: [blink-dev] Intent to Ship: Private State Tokens API

2023-04-28 Thread 'Steven Valdez' via blink-dev
Thanks for the feedback, I've replied on Github with the reasoning and to continue the conversation. There's definitely some spec work to make the registration behavior clearer. -Steven On Wed, Apr 26, 2023 at 9:59 PM Martin Thomson wrote: > I just raised https://github.com/WICG/trust-token-api

Re: [blink-dev] Intent to Ship: Private State Tokens API

2023-05-02 Thread Rick Byers
Looking through the open issues and Martin's great feedback, it seems pretty clear that there are some significant interoperability risks here still. That said, Chrome's inability to remove 3PCs until we can demonstrate adequate replacements is also an ongoing interop (and privacy) cost for the web

Re: [blink-dev] Intent to Ship: Private State Tokens API

2023-05-03 Thread Mike West
I agree with Rick on the merits, but would point out one aspect of the enrollment mechanism that I think does have interop considerations that Chromium needs to consider. If embedders have a gate on issuance, we need to ensure that both sides of that gate have defined developer-facing behavior. It'

Re: [blink-dev] Intent to Ship: Private State Tokens API

2023-05-05 Thread 'Steven Valdez' via blink-dev
Rick: For the spec work, we've merged the type parameter removal into the spec and have a PR to add the permission policy integration. We've already updated Chrome for both of those changes. Mike: We would be checking enrollment/attestation when t

Re: [blink-dev] Intent to Ship: Private State Tokens API

2023-05-09 Thread 'Steven Valdez' via blink-dev
We've merged the permissions policy integration into the spec document. On Fri, May 5, 2023 at 1:14 PM Steven Valdez wrote: > Rick: For the spec work, we've merged the type parameter removal into the > spec and have a PR to > add the permission

Re: [blink-dev] Intent to Ship: Private State Tokens API

2023-05-10 Thread Mike West
On Fri, May 5, 2023 at 7:14 PM Steven Valdez wrote: > Rick: For the spec work, we've merged the type parameter removal into the > spec and have a PR to > add the permission policy integration. We've already updated Chrome for > both of those chan

Re: [blink-dev] Intent to Ship: Private State Tokens API

2023-05-10 Thread 'Steven Valdez' via blink-dev
We'll treat the fetch as if there weren't any issuer key commitments (since technically we don't surface the difference between an issuer registration not being available due to the key endpoint not returning anything versus never being added in the first place because they didn't update

Re: [blink-dev] Intent to Ship: Private State Tokens API

2023-05-12 Thread Mike Taylor
LGTM1 % resolving the following spec issues: https://github.com/WICG/trust-token-api/issues/232 https://github.com/WICG/trust-token-api/issues/230 On Wed, May 10, 2023 at 5:52 AM Mike West wrote: Will devtools help guide developers towards enrollment? Also I think Mike's question on de

Re: [blink-dev] Intent to Ship: Private State Tokens API

2023-05-15 Thread 'Steven Valdez' via blink-dev
Thanks, we'll work on fixing those two issues. I'm not sure what the general flow for enrollment in DevTools will look like, but if there's a general flow to detect when enrollment is missing for other APIs that check at runtime, we can try to integrate with that when PST calls are made with an un

Re: [blink-dev] Intent to Ship: Private State Tokens API

2023-05-16 Thread Mike West
LGTM2, with the understanding that cleaning up the developer-facing story around this work is important. I think the unenrolled case probably falls into step ~8 of https://wicg.github.io/trust-token-api/#issue-request, in which case I think the web-facing behavior is clearly-enough specified. I'd

Re: [blink-dev] Intent to Ship: Private State Tokens API

2023-05-16 Thread 'Steven Valdez' via blink-dev
We've filed crbug.com/1445984 to keep track of that and will update the developer articles to point more explicitly to the failure condition/requirements there. -Steven On Tue, May 16, 2023 at 5:30 AM Mike West wrote: > LGTM2, with the understanding that cleaning up the developer-facing story >

Re: [blink-dev] Intent to Ship: Private State Tokens API

2023-05-17 Thread Yoav Weiss
LGTM3 On Tuesday, May 16, 2023 at 6:04:48 PM UTC+2 sva...@google.com wrote: > We've filed crbug.com/1445984 to keep track of that and will update the > developer articles to point more explicitly to the failure > condition/requirements there. > > -Steven > > On Tue, May 16, 2023 at 5:30 AM Mike

Re: [blink-dev] Intent to Ship: Private State Tokens API

2023-05-17 Thread Rick Byers
LGTM4 FWIW. Thank you for working through these issues Steven! Rick On Wed, May 17, 2023 at 8:52 AM Yoav Weiss wrote: > LGTM3 > > On Tuesday, May 16, 2023 at 6:04:48 PM UTC+2 sva...@google.com wrote: > >> We've filed crbug.com/1445984 to keep track of that and will update the >> developer artic

Re: [blink-dev] Intent to Ship: Private State Tokens API

2023-06-08 Thread Steven Valdez
As an update, we're currently shipping to 1% to collect metrics to ensure this feature does not regress core web vitals, before ramping up the rollout to 100% in the coming weeks. On Wed, May 17, 2023 at 2:02 PM Rick Byers wrote: > LGTM4 FWIW. Thank you for working thro

Re: [blink-dev] Intent to Ship: Private State Tokens API

2023-06-08 Thread Mike Taylor
Side note: is there anything blocking https://github.com/WICG/trust-token-api/pull/257 from landing? On 6/8/23 9:28 AM, Steven Valdez wrote: As an update, we're currently shipping to 1% to collect metrics to ensure this feature does not regress core web vitals, before

Re: [blink-dev] Intent to Ship: Private State Tokens API

2023-06-09 Thread 'Johann Hofmann' via blink-dev
It looks like it needs review, and I'm one of the assigned reviewers... Sorry that I missed this. I'll take a look. On Thu, Jun 8, 2023 at 9:27 PM Mike Taylor wrote: > Side note: is there anything blocking > https://github.com/WICG/trust-token-api/pull/257 from landing? > On 6/8/23 9:28 AM, Stev