IETF Logo Mail Archive

[Ppm] Re: DAP and disagreements about the active VDAF

Martin Thomson <mt@lowentropy.net> Tue, 16 December 2025 00:57 UTC

Return-Path: <mt@lowentropy.net>
X-Original-To: ppm@mail2.ietf.org
Delivered-To: ppm@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id A615D9B042AF for <ppm@mail2.ietf.org>; Mon, 15 Dec 2025 16:57:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=lowentropy.net header.b="DfpPzw+J"; dkim=pass (2048-bit key) header.d=messagingengine.com header.b="tuTpwqRz"
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YRnGIkXS16gl for <ppm@mail2.ietf.org>; Mon, 15 Dec 2025 16:57:33 -0800 (PST)
Received: from fout-a6-smtp.messagingengine.com (fout-a6-smtp.messagingengine.com [103.168.172.149]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 0F6D19B042AA for <ppm@ietf.org>; Mon, 15 Dec 2025 16:57:33 -0800 (PST)
Received: from phl-compute-04.internal (phl-compute-04.internal [10.202.2.44]) by mailfout.phl.internal (Postfix) with ESMTP id EF2E8EC01A6; Mon, 15 Dec 2025 19:57:32 -0500 (EST)
Received: from phl-imap-15 ([10.202.2.104]) by phl-compute-04.internal (MEProxy); Mon, 15 Dec 2025 19:57:32 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lowentropy.net; h=cc:cc:content-transfer-encoding:content-type:content-type :date:date:from:from:in-reply-to:in-reply-to:message-id :mime-version:references:reply-to:subject:subject:to:to; s=fm2; t=1765846652; x=1765933052; bh=xT5BaaXp5bJ8+SFsgw6MAGOk+6Pw89ZG T2WKOATe3OM=; b=DfpPzw+Jc6GGOoS7OtvlHLoLchhSKLPovDXkb8TJ/diNUGsZ NYG5Ceh2Oxh/L1xHE2ahTC27mgzJucV4yUm0MM5VXFtb2d2DtEL4jl+cpAW4MCU7 GD+si9HPSJqsf8IOUj3b9VtAH8++cH++GqtpJ8wvEqymAdpSseXLP6jVv6d+2+7j I6EcWsduFrTM9s+mW77NQ13yNpW0CFL+qbb3PM9ms3VPQ4+EDscSlMvu1CHt5Dfl T7c2QYDD3ROdWm85Lds2kKWGBjA7+Qag4xhUTiZ/grYz75r4/flrUR5Xb84luO1q zAkvWr3vjUhyBmoWU/XnSnTu8gWKtt+fhWJetA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-transfer-encoding :content-type:content-type:date:date:feedback-id:feedback-id :from:from:in-reply-to:in-reply-to:message-id:mime-version :references:reply-to:subject:subject:to:to:x-me-proxy :x-me-sender:x-me-sender:x-sasl-enc; s=fm1; t=1765846652; x= 1765933052; bh=xT5BaaXp5bJ8+SFsgw6MAGOk+6Pw89ZGT2WKOATe3OM=; b=t uTpwqRzB3ju7p7q0GoK2UwDfNVaqgFEtvnVs8G1xUU7D5xca+z5udPxDaAl3tq2m 5sHJALGu6YW+Vx3YWbI2SmWNI3BonF+jw+i88egWmR/PDyw35eFnlY6aJzJi6ves c9UknWBWht9fDkreUowVqJtHSpBqRnR0vaYOt5TxbuuyMeesQExFzVi/p7xy2lae MH+PMIX1Nyfz2eXjZzn4cBQu5QidT8ThvAZ5z5lPwyhDAKG3W59gCg9UOcPVSzyQ 4FDWJBy5h3QmhOl/Yi04orko/IhcLaGpHU31o2/j8YlGGq8nMMk9XjWGL77K0ibn 4Uu0rwNIArfQ/XJrmezgQ==
X-ME-Sender: <xms:fK5AaQc54d9mMKacsGh2wFCAy0wbctFXkj4HfHeKHyGWR1gyxakFpw> <xme:fK5AadBlJCzKGG49C9WIWdwWBe1A99XUlIBjMK9sPgl96_nOe-IBTXyjWqR66XK3y 3YVcvulgQz0txgsRxt3O7yGUc7Mt_ayLeKhdZEazpsMj3lU5W0VAPg>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeefgedrtddtgdefkeefudcutefuodetggdotefrod ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpuffrtefokffrpgfnqfghnecuuegr ihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenogfuuh hsphgvtghtffhomhgrihhnucdlgeelmdenucfjughrpefoggffhffvvefkjghfufgtgfes thhqredtredtjeenucfhrhhomhepfdforghrthhinhcuvfhhohhmshhonhdfuceomhhtse hlohifvghnthhrohhphidrnhgvtheqnecuggftrfgrthhtvghrnhepleeltddujeduvefg leekkeeuveejtdehteffveefgeffgeduiedtfeduhfektdelnecuffhomhgrihhnpehgih hthhhusgdrihhonecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmrghilhhf rhhomhepmhhtsehlohifvghnthhrohhphidrnhgvthdpnhgspghrtghpthhtohepvddpmh houggvpehsmhhtphhouhhtpdhrtghpthhtoheptghprghtthhonhestghlohhuughflhgr rhgvrdgtohhmpdhrtghpthhtohepphhpmhesihgvthhfrdhorhhg
X-ME-Proxy: <xmx:fK5AaQd0qB_2feusQ1zZ0VulJGtxnZq-oMLY7jqXU2N9Hx0wcTJc-Q> <xmx:fK5AaYNQ_7ObfFQ9bLRgcNb-UwLpbEmo1GuMNXhr5cw7EVp65JudLg> <xmx:fK5AafLvFw204uyUjA9gYoXi8xkU3D12DepCxQbI5oSi3ZglzRZC-w> <xmx:fK5AaRHftkvVuCo7U7cIDdyUbm00tvCx0oNlKnREytfwpVPcnt9SXw> <xmx:fK5AaZsYDEd1fJG-xz2bH8wonSdGinm3pabK8n72VLPaWbGdwFrJjG0C>
Feedback-ID: ic129442d:Fastmail
Received: by mailuser.phl.internal (Postfix, from userid 501) id BBDDB780054; Mon, 15 Dec 2025 19:57:32 -0500 (EST)
X-Mailer: MessagingEngine.com Webmail Interface
MIME-Version: 1.0
X-ThreadId: AdBZsEgtnBuo
Date: Tue, 16 Dec 2025 11:57:12 +1100
From: Martin Thomson <mt@lowentropy.net>
To: Christopher Patton <cpatton@cloudflare.com>
Message-Id: <96bf7378-ba76-4978-bd20-1e268751daba@betaapp.fastmail.com>
In-Reply-To: <CAG2Zi20-DWUEBKm6B7WpuOqsp8K41peDC-z3_dstuOkByiJjaQ@mail.gmail.com>
References: <571c3755-1d0f-4769-9d8a-47a5d3ab01c4@betaapp.fastmail.com> <CAG2Zi20E_aL02wR6q+uxYdBGXnT_yG87QPiv1tOjgNu8bknW=w@mail.gmail.com> <86d6c0dc-e3cf-4334-8958-c3809aa0e46e@betaapp.fastmail.com> <CAG2Zi20ZKqSkoDwfR18E4uhfYLJVmq9PTz5HSC8+fD=yDisTgg@mail.gmail.com> <993e8775-7591-4ab6-8ba8-a1cd3aef186d@betaapp.fastmail.com> <CAG2Zi20xqx_GB3QC2hu_=ovgGMJpo7iK52N2iWpPjng+UYkXvQ@mail.gmail.com> <3db18c3f-3041-460a-a769-67162eec8725@betaapp.fastmail.com> <CAG2Zi20-DWUEBKm6B7WpuOqsp8K41peDC-z3_dstuOkByiJjaQ@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: VDZSFMVOXRSZBXGXB5LPZ4KIDJL47OVX
X-Message-ID-Hash: VDZSFMVOXRSZBXGXB5LPZ4KIDJL47OVX
X-MailFrom: mt@lowentropy.net
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: ppm@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [Ppm] Re: DAP and disagreements about the active VDAF
List-Id: Privacy Preserving Measurement technologies <ppm.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ppm/6fAtUCyNdxsO6sO2QUHbYbAGZIQ>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ppm>
List-Help: <mailto:ppm-request@ietf.org?subject=help>
List-Owner: <mailto:ppm-owner@ietf.org>
List-Post: <mailto:ppm@ietf.org>
List-Subscribe: <mailto:ppm-join@ietf.org>
List-Unsubscribe: <mailto:ppm-leave@ietf.org>

On Tue, Dec 16, 2025, at 04:27, Christopher Patton wrote:
> It sounds like Attribution would want to early-bind to all parameters 
> of the task config. Is that correct?

Only in the sense that we can do so in the specification.  For that case, it doesn't make sense to allow flexibility in time precision, to give a concrete example.

> What about the Collector? Is the HPKE config determined at upload time, 
> aggregation time, or collection time? I'm wondering if Attribution 
> needs to allow multiple Collectors to collect the same batch.

The Collector identity is supposed to be the website that registers conversions.  We could maybe fix that identity at the time of submission, but the initial thought was to make that a separate parameter and therefore a separate report extension: https://martinthomson.github.io/dap-dp-ext/draft-thomson-ppm-dap-dp-ext.html#name-requester-website-identity

No need for multiple collectors, but it's desirable to avoid delivering too many of the Collector details to Clients. This is not because it can't be known, but because deploying and synchronizing that configuration is undesirable for much the same reason that deploying task IDs to Clients.

Websites driving the API will have to distribute accurate information about aggregation to every load of pages that involve conversions.  The current design is geared toward having the aggregation service as a whole identified with a single identifier, having many parameters fixed, and having only items relevant to the action the site wants to record being added. Right now, this is limited to histogram size and epsilon budget.

Adding the Collector identity (which might be the HPKE public key) is probably feasible, but it does add complexity.  I can see how we might argue that it is useful, which is not the case for task ID, which will change far more frequently and could become a maintenance challenge.

The main reason I would prefer not to add something like Collector identity is not complexity, but the effect it would have on rotation of those keys.  Sites would be justifiably reluctant to rotate things that are deployed to millions of browsers.  That might motivate some sort of indirection (supplying a URL where the keys can be found, for example, or, though I feel dirty typing it, a /.well-known/ resource).
 
> Actually, the `TaskConfig` structure has a `start_time` field:
> https://ietf-wg-ppm.github.io/draft-ietf-ppm-dap-taskprov/draft-ietf-ppm-dap-taskprov.html#section-3.1-2

Reading comprehension failure on my part.  Why doesn't this use Interval?

It's still hard for Attribution to use times like this.  It might be that we fix these values to (0, →∞) to get them out of the way.

v2.39.1 | Report a Bug | By Email | System Status