diff --git a/api.bs b/api.bs
index e57a2c9..5f73acf 100644
--- a/api.bs
+++ b/api.bs
@@ -392,20 +392,12 @@ select a supported [=aggregation service=].
The page may select any of the supported services found in
aggregationServices.
The name of the selected service must be supplied as
-the `aggregator` member of the
+the {{PrivateAttributionConversionOptions/aggregator}} member of the
{{PrivateAttributionConversionOptions}} dictionary when calling the
measureConversion() method.
-
-This section needs to be more precise about [=site=] vs. [=origin=].
-
## Finding a Supported Aggregation Service ## {#find-aggregation-service}
-
Is any additional information required in the
-{{PrivateAttributionAggregationService}} dictionary? Do we want
-to rename `apiVersion` to `protocol`? And we should definitely
-define an enum for it.
-
The aggregationServices attribute
contains a list of aggregation services supported by the [=user agent=]. The page
must select and specify one of these services when calling the
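Review bot: the open issue "This section needs to be more precise about [=site=] vs. [=origin=]" is deleted without the surrounding text becoming any more precise; the remaining sentences still say only "The page may select any of the supported services". Either keep the issue block or state whether the selecting party, and the party the report is bound to, is the site or the origin. Separately, the unchanged context lines "found in aggregationServices" and "The aggregationServices attribute" still use the old attribute name while this patch renames the IDL attribute to `aggregators`; update those references in the same change so the autolinks resolve.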
@@ -416,14 +408,21 @@ but that is not required,
and impressions are not scoped to a single aggregation service.
+enum PrivateAttributionProtocol { "dap-12-histogram", "tee-00" };
+
dictionary PrivateAttributionAggregationService {
- required DOMString name;
- required DOMString apiVersion;
+ required DOMString url;
+ required DOMString protocol;
+};
+
+[SecureContext, Exposed=Window]
+interface PrivateAttributionAggregationServices {
+ readonly setlike;
};
[SecureContext, Exposed=Window]
interface PrivateAttribution {
- attribute FrozenArray aggregationServices;
+ readonly attribute PrivateAttributionAggregationServices aggregators;
};
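Review bot: the new `enum PrivateAttributionProtocol` is never used: `required DOMString protocol;` should be `required PrivateAttributionProtocol protocol;` so that an unrecognized protocol string is rejected by the bindings instead of reaching script as an opaque value. `readonly setlike;` is also missing its value type (WebIDL syntax is `readonly setlike<T>;`), and because Set membership uses SameValueZero, a set of dictionary objects cannot be looked up by URL, which is exactly the lookup measureConversion() has to perform; consider `readonly maplike<USVString, PrivateAttributionAggregationService>` keyed by the service URL. Since `url` holds a URL, USVString rather than DOMString is the conventional type.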
@@ -431,21 +430,33 @@ The aggregationServices attribute
contains the following information about each supported aggregation service:
- - name
+ - url
-
- Name of the aggregation service. This is passed as the `aggregator`
- parameter to measureConversion().
+ A URL that identifies an [=aggregation service=].
+ This value is passed as the {{PrivateAttributionConversionOptions/aggregator}} parameter
+ to measureConversion() to select the identified aggregation service.
- - apiVersion
+ - protocol
-
- Version of the Private Attribution API supported by this aggregator. Even if
- an aggregator supports multiple versions of the API, it is expected to
- assign a unique aggregation service name for each supported version.
- Thus, the API version is implicit in the aggregator selection
- and does not need to be passed to measureConversion().
+ The {{PrivateAttributionProtocol|protocol}} that the [=aggregation service=] uses.
+ Different versions of the same protocol use different values.
+ Even if a single service provider supports multiple protocols,
+ each needs to use a different URL.
+ This ensures that each can be uniquely identified by URL
+ without also specifying the choice of protocol.
+The PrivateAttributionProtocol describes the submission protocol
+used by different [=aggregation services=]. This document defines two protocols:
+
+
+ - dap-12-histogram
+ - A DAP-based protocol [[DAP]] that uses [=MPC=]; see [[#s-mpc]].
+ - tee-00
+ - A protocol for submission to a [=TEE=]; see [[#s-tee]].
+
+
## Saving Impressions ## {#save-impression-api}
The saveImpression() method requests
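Review bot: the text says the `aggregator` option selects a service by its `url` but not how the match is performed: exact comparison of the string, or equality after URL parsing and serialization? Because the selected URL determines which service the conversion report is bound to, specify it (for example, the value MUST be an absolute URL and selection is an exact match against the serialized URL) and say what measureConversion() does when nothing matches. "Even if a single service provider supports multiple protocols, each needs to use a different URL" should use RFC 2119 language (MUST), since the following sentence relies on that uniqueness. The lead-in "The aggregationServices attribute contains the following information" still uses the old name and should read `aggregators`, and the runs of blank lines around the protocol definition list can be collapsed to one.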
@@ -591,7 +602,7 @@ The arguments to measureConversion() are as
aggregator
A selection from the [=aggregation services=] that can be found in aggregationServices.
+ attribute for=PrivateAttribution>aggregators.
epsilon
The amount of [=privacy budget=] to expend on this [=conversion report=].
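Review bot: the added line `attribute for=PrivateAttribution>aggregators.` reads as a bare fragment (the opening of the autolink is not visible in the hunk), and it is appended after the unchanged sentence that still ends "found in aggregationServices.", so the `aggregator` entry now names both the old and the new attribute. The link to `aggregators` should replace that reference rather than follow it.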
@@ -889,7 +900,18 @@ The aggregation method also needs to define
how the aggregated result is obtained by a site.
-## Multi-Party Computation Aggregation ## {#mpc}
+## Multi-Party Computation Aggregation ## {#s-mpc}
+
+A Multi-Party Computation (MPC) system is one that
+involves multiple independent entities
+that cooperatively compute an agreed function.
+
+This specification uses an MPC system based on Prio [[PRIO]]
+and the Distributed Aggregation Protocol (DAP) [[DAP]].
+This is a two-party MPC system that is characterized by
+its reliance on client-provided proofs of correctness for inputs.
+This allows for very efficient MPC operation
+at a modest cost in the size of submissions to the system.
An aggregator that uses Multi-Party Computation (MPC)
comprises two or more independent services
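Review bot: the new paragraph describes "a two-party MPC system" while the unchanged sentence right after it says an MPC aggregator "comprises two or more independent services"; reconcile the two (the Prio/DAP arrangement used here has exactly two aggregating parties). The sentence "characterized by its reliance on client-provided proofs of correctness for inputs" should also spell out what the proofs buy and what they do not: the proofs protect the aggregate against malformed client inputs, while confidentiality of each input rests on the two parties not colluding, which is the concrete form of the honesty assumption this section later refers to.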
@@ -904,7 +926,7 @@ a subset of the entities that participate are honest.
### Prio and DAP ### {#prio}
-The "prio3" aggregation method
+The "dap-12-histogram" aggregation method
uses Prio [[PRIO]]
and the Distributed Aggregation Protocol (DAP) [[DAP]].
Specifically, this aggregation method uses
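Review bot: renaming "prio3" to "dap-12-histogram" bakes a DAP draft number into the identifier, but the [[DAP]] reference as cited here is unversioned; pin the reference to the draft that the "12" denotes, and state that a later DAP draft gets a new enum value rather than changing behaviour behind this string, which is the rule the earlier text "Different versions of the same protocol use different values" establishes. This section also calls it an "aggregation method" where the IDL and the `protocol` member call it a protocol; use one term.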
@@ -940,24 +962,23 @@ User agents need to include all of these extensions in reports
that they generate.
+## Trusted Execution Environments ## {#s-tee}
-
-## Trusted Execution Environments ## {#tee}
+A Trusted Execution Environment (TEE) uses specialized hardware
+to ensure that computation is isolated
+from other programs that run on the same hardware.
TODO
-## Conversion Report Encryption ## {#encryption}
-
-TODO
-
## Anti-Replay Requirements ## {#anti-replay}
[=Conversion reports=] generated by browsers are bound
to the amount of [=privacy budget=]
that was expended by the site that requested the report.
-TODO
+An [=aggregation service=] MUST guarantee
+that it does not accept the same report more than once.
# Differential Privacy # {#dp}
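Review bot: "MUST guarantee that it does not accept the same report more than once" does not define when two reports are the same, yet a replayed report lets the submitting site spend the same [=privacy budget=] twice, which is the property the preceding sentence is protecting. Define report identity (for example, a per-report identifier generated by the user agent and carried in the report) together with a bounded acceptance window, so an aggregation service can reject duplicates with a finite set of seen identifiers rather than unbounded state. Deleting "Conversion Report Encryption" also removes the only placeholder for how a report is encrypted to the selected aggregation service; with the TEE section still a TODO, leave a pointer to where encryption for each protocol is specified.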