Re: Call for Adoption: Private State Tokens/Private Tokens Work Stream

On Tue, Nov 22, 2022 at 12:10 PM Sofía Celi <cherenkov@riseup.net> wrote:

> Hi all,
>
> The chairs are starting an adoption process for the Private State Tokens
> proposal:
>
> https://github.com/WICG/trust-token-api/
> https://github.com/antifraudcg/proposals/issues/7
>
> Given the need for other types of privacy-preserving tokens for the
> various capabilities being discussed in the CG, the authors are asking
> to adopt this item as part of a more generic Private Tokens work stream,
> discussing and developing documents for various types of
> privacy-preserving tokens (based on privacypass and similar technology)
> that are useful in the anti-fraud space.
>
> Please respond with any further feedback or support for the document and
> work stream in the next two weeks (try to get your feedback in by
> December 7th in time for the next CG meeting), and the chairs will
> determine whether there is sufficient support for the document to adopt
> it as an official CG work stream.


I support establishing a work stream that's focused on requirements for
privacy-preserving tokens and their applications to anti-fraud use cases,
though I don't think we should adopt the Private State Tokens document at
this time, for three primary reasons:

1. As I understand the situation, Private State Tokens do not yet have wide
implementer interest, so it's not clear to me what is the purpose of this
group in adopting them. Do other User Agents intend to actually implement
them? If so, I'd be more inclined to support alignment here.
2. As Tommy pointed out, Private State Tokens diverge from related
standards being developed elsewhere, especially with respect to the
underlying protocols and cryptography. The underlying protocols and
cryptography need to be specified elsewhere such that they can receive proper
review, and I don't think this group is the right place to do it. In my
mind, this group -- and the W3C in general -- should focus on use of
technologies in a web context.
3. Taking a step back, I see this community group's primary value being in
the thoughtful exploration of the solution space and requirements for
real-world applications. I don't think spending our time discussing mechanical
things like APIs helps advance that goal. That is, I think it would just be
a distraction and impede our overall progress.

I think Private State Tokens is a valuable contribution that helped shape
the community's approach and thinking around anti-fraud use cases, but
ultimately I think the document needs more work and overall support before
it's ready to be adopted by this group.

Best,
Chris

Received on Tuesday, 6 December 2022 21:59:36 UTC