It can take between 2 and 8 hours for browsers to pick up the new key
commitments.

The recommended solution for rotating keys is to serve a key commitment
with overlapping keysets.

Chrome will use the oldest 3 (or 3 when using the VOPRF non-private
metadata mode) non-expired keys. So if you have a key commitment with your
previous keys that expire at 10 PM on Friday and also the new keys that
expire next week, clients will keep using the first key set until 10 PM on
Friday before dropping those keys and switching over to the new keyset
atomically.




On Wed, Nov 3, 2021 at 8:40 AM Tiago Vargas <tcominvar...@gmail.com> wrote:

> Hi Guys,
>
> We are experimenting with Trust Token and we would like to continue to do
> so for a little longer.
>
> Currently we do have performance problems whenever we change key
> commitments. As it takes a while to change key commitments on browsers, we
> get a lot of old token refresh and issuance errors. Until it propagates, our
> server literally explodes.
>
> Do you know if there is a way to know when Key Commitments are updated on
> the browser?
>
> Regards,
>
> Tiago
> On Tuesday, September 28, 2021 at 12:47:56 UTC-3,
> rby...@chromium.org wrote:
>
>> LGTM3
>>
>> On Thu, Sep 23, 2021 at 1:51 PM Daniel Bratell <brat...@gmail.com> wrote:
>>
>>> With a gap, LGTM2
>>>
>>> /Daniel
>>> On 2021-09-23 14:14, Yoav Weiss wrote:
>>>
>>> As this is an atypical OT, this requires 3 LGTMs.
>>>
>>> *LGTM1* to extend to M101, conditional on a 2 weeks gap to demonstrate
>>> that there's no premature reliance on the API.
>>>
>>> On Wed, Sep 22, 2021 at 10:26 PM Steven Valdez <sva...@chromium.org>
>>> wrote:
>>>
>>>> Contact emails
>>>>
>>>> sva...@chromium.org, privacy...@chromium.org
>>>>
>>>> Spec
>>>>
>>>>
>>>> https://docs.google.com/document/d/1TNnya6B8pyomDK2F1R9CL3dY10OAmqWlnCxsWyOBDVQ/edit
>>>>
>>>> https://github.com/WICG/trust-token-api
>>>>
>>>> Summary
>>>>
>>>> This is a new API for propagating a notion of user authenticity across
>>>> sites, without using cross-site persistent identifiers like third party
>>>> cookies. Trust Token is built on Privacy Pass
>>>> <https://privacypass.github.io/> for anonymous tokens that can't be
>>>> tracked between issuance and redemption.
>>>>
>>>> An Origin Trial for Trust Token started in M84 and is scheduled to end
>>>> in M94. Due to the shift in the API from a primarily first-party issuance
>>>> model to a third-party issuance model, we've gotten feedback from partners
>>>> that spinning up the complex infrastructure and models for third-party
>>>> issuance is taking longer than anticipated. In order to give issuers more
>>>> time to experiment with this model, we'd like to extend the Origin Trial to
>>>> M101 (April 2022).
>>>>
>>>> Link to “Intent to Prototype” blink-dev discussion
>>>>
>>>> https://groups.google.com/a/chromium.org/g/blink-dev/c/X9sF2uLe9rA/
>>>>
>>>> Previous Intent to Extend:
>>>>
>>>>
>>>> https://groups.google.com/a/chromium.org/g/blink-dev/c/-W90wVkS0Ks/m/HyICZtuuBAAJ
>>>>
>>>> Goals for experimentation
>>>>
>>>> For the continuation of the origin trial, we hope to continue to get
>>>> more experimental data on the value of these token-derived signals from
>>>> issuance schemes that take place in the third-party context, rather than
>>>> where a strong first-party signal is available. Additionally, we are
>>>> continuing to iterate on the API shape and modes to bring it more in line
>>>> with the underlying Privacy Pass work being standardized in the IETF.
>>>>
>>>> Experimental timeline
>>>>
>>>> We'd like to extend the Origin Trial again to run to the end of M101
>>>> (April 2022).
>>>>
>>>> Any risks when the experiment finishes?
>>>>
>>>> As this feature is only available via Origin Trials and doesn't affect
>>>> any existing state, we don't believe there will be any risks once the
>>>> experiment concludes. As we don't maintain backwards compatibility between
>>>> different versions of Trust Token (
>>>> https://github.com/WICG/trust-token-api/blob/main/ISSUER_PROTOCOL.md#version-history),
>>>> as we update it based on ecosystem feedback, we don't expect there to be
>>>> ecosystem burn-in as the issuers and redeemers are still required to update
>>>> their implementations to continue functioning in the latest version of
>>>> Chrome (and the server-side components of the API provided by the component
>>>> updater maintains minimal compatibility so that older versions of the API
>>>> will cease to function within a version release or so). As an extra measure
>>>> of safety, we can also disable the API for a couple weeks to ensure that
>>>> the ecosystem is not burning in the availability of the API.
>>>>
>>>> Reason this experiment is being extended
>>>>
>>>>
>>>> https://groups.google.com/a/chromium.org/forum/?oldui=1#!msg/blink-dev/UIvia1WwIhk/DuXLKdF7AgAJ
>>>>
>>>> Due to the complexities of issuance strategies involving purely
>>>> third-party based issuance, we've seen that issuers are needing a longer
>>>> time to spin up their infrastructure and experiment logic in order to
>>>> verify the usefulness of the API. Due to the scope and shape of this API,
>>>> we'd like to get data from issuers who are using this API before trying to
>>>> launch it, to help understand the efficacy of the API and the parameters
>>>> that the shipped version of the API should be using/allowing.
>>>>
>>>> Ongoing technical constraints
>>>>
>>>> None.
>>>>
>>>> Will this feature be supported on all five Blink platforms supported by
>>>> Origin Trials (Windows, Mac, Linux, Chrome OS, and Android)?
>>>>
>>>> Yes.
>>>>
>>>> Link to entry on the feature dashboard <https://www.chromestatus.com/>
>>>>
>>>> https://chromestatus.com/feature/5078049450098688
>>>>
>>>> --
>>>> You received this message because you are subscribed to the Google
>>>> Groups "blink-dev" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>> an email to blink-dev+...@chromium.org.
>>>> To view this discussion on the web visit
>>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CANduzxCRQpheUxNs-o4YR_Z-9OoqjUhxMHWd3Lh01%2BTPyoZTgA%40mail.gmail.com
>>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CANduzxCRQpheUxNs-o4YR_Z-9OoqjUhxMHWd3Lh01%2BTPyoZTgA%40mail.gmail.com?utm_medium=email&utm_source=footer>
>>>> .
>>>>
>>

-- 

Steven Valdez |  Chrome Privacy Sandbox |  sval...@google.com |
 210-692-4742
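
The rotation described in the reply at the top of this message, as an added sketch that is not part of the thread or of Chrome's code. The key list is a constructed stand-in rather than the real key-commitment format, the function names are hypothetical, and two assumptions are made: "oldest" is ordered by expiry time, and a commitment should be published at least the 8-hour pickup bound before the old keys expire.

```python
from datetime import datetime, timedelta, timezone

MAX_KEYS = 3                          # "oldest 3 non-expired keys" (from the message)
MAX_PROPAGATION = timedelta(hours=8)  # slowest commitment pickup (from the message)

def active_keys(keys, now, limit=MAX_KEYS):
    """IDs a client would use at `now`: unexpired keys, earliest expiry
    first, capped at `limit`. Ordering by expiry is an assumption."""
    live = sorted((k for k in keys if k["expiry"] > now), key=lambda k: k["expiry"])
    return [k["id"] for k in live[:limit]]

def rotation_problems(keys, published_at, limit=MAX_KEYS):
    """Check an overlapping commitment before publishing it at `published_at`."""
    live = sorted((k for k in keys if k["expiry"] > published_at),
                  key=lambda k: k["expiry"])
    current, successors = live[:limit], live[limit:]
    if not successors:
        return ["no successor keys: clients have nothing to switch to"]
    problems = []
    if len({k["expiry"] for k in current}) > 1:
        # Staggered expiries make the "oldest N" window slide one key at a
        # time, so clients would hold a mix of old and new keys.
        problems.append("current keys expire at different times: switch is not atomic")
    if current[0]["expiry"] - published_at < MAX_PROPAGATION:
        # Slow clients may still hold the previous commitment at expiry.
        problems.append("published less than 8h before the current keys expire")
    return problems

# Constructed sample: old keyset expires Friday 22:00 UTC, new one a week later.
FRIDAY_10PM = datetime(2021, 11, 5, 22, 0, tzinfo=timezone.utc)
OLD = [{"id": i, "expiry": FRIDAY_10PM} for i in (1, 2, 3)]
NEW = [{"id": i, "expiry": FRIDAY_10PM + timedelta(days=7)} for i in (4, 5, 6)]
COMMITMENT = OLD + NEW

if __name__ == "__main__":
    for t in (FRIDAY_10PM - timedelta(minutes=1), FRIDAY_10PM):
        print(t.isoformat(), active_keys(COMMITMENT, t))
    print(rotation_problems(COMMITMENT, FRIDAY_10PM - timedelta(hours=3)))
```
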
