Private State Token Issuer Request - hCaptcha

Question

Private State Token Issuer Request - hCaptcha

Closed this issue a year ago · 12 comments

aliaksei-imi commented a year ago

Issuer Name

hCaptcha Issuer

Purpose

To detect bots using trust signals

Disclosure and Acknowledgement

I understand the technical restrictions on key rotation frequency of 60 days in the PST API.
I understand that my issuer registration will be valid for a period of six months after the key commitment is accepted, and that I will need to re-register in this repository following that six-month period.
I understand that in the future renewing my registration for this API may have additional requirements, to reduce the risk of abuse by token issuers.

Answer 1 · 2023-06-13T16:06:18.000Z

The content looks good, however one of the changes that landed since the origin trial was to require an "application/pst-issuer-directory" content-type/media-type on the key commitments (https://github.com/WICG/trust-token-api/blob/main/spec.bs#L183) to confirm that they're intended to be interpreted as key commitments.

Let me know when you've updated the endpoint and we can rerun the configuration.

(we'll hopefully have some tooling soon to automatically verify that on issue submission)

Answer 2 · 2023-06-13T16:07:40.000Z

You'll also want to update the version name to "PrivateStateTokenV1VOPRF". (if you're using libtrusttoken pulling the latest version should have the right format)

Answer 3 · 2023-06-13T17:02:19.000Z

@dvorak42 thank you for the feedback,

fixed the media type
changed the version to be PrivateStateTokenV1VOPRF

We don't use libtrusttoken, we're using boringssl instead, the keys were generated with TRUST_TOKEN_experiment_v2_voprf and now the code is using TRUST_TOKEN_pst_v1_voprf. It seems like the keys are compatible or do we need to regenerate them using TRUST_TOKEN_pst_v1_voprf?

Answer 4 · 2023-06-13T17:06:49.000Z

The key format is compatible, however the issuance/redemption messages have a slightly different serialization/format to bring it closer in-line with the IETF drafts so you should be fine if they were generated with the previous value.

Answer 5 · 2023-06-13T17:08:54.000Z

Your keys have been successfully parsed, they should be available in Chrome via component updater in approximately 4 hours (you can force an update if you have an up-to-date M114 with the feature enabled by going to chrome://components/ and hitting "Check for update" under Trust Token Key Commitments).

Answer 6 · 2023-06-13T17:15:35.000Z

Appreciate it, thank you

Answer 7 · 2023-06-20T15:58:29.000Z

It appears your endpoint is starting to error out and not providing valid keys.

Answer 8 · 2023-06-20T16:23:09.000Z

@dvorak42 we are fixing it at the moment

Answer 9 · 2023-06-20T16:30:17.000Z

@dvorak42 We were having a network related issue, which is fixed now. The keys are the same as they used to be, sorry for the inconvenvience,

Answer 10 · 2023-06-20T18:01:26.000Z

No worries, we might make our fetcher fallback to previous results in case of a network error. If you could have your endpoint respond with a HTTP error code rather than a 200 (if it doesn't already do so) that would be good in case of future issues. We'll update our documentation if we support that fallback.

Answer 11 · 2023-06-20T18:14:46.000Z

Deal, I will double check that it returns non-20x code on error, thank you

Answer 12 · 2023-06-20T18:15:58.000Z

@dvorak42 by the way, is there some SLA on allowed downtime in key commitment?

Issuer Name

Origin

Contact Email

Key Commitment Endpoint URL

Purpose

Disclosure and Acknowledgement