WICG / trust-token-api

Trust Token API
https://wicg.github.io/trust-token-api/
Other
423 stars 83 forks source link

Protocol specification is incomplete #230

Closed martinthomson closed 1 year ago

martinthomson commented 1 year ago

The issuance procedures are described in a markdown document that only contains a pretty loose description of how things are expected to work. This is not precise enough for inclusion in an algorithm and is not up to the usual standards for W3C specifications in terms of error handling.

For instance, the document does not describe what a client needs to do in order to accept the tokens that an issuer produces. For instnace, the V in VOPRF is necessary here to ensure that the server has used one of the permitted keypairs, with similar checks needed for the PMB algorithms.

For instance, the request signing section contains a broken link.

dvorak42 commented 1 year ago

Hopefully as part of resolving #231, part of this can be resolved/redirected to the VOPRF draft. We'll work on integrating the specific callouts/checks from the IETF doc as part of the algorithm steps in the spec.

Request signing is a leftover from a previous version, I've removed it from that document.