Open csharrison opened 1 year ago
I think this is a good idea for enhancement. There is definitely an interesting question on who should host the mailbox since conversion measurements from the advertiser may give timing information to the ad-tech or publisher if they were to receive that information.
As an initial straw man for the anti-replay logic: the MPC nodes should be able to keep a small state regarding e.g. the last time they ran an aggregation and the reports consumed since then. Each report would then have a timestamp in the encrypted information for the MPC so that the MPC could ignore events created on the device before the closed aggregation period. I imagine more nuance may be needed...
I would also want to discuss data retention time guarantees for such an ingestion system. One of the things that browsers will be able to specify is their trust in a particular set of nodes conducting an aggregation. Having (even encrypted) user data journaled somewhere for long periods of time becomes another attack surface.
Rather than sending reports directly to the MPC system, I want to consider routing them through an ingestion server, e.g. operated by the advertiser / publisher / ad tech. I believe this does not regress the security or privacy stance of this API, and it comes with a number of benefits:
We should figure out what anti-replay state management would look like in this system, but I think it will end up overall simplifying the system and making it more flexible.
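An added illustration of the anti-replay straw man from the discussion above (node keeps the close time of the last aggregation plus the reports consumed since then; each report carries a device timestamp readable only by the MPC nodes). This is example code written for this page, not code from the issue thread or from any actual MPC / aggregation service. It assumes that every report also carries a unique per-report nonce inside the MPC-only payload, and it abstracts the encryption away entirely (`Report` stands for the already-decrypted payload). It goes one step past the straw man: nonces of reports dated at or after the window close are carried into the next window, since clearing them would let such a report be replayed once the watermark advances.

```python
"""Straw-man anti-replay state for one aggregation (MPC) node.

Added example; not code from the issue or from any real MPC system.
Assumptions (not stated in the thread): each report carries a unique
nonce and a device timestamp inside the payload that only the MPC can
read; encryption/decryption is abstracted away here.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Report:
    nonce: str        # assumed: unique per report, inside the MPC-only payload
    created_at: int   # assumed: device timestamp, inside the MPC-only payload
    value: int        # the report's contribution to the aggregate


@dataclass
class AntiReplayState:
    """The small per-node state: a watermark plus nonces seen since it."""
    last_close: int = 0                                   # end of last closed window
    consumed: Dict[str, int] = field(default_factory=dict)  # nonce -> created_at

    def accept(self, report: Report) -> Tuple[bool, str]:
        """Decide whether a report may enter the currently open aggregation."""
        if report.created_at < self.last_close:
            # Created on the device before the last window closed: ignore it,
            # whether it is a late arrival or a replay of an old report.
            return False, "stale: created before the last closed window"
        if report.nonce in self.consumed:
            return False, "replay: nonce already consumed"
        self.consumed[report.nonce] = report.created_at
        return True, "accepted"

    def close_window(self, close_time: int) -> int:
        """Advance the watermark and drop per-report state that the watermark
        now covers. Returns the number of nonces discarded.

        Nonces dated at or after close_time are kept: the timestamp check
        alone would not stop them from being replayed in the next window.
        """
        if close_time < self.last_close:
            raise ValueError("window close time must not move backwards")
        keep = {n: t for n, t in self.consumed.items() if t >= close_time}
        dropped = len(self.consumed) - len(keep)
        self.last_close = close_time
        self.consumed = keep
        return dropped


def run_aggregation(state: AntiReplayState, reports: List[Report],
                    close_time: int) -> Tuple[int, List[Tuple[str, bool, str]]]:
    """Consume a batch of reports into one aggregation, then close the window.

    Returns the aggregate of accepted values and a per-report decision log.
    """
    total = 0
    decisions = []
    for r in reports:
        ok, why = state.accept(r)
        decisions.append((r.nonce, ok, why))
        if ok:
            total += r.value
    state.close_window(close_time)
    return total, decisions


if __name__ == "__main__":
    # Constructed sample traffic: a replay within a window, a stale report
    # after the window closes, and a future-dated report that survives a close.
    node = AntiReplayState()
    print(run_aggregation(node, [Report("a", 10, 1), Report("b", 20, 2),
                                 Report("a", 10, 1)], close_time=100))
    print(run_aggregation(node, [Report("a", 10, 1), Report("d", 150, 5),
                                 Report("f", 250, 7)], close_time=200))
    print(run_aggregation(node, [Report("f", 250, 7)], close_time=300))
    print(node)
```

The retained state is bounded by design: after each close the node holds only the watermark and the nonces of reports dated past it, which is the property the retention concern in the thread asks for, since nothing older than one window needs to be journaled at the node.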