Open eriktaubeneck opened 2 years ago
This relates to what is (newly) included in section 1.4:
All parties in a helper party network should be known a priori and web platform vendors should be able to evaluate risk of an attacker that is more powerful than our assumption, e.g., the attacker is able to control more than the (protocol specific) subset of helper parties in the network.
My contention is that the report collector isn't known a priori, and thus the vendor isn't able to evaluate the risk sufficiently. Moving this over to a new issue, as this is worth having a more detailed conversation on.
I don't feel too strongly on this point but it's worth mentioning a few options:
This still provides strictly more security than giving all the data to the semi-trusted party.
One of my working assumptions is that because this is an "open" API, we generally need to assume that report collectors are entirely untrusted, and we should defend against assume collusion with at least one helper party, which is how I arrived at the assumption that a single coordinator is insufficient. I agree that it is strictly more secure than a single semi-trusted party, but it seems to be very marginally so.
I would also say that with multiple coordinators, we are much more aligned in the threat model between the MPC and TEE instantiations, and the difference is almost entirely concentrated on the hardware vs crypto-software dimension. This seems like it would help minimize the layering we're attempting to do here.
I know you don't feel too strongly on this point, but I do think it's valuable to make an intentional decision on this point.
Those justifications sound good to me @eriktaubeneck. Happy to keep the doc as-is for now.
_Originally posted by @csharrison in https://github.com/patcg/docs-and-reports/pull/14#discussion_r1001879258_