Open eriktaubeneck opened 3 years ago
For question 7, unless I am misunderstanding something about the protocol, I believe that this needs to be random. The flow, as I understand the blind signature process, is:

- `Blind(nonce)`, send to server
- `Sign(Blind(nonce))`, send to client
- `Unblind(Sign(Blind(nonce))) -> Sign(nonce)`
- `(Sign(nonce), nonce)` to server
- `Sign(nonce)` is a valid signature of `nonce`.

If the `nonce` is predictable, then the server would be able to effectively guess the nonce in Step 3, and if the server knows the nonce in Step 3, they can link a report sent in Step 5 back to the original signing request.
Please let me know if I'm potentially misunderstanding this. This is essentially the clarification/correction I'm proposing in #81.
cc @davidvancleve
cc @FredericJacobs
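An added illustration of the linkability concern in the comment above (not code from the issue or the proposal): textbook RSA blind signatures with a toy key, where "predictable" is modelled, as an assumption, by deriving the nonce from the signing-request timestamp that the server also sees. The names `predictable_nonce`, `run` and `REQUESTS` are hypothetical.

```python
import hashlib, math, secrets

# Toy RSA key built from two Mersenne primes (constructed; far too small for real use).
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

def h(nonce: bytes) -> int:
    return int.from_bytes(hashlib.sha256(nonce).digest(), "big") % N

def blind(nonce: bytes):
    """Client: hide H(nonce) behind a random factor r^E."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            return (h(nonce) * pow(r, E, N)) % N, r

def sign(x: int) -> int:                 # server: signs whatever value it is sent
    return pow(x, D, N)

def unblind(s: int, r: int) -> int:      # client: strip r to get Sign(nonce)
    return (s * pow(r, -1, N)) % N

def verify(nonce: bytes, sig: int) -> bool:
    return pow(sig, E, N) == h(nonce)

def predictable_nonce(ts: int) -> bytes:
    # Assumption: a "predictable" nonce is one derived from the request time.
    return hashlib.sha256(b"nonce|%d" % ts).digest()

def run(requests, nonce_for):
    """Issue one token per request, redeem them, return the server's link per token."""
    issue_log, tokens = [], []
    for client, ts in requests:
        nonce = nonce_for(ts)
        blinded, r = blind(nonce)
        issue_log.append((client, ts, blinded))   # everything the server sees at signing
        tokens.append((nonce, unblind(sign(blinded), r)))
    links = []
    for nonce, sig in tokens:                     # redemption: server sees (Sign(nonce), nonce)
        assert verify(nonce, sig)
        # Server recomputes the nonce each logged signing request would have used.
        guess = [c for c, ts, _ in issue_log if predictable_nonce(ts) == nonce]
        links.append(guess[0] if guess else None)
    return links

# Constructed sample signing requests: (client, unix timestamp).
REQUESTS = [("alice", 1700000000), ("bob", 1700000007), ("carol", 1700000031)]
```

The blinding factor hides the signed value in both runs; only the choice of nonce decides whether a redeemed token can be matched to a signing request.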
This is a break off from #41, specifically focused on the requirements for using unlinkable tokens to prevent the submission of unauthorized (fraudulent) click reports. Summarizing the requirements from that thread:
Other remaining open questions:
`trigger_site` as well as the `source_site`?

Given that there is limited time in the F2F, it seems useful to see if we can answer some of these questions async and spend that limited F2F time for the most difficult questions. cc @johnwilander, @csharrison, and @chris-wood, I've pulled these requirements and questions from your comments on #41.