Git-Mirrors/privacyguides.org
1
0
Fork 0
mirror of https://github.com/privacyguides/privacyguides.org.git synced 2025-08-06 05:24:24 -04:00
Code Issues Projects Releases Packages Wiki Activity

add more private state token info

Browse source
This commit is contained in:
fria 2025-03-28 16:25:38 -05:00 committed by GitHub
parent 5694a04154
commit 1b0dab92e6
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 18 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

21
blog/posts/privacy-pass.md
View file

@ -110,12 +110,27 @@ The landscape is very confusing right now so I'll try to illucidate what I've fo
It started out and is still an extension that can be installed on the [Chrome](https://chromewebstore.google.com/detail/silk-privacy-pass-client/ajhmfdgkijocedmfjonnpjfojldioehi) or [Firefox](https://addons.mozilla.org/en-US/firefox/addon/privacy-pass/) extension store, but it's since expanded to become an [IETF standard](https://datatracker.ietf.org/wg/privacypass/about/). Be warned that many reviews state the extension doesn't work anymore, if you were curious to try it out.
Privacy Pass utilizes [Ellyptical Curve Cryptography](https://pkic.org/2014/06/10/benefits-of-elliptic-curve-cryptography/), allowing for much more security than the RSA cryptography Chaum proposes in his original paper.
Unfortunately, the tokens issued using the Privacy Pass protocol need to be stored somewhere, so for the moment, a browser extension or some other storage mechanism is needed.
### Private State Tokens
[Private State Tokens](https://developers.google.com/privacy-sandbox/protections/private-state-tokens) are a [proposed browser API](https://github.com/WICG/trust-token-api) by Google as part of their [Privacy Sandbox](https://developers.google.com/privacy-sandbox). They're based on the Privacy Pass protocol.
The main benefit of PSTs is that they provide a secure place for websites to store their tokens so that you don't need a separate extension for every service, as well as providing all the needed APIs to securely store and access tokens without
The main benefit of PSTs is that they provide a secure place for websites to store their tokens so that you don't need a separate extension for every service.
The main actors at play with Private State Tokens are Issuers and Redeemers.
#### Issuers
Redeeemer websites must choose an Issuer to trust. They can even be the same company.
An issuer website will receive some signal about a user, be that a successful completion of a CAPTCHA challenge, account activity, or something else. They will then issue a token that's stored on the user's device.
#### Redeemers
A redeemer that needs to know something about a user, for example whether they're a bot or not, can request a token from an issuer they trust.
A device can store up to 500 tokens per top-level website and issuer, with metadata about the key that the issuer used to issue it.
### Private Access Tokens