From dcf1a7d1b69418a906a09c8348fd0685fbb8e91d Mon Sep 17 00:00:00 2001
From: Junye Chen
Date: Fri, 28 Jun 2024 10:56:19 -0700
Subject: [PATCH] Issue 48: Acknowledge security consideration of having task Author

---
 draft-wang-ppm-dap-taskprov.md | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)

diff --git a/draft-wang-ppm-dap-taskprov.md b/draft-wang-ppm-dap-taskprov.md
index b6daaea..53c428c 100644
--- a/draft-wang-ppm-dap-taskprov.md
+++ b/draft-wang-ppm-dap-taskprov.md
@@ -570,13 +570,19 @@ Author to be under control of the adversary. It is therefore incumbent on protocol participants to verify the privacy parameters of a task before opting in. -Another risk is that a malicious coalition of Clients might attempt to pollute -an Aggregator's long-term storage by uploading reports for many (thousands or -perhaps millions) of distinct tasks. While this does not directly impact tasks -used by honest Clients, it does present a Denial-of-Service risk for the -Aggregators themselves. This can be mitigated by limiting the rate at which new -tasks or configured. In addition, deployments SHOULD arrange for the Author to -digitally sign the task configuration so that Clients cannot forge task creation. +One risk introduced by the addition of the Author is the Author can configure +tasks uniquely for a Client. If the Author colludes with the Leader, it can +track the uploading activities of that Client, which leaks information about +that Client, e.g., location. + +Another risk introduced by configuring tasks from the Clients is that a +malicious coalition of Clients might attempt to pollute an Aggregator's +long-term storage by uploading reports for many (thousands or perhaps millions) +of distinct tasks. While this does not directly impact tasks used by honest +Clients, it does present a Denial-of-Service risk for the Aggregators +themselves. This can be mitigated by limiting the rate at which new tasks or +configured. In addition, deployments SHOULD arrange for the Author to digitally +sign the task configuration so that Clients cannot forge task creation. # Operational Considerations
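Review bot: The new first paragraph ("One risk introduced by the addition of the Author ...") states the Author/Leader collusion risk but, unlike the surrounding text (which pairs each risk with "incumbent on protocol participants to verify ..." or "This can be mitigated by ..."), gives the reader nothing to act on; either add what a participant can do about per-Client task configurations (for example, a sentence saying that the Helper or Clients should reject or refuse to opt into a task whose configuration appears unique to a single Client) or state explicitly that the draft offers no mitigation beyond not trusting the Author. Second, the pre-existing typo "limiting the rate at which new tasks or configured" is carried over verbatim into the added lines; since this hunk already rewrites that sentence, fix it to "at which new tasks are configured". Third, the opening sentence is ungrammatical: "One risk introduced by the addition of the Author is the Author can configure" should read "is that the Author can configure", and "risk introduced by configuring tasks from the Clients" would be clearer as "risk introduced by letting Clients convey task configurations", since in this design the Author, not the Client, configures the task.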