Make negative interest groups non-updatable

In a previous version of the negative targeting design, negative interest groups were updatable so that the additional bid key could be rotated more frequently than every 30 days. We've updated this design so that negative interest groups are non-updatable, and the additional bid key should be rotated exactly every 30 days.
WICG · Oct 5, 2023 · 7265cbe · 7265cbe
1 parent fdc51bb
commit 7265cbe
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/FLEDGE.md b/FLEDGE.md
@@ -995,7 +995,7 @@ We use a cryptographic signature mechanism to ensure that only the owner of a ne
 
 When a buyer joins a user into a negative interest group, they must provide their current 32-byte Ed25519 public key, expressed as a base64-encoded string, via the negative interest group's `additionalBidKey` field. This can be seen in the example above in section [6.2.1 Negative Interest Groups](#621-negative-interest-groups).
 
-When the buyer issues an additional bid, that bid needs to be signed using their current and previous Ed25519 secret keys. It's for this reason that additional bids may have more than one signature provided alongside the bid. The use of two keys here supports the 30-day key rotation: the previous key is used to verify negative interest groups stored on the user's device _prior_ to most recent key rotation, the current key is used to verify negative interest groups stored on the user's device _since_ the most recent key rotation. Only these two keys are needed, because all older keys will be at least 30 days old, and all negative interest groups stored prior to this date are guaranteed to have expired.
+When the buyer issues an additional bid, that bid needs to be signed using their current and previous Ed25519 secret keys. It's for this reason that additional bids may have more than one signature provided alongside the bid. The use of these two keys here supports the 30-day key rotation: the previous key is used to verify negative interest groups stored on the user's device _prior_ to most recent key rotation, the current key is used to verify negative interest groups stored on the user's device _since_ the most recent key rotation. Only these two keys are needed, because all previous keys will only have been used to join negative interest groups more than 30 days prior, and all of those negative interest groups are guaranteed to have expired.
 
 If the signature doesn't verify successfully, the additional bid proceeds as if the negative interest group is not present.  This "failing open" ensures that only the owner of the negative interest group, who created the additonalBidKey, is allowed to negatively target the interest group, and that nobody else can learn whether the interest group is present on the device.  Because the signature check "fails open", buyers should make sure they're using the right keys; for example it might be prudent to verify a bid signature before submitting the additional bid.