开源的匿名身份认证服务
- Meta has open-sourced Anonymous Credential Service (ACS), a highly available multitenant service that allows clients to authenticate in a de-identified manner.
- Meta公司已经开源了匿名凭证服务(ACS),这是一个高度可用的多租户服务,允许客户以去身份化的方式进行认证。
- ACS enhances privacy and security while also being compute-conscious.
- ACS增强了隐私和安全,同时也具有计算意识。
- By open-sourcing and fostering a community for ACS, we believe we can accelerate the pace of innovation in de-identified authentication.
- 通过开源和培养ACS的社区,我们相信我们可以加快去身份验证的创新步伐。
Data minimization — collecting the minimum amount of data required to support our services — is one of our core principles at Meta as we develop new privacy-enhancing technologies to protect user data on our family of products. The goal is to deliver valuable user experiences while collecting and using less data.
数据最小化--收集支持我们服务所需的最小数据量--是Meta公司的核心原则之一,因为我们正在开发新的增强隐私的技术,以保护我们产品系列的用户数据。我们的目标是提供有价值的用户体验,同时收集和使用更少的数据。
Our approach to logging is one important example of this practice. Logging helps our engineers and developers evaluate performance and reliability, improve product features, and generate reports.
我们对日志的处理方法就是这种做法的一个重要例子。日志帮助我们的工程师和开发人员评估性能和可靠性,改进产品功能,并生成报告。
User identities aren’t necessary in most logging use cases and should be excluded from logging data. Removing authentication is one way to remove identifiers. But doing so makes the system vulnerable to various attacks, including data injection.
在大多数日志用例中,用户身份是不必要的,应该从日志数据中排除。移除认证是移除标识符的一种方式。但这样做使系统容易受到各种攻击,包括数据注入。
At Meta, we’ve built a better way for clients to authenticate in a de-identified manner: Anonymous Credential Service (ACS). At a high level, ACS supports de-identified authentication by splitting authentication into two phases, token issuance and token redemption. In the token issuance phase, clients contact the server through an authenticated channel to send a token. The server signs the token and sends it back. Then, in the de-identified authentication (or token redemption) phase, clients use a de-identified channel to submit data and authenticate it utilizing...