Comparison to first-party cookies

[bakkot]

Sorry I wasn't able to attend the talk this morning. This seems like a useful API, but I want to check my understanding here: the readme talks about how historically sites could use third-party cookies to establish visitor age, which is becoming less viable. Great. But the examples presented (of the form "has this user made a purchase on this site before") could be done just as well with a first party cookie, which don't have the same issues as third-party cookies, and the readme doesn't talk about first-party cookies at all.

So what's the improvement in this API vs setting a server-signed first-party cookie holding a timestamp?

Is the idea that multiple different sites would embed a third-party iframe from a single provider and the iframes would all have unpartitioned access to these tokens, so that age from one site could be anonymously carried to another? Or can multiple sites share the same pool of tokens in some other way?

[SamuelSchlesinger]

Is the idea that multiple different sites would embed a third-party iframe from a single provider and the iframes would all have unpartitioned access to these tokens, so that age from one site could be anonymously carried to another?

Yes, this is exactly right.

Or can multiple sites share the same pool of tokens in some other way?

No, we currently only have a single-party model. We discussed in the meeting today that a single-issuer, multi-verifier model is possible, but there are technical aspects that make this as the first approach a bit simpler to deploy.