Summary
Make EC withdrawal tombstoning idempotent across parallel and repeated requests.
On an explicit withdrawal signal with a ts-ec cookie, EC finalization writes an unconditional 24-hour tombstone. Finalization is shared by many response paths, so parallel page subresources carrying the same cookie and withdrawal signal can repeatedly overwrite the same tombstone. There is no cross-request deduplication.
This is an exceptional privacy path, so correctness must remain stronger than the cost optimization: a withdrawal must still clear the cookie and establish the authoritative identity-graph tombstone.
Proposed direction
Introduce an idempotent tombstone operation or another reliable deduplication mechanism. Do not simply limit withdrawal handling to document navigations unless the product can guarantee that every authoritative withdrawal arrives on a navigation.
The design should continue to handle the cookie EC ID and a different active EC ID when both are valid.
Acceptance criteria
- The first explicit withdrawal establishes a 24-hour tombstone and expires the browser cookie.
- Repeated requests for an already-tombstoned EC do not keep issuing unconditional overwrite writes.
- Concurrent withdrawal requests cannot restore or repopulate partner IDs.
- Both valid IDs are withdrawn when cookie and active EC IDs differ.
- KV failure remains best-effort for response delivery while cookie deletion still occurs.
- Tests cover repeated withdrawal, differing IDs, missing/invalid IDs, and a concurrent-update race.
Relevant code
crates/trusted-server-core/src/ec/finalize.rs
crates/trusted-server-core/src/ec/kv.rs
Summary
Make EC withdrawal tombstoning idempotent across parallel and repeated requests.
On an explicit withdrawal signal with a
ts-eccookie, EC finalization writes an unconditional 24-hour tombstone. Finalization is shared by many response paths, so parallel page subresources carrying the same cookie and withdrawal signal can repeatedly overwrite the same tombstone. There is no cross-request deduplication.This is an exceptional privacy path, so correctness must remain stronger than the cost optimization: a withdrawal must still clear the cookie and establish the authoritative identity-graph tombstone.
Proposed direction
Introduce an idempotent tombstone operation or another reliable deduplication mechanism. Do not simply limit withdrawal handling to document navigations unless the product can guarantee that every authoritative withdrawal arrives on a navigation.
The design should continue to handle the cookie EC ID and a different active EC ID when both are valid.
Acceptance criteria
Relevant code
crates/trusted-server-core/src/ec/finalize.rscrates/trusted-server-core/src/ec/kv.rs