Chrome is interested in building an opt-in mode for the Protected Audience API that would require Key/Value servers to run inside of TEEs. We are interested in feedback on whether it would get any use.
Recall that Protected Audience API will eventually require K/V servers to run inside TEEs, but that this is not yet required. We are considering:
1. Making it possible for an IG to pick a K/V server which the browser can be sure is running in a TEE
2. Making it possible for a particular PA auction to declare "I am only willing to talk to TEE K/V servers" — which would mean the auction would exclude IGs that don't do 1
3. Making it possible for web pages to opt in to this behavior even before Chrome is ready to require it. That is,
   1. Letting a page allow only IG Join operations that do 1
   2. Letting a page allow only PA auctions that do 2
Once the K/V server is running inside a TEE, the browser can be more relaxed about information sent to the server. For example, K/V requests today only include the domain name of the site where the auction is happening. A K/V inside a TEE could safely receive the full page URL. (Although if your goal is more signals inside a TEE, consider the Bidding & Auction Services path — the Bidding Service will always have more signals available, since generateBid runs there.)
Question: Would anyone use this?
Of course this will take work from the Chrome team, and we don't want to spend our resources building something that nobody will use. We are interested in hearing expressions of interest from any part of the ecosystem — buy-side ad tech who might try 1, sell-side ad tech who might try 2, advertisers or other audience builders who might try 3(i), and publishers who might try 3(ii). (Note that there's no point in sites trying 3 unless some ad techs are trying 1 and 2.)