Describe per-context limits in explainer

patcg-individual-drafts · Jul 25, 2024 · 337a822 · 337a822
1 parent 9c32995
commit 337a822
Showing 1 changed file with 25 additions and 10 deletions.
diff --git a/README.md b/README.md
@@ -389,16 +389,31 @@ will merge any contributions that have the same bucket and [filtering
 ID](https://github.com/patcg-individual-drafts/private-aggregation-api/blob/main/flexible_filtering.md#proposal-filtering-id-in-the-encrypted-payload)
 before truncation.
 
-This limit may vary by caller. In particular, Protected Audience reports may
-benefit from a higher limit more than Shared Storage reports.
-
-More complex designs that enable callers to configure custom limits are also
-possible, but require further analysis (see [issue #81]).
-
-[issue #81]: https://github.com/patcg-individual-drafts/private-aggregation-api/issues/81
-
-Our implementation plan is to set the limit at 20 contributions per report for
-Shared Storage and 100 contributions per report for Protected Audience.
+There is a tradeoff to consider &mdash; larger reports are more costly for the
+aggregation service to process, but smaller reports have lower utility. There
+are several approaches to selecting a limit.
+
+- *Default limit:* The simplest strategy is to use one limit for all reports.
+  Our implementation currently enforces a limit of 20 contributions per report.
+
+- *Default limit per API:* The limit may be determined based on the calling API.
+  In particular, Protected Audience reports may benefit from a higher limit more
+  than Shared Storage reports. Our implementation plan is to set the limit at 20
+  contributions per report for Shared Storage and 100 contributions per report
+  for Protected Audience.
+
+- *Per-context limit:* Callers may request a different limit on each isolated
+  context they create. Callers that possess cross-site information cannot use
+  this mechanism. Consequently, Protected Audience buyers cannot set per-context
+  limits. The browser must clamp excessively large values to some maximum value.
+  Our implementation plan is to clamp the requested limit to a maximum of 1000
+  contributions per report.
+
+- *Per-site limit:* A more complex design that enables sites to configure a
+  global limit may also be possible, but requires further analysis. (See [issue
+  #81].)
+
+  [issue #81]: https://github.com/patcg-individual-drafts/private-aggregation-api/issues/81
 
 #### Padding