Describe per-context limits in explainer (#146)

patcg-individual-drafts · Nov 4, 2024 · 462d8ad · 462d8ad
1 parent 157b26e
commit 462d8ad
Showing 1 changed file with 23 additions and 10 deletions.
diff --git a/README.md b/README.md
@@ -443,16 +443,29 @@ will merge any contributions that have the same bucket and [filtering
 ID](https://github.com/patcg-individual-drafts/private-aggregation-api/blob/main/flexible_filtering.md#proposal-filtering-id-in-the-encrypted-payload)
 before truncation.
 
-This limit may vary by caller. In particular, Protected Audience reports may
-benefit from a higher limit more than Shared Storage reports.
-
-More complex designs that enable callers to configure custom limits are also
-possible, but require further analysis (see [issue #81]).
-
-[issue #81]: https://github.com/patcg-individual-drafts/private-aggregation-api/issues/81
-
-Our implementation plan is to set the limit at 20 contributions per report for
-Shared Storage and 100 contributions per report for Protected Audience.
+Although larger reports have higher utility, they are also more expensive for
+the aggregation service to process. To accommodate use cases with diverse
+utility requirements and cost tolerances, we will attempt to select reasonable
+defaults with optional overrides:
+
+- *Default limits:* The default limit may depend on the identity of the calling
+  API. In particular, Protected Audience reports may benefit from a higher limit
+  more than Shared Storage reports. Our implementation plan is to set the
+  default limit at 20 contributions per report for Shared Storage and 100
+  contributions per report for Protected Audience.
+
+- *Per-context limits:* Callers may request a different limit on each isolated
+  context they create. Since this affects the payload size, the requested limit
+  must be specified from outside an isolated context. Consequently, Protected
+  Audience buyers cannot set per-context limits. The browser must clamp
+  excessively large values to some maximum value. Our implementation plan is to
+  clamp the requested limit to a maximum of 1000 contributions per report.
+
+- *Global config:* A more complex design that enables sites to configure a
+  global limit may also be possible, but it requires further analysis. (See
+  [issue #81].)
+
+  [issue #81]: https://github.com/patcg-individual-drafts/private-aggregation-api/issues/81
 
 #### Padding