ads.cert 2.0: Authenticated Connections is ready for adoption; read the blog post to learn more.
“ads.cert” is the umbrella marketing term for an IAB Tech Lab protocol suite that provides an open standard cryptographic security foundation for the programmatic advertising ecosystem. Using these solutions helps participants assure that they obtain genuine ad trade opportunities that have been secured against misrepresentation. Any party buying, selling, or facilitating ad trades can deploy the free ads.cert tools and protocols within their ad serving environment. Participants automatically and reliably discover each other within this scheme. Its federated nature creates no central authority that would become an arbiter of business identity within advertising.
ads.cert is developed by the Security Foundations Working Group (currently within the Programmatic Working Group).
The ads.cert 2.0 protocols focus solely on the businesses that buy/sell/measure/verify/facilitate programmatic advertising. All forms of consumer profile identifiers are completely out-of-scope. We are releasing a set of protocol specification documents, and also open source implementations to make it easier for the industry to deploy these protocols. The open source software solutions maintained by the working group participants facilitate both the public key distribution and security protocol processes.
We have divided the protocol suite into two main concepts:
The working group is introducing several protocols under the ads.cert umbrella:
In the future, this group aims to introduce additional protocols and open source implementations, to add security to other programmatic advertising use cases.
Note: Please review the ads.cert Primer for a summary of the ads.cert solutions.
The ads.cert Call Sign proposal provides a method to establish Internet domain names that formally identify a participating business to others. We use public keys and metadata published in DNS records as the mechanism for establishing a corporate presence in the online advertising space and letting other participants discover counterparties. It is a completely decentralized protocol, allowing any party to quickly and easily establish their presence using a correctly-configured Internet domain, publishing cryptographic public keys for use in advertising-related messages and transactions. The ads.cert Call Signs and their associated public keys are the basis on which the following security protocols are built. They provide continuity towards ongoing review of activity associated with a particular business.
This protocol defines the mechanism for adding origin authentication and tamper resistance to server-to-server HTTP requests between advertising entities with existing ads.cert Call Signs. This mechanism, which relies on cryptographic signing, is agnostic of any underlying messaging format, and it can be used for any arbitrary message type, such as bid requests, creative fetches, and impression pings. Parties receiving these cryptographically-signed requests can authenticate the sender to a specific domain, even if they don’t have a direct relationship with that party. Enhanced by compliance organizations and security vendors sharing the ads.cert Call Signs for reviewed businesses, recipients gain better visibility into the business originating these server-to-server communications and their underlying business practices.
When combined with the auditing and business reviews performed by compliance organizations and security vendors, ads.cert Call Signs and Authenticated Connections provide powerful tools for automatically and scalably enriching business processes with metadata reviewed by these outside organizations.
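The request authentication described above, as an added sketch that is not the IAB Tech Lab implementation and does not reproduce the ads.cert wire format. It assumes Ed25519 as a stand-in signature scheme, an in-memory map in place of the DNS key lookup, and hypothetical names (`KeyDirectory`, `SignedRequest`, `Sign`, `Verify`) with constructed `.example` domains.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
	"time"
)

// KeyDirectory stands in for the DNS lookup of a Call Sign domain's public key.
type KeyDirectory map[string]ed25519.PublicKey

type SignedRequest struct { // hypothetical layout, not the ads.cert wire format
	From, To, URL string
	Body, Sig     []byte
	Timestamp     int64
}

// canonical binds sender, recipient, time, URL and a hash of the opaque body.
func canonical(r SignedRequest) []byte {
	h := sha256.Sum256(r.Body)
	return []byte(fmt.Sprintf("from=%q&to=%q&ts=%d&url=%q&body=%x", r.From, r.To, r.Timestamp, r.URL, h))
}
func Sign(priv ed25519.PrivateKey, r SignedRequest) SignedRequest {
	r.Sig = ed25519.Sign(priv, canonical(r))
	return r
}

// Verify runs on recipient "self" and authenticates r to its claimed sender domain.
func Verify(dir KeyDirectory, self string, now time.Time, r SignedRequest) error {
	pub, ok := dir[r.From]
	switch {
	case !ok:
		return fmt.Errorf("no published key for %q", r.From)
	case r.To != self:
		return fmt.Errorf("signed for a different recipient")
	case now.Unix()-r.Timestamp > 300 || r.Timestamp-now.Unix() > 300:
		return fmt.Errorf("timestamp outside replay window")
	case !ed25519.Verify(pub, canonical(r), r.Sig):
		return fmt.Errorf("signature mismatch")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed sample key and domains
	req := Sign(priv, SignedRequest{From: "ssp.example", To: "dsp.example", URL: "https://dsp.example/bid", Body: []byte(`{"id":"1"}`), Timestamp: time.Now().Unix()})
	req.Body = []byte(`{"id":"2"}`) // body altered after signing
	fmt.Println(Verify(KeyDirectory{"ssp.example": pub}, "dsp.example", time.Now(), req))
}
```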
This protocol will add authentication and tamper resistance to bid requests and bid parameters as they traverse the supply path. While our initial release doesn’t focus on this protocol, the Call Signs and open source infrastructure will enable support for it in a future version.
This protocol will add a mechanism that will allow devices to attest that bid requests and other signals were sent from them, and help with IVT and other anti-fraud efforts. This will only be done in a manner that will ensure user privacy and not enable systems to track users.
Rather than require each ads.cert implementer to handle the low-level protocols from the ground up, we instead focus on building an IAB Tech Lab hosted, community-driven, production-quality implementation of ads.cert infrastructure and protocols. We’ve taken into consideration the needs of organizations of all sizes, whether you run a few application servers or a large fleet. The core components were built using the Go programming language, and remote procedure call integration options allow for integration into a wide range of host environments. We’ve focused the design on making a solution that’s easy to deploy securely in typical environments using various best practices. Monitoring, failure risk mitigation, and other productionization concerns are being addressed within a full solution that we hope will require minimal effort to integrate and leverage. We’ll also publish the core protocol specifications, but we believe most participants will prefer leveraging an off-the-shelf solution.
The Open Source Software library can be found in the IAB Tech Lab GitHub repository.
The original ads.cert was focused purely on signing bid requests within OpenRTB 3.0. We are retaining the “ads.cert” branding established from the prior IAB Tech Lab initiative to develop an “ads.cert Signed Bid Requests” protocol, but readers should view the current 2021 “ads.cert 2.0” as a complete departure from the design and direction pursued in the original 2018 strategy.