Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Early Design Review for Device Bound Session Credentials #1052

Open
drubery opened this issue Feb 18, 2025 · 0 comments
Open

Early Design Review for Device Bound Session Credentials #1052

drubery opened this issue Feb 18, 2025 · 0 comments
Labels
Progress: untriaged

Comments

@drubery
Copy link

drubery commented Feb 18, 2025

こんにちは TAG-さん!

I'm requesting an early TAG design review of Device Bound Session Credentials.

Device Bound Session Credentials (DBSC) aims to reduce account hijacking caused by cookie theft. It does so by introducing a protocol and browser infrastructure to maintain and prove possession of a cryptographic key. The main challenge with cookies as an authentication mechanism is that they only lend themselves to bearer-token schemes. On desktop operating systems, application isolation is lacking and local malware can generally access anything that the browser itself can, and the browser must be able to access cookies. On the other hand, authentication with a private key allows for the use of system-level protection against key exfiltration.

Further details:

  • [y] I have reviewed the TAG's Web Platform Design Principles
  • The group where the incubation/design work on this is being done (or is intended to be done in the future): WebAppSec
  • The group where standardization of this work is intended to be done ("unknown" if not known): unknown
  • Existing major pieces of multi-implementer review or discussion of this design:
  • Major unresolved issues with or opposition to this design: None so far, some small questions about the degree of device binding per platform
  • This work is being funded by: Google
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Progress: untriaged
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@drubery