Second Origin Trial for Device Bound Session Credentials

[Daniel Rubery]

Hello Blink API Owners,

DBSC is wrapping up its Origin Trial as M139 finishes. We had some new design since the Origin Trial began that we think could impact the feature as a whole:

• Key sharing to support organizations running authentication over multiple sites
• Mitigations for a timing side channel due to refresh in 3rd party contexts
• Use of a .well-known to gate a subdomain registering a session on a parent domain

Rather than ship DBSC in its current state and try to ship these after, we'd prefer to run a second Origin Trial with the full implementation. Does that seem reasonable? We'll follow the Intent to Experiment process when that time comes, but I'd like a directional approval for a second Origin Trial before I communicate with partners.

Thanks,

Dan Rubery

[Domenic Denicola]

In general, substantial changes like these are a good sign, and make it easy for a second origin trial to get approved. That is, they provide clear evidence the origin trial system is working as intended, and not being used as a way to sort of soft-launch a feature. So I think you won't have a hard time getting approvals.

If you can also document progress on the requirements for extending an origin trial, then I think approving this will be a slam-dunk.

--
You received this message because you are subscribed to the Google Groups "blink-api-owners-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-api-owners-d...@chromium.org.
To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-api-owners-discuss/efba9fd0-508e-4099-8843-4a179e7e90d2n%40chromium.org.