Contact emails
sant...@google.com,
alex...@google.com
Explainer
https://github.com/lucasrsant/dbsc-sso
Specification
No information provided
Summary
The Device Bound Session Credentials for SSO feature is an enhancement to the novel DBSC protocol which prevents cross-origin device binding bypasses.
It introduces new browser capabilities to generate keys for a given Relying Party that are cryptographically proven to be stored on the same device as the Identity Provider's.
This way, the Identity Provider can bless a trusted key to the Relying Party, making cross-origin device binding bypasses impractical.
Blink component
Blink>SecurityFeature
Web Feature ID
Missing feature
Motivation
Close the existing security gap in DBSC when Single Sign-On authentication flows happen. The current protocol does not guarantee that both the Identity Provider and Relying Party sessions are bound to the same device, which can lead to malware bootstrapping new RP sessions from bound IdP sessions.
Initial public proposal
https://github.com/WICG/proposals/issues/268
Requires code in //chrome?
False
Tracking bug
https://crbug.com/485514814
Estimated milestones
No milestones specified
Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/6051103412191232?gate=6256700510306304