Intent to Prototype: Device Bound Session Credentials (DBSC)

940 views
Skip to first unread message

Kristian Monsen

unread,
Sep 27, 2023, 5:09:19 PM9/27/23
to blink-dev
Contact emails

kris...@chromium.org, arn...@chromium.org, chl...@chromium.org


Explainer

https://github.com/kmonsen/dbsc/blob/main/README.md


Specification

None


Summary

An API that will allow websites to securely bind a session to a single device. The browser will renew the session periodically as requested by the server, with proof of possession of a private key. It will not provide tracking ability beyond what cookies provide.



Blink component

Blink>SecurityFeature>DeviceBoundSessionCredentials


Motivation

Reduce session theft by offering an alternative to long-lived cookie bearer tokens, that allows session authentication that is bound to the user's device. This makes the web safer for users in that it is less likely their identity is abused, since malware is forced to act locally and thus becomes easier to detect and mitigate. At the same time the goal is to disrupt the cookie theft ecosystem and force it to adapt to tighter operating constraints.



Initial public proposal

https://github.com/WICG/proposals/issues/106


TAG review

TAG review status

Pending


Risks

Interoperability and Compatibility

Gecko: No signal


WebKit: No signal


Web developers: No signals


Other signals:


WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?

No



Debuggability

Is this feature fully tested by web-platform-tests?

No


Flag name on chrome://flags
chrome://flags/#enable-bound-session-credentials

Finch feature name

None


Non-finch justification

None


Requires code in //chrome?

False


Estimated milestones

No milestones specified



Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5140168270413824


Links to previous Intent discussions

This intent message was generated by Chrome Platform Status.


Reply all
Reply to author
Forward
0 new messages