Intent to Prototype: Device Bound Session Credentials (DBSC)
Kristian Monsen
kris...@chromium.org, arn...@chromium.org, chl...@chromium.org
Explainer
https://github.com/kmonsen/dbsc/blob/main/README.md
Specification
None
Summary
An API that will allow websites to securely bind a session to a single device. The browser will renew the session periodically as requested by the server, with proof of possession of a private key. It will not provide tracking ability beyond what cookies provide.
Blink component
Blink>SecurityFeature>DeviceBoundSessionCredentials
Motivation
Reduce session theft by offering an alternative to long-lived cookie bearer tokens, that allows session authentication that is bound to the user's device. This makes the web safer for users in that it is less likely their identity is abused, since malware is forced to act locally and thus becomes easier to detect and mitigate. At the same time the goal is to disrupt the cookie theft ecosystem and force it to adapt to tighter operating constraints.
Initial public proposal
https://github.com/WICG/proposals/issues/106
TAG review
TAG review status
Pending
Risks
Interoperability and Compatibility
Gecko: No signal
WebKit: No signal
Web developers: No signals
Other signals:
WebView application risks
Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?
No
Debuggability
Is this feature fully tested by web-platform-tests?
No
Flag name on chrome://flags
Finch feature name
None
Non-finch justification
None
Requires code in //chrome?
False
Estimated milestones
No milestones specified
Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/5140168270413824
Links to previous Intent discussions
This intent message was generated by Chrome Platform Status.