DBSC Newsletter | December 2024


dbsc-announce

Dec 18, 2024, 7:44:20 PM
to dbsc-announce
Intro


Device Bound Session Credentials (DBSC) aims to disrupt the cookie theft industry. It works by creating a unique cryptographic key pair for each user session, stored securely on the user's device. This key pair allows the website to verify that subsequent requests are coming from the same device. The DBSC standard aims to be a drop-in replacement for existing authentication systems, offering a user-friendly and robust solution to a growing security problem.


Web Standardization Updates


Spec

The draft spec for DBSC has been published: https://wicg.github.io/dbsc/. Please review and provide feedback, comments and questions!


Enterprise DBSC

We want to thank our colleagues at Microsoft for contributing to the DBSC web standard and driving the enterprise version of DBSC. For those interested in enterprise applications, please refer to the explainer: https://github.com/WICG/dbsc/blob/main/DBSCE/Overview.md.


TPAC recap

In September 2024, we hosted a breakout session at TPAC. Refer to the breakout session link for all the materials that were presented and the session notes. We wanted to thank you all for all the great discussions that happened during the session. Please feel free to continue asking questions and being involved by opening an issue on GitHub or continuing on an already open issue.


Trusted Platform Module (TPM) studies

TPMs are a central part of DBSC as we plan on using them for the key pair between the browser and website for Windows machines. However, they are known to have latency and reliability issues. Therefore, we’re conducting a study to understand TPM behavior on target devices. 


  • Overview: Hope to have more clarity on TPM suitability in Q4

  • Current status: Have TPM profile and early error reporting


Migration to JSON Web Key (JWK) for refreshes

As part of the active community discussion we have switched to using the JSON Web Key format to represent keys in the JWT. Thank you all for this suggestion, and thank you to the Microsoft Edge team for contributing to this update.


DBSC Components Status Updates

  • Registration: Completed
  • Create sessions: Completed
  • Persistence: Completed
  • Refreshes: Completed
  • Clearing sessions: In implementation - expected ETA end of Q4
  • Netlogging: Completed
  • Web Platform tests: Not started - expected in 2025 Q1


Origin Trials


With all the DBSC components close to being finalized, we’re on track to start origin trials in early 2025 Q1. Our initial plan is to make it available for the M134 release which hits the following channels:

  • Beta: Feb. 5, 2025

  • Stable: March 4, 2025.


We’ll keep this group updated once the date gets closer to confirm and in case there are any changes to the release.


Participating in origin trials

We've been getting a lot of interest in how to participate in origin trials. We’ll have more specific details as the origin trial gets closer. In the meantime, if you aren’t familiar with the general process, refer to this getting started guide with origin trials on how they are conducted and what to expect.

If you have any questions or comments, please reach out on the GitHub project.

Thanks
DBSC team