Intent to Experiment: Device Bound Session Credentials
Daniel Rubery
Contact emails
dru...@chromium.org , the...@chromium.org , arn...@chromium.org
Explainer
https://github.com/w3c/webappsec-dbsc/blob/main/README.md
Specification
https://w3c.github.io/webappsec-dbsc
Summary
A way for websites to securely bind a session to a single device.
It will let servers have a session be securely bound to a device. The browser will renew the session periodically as requested by the server, with proof of possession of a private key.
Blink component
TAG review
https://github.com/w3ctag/design-reviews/issues/1052
TAG review status
Pending
Origin Trial Name
Device Bound Session Credentials 2
Chromium Trial Name
DeviceBoundSessionCredentials2
Origin Trial documentation link
https://github.com/w3c/webappsec-dbsc/blob/main/README.md
WebFeature UseCounter name
kDeviceBoundSessionRegistered
Origin Trial documentation link
https://github.com/w3c/webappsec-dbsc/blob/main/README.md
Risks
Interoperability and Compatibility
Gecko : No signal ( https://github.com/mozilla/standards-positions/issues/912 )
WebKit : No signal ( https://github.com/WebKit/standards-positions/issues/281 )
Web developers : Positive ( https://github.com/mozilla/standards-positions/issues/912#issuecomment-2204012985 )
Other signals :
WebView application risks
Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?
Goals for experimentation
We've added new functionality for securing SSO ( https://w3c.github.io/webappsec-dbsc/#federated-sessions ), along with a new cross-site side channel protection ( https://w3c.github.io/webappsec-dbsc/#json-session-instructions-allowed_refresh_initiators ). We'd like to validate that these features meet site owner needs before shipping DBSC.
Ongoing technical constraints
Debuggability
Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, ChromeOS, Android, and Android WebView)?
No
The initial support for TPMs is Windows-only. This feature will eventually support all platforms, as we integrate with the OS-specific key generation/usage mechanisms.
Is this feature fully tested by web-platform-tests ?
No
Flag name on about://flags
enable-standard-device-bound-session-credentials, enable-standard-device-bound-session-persistence, enable-standard-device-bound-session-credentials-refresh quota
Finch feature name
DeviceBoundSessions
Requires code in //chrome?
False
Estimated milestones
| Shipping on desktop |
145 |
| Origin trial desktop first |
135 |
|---|---|
| Origin trial desktop last |
139 |
| Origin trial desktop first |
142 |
| Origin trial desktop last |
144 |
| DevTrial on desktop |
135 |
Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/5140168270413824?gate=5111520589643776
Links to previous Intent discussions
Intent to Prototype: https://groups.google.com/a/chromium.org/d/msgid/blink-dev/60bae138-43ee-4525-a549-461f241e9ae5n%40chromium.org
Intent to Experiment: https://groups.google.com/a/chromium.org/d/msgid/blink-dev/515ba278-c5fc-4ee0-8e88-21f34851778an%40chromium.org
This intent message was generated by Chrome Platform Status .
Mike Taylor
LGTM to experiment from M142 to M144.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org .
To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CADsXLL9AD6SSyUXpDcSB9m8y9nVnnNzAMTK6qmui%3DzKnM8G_5A%40mail.gmail.com .
