dbsc
It seems like it would be beneficial for the OAuth 2 pattern of separate access and refresh flows to fit into the DBSC pattern. In this separation, the policy of...
As I understand it, refreshing the cookies requires the browser to acquire a new challenge, sign it, and then present it. While the server can respond with a `Sec-Session-Challenge` header...
The [high-level overview](https://github.com/WICG/dbsc/blob/main/README.md#high-level-overview) diagram explains that the server returns the random challenge value in the `Sec-Session-Registration` response header and then the browser generates the signed registration JWT that should contain...
In the [high-level overview](https://github.com/WICG/dbsc/blob/main/README.md#high-level-overview) diagram there is an example of the `Sec-Session-Registration` header returned by the server which contains both `session_identifier` and `challenge` as named parameters. However, further in the more detailed description...
The current explainer says that when a session is being established, the JWT which contains the signed challenge is sent as the POST body data to the `/path+"/startsession"` endpoint. When...
The `Sec-Session-Registration` example response header is shown with several elements, separated by semi-colons:

```
Sec-Session-Registration: "path";challenge=:Y2hhbGxlbmdl:;es256;rs256;authorization=:YXV0aGNvZGU=:
```

The `Sec-Session-Challenge` example response header is shown with two elements, separated by a...
I've read the [estimated timeline](https://github.com/WICG/dbsc/wiki/DBSC-timeline), and looked at the flags available in Chrome Canary 125 on Mac. These don't line up - the estimated timeline suggests a flag called `#enable-standard-device-bound-session-credentials`...
hi! just some questions that I'm sure have already been addressed, but seeking confirmation / perhaps they could be in an FAQ? If a desktop OS does not have a...
Per JWT best practices, explicitly type the JWT, such as `"typ":"dbsc+jwt"`; see https://datatracker.ietf.org/doc/html/rfc8725#name-use-explicit-typing
After taking a look at this, it seems it's overly complex and not clear, for something that should only serve a simple purpose: "proving the user requests are coming from his...