
Results 51 dbsc issues

It's not clear how the secure session endpoint(s) are to be conveyed from server to browser. Is this the purpose of the "path" part of the Sec-Session-Registration? I'm clearly missing...

A signed JWT is always a series of three base64url-encoded values separated by a period ('.') character. It is not itself base64url-encoded. So saying things like `` and `Sec-Session-Response:...

JWS algorithms are case-sensitive, per the JWS/JWA specs[1], and DBSC should consistently use the defined ones `ES256` and `RS256` (rather than `es256` and `rs256` that currently sometimes are used). Doing...

Hello! If my understanding is correct, the temporary `auth_cookie` provided by the server is a short-lived opaque string that is used by the server to keep track of the authenticated...

I made a comment about how to significantly reduce the complexity of the flow here: https://github.com/WICG/dbsc/issues/23#issuecomment-2042252516 But the general response of #23 is "this is just the first step." However...

From the [Chromium blog](https://blog.chromium.org/2024/04/fighting-cookie-theft-using-device.html): >We are committed to developing this standard in a way that ensures it will not be abused to segment users based on client hardware. For example,...

Unclear what the `excluded scope` property is in the credentials response from the server and how it applies to the cookies.

Missing use case that was shared by @arnar in #46

An example JWT has `"jti": "nonce",` but the word nonce doesn't appear anywhere else. Is the value intended to be the challenge from the Sec-Session-Challenge header? This could use some...

Please consider using the `jwk` header parameter to convey the public key in the JWT sent by the browser. That would better leverage existing standards, be similar to how DPoP...