Warren Parad
For clarity on terminology we have a few different types of credentials: * The `access token`, usually a JWT used by the site to provide identity of the caller (expires...
I think the easiest and forward compatible approach would be for the browser to just automatically create the DPoP signature and send it along with the cookies on every request....
I think the key here is this: > (side note: caching DPoP assertions or similar and reusing them across requests is functionally equivalent to the short-term cookie, in terms of...
I meant the former "a static header that would be recomputed on the order of minutes or realistically on the same order as the current DBSC proposal's suggested `POST /securesession/refresh`...
I'm not sure why be stuck on malware on the device. Instead it makes sense to break this down into two levels: * malware which steals the session token and...
I was using JS compromises as an easy to understand example, because it simply demonstrates to readers what an attack looks like. Most JS compromises are indistinguishable from Browser or...
Correct, but in this case, the argument is that you already have something that cannot be predicted, the value of the Session Credential. Which often in itself is already a...
You have well laid out the attacks, nice job on that. However there is a flaw in the understanding here. This statement from "Scenario 2" is incorrect: > Attacker recognises...
> Does "the proposal" refer to the DBSC as described in the explainer, or one of the proposals in this issue and/or https://github.com/WICG/dbsc/issues/46? Current DBSC proposal. It sounds like there...
But it's worth maybe a couple more words. "How Body". Will it handle JSON, XML, gRPC, or some other binary format. While it is the one body thing, what happens...