Microsoft has been working on something similar to secure web artifacts in the browser context. We propose a new protocol, BPoP (similar to DPoP, which binds access tokens), to bind a browser artifact (such as a cookie) issued by a website. Our explainer can be accessed here: Binding Context.
We are happy to collaborate in this space to arrive at a common proposal. Looking forward.
Given the interest in this space from Microsoft and Google, this seems like something that could reasonably migrate to the WICG for incubation (which might also make it easier for others to comment). WDYT, @cwilso, @yoavweiss, @marcoscaceres?
Introduction
Device Bound Secure Credentials (DBSC) aims to reduce account hijacking caused by cookie theft. It does so by introducing a protocol and browser infrastructure to maintain and prove possession of a cryptographic key.
This proposal offers two important features that we believe make it easier to deploy than previous proposals. DBSC provides application-level binding and browser-initiated refreshes that can make sure devices are still bound to the original device.
Feedback
I welcome feedback in this thread, but encourage you to file bugs against Device Bound Secure Credentials.