Re: [w3ctag/design-reviews] Early Design Review for Device Bound Session Credentials (Issue #1052)

lolaodelola left a comment (w3ctag/design-reviews#1052)

Thank you for submitting this design review and for your patience here! We had an opportunity to review it in our face to face meeting and spent some time after working things over. We appreciate the plan to improve first-party authentication by using high-security private keys as the main long-lived session credential with short-lived auto-refreshed cookies to help existing server frameworks work as-is. We have a few questions to help better understand the design and reasoning of this proposal:

1. Right now the enrolment uses a variety of headers in HTTP, which means that every fetch a browser makes is one you'd have to look out for in this API. We understand that the protection of requests needs to operate at the HTTP layer, but we don't see a clear reason that enrolment needs to operate over HTTP rather than JS. Is there a reason you've opted not to create a JS API for this instead?

2. We suspect that this overall design would be better if it could re-use a WebAuthn signing key. That's only possible if OSes implement [mediation](https://w3c.github.io/webappsec-credential-management/#dom-credentialrequestoptions-mediation)=["silent"](https://w3c.github.io/webappsec-credential-management/#dom-credentialmediationrequirement-silent), but if we imagine that they'll do that eventually, can you sketch a way to migrate to using it for this purpose?

3. It's a significant problem for the web that some services, like banks, that provide both websites and apps, sign out their web users much faster than they sign out users of their native apps. We hope that this API can give those services more confidence in the security of the web sessions. Do you think this API will change their behaviours as-is? Are there any changes to the API that would improve its chances?

4. How are you thinking about devices that don't have TPMs? Does this interact with your choices around TPM handling?

Additionally, we're skeptical about the use of `Sec-` here, for the reasons elaborated in whatwg/fetch/pull/1818, and we're inclined to agree with Justin's suggestion in w3c/webappsec-dbsc/issues/112.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/1052#issuecomment-2790525619

Message ID: <w3ctag/design-reviews/issues/1052/2790525619@github.com>

Received on Wednesday, 9 April 2025 17:59:49 UTC