- From: Daniel Rubery <notifications@github.com>
- Date: Thu, 14 Aug 2025 09:33:25 -0700
- To: w3ctag/design-reviews <design-reviews@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <w3ctag/design-reviews/issues/1052/3189092702@github.com>
drubery left a comment (w3ctag/design-reviews#1052)

My point is that that deferral is a requirement for DBSC to be adoptable, and a Signed cookie attribute cannot provide that. The missing functionality accounts for some of the difference in complexity between our proposals.

The JSON schema for DBSC sessions does give us a lot of flexibility to add new behaviors if they prove useful. We believe the current functionality makes it easy for sites to achieve the security goals of DBSC, while also giving us the capability to extend/refactor behavior as needs become better understood. As two examples of that, in the WebAppSec meeting we discussed having DBSC sign a broader range of requests and how to add a "stale-while-revalidate" approach that minimizes how often we're doing cookie rotation after auth cookies have expired.

For more signing, we currently only have one type of entry in the `credentials` array. If we want to sign all requests on a set of endpoints, we can add another type `assert_in_header`, with parameters `domain` and `path`. Browsers would also sign requests matching that domain pattern and path prefix.

For "stale-while-revalidate", the `cookie` credentials could have a new key `force_refresh_after`, specifying how old the cookie can be before we force a refresh in the background. If you set that 1 minute less than the cookie `Max-Age`, then as long as the site does a request in that minute, we will not have to defer any requests.

-- Reply to this email directly or view it on GitHub: https://github.com/w3ctag/design-reviews/issues/1052#issuecomment-3189092702
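The two extensions sketched in the comment, worked through as browser-side decision logic. This is an added example, not code from the DBSC project or from the commenter. The `credentials` array with `type: "cookie"`, `name` and `attributes` follows the shape of the DBSC session JSON as I understand it (an assumption); `assert_in_header` with `domain`/`path`, and `force_refresh_after`, are the hypothetical additions proposed above and are not part of any published schema. The session config and timestamps are constructed.

```python
"""Decision logic for two hypothetical DBSC session-config extensions:
an `assert_in_header` credential entry (sign every matching request) and a
`force_refresh_after` key on `cookie` entries (stale-while-revalidate).
Added example; not DBSC project code."""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Constructed session config. `type`/`name`/`attributes` mirror the assumed DBSC
# session JSON; `assert_in_header`, `domain`, `path`, `force_refresh_after` are
# the hypothetical keys from the comment.
SESSION_CONFIG = {
    "session_identifier": "example-session-1",  # constructed value
    "refresh_url": "/internal/refresh",
    "credentials": [
        {
            "type": "cookie",
            "name": "auth_cookie",
            "attributes": "Domain=example.com; Path=/; Secure; SameSite=None; Max-Age=600",
            "force_refresh_after": 540,  # seconds: Max-Age minus 60 s, as the comment suggests
        },
        {
            "type": "assert_in_header",  # hypothetical entry type
            "domain": "api.example.com",
            "path": "/v1/",
        },
    ],
}


def parse_cookie_attributes(attrs: str) -> dict:
    """Parse a 'Key=value; Flag' attribute string into a lower-cased dict."""
    out = {}
    for part in attrs.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        out[key.strip().lower()] = value.strip()
    return out


def host_matches_domain(host: str, domain: str) -> bool:
    """Cookie-style domain match: the host itself or any subdomain of it."""
    host, domain = host.lower(), domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)


def path_matches(req_path: str, cookie_path: str) -> bool:
    """RFC 6265 path-match: equal, or a prefix that ends at a '/' boundary."""
    if req_path == cookie_path:
        return True
    if req_path.startswith(cookie_path):
        return cookie_path.endswith("/") or req_path[len(cookie_path)] == "/"
    return False


def must_sign_request(config: dict, url: str) -> bool:
    """True if an `assert_in_header` entry covers this URL's host and path prefix."""
    parts = urlsplit(url)
    for cred in config["credentials"]:
        if cred.get("type") != "assert_in_header":
            continue
        if host_matches_domain(parts.hostname or "", cred["domain"]) and \
                path_matches(parts.path or "/", cred["path"]):
            return True
    return False


def refresh_decision(config: dict, url: str, cookie_set_at: dict, now: datetime) -> str:
    """What a request to `url` needs before it can be sent.

    `cookie_set_at` maps bound-cookie name -> when the browser last received it.
    Returns "deferred" (cookie missing or past Max-Age: hold the request until
    refresh completes, the current DBSC behaviour), "background" (still valid but
    older than force_refresh_after: send now, refresh in the background), or "send".
    """
    parts = urlsplit(url)
    decision = "send"
    for cred in config["credentials"]:
        if cred.get("type") != "cookie":
            continue
        attrs = parse_cookie_attributes(cred.get("attributes", ""))
        if not host_matches_domain(parts.hostname or "", attrs.get("domain", parts.hostname or "")):
            continue
        if not path_matches(parts.path or "/", attrs.get("path", "/")):
            continue
        set_at = cookie_set_at.get(cred["name"])
        max_age = int(attrs.get("max-age", "0"))
        if set_at is None or (now - set_at).total_seconds() >= max_age:
            return "deferred"  # a bound cookie is absent/expired: must defer
        threshold = cred.get("force_refresh_after")
        if threshold is not None and (now - set_at).total_seconds() >= threshold:
            decision = "background"  # stale but usable: refresh without deferring
    return decision


if __name__ == "__main__":
    now = datetime(2025, 8, 14, 16, 0, tzinfo=timezone.utc)  # constructed clock
    jar = {"auth_cookie": now - timedelta(seconds=550)}
    print(must_sign_request(SESSION_CONFIG, "https://api.example.com/v1/orders"))
    print(refresh_decision(SESSION_CONFIG, "https://www.example.com/account", jar, now))
```

With `force_refresh_after` set 60 seconds below `Max-Age`, any request in that last minute returns "background", so the refresh runs while the request proceeds and the "deferred" branch is only reached if the site is idle for the whole window.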
Received on Thursday, 14 August 2025 16:33:29 UTC