Re: [w3ctag/design-reviews] Device-Bound Session Credentials Analysis (PR #1094)

@martinthomson commented on this pull request.



> +
+A possible alternative is to define a new `Signature` field parameter,
+but that could be confused with `keyid`.
+
+One nice thing about this is that the server can choose the `keyid` value
+that is used when it sends `Accept-Signature`,
+which provides the server with certainty about how keys are identified.
+That key identifier is a form of cookie also;
+or an extension to the information stored for the `Signed` cookie.
+That means it needs to be cleared along with the cookie if someone asks the browser to clear state.
+Of course, state clearing already requires that the key pair also be cleared.
+
+The only thing remaining is to maybe avoid sending the public key
+when the browser sends a `Signed` cookie subsequent to enrollment.
+This can be as simple as remembering the last request that was made with that cookie.
+If the cookie has changed, or the last request made with that cookie received a 4x.
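
Review bot: The "remembering the last request that was made with that cookie" step in the last paragraph adds another piece of per-cookie browser state, but unlike the `keyid` paragraph above it, nothing here says this record is cleared along with the cookie and key pair when the browser clears state. Suggest saying so explicitly, and naming what is remembered, since the condition on the following line depends on both the cookie value and the status of the last response. As a style point, "That key identifier is a form of cookie also; or an extension to the information stored" reads better with a comma in place of the semicolon.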

```suggestion
If the cookie has changed, or the last request made with that cookie received a 4xx
```

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/pull/1094#pullrequestreview-2890218992

Message ID: <w3ctag/design-reviews/pull/1094/review/2890218992@github.com>

Received on Monday, 2 June 2025 23:55:05 UTC