Re: [w3ctag/design-reviews] Device-Bound Session Credentials Analysis (PR #1094)

@martinthomson commented on this pull request.



> +thereby proving to the server that the browser still has access to the key pair.
+The response to the second request refreshes any of the affected cookies.
+
+This adds two round trips of latency every time that a cookie refresh is needed.
+While some amount of delay is likely unavoidable, having two additional requests is fairly heavyweight.
+
+We have an alternative below that doesn't require an interactive exchange.
+However, given that TPMs generally don't have a clock,
+you can't use the clock to ensure freshness.
+A non-interactive exchange might have been pre-generated by an attacker
+who temporarily had access to the TPM, unless it contains fresh entropy from the server.
+That's something we address in more detail in the alternative design below,
+noting that the alternative offers servers more options to combine requests to reduce latency,
+where the proposal cannot.
+
+The proposal includes a redundant new session identifier field in requests.
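Review bot: The latency claim is stated two different ways within a few lines: "two round trips of latency" and then "two additional requests"; the second paragraph should settle on one (requests and round trips are not interchangeable if the two requests can be pipelined) so the comparison with the alternative design below is precise. Two smaller wording points: "proving to the server that the browser still has access to the key pair" would be more accurate as "still possesses the private key", since the public half is what the server already holds; and "unless it contains fresh entropy from the server" could name the mechanism the sentence relies on, i.e. a server-chosen nonce covered by the signature, which is also the property that lets a pre-generated signature from a temporary TPM holder be rejected.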

Fair.  My intent was to say that this was redundant with cookies.  The design isn't removing cookies, which could very easily identify a session, even when the session still requires a signature.

```suggestion
The proposal includes a new session identifier field in requests.
```

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/pull/1094#discussion_r2096712336

Message ID: <w3ctag/design-reviews/pull/1094/review/2852324594@github.com>

Received on Tuesday, 20 May 2025 01:58:35 UTC