Re: [w3ctag/design-reviews] Device-Bound Session Credentials Analysis (PR #1094)

@jyasskin commented on this pull request.



> +That attribute would request that, whenever the cookie is sent to the server,
+the client would cover that cookie with a signature.
+
+The use of the `Path` cookie parameter would ensure that
+`Signed` cookies are only sent when requests are made to specific resources.
+That would allow servers to limit how often they ask clients to generate signatures
+by limiting how often the client requests the identified resources.
+Those requests could be initiated through a redirect, fetch, or any other request, as needed.
+
+The choice of what fields to include under the signature is very important.
+It is not likely to be sufficient to just cover `Cookie` in the list of signed content in `Signature-Input`.
+Including a date (the `created` parameter), the method (`@method`), and the URL (`@target-uri`)
+seem to be the minimum set of things that will prevent the signature from being reused.
+It's possible that a more thorough security analysis will identifier other fields that need to be covered.
+
+## Some Challenges

This section should be about how to accomplish various use cases, and I think it should start with a demo of how to satisfy the single threat model that DBSC currently covers: you trust the client's clock but not their timestamps. Then we can follow up with the extra flexibility that re-using cookies allows.

```suggestion
## Implementing various use cases

### Interactive proof if the client knows when to refresh
```

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/pull/1094#pullrequestreview-2866496597
You are receiving this because you are subscribed to this thread.

Message ID: <w3ctag/design-reviews/pull/1094/review/2866496597@github.com>