Re: 2025-07-16 WebAppSec WG Agenda

To give a little introduction on the feedback we'd like for DBSC: we'd like
to validate our beliefs about the requirements for the feature. Our
proposal attempts to emphasize adoptability for sites, and it would be
useful to hear from other site operators that those requirements are all
useful.

We believe that complex behavioral changes across all app endpoints are
unlikely to be feasible, and want to minimize the complexity of those
changes. A browser with an active DBSC session, based on a server-provided
configuration, maintains a set of short-lived cookies based on proving
possession of a private key, against a dedicated new endpoint. All endpoints
will need to validate that the short-lived cookie is included and valid,
but otherwise don't need any behavioral changes. We believe existing auth
stacks can do that easily.

We have found that having most of the signature management done by the
browser makes it easier to manage the impact of TPM latency across multiple
sites, and reduces the effort of migrating existing web apps to use bound
sessions. DBSC naturally allows for the browser to proactively refresh when
a site is in use but the TPM is not, for example. Server operators don't
have the information or incentive to do that.

TAG has an alternative proposal for key binding which defines "Signed
cookies". Inclusion of a signed cookie causes the browser to sign the
request. This requires greater changes to all endpoints. Any request needs
to be able to redirect through the auth stack, instead of having the
browser defer the request to do some authentication. Distributed web
applications also require complexity to ensure they don't request
unnecessary signatures, which is critical since (e.g.) TPMs are a limited
resource.

We'd like to discuss 1) whether the browser management of state is indeed
an important requirement, and 2) whether explicit management of "sessions"
and registration of binding keys is better than implicit key creation or an
implied session construct via cookie semantics. We do recognize that
server-initiated signatures are simpler in many cases, and have a smaller
proposal for how to enable this in a simple manner that's compatible with
the existing DBSC proposal.

On Mon, Jul 14, 2025 at 12:54 AM Mike West <mkwst@google.com> wrote:

> Wednesday, July 16th: 16:00 UTC
> <https://www.timeanddate.com/worldclock/fixedtime.html?iso=20250716T1600> (09:00
> California, 12:00 Boston, 17:00 London, 18:00 Berlin)
> Draft Agenda
> <https://github.com/w3c/webappsec/blob/main/meetings/2025/2025-07-16-agenda.md#draft-agenda>
>
>    - DBSC: browser-initiated <https://w3c.github.io/webappsec-dbsc/> vs
>    server-initiated
>    <https://github.com/w3ctag/design-reviews/issues/1052#issuecomment-2946681508> flows
>    (@drubery)
>    - Discussing real world struggles with CSP
>    <https://github.com/w3c/webappsec-csp/issues/736> (@swijckmans)
>    - Discouraging permission prompts
>    <https://chromium.googlesource.com/chromium/src/+/refs/heads/main/docs/security/no-prompts-please.md>
>     (@mharbach)
>    - SameSite=Strict and cross-app navigation (@kmonsen)
>    - CfCs:
>       - CfC to move CSP-3 to CR < 2025-07-16 - #682
>       <https://github.com/w3c/webappsec/issues/682>
>       - CfC to move Fetch Metadata to CR < 2025-07-16 - #681
>       <https://github.com/w3c/webappsec/issues/681>
>       - CfC to move SRI-2 to CR < 2025-07-16 - #680
>       <https://github.com/w3c/webappsec/issues/680>
>       - CfC to move WebCrypto-2 to CR < 2025-07-16 - #679
>       <https://github.com/w3c/webappsec/issues/679>
>       - CfC to publish Well-Known URL for Relying Party Passkey Endpoints
>       as a FPWD < 2025-07-16 - #678
>       <https://github.com/w3c/webappsec/issues/678>
>       - CfC to publish DBSC as a FPWD < 2025-07-12 - #677
>       <https://github.com/w3c/webappsec/issues/677>
>    - What does FPWD involve and how to prepare for CR?
>
> If you would like to add an item to the agenda, please open a PR against this
> document on GitHub
> <https://github.com/w3c/webappsec/new/main/meetings/2025/2025-07-16-agenda.md>
> .
> Logistics
> <https://github.com/w3c/webappsec/blob/main/meetings/2025/2025-07-16-agenda.md#logistics>
>
>    - Minutes: https://pad.w3.org/p/WebAppSec_2025-07-16 (Use your W3C
>    credentials)
>    - Add these events
>    <https://www.w3.org/groups/wg/webappsec/calendar#export> to your
>    calendar
>    - #webappsec on W3C's slack instance <https://w3ccommunity.slack.com/>
>       - https://www.w3.org/slack-w3ccommunity-invite if you haven't
>       already joined.
>    - Zoom:
>       - Details at
>       https://auth.w3.org/?url=https://www.w3.org/groups/wg/webappsec/calendar
>
>
> -mike
>

Received on Monday, 14 July 2025 19:31:57 UTC