- From: Thi Nguyen-Huu <thi.nh@winmagic.com>
- Date: Mon, 2 Mar 2026 18:36:14 +0000
- To: Daniel Rubery <drubery@chromium.org>
- CC: "nadalin@microsoft.com" <nadalin@microsoft.com>, "dveditz@mozilla.com" <dveditz@mozilla.com>, "mwest@google.com" <mwest@google.com>, "public-webauthn@w3.org" <public-webauthn@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Sergei Nikitin <sergei.nikitin@winmagic.com>
- Message-ID: <YTBPR01MB24153D0A26FFC508C3CE2C6FF97EA@YTBPR01MB2415.CANPRD01.PROD.OUTLOOK.COM>
Hi Dan and all,

Thank you very much for your feedback, Dan. I really appreciate it. Can we wait for more feedback and comments before we address more, or all, of them comprehensively? We should have a video by tomorrow which might make this easier to understand. The video won't answer Dan's deeper question/comment, though. And we will. Thanks.

Cheers,
Thi Nguyen-Huu | CEO
Tel: +1 905.502.7000 x 3288 | Toll Free: 888.879.5879
thi.nh@winmagic.com | www.winmagic.com
WinMagic Corp. | 11-80 Galaxy Blvd. Toronto, ON | M9W 4Y8 | Canada

From: Daniel Rubery <drubery@chromium.org>
Sent: Monday, March 2, 2026 1:20 PM
To: Thi Nguyen-Huu <thi.nh@winmagic.com>
Cc: nadalin@microsoft.com; dveditz@mozilla.com; mwest@google.com; public-webauthn@w3.org; public-webappsec@w3.org; Sergei Nikitin <sergei.nikitin@winmagic.com>
Subject: Re: Formal Proposal: A Deterministic (No-Token) Alternative to DBSC

Hello,

Chiming in from the DBSC perspective. By giving up the regular challenges, I don't think you're getting the security properties you want. With pre-shared keys, local malware can steal the symmetric key and use it from a different device. That forces you to regularly rotate the symmetric key. Protecting that rotation is challenging and leads to exactly the complexity you claim to avoid.

At a high level, it is definitely attractive to try to make an authenticated transport layer, and it has been attempted before (you even mention Token Binding in your whitepaper). DBSC operates at the application layer because TLS termination frequently happens at a distance from authentication checks. Various enterprise middleware and reverse proxies do this, and need to be updated to propagate the identity information across the transport. Cookies are the current standard for authentication, and are transmitted at the application layer. That makes it significantly more feasible to attach the device binding at the application layer.

Thanks,
Dan Rubery

On Mon, Mar 2, 2026 at 8:40 AM Thi Nguyen-Huu <thi.nh@winmagic.com> wrote:

Dear Anthony, Dan, and Mike,

With the release of Chrome 145 and the graduation of DBSC to stable, we are submitting an alternative architectural approach that eliminates the "Procedural Ceremony" of session management. Our proposal, PADIT (Post-Authentication Device Identity in Transaction), moves identity assurance from the application layer to a hardware-bound mTLS connection. By utilizing the FIDO2 PRF extension or TPM keys as entropy for a TLS 1.3 External PSK handshake, we establish a deterministic state where the existence of the communication is the mathematical proof of identity.

Attached for your review:
* Formal Letter: Outlining why the transport layer is the natural home for identity.
* The PADIT Whitepaper: A deep dive into the "No-Token" transport-layer approach.
* Whitepaper: "Architecting for a Secure Internet," detailing the roadmap for DIT (Device Identity) and LIT (Live Identity).

We have simultaneously reached out to the IETF TLS Working Group regarding the transport-layer implications and request the opportunity to present this model at an upcoming WebAuthn or WebAppSec meeting.

Sincerely,
Thi Nguyen-Huu
Founder and CEO, WinMagic Corp.
Attachments
- image/png attachment: image001.png
- image/png attachment: image002.png
- image/png attachment: image003.png
- image/png attachment: image004.png
- image/png attachment: image005.png
Received on Monday, 2 March 2026 18:36:26 UTC