WICG/dbsc

Issues

• Public key in JWT

  #44 opened 25 days ago by bc-pi
  9

• HTTP 401 MUST return a WWW-Authenticate header

  #65 opened 2 months ago by danmarg
  9

• Is there a timeline for when DBSC will be available on OSX and other OSs?

  #64 opened 2 months ago by ahallsc
  0

• An attack vector for DBSC:

  #35 opened 6 months ago by maxhata
  9

• Refresh session performance 2: Fresh nonce prefetching.

  #61 opened 4 months ago by alextok
  1

• Refresh session performance 1: Waiting for response from the server.

  #60 opened 4 months ago by alextok
  1

• `Sec-` prefix for a server header

  #59 opened 4 months ago by yoavweiss
  5

• PoC using swtpm

  #63 opened 2 months ago by theMiddleBlue
  0

• Use Outside of Google

  #62 opened 3 months ago by amitassaraf
  1

• JWS algorithms are case-sensitive

  #41 opened 4 months ago by bc-pi
  14

• How can we tell when there is running code available in Chrome Canary

  #50 opened 4 months ago by sbweeden
  9

• Why send JWTs two different ways?

  #53 opened 5 months ago by sbweeden
  2

• Can DBSC stop common adversary in the middle attacks?

  #57 opened 5 months ago by RogerAGrimes
  2

• alignment with OAuth 2 flows for 1P authorization servers

  #31 opened 6 months ago by dickhardt
  3

• Reduce latency by including refresh challenge

  #29 opened 6 months ago by dickhardt
  1

• Where does the challenge value go in the Registration JWT?

  #56 opened 5 months ago by tblachowicz
  1

• Details on Session Identifier are not clear in the Explainer

  #55 opened 5 months ago by tblachowicz
  0

• Response headers should use consistent separators

  #54 opened 5 months ago by sbweeden
  0

• non-TPM devices? Android and iPhone / iOS | iPadOS TPM equivalents?

  #21 opened 6 months ago by anwarmahmood1
  7

• Explicitly type the JWT

  #27 opened 6 months ago by dickhardt
  2

• A simpler flow proposal

  #46 opened 6 months ago by el1s7
  56

• how are endpoints conveyed from server to browser?

  #45 opened 6 months ago by bc-pi
  13

• JWTs are not themselves base64url encoded

  #47 opened 6 months ago by bc-pi
  5

• Require request signing for proof-of-possession

  #23 opened 6 months ago by joaopenteado
  18

• MVP Recommendation: TOTP

  #36 opened 6 months ago by wparad
  9

• Need for attestation?

  #34 opened 6 months ago by jackevans43
  5

• explain `excluded scope`

  #30 opened 6 months ago by dickhardt
  3

• jti/nonce/challenge value?

  #43 opened 6 months ago by bc-pi
  2

• Insufficient rationale

  #13 opened 9 months ago by simon-friedberger
  13

• iat is a number

  #42 opened 6 months ago by bc-pi
  0

• Cluttering the TPM and potential denial of service ?

  #20 opened 6 months ago by HoLyVieR
  13

• What is the expectation of multi-site cross-site signatures?

  #40 opened 6 months ago by wparad
  0

• [Fetch] What's stopping us from using the Fetch API configuration to support this?

  #39 opened 6 months ago by wparad
  0

• Check/inform status of DBSC per session/site in Chrome UI

  #37 opened 6 months ago by GuiPoM
  4

• Login Status API?

  #32 opened 6 months ago by dickhardt
  1

• timed refresh mechanism

  #33 opened 6 months ago by dickhardt
  1

• Should this approach extend to native applications?

  #38 opened 6 months ago by NickBorgersOnLowSecurityNode
  2

• How do servers manage the public keys and the sessions?

  #26 opened 6 months ago by hdfrk
  4

• JWT clarifications needed

  #28 opened 6 months ago by dickhardt
  0

• IP binding with Cookies cant be enough ?

  #25 opened 6 months ago by threatdecoder
  2

• Question RE: Tracking and Identity Providers

  #24 opened 6 months ago by whitehatguy
  1

• Really supportive of this effort!

  #22 opened 6 months ago by miketheitguy
  0

• The scheme is a little bit redundant for a redirect-based auth

  #12 opened 9 months ago by alextok
  13

• In startsession we deliver authorization artifact in two different ways

  #19 opened 6 months ago by alextok
  2

• Diagram mismatch

  #16 opened 6 months ago by alextok
  3

• Origin trial updates

  #17 opened 6 months ago by kmonsen
  0

• key_registration_header.svg is hard to read when the reader's browser is dark mode.

  #15 opened 9 months ago by aawc
  2

• Clarification of BFCache handling

  #14 opened 9 months ago by simon-friedberger
  0

• Support of different types of tokens is not clear

  #11 opened 9 months ago by alextok
  5

• Start session can result in security bugs during implementation.

  #7 opened 9 months ago by alextok
  17