Support for Software Defined Authenticators and Credential Managers

[nicksteele]

Hey folks, in the current draft of DBSC, there seems to be explicit callouts that this credential should be created and bound to a TPM, but the credential could also be capable of being made and managed by a credential manager or software-defined authenticator. I'd like to explicitly call that out in the proposed work, because I think it will not only help in scenarios such as when a TPM is not present but allow users to manage session credentials, which could be an extremely helpful feature.

One could imagine a use-case of this for users would be that they no longer wish to associate with a certain device. If there are existing sessions backed by a DBSC token on that device, they could inform the credential manager to remove the DBSC tokens on the device, potentially ending the sessions that were using the tokens stored in that manager. This way, if the device has a new user, they would be unable to re-authenticate (assuming the credential manager is locked) and more importantly, they wouldn't have access to pre-existing user sessions backed by DBSC.

[davidldennison]

Would like to second @nicksteele here. With something as crucial and important as credentials, more options are needed other than TPM.

[kmonsen]

Thank you for the comment, we have updated the explainer with a better goal and threat model, and are focusing less on TPMs and more on what we want to achieve. We are planning to use Secure Enclave on Mac and support VBS keys on Windows, neither technically are TPMs.

Have you had a look at the enterprise addition to the explainer? https://github.com/WICG/dbsc/blob/main/DBSCE/Overview.md. There is a concept of a local key helper there, which I think would do what you want.

For consumer DBSC we are not ready to open this up yet to third parties. We have some long term plans that it would be good, but it has to be balanced with privacy concerns and would most likely be a user opt-in.