Dick Hardt

Results 61 comments of Dick Hardt

Let's get language from our AD. Agree we want a complete list of what is being impacted.

I think the diagram is correct in the steps as an abstract flow -- the descriptions of each step are confusing. I'm confused by what "preferably indirectly via the authorization...

Character by character comparison? Byte for byte can be challenging as different byte arrangements can represent the same character. I do think we are intending a case-sensitive string comparison.

The diagram is an abstract protocol flow of who talks to who. I do agree it is confusing as drawn, and the description is quite confusing.

My off the cuff thinking on how DBSC would align with OAuth 2 refresh is for the browser to manage the access token rather than the SPA. A new...

To provide a little more background on @bc-pi comments, a JWT is the [compact serialization](https://www.rfc-editor.org/rfc/rfc7515.html#section-3.1) (base64 URL encoded) of a JWS. There is also a [JSON serialization format](https://www.rfc-editor.org/rfc/rfc7515.html#section-3.2) that I...

wrt. `store session attributes inside an encrypted+signed cookie` I believe @arnar is referring to existing practices of encrypting and signing cookies that are done by servers

Rather than having an API that can be used for gathering 1 bit of data, it would have the same result if invoking the API was a UX no-op if...

> Yeah we've explored that (it was actually our original chromium implementation). The problem is that it's trivial for a site to make a pretty reliable prediction on whether UX...

It certainly helps in the near future when no one has a credential. I would be very reluctant to use the API if 99.99% of the time no one has...