Daniel Rubery

@bc-pi - let me know if you have a preferred location for the challenge value. I'm going to close this out since the explainer is clear about the intention now.

This is already possible with `Sec-Session-Challenge`, since we always sign the most recently provided challenge. If session registration serves a `Sec-Session-Challenge`, then every refresh has a cached challenge available. Now...

This made it into the [spec](https://w3c.github.io/webappsec-dbsc/#format-jwt), so all that needs fixing here is the explainer. https://github.com/w3c/webappsec-dbsc/pull/127 will do that.

Thanks for all the discussion in this bug. I think it should all be much clearer in the spec today, so feel free to reopen if anything did not get...

I think your suggestion is very dependent on you having a strong client side SDK. Given a raw TPM API, it's certainly possible to write DBSC in the client. The...

Sorry about the long delay here. `excluded _scope` is no longer in the explainer. I hope the current structure of `scope_specifications` is clear. Let me know if you think there's...

We now have https://w3c.github.io/webappsec-dbsc/#format-jwt which should make the format very clear. Though I am leaning towards removing that section in favor of an HTTPSig integration (requested in https://github.com/w3c/webappsec-dbsc/issues/112). Either way,...

Sorry for the delay here. I think a lot of this is covered by https://github.com/WICG/dbsc/commit/684fb4d0676a6f2a2c40fca35f6741667eeb6341. Can you rebase on top of that change if there's anything you still want to...

Thanks for the feedback! https://github.com/w3c/webappsec-dbsc/pull/130 will now explicitly state that the TPM requirement comes from Chrome's current implementation and not from the protocol. We are indeed interested in other OS-mediate...

Sorry this remained unfixed so long! Described in https://github.com/w3c/webappsec-dbsc/pull/179