Description
https://w3c.github.io/webappsec-dbsc/
Device-bound session credentials are now supported by the most recent versions of Chromium (135+), Firefox and Safari (137+).
It builds on top of cookies, so cookies are still the transport mechanism, but client-server pairs that make use of it can create secure session cookies (short-lived and possible to revoke for sensitive requests) that are device-bound.
https://github.com/w3c/webappsec-dbsc/blob/main/README.md
More complete description including graphs ☝️
The goal is to implement this in rama-http for both the client and server side.
However, before we start this we first need to add decent and complete cookie support (#44 etc).
NOTE: not available for pickup; this is here for now just for tracking purposes.