w3c
diff --git a/‎DBSC-E/DeviceRegistration.svg
+1 b/‎DBSC-E/DeviceRegistration.svg
+1
diff --git a/‎DBSC-E/DeviceRegistration.txt
+10 b/‎DBSC-E/DeviceRegistration.txt
+10
diff --git a/‎DBSC-E/IDPCallsPrivateLocalKeyHelper.svg
+1 b/‎DBSC-E/IDPCallsPrivateLocalKeyHelper.svg
+1
diff --git a/‎DBSC-E/IDPCallsPrivateLocalKeyHelper.txt
+92 b/‎DBSC-E/IDPCallsPrivateLocalKeyHelper.txt
+92
diff --git a/‎DBSC-E/IDPCallsPublicLocalKeyHelper.svg
+1 b/‎DBSC-E/IDPCallsPublicLocalKeyHelper.svg
+1
diff --git a/‎DBSC-E/IDPCallsPublicLocalKeyHelper.txt
+48 b/‎DBSC-E/IDPCallsPublicLocalKeyHelper.txt
+48
diff --git a/‎DBSC-E/IDPSameAsRP-CallsPublicLocalKeyHelper.svg
+1 b/‎DBSC-E/IDPSameAsRP-CallsPublicLocalKeyHelper.svg
+1
diff --git a/‎DBSC-E/IDPSameAsRP-CallsPublicLocalKeyHelper.txt
+45 b/‎DBSC-E/IDPSameAsRP-CallsPublicLocalKeyHelper.txt
+45
@@ -0,0 +1,10 @@
+title Device registration
+
+autonumber 1
+participant "Device registration client" as D
+participant "Attestation service" as A
+
+note over D, A: Provisioning ...
+D->>A: Register device (DeviceKey, AIK for KG, AIK for TPM, AIK for Software)
+A->>D: 200 OK
+
@@ -0,0 +1,92 @@
+title IdP calls a private Local Key Helper
+
+autonumber 1
+participant "Relying Party" as W
+participant "IdP" as I
+participant "Browser" as B
+participant "Local Key Helper" as P
+
+note over W, P: IdP life...
+B->>I: Any request
+I->>B: Any response\nSec-Session-HelperIdList: [HelperId1, HelperId2], HelperCacheTime
+B->>B: Cache HelperId for IDPURL for HelperCacheTime
+
+note over W, P: Sign in...
+W->>B: Start sign in (302)\nSec-Session-Registration: path, RPChallenge,... \nSec-Session-GenerateKey: RPURL, IDPURL, extraParams
+B->>B: Check for cached HelperId for IDPURL
+
+alt Cached HelperId present (99.99% cases)
+
+    B->>B: currentHelperId = Evaluate policy for (IdP, [HelperId1, HelperId2...])
+
+    B->>P: Pre-gen key and attest (RPURL, IDPURL, extraParams...)
+
+    P->>P: Generate Key
+
+    loop For each device
+        P->>P: create binding statement S(publicKey, AIK)
+    end
+
+    P->>B: Return: KeyId, \narray of binding statements [BindingStatement1 {extraClaims....}, \nBindingStatement2 {extraCalims...}]
+    B->>B: Remember this key is for RP (and maybe path)
+
+    B->>I: Load sign-in (follow the 302)\n\nx-ms-RefreshTokenCredential1{nonce}\nx-ms-DeviceCredential1{nonce}\nx-ms-RefreshTokenCredential2{nonce}\nx-ms-DeviceCredential2{nonce} ...\n\nSec-Session-BindingInfo: KeyId, PublicKey, \narray of binding statements [BindingStatement1 {extraClaims....}, \nBindingStatement2 {extraCalims...}]
+
+    opt nonce is stale
+        I->>B: 302 to IdP with qs parameter sso_nonce=new_nonce\nSec-Session-GenerateKey: RPURL, IDPURL, extraParams
+        B->>I: Load sign-in\n\nx-ms-RefreshTokenCredential1{new_nonce}\nx-ms-DeviceCredential1{new_nonce}\nx-ms-RefreshTokenCredential2{new_nonce}\nx-ms-DeviceCredential2{new_nonce} ...\n\nSec-Session-BindingInfo: KeyId, PublicKey, \narray of binding statements [BindingStatement1 {extraClaims....}, \nBindingStatement2 {extraCalims...}]
+    end
+
+else No cached HelperId present
+
+
+    B->>I: Load sign-in (follow the 302)\n\nx-ms-RefreshTokenCredential1{nonce}\nx-ms-DeviceCredential1{nonce}\nx-ms-RefreshTokenCredential2{nonce}\nx-ms-DeviceCredential2{nonce} ... \n\nSec-Session-HelperDiscoveryNeeded: RPURL, IDPURL, extraParams
+
+    note over I, B: No binding info present, but the reequest has GenerratKey, so IdP issues helper id list
+
+    I->>B: 302 to IdP with qs parameter sso_nonce=new_nonce\n\nSec-Session-GenerateKey: RPURL, IDPURL, extraParams\nSec-Session-HelperIdList: [HelperId1, HelperId2], HelperCacheTime
+    B->>B: Cache HelperId for IDPURL for HelperCacheTime
+
+    B->>B: currentHelperId = Evaluate policy for (IdP, [HelperId1])
+    B->>P: Pre-gen key and attest (RPURL, IDPURL, extraParams...)
+
+    P->>P: Generate Key
+
+    loop For each device
+        P->>P: create binding statement S(publicKey, AIK)
+    end
+
+    P->>B: Return: KeyId, \narray of binding statements [BindingStatement1 {extraClaims....}, \nBindingStatement2 {extraCalims...}]
+    B->>B: Remember this key is for RP (and maybe path)
+
+    B->>I: Load sign-in\n\nx-ms-RefreshTokenCredential1{new_nonce}\nx-ms-DeviceCredential1{new_nonce}\n x-ms-RefreshTokenCredential2{new_nonce}\n x-ms-DeviceCredential2{new_nonce} ... \n\nSec-Session-BindingInfo: KeyId, PublicKey, \narray of binding statements [BindingStatement1 {extraClaims....}, \nBindingStatement2 {extraCalims...}]
+
+
+end
+
+opt SSO information is not sufficient
+    I->>B: Sign in ceremony
+    B->>I: Sign done
+end
+
+I->>B: Authorization code, KeyId
+
+
+note over W, B: Since DBSC session has been initialized already for RP, browser needs to generate JWT on redirect back
+B->>P: Request Sign JWT (path, RPChallenge, extraParams)
+P->>B: Return JWT Signature
+note over W, B: JWT is appended by the browser before returning the response from IDP back to the RP
+B->>W: Authorization code, KeyId, JWT
+W->>I: (confidential client request) redeem authorization code
+I->>W: (confidential client response) return id_token
+W->>W: parse id_token and validate binding, match with the JWT from the previous
+W->>B: Bound AuthCookie
+
+note over W, P: Refresh DBSC...
+B->>W: GET /securesession/refresh (sessionID)
+W->>B: Challenge, **extraParams**
+B->>P: Request Sign JWT (sessionID, RPChallenge, **extraParams**)
+P->>B: Return JWT Signature
+B->>W: GET /securesession/refresh (JWT)
+W->>W: Validate JWT (w/public key on file)
+W->>B: AuthCookie
@@ -0,0 +1,48 @@
+title IdP calls a public Local Key Helper
+
+autonumber 1
+participant "Relying Party" as W
+participant "IdP" as I
+participant "Browser" as B
+participant "Local Key Helper" as P
+participant "AttestationService" as A
+
+note over W, A: Sign in...
+W->>B: Start sign in (302)
+B->>I: Load sign-in (follow the 302)
+
+I->>B: Sec-Session-GenerateKey: \nRPUrl, IDPUrl, challenge=nonce, extraParams...\n\nSec-Session-HelperIdList: \n[HelperId1, HelperId2], HelperCacheTime
+B->>B: currentHelperId = \nEvaluate policy for (IdP, [HelperId1, HelperId2,...])
+B->>P: Pre-gen key and \nattest (RPUrl, IDPUrl, \nchallenge=nonce, extraParams...)
+
+P->>P: Generate Key
+
+P->>A: Get Binding Statement \n(publicKey, AIK, challenge=nonce)
+A->>P: Return binding statement \n{ nonce, thumbprint(publicKey), extraClaims... }
+P->>B: KeyId, \nReturn binding statement \n{ nonce, thumbprint(publicKey), extraClaims... }
+B->>B: Remember this key is for RP (and maybe path)
+B->>I: Sec-Session-Keys: KeyId, \nBinding statement \n{ nonce, thumbprint(publicKey), extraClaims... }
+I->>I: validate signature on the binding statement \n& nonce, store thumbprint
+
+I->>B: Sign in ceremony
+B->>I: Sign done
+
+I->>B: Auth tokens (with thumbprint), \nKeyId
+B->>W: Auth tokens (with thumbprint), \nKeyId
+
+note over W, A: Initiate DBSC ...
+W->>B: StartSession \n(challenge=nonce, token?, KeyId?, **extraParams...**)
+B->>P: Request Sign JWT \n(uri, challenge=nonce,\n token?, keyId?, **extraParams...**)
+P->>B: Return JWT Signature
+B->>W: POST /securesession/startsession (JWT, tokens)
+W->>W: Validate JWT, \n(w/ match thumbprint \nin the tokens)
+W->>B: AuthCookie
+
+note over W, A: Refresh DBSC...
+B->>W: GET /securesession/refresh (sessionID)
+W->>B: Challenge, **extraParams...**
+B->>P: Request Sign JWT (sessionID, **extraParams...**)
+P->>B: Return JWT Signature
+B->>W: GET /securesession/refresh (JWT)
+W->>W: Validate JWT \n(w/public key on file)
+W->>B: AuthCookie
@@ -0,0 +1,45 @@
+title IdP same as RP, calls a public Local Key Helper
+
+autonumber 1
+participant "Relying Party" as W
+participant "IdP" as I
+participant "Browser" as B
+participant "Local Key Helper" as P
+participant "AttestationService" as A
+
+note over W, A: Sign in...
+W->>B: Start sign in (302) \n\nSec-Session-GenerateKey: \nRPUrl, IDPUrl, challenge=nonce, extraParams...\n\nSec-Session-HelperIdList: \n[HelperId1, HelperId2], HelperCacheTime
+
+B->>B: currentHelperId = \nEvaluate policy for (IdP, [HelperId1, HelperId2,...])
+B->>P: Pre-gen key and \nattest (RPUrl, IDPUrl, challenge=nonce, extratParams...)
+
+P->>P: Generate Key
+
+P->>A: Get Binding Statement \n (publicKey, AIK, challenge=nonce)
+A->>P: Return binding statement \n{ nonce, thumbprint(publicKey), extraClaims... }
+P->>B: KeyId, \nReturn binding statement \n{ nonce, thumbprint(publicKey), extraClaims... }
+B->>B: Remember this key is for RP (and maybe path)
+B->>I: Load sign-in \nSec-Session-Keys: KeyId, \nBinding statement \n{ nonce,  thumbprint(publicKey), extraClaims... }
+I->>I: validate signature \non the binding statement and nonce, \nstore thumbprint
+
+I->>B: Sign in ceremony
+B->>I: Sign done
+
+I->>W: API(Auth tokens with thumbprint, KeyId)
+
+note over W, A: Initiate DBSC ...
+W->>B: 200 OK \nSec-Session-Registration: \npath, RPChallenge, token?, KeyId, extraParams
+B->>P: Request Sign JWT (uri, challenge, token?, keyId?, **extraParams...**)
+P->>B: Return JWT Signature
+B->>W: POST /securesession/startsession (JWT, tokens)
+W->>W: Validate JWT, \n(w/ match thumbprint in the tokens)
+W->>B: AuthCookie
+
+note over W, A: Refresh DBSC...
+B->>W: GET /securesession/refresh (sessionID)
+W->>B: Challenge, **extraParams...**
+B->>P: Request Sign JWT (sessionID, **extraParams...**)
+P->>B: Return JWT Signature
+B->>W: GET /securesession/refresh (JWT)
+W->>W: Validate JWT (w/public key on file)
+W->>B: AuthCookie