
Re: Follow-up. Re: Use case: Authenticate using eID

From: Ryan Sleevi <sleevi@google.com>
Date: Wed, 15 May 2013 01:14:16 -0700
Message-ID: <CACvaWvbJjv7UG_Acz3FWCPJWj07ivS=J3ASh2PpgyyLCkGk9ZA@mail.gmail.com>
To: "mountie.lee@gmail.com" <mountie@paygate.net>
Cc: arun@mozilla.com, Aymeric Vitte <vitteaymeric@gmail.com>, "public-webcrypto@w3.org Group" <public-webcrypto@w3.org>

Have origin B load Origin A in an iframe, postMessage the message to be
signed to Origin A via the iframe, have Origin A perform the signature, and
postMessage it back to origin B via parent.

The actual message is never sent remotely - postMessage is entirely within
the UA. As long as you trust Origin A, this remains true.

This is the exact same security assumption when you deploy native
middleware apps - you trust the middleware vendor to not include back doors.

On May 15, 2013 12:53 AM, "Mountie Lee" <mountie@paygate.net> wrote:

> Hi.
> let me rewrite my understanding for postMessage.
>
> let's assume
> Key-A has origin-A and no Key is associated with origin-B.
>
> if a user visits origin-A
> user is able to generate signature with Key-A
> and send it to origin-B via postMessage.
>
> if a user visits origin-B
> user is unable to generate signature with Key-A
> and has nothing to send via postMessage.
>
> normally original text for signature will be prepared by origin-B.
>
> I'm not trying to have a negative attitude.
> I'm just trying to find an acceptable solution for my use case.
>
> still I need help.
>
> regards
> mountie.
>
>
> On Wed, May 15, 2013 at 5:00 AM, Arun Ranganathan <arun@mozilla.com> wrote:
>
>> On May 13, 2013, at 4:38 PM, Aymeric Vitte wrote:
>>
>> In another email, you wrote "2. The key can be shared with origin 2 via
>> cross-origin messaging." (
>> http://lists.w3.org/Archives/Public/public-webcrypto/2013May/0036.html),
>> I don't see how CORS could apply here, withCredentials or not, CORS is only
>> about sending/receiving things to/from other origins and sharing some
>> stringifiable things or cookies uses, you can not share keys, the best you
>> can do is to send some information to allow another origin to find the keys.
>>
>> Maybe I am missing something but what is the idea here?
>>
>>
>>
>> (I was responding to your point about IndexedDB being a "mega-Cookie" and
>> unwisely elected to discuss differences in how Cookies can be used vs.
>> client-side stores.  I'm sorry if this was confusing.  These technologies
>> are unrelated to our discussion of Crypto and cross-origin messaging.)
>>
>>
>
>
> --
> Mountie Lee
>
> PayGate
> CTO, CISSP
> Tel : +82 2 2140 2700
> E-Mail : mountie@paygate.net
>
>  =======================================
> PayGate Inc.
> THE STANDARD FOR ONLINE PAYMENT
> for Korea, Japan, China, and the World
>
>
>
Received on Wednesday, 15 May 2013 08:14:44 UTC
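
The iframe signing flow described in the message above, as an added example that is not part of the original post. The origins, the allow-list, the message shape ({ id, text }) and the function names are assumptions made for illustration; the handlers take the message event as a parameter so both sides' origin checks can be exercised outside a browser.

```javascript
// Added example; origins, names and message shape are assumptions.
// In a browser this is window.crypto.subtle; the fallback lets it run in Node.
const subtle = (globalThis.crypto || require("node:crypto").webcrypto).subtle;

const SIGNER_ORIGIN = "https://origin-a.example";               // holds Key-A
const RELYING_PARTIES = new Set(["https://origin-b.example"]);  // may request signatures
const ALG = { name: "ECDSA", hash: "SHA-256" };

// Origin A, running inside the iframe: sign only for allow-listed embedders.
async function handleSignRequest(event, privateKey) {
  if (!RELYING_PARTIES.has(event.origin)) return null;   // unknown parent: ignore
  const { id, text } = event.data || {};
  if (typeof id !== "string" || typeof text !== "string") return null;
  const sig = await subtle.sign(ALG, privateKey, new TextEncoder().encode(text));
  const reply = { id, signature: new Uint8Array(sig) };
  // Reply to the requesting window only, with an explicit targetOrigin (never "*").
  event.source.postMessage(reply, event.origin);
  return reply;
}

// Origin B, the parent page: accept a reply only if it comes from the
// signer's origin, from the iframe window B created, for the pending request.
function acceptReply(event, frameWindow, pendingId) {
  const trusted = event.origin === SIGNER_ORIGIN &&
                  event.source === frameWindow &&
                  Boolean(event.data) && event.data.id === pendingId;
  return trusted ? event.data.signature : null;
}

// Browser wiring, Origin A (iframe document):
//   window.addEventListener("message", e => handleSignRequest(e, keyA));
// Browser wiring, Origin B (parent document):
//   frame.contentWindow.postMessage({ id, text }, SIGNER_ORIGIN);
//   window.addEventListener("message", e => {
//     const sig = acceptReply(e, frame.contentWindow, id);
//     if (sig) { /* send text + sig to B's server for verification */ }
//   });
```

The private key never leaves Origin A; Origin B only ever sees the text it supplied and the resulting signature.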
