origin free key access in web security model

I'm Member of WebCrypto WG.
the working group is trying to define crypto related APIs in user agents.

one of my issue is about origin-free key access.

the key is important material in WebCrypto API which can be used for
encrypting, signing, verifying and so on.
and the key is bound to same-origin policy that is one of important web
security models.

when we review the policy with key ownership issue,
it has some conflict with current security model.

if the key is owned by provisioner mostly like web applications or service
provider as server side,
same-origin policy has no issue.


if the  key is owned by user (as the human), same-origin policy has some
conflict with current use cases.

key means certificate and it's binded private key.

normally certificate key pair owner will think "this is MY KEY"
in some case, it is stored in secure token like smartcard and possessed in
user's pocket.

with current TLS client certificate key pair, the key can be used on any
sites with user's decision

WebCrypto API is trying to control TLS session and certificate key pair
with API.

but between participants, still we fail to get agreement for origin-free
security model for certificate key pair.

my suggestion was
when the certificate is valid and has trust chain up to browser's trusted
root CA, the certificate key pair should be origin free.

I have reviewed many countermeasures of same-origin policy like CORS,
script-src, postMessage
those are not match our non-US banking use cases (Korea and EU...)

is my suggestion acceptable in web security model?


Mountie Lee

Tel : +82 2 2140 2700
E-Mail : mountie@paygate.net

PayGate Inc.
for Korea, Japan, China, and the World

Received on Wednesday, 1 May 2013 03:21:42 UTC