- From: Mountie Lee <mountie@paygate.net>
- Date: Thu, 9 May 2013 11:19:03 +0900
- To: Anne van Kesteren <annevk@annevk.nl>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CAE-+aYLNS62EXpXz=MbsyZRMAdDkZ1SFK8JkZ2bWEmy0x25tPQ@mail.gmail.com>
Hi. thanks. I think cross-origin key sharing will be discussed in WebCrypto WG more. my question for WebAppSec is does the Resource of CORS stands for remote Resource only? can the local resources (not just for cryptography key) be in scope of CORS? regards mountie. On Thu, May 9, 2013 at 11:02 AM, Anne van Kesteren <annevk@annevk.nl> wrote: > On Wed, May 8, 2013 at 6:43 PM, Mountie Lee <mountie@paygate.net> wrote: > > WebCrypto API specification follow same-origin security policy for > > cryptography key. > > > > the cryptography key which will be symmetric or asymmetric key is > currently > > origin-specific and stored in local indexDB of UA. > > > > but > > > > by considering UseCases of EU (eID..) or Korea (National Certificate) > > we need cross-origin operation. > > > > I think, > > if "Access-Control-Allow-Origin" header has the list of URLs, > > the origin-specific local keys can be shared on the URLs of CORS header. > > does it make sense? > > Okay, so > https://dvcs.w3.org/hg/webcrypto-api/raw-file/tip/spec/Overview.html#dfn-Key > is tied to an origin? That does not seem very well defined in the > specification apart from in some notes around the subject. In any > event, CORS is not going to help you sharing that key with other > origins. You need a different solution. E.g. a way to obtain a key > that's not tied to an origin. > > > -- > http://annevankesteren.nl/ > -- Mountie Lee PayGate CTO, CISSP Tel : +82 2 2140 2700 E-Mail : mountie@paygate.net ======================================= PayGate Inc. THE STANDARD FOR ONLINE PAYMENT for Korea, Japan, China, and the World
Received on Thursday, 9 May 2013 02:19:47 UTC