- From: Mountie Lee <mountie@paygate.net>
- Date: Wed, 12 Feb 2014 09:05:55 +0900
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CAE-+aYK_1e1DffqOKZ+NZ9d02NtAQy24XJrfCq5cnvizm=88bw@mail.gmail.com>
Hi. I have some questions.

Have we (the WebAppSec members) discussed CORS for local resources? Web Storage (IDB, LocalStorage, ...) and other origin-specific resources are bound to the same origin.

In the WebCrypto WG, they are starting to touch on certificate issues. One of the problems that has come up is the Same-Origin Policy. The current API design idea is that the cryptographic keys are bound to the same origin, but once the keys are escalated to certificate level, the SOP conflicts with the existing user experience of TLS client certificates.

Common use cases with certificates are as follows:

1. The user generates a keypair on site-A.
2. The user sends a certificate signing request via the PKCS#10 or CMP mechanism to the CA (site-B), on the CA (site-B).
   ==> first conflict (cannot generate the CSR on site-B because of the SOP)
3. Anyway, after installing the certificate into the UA, the user visits site-C and sends a signature to site-C.
   ==> second conflict (cannot access the certificate keypair which was generated on site-A, or get the certificate from site-B)

I have already reviewed postMessage and other cross-origin mechanisms, but those are not the best.

Any comment?

--
Mountie Lee
PayGate CTO, CISSP
Tel : +82 2 2140 2700
E-Mail : mountie@paygate.net
=======================================
PayGate Inc.
THE STANDARD FOR ONLINE PAYMENT
for Korea, Japan, China, and the World
Received on Wednesday, 12 February 2014 00:06:41 UTC