Re: Follow-up. Re: Use case: Authenticate using eID

Let me rewrite my understanding of postMessage.

Let's assume
Key-A has origin-A and no key is associated with origin-B.

If a user visits origin-A,
the user is able to generate a signature with Key-A
and send it to origin-B via postMessage.

If a user visits origin-B,
the user is unable to generate a signature with Key-A
and has nothing to send via postMessage.

Normally the original text for the signature will be prepared by origin-B.

I'm not trying to have a negative attitude.
I'm just trying to find an acceptable solution for my use case.

I still need help.


On Wed, May 15, 2013 at 5:00 AM, Arun Ranganathan <> wrote:

> On May 13, 2013, at 4:38 PM, Aymeric Vitte wrote:
> In another email, you wrote "2. The key can be shared with origin 2 via
> cross-origin messaging." (
> I don't see how CORS could apply here, withCredentials or not, CORS is only
> about sending/receiving things to/from other origins and sharing some
> stringifiable things or cookies uses, you cannot share keys, the best you
> can do is to send some information to allow another origin to find the keys.
> Maybe I am missing something but what is the idea here?
> (I was responding to your point about IndexedDB being a "mega-Cookie" and
> unwisely elected to discuss differences in how Cookies can be used vs.
> client-side stores.  I'm sorry if this was confusing.  These technologies
> are unrelated to our discussion of Crypto and cross-origin messaging.)

Mountie Lee

Tel : +82 2 2140 2700
E-Mail :

PayGate Inc.
for Korea, Japan, China, and the World

Received on Wednesday, 15 May 2013 07:52:32 UTC
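
The exchange described in the message above, as an added example that is not part of the original thread or of any specification text: origin-B prepares the text, origin-A signs it with a non-extractable Key-A, and only the signature crosses origins. The origin URLs, function names and the pre-registered public key are assumptions, and the postMessage hops are simulated with plain `{origin, data}` objects so the sketch runs outside a browser.

```javascript
// Added example: the two postMessage hops are simulated with plain {origin, data} objects.
// ORIGIN_A, ORIGIN_B and every function name here are hypothetical.
const wc = globalThis.crypto ?? require('node:crypto').webcrypto;
const ORIGIN_A = 'https://origin-a.example'; // origin that Key-A is bound to
const ORIGIN_B = 'https://origin-b.example'; // origin with no key
const ALG = { name: 'ECDSA', namedCurve: 'P-256' };
const SIG = { name: 'ECDSA', hash: 'SHA-256' };

// origin-A: Key-A is non-extractable, so only signatures can leave this origin.
async function originA_setup() {
  const keyA = await wc.subtle.generateKey(ALG, false, ['sign', 'verify']);
  // Assumption: the public half was registered with origin-B beforehand.
  return { keyA, publicJwk: await wc.subtle.exportKey('jwk', keyA.publicKey) };
}

// origin-A message handler: sign only text that arrived from origin-B.
async function originA_onMessage(event, keyA) {
  if (event.origin !== ORIGIN_B) return null; // unknown sender, no signature
  const signature = await wc.subtle.sign(SIG, keyA.privateKey, event.data.text);
  // In a browser the reply is event.source.postMessage(data, ORIGIN_B), never '*'.
  return { origin: ORIGIN_A, data: { signature } };
}

// origin-B message handler: accept a reply only from origin-A, and verify it
// against the text origin-B itself prepared, not against anything echoed back.
async function originB_onMessage(event, preparedText, publicJwk) {
  if (!event || event.origin !== ORIGIN_A) return false;
  const pub = await wc.subtle.importKey('jwk', publicJwk, ALG, false, ['verify']);
  return wc.subtle.verify(SIG, pub, event.data.signature, preparedText);
}

// Full round trip; requestOrigin lets a caller model a request from another origin.
async function runExchange(requestOrigin = ORIGIN_B) {
  const { keyA, publicJwk } = await originA_setup();
  const text = wc.getRandomValues(new Uint8Array(32)); // fresh text prepared by origin-B
  const reply = await originA_onMessage({ origin: requestOrigin, data: { text } }, keyA);
  return originB_onMessage(reply, text, publicJwk);
}
```

Both handlers compare `event.origin` against a fixed value, which is what keeps a third origin from requesting signatures from origin-A or injecting a reply into origin-B.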