Re: Follow-up. Re: Use case: Authenticate using eID

Hi.
let me rewrite my understanding for postMessage.

let's assume
Key-A has origin-A and no Key is associated with origin-B.

if an user visit origin-A
user is able to generate signature with Key-A
and send it to origin-B via postMessage.

if an user visit origin-B
user is unable to generate signature with Key-A
and has nothing to send via postMessage.

normally original text for signature will be prepared by origin-B.

I'm not trying to be negative attitude.
just I'm trying to find acceptable solution for my use case.

still I need help.

regards
mountie.


On Wed, May 15, 2013 at 5:00 AM, Arun Ranganathan <arun@mozilla.com> wrote:

> On May 13, 2013, at 4:38 PM, Aymeric Vitte wrote:
>
> In another email, you wrote "2. The key can be shared with origin 2 via
> cross-origin messaging." (
> http://lists.w3.org/Archives/Public/public-webcrypto/2013May/0036.html),
> I don't see how CORS could apply here, withCredentials or not, CORS is only
> about sending/receiving things to/from other origins and sharing some
> stringyfiable things or cookies uses, you can not share keys, the best you
> can do is to send some information to allow another origin to find the keys.
>
> Maybe I am missing something but what is the idea here?
>
>
>
> (I was responding to your point about IndexedDB being a "mega-Cookie" and
> unwisely elected to discuss differences in how Cookies can be used vs.
> client-side stores.  I'm sorry if this was confusing.  These technologies
> are unrelated to our discussion of Crypto and cross-origin messaging.)
>
>


-- 
Mountie Lee

PayGate
CTO, CISSP
Tel : +82 2 2140 2700
E-Mail : mountie@paygate.net

=======================================
PayGate Inc.
THE STANDARD FOR ONLINE PAYMENT
for Korea, Japan, China, and the World