Intent to Prototype: Web Smart Card API

483 views
Skip to first unread message

Daniel d'Andrada

unread,
Sep 21, 2022, 11:00:34 AM9/21/22
to blin...@chromium.org

Contact emails

dand...@google.com

Explainer

https://github.com/dandrader/web-smart-card/blob/main/README.md

Summary

Enables smart card (PC/SC) applications to move to the Web platform. It gives them access to the PC/SC implementation (and card reader drivers) available in the host OS.



Blink component

Blink

Motivation

While there are other APIs that provide the right level of abstraction and security properties for identity on the Web, such as WebAuthn, there are domain-specific functions which can't be captured by such higher-level APIs. A remote access (aka "remote desktop") web app letting the remote machine access the host's card reader as if it were directly connected to it. Enabling PC/SC applications on that remote machine to work without modification, unaware that the card reader is not local. A web-based kiosk could read even simple RFID badges via PC/SC and then display relevant information on a screen. It's also not uncommon for such readers to need control commands to put them into the proper state for reading the particular type of card the application supports.



Initial public proposal

https://github.com/WICG/proposals/issues/64


TAG review status

Pending

Risks



Interoperability and Compatibility



Gecko: No signal

WebKit: No signal

Web developers: No signals

Other signals: PC/SC developers. Generally positive. (see e-mail thread)

WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?

No



Debuggability



Is this feature fully tested by web-platform-tests?

No

Flag name

SmartCard

Requires code in //chrome?

Yes. Similarly to other device APIs like WebHID and WebUSB.

Estimated milestones

No milestones specified



Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/6411735804674048

This intent message was generated by Chrome Platform Status.

Reilly Grant

unread,
Sep 21, 2022, 2:41:56 PM9/21/22
to Daniel d'Andrada, blin...@chromium.org
Not mentioned above but included in the explainer: To mitigate some of the obvious security concerns this API will only be available to Isolated Web Apps.
Reilly Grant | Software Engineer | rei...@chromium.org | Google Chrome


--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CA%2BenBd9j9Ucy-BKqfQSk9hZxVG6-qm4H6X3%3DxT9U86KpiOpKeA%40mail.gmail.com.

agowa338

unread,
Sep 21, 2022, 5:13:38 PM9/21/22
to blink-dev, rei...@chromium.org, blin...@chromium.org, dand...@google.com
What's the difference between this proposal to just using HTTPS client auth with a certificate on a smartcard? That's basically what we've been using for decades now...

Thomas Duboucher

unread,
Sep 22, 2022, 11:44:03 AM9/22/22
to blink-dev, agowa338, rei...@chromium.org, blin...@chromium.org, dand...@google.com
Hi,

Client side-TLS is the web client performing the authentication of the TLS session with a client certificate and private key stored on a smartcard available through a PKCS#11 middleware. This functionality is exclusively limited to the authentication of the session, and the web application has no interaction at all with the smartcard, except from getting the client certificate to identify the user.

Here, the web application and service provider would be able to discuss directly with an application on a smartcard. There are _many_ applications, so there can be many usages:
- card present web payment,
- updating subscription in a transit card,
- authentication with an eId card,

Best regards,

Christian Biesinger

unread,
Sep 23, 2022, 12:09:50 PM9/23/22
to agowa338, rei...@chromium.org, blin...@chromium.org, dand...@google.com
While I don't know if this specific proposal would support it, things like the various EU countries' citizen cards (using their national IDs for authenticating to government services) do not use TLS client certs, instead relying on other software that needs to be installed.

Christian

Tom Jones

unread,
Sep 23, 2022, 12:22:02 PM9/23/22
to Christian Biesinger, agowa338, rei...@chromium.org, blin...@chromium.org, dand...@google.com
It is not possible to get onto DOD sites today without loading certs, so there are lots of hills to climb.
I would like to start testing this asap - what do I need to do?
..tom


Reply all
Reply to author
Forward
0 new messages