Intent to Prototype: Web Smart Card API

Skip to first unread message

Daniel d'Andrada

Sep 21, 2022, 11:00:34 AM9/21/22

Contact emails



Enables smart card (PC/SC) applications to move to the Web platform. It gives them access to the PC/SC implementation (and card reader drivers) available in the host OS.

Blink component



While there are other APIs that provide the right level of abstraction and security properties for identity on the Web, such as WebAuthn, there are domain-specific functions which can't be captured by such higher-level APIs. A remote access (aka "remote desktop") web app letting the remote machine access the host's card reader as if it were directly connected to it. Enabling PC/SC applications on that remote machine to work without modification, unaware that the card reader is not local. A web-based kiosk could read even simple RFID badges via PC/SC and then display relevant information on a screen. It's also not uncommon for such readers to need control commands to put them into the proper state for reading the particular type of card the application supports.

Initial public proposal

TAG review status



Interoperability and Compatibility

Gecko: No signal

WebKit: No signal

Web developers: No signals

Other signals: PC/SC developers. Generally positive. (see e-mail thread)

WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?



Is this feature fully tested by web-platform-tests?


Flag name


Requires code in //chrome?

Yes. Similarly to other device APIs like WebHID and WebUSB.

Estimated milestones

No milestones specified

Link to entry on the Chrome Platform Status

This intent message was generated by Chrome Platform Status.

Reilly Grant

Sep 21, 2022, 2:41:56 PM9/21/22
to Daniel d'Andrada,
Not mentioned above but included in the explainer: To mitigate some of the obvious security concerns this API will only be available to Isolated Web Apps.
Reilly Grant | Software Engineer | | Google Chrome

You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
To view this discussion on the web visit


Sep 21, 2022, 5:13:38 PM9/21/22
to blink-dev,,,
What's the difference between this proposal to just using HTTPS client auth with a certificate on a smartcard? That's basically what we've been using for decades now...

Thomas Duboucher

Sep 22, 2022, 11:44:03 AM9/22/22
to blink-dev, agowa338,,,

Client side-TLS is the web client performing the authentication of the TLS session with a client certificate and private key stored on a smartcard available through a PKCS#11 middleware. This functionality is exclusively limited to the authentication of the session, and the web application has no interaction at all with the smartcard, except from getting the client certificate to identify the user.

Here, the web application and service provider would be able to discuss directly with an application on a smartcard. There are _many_ applications, so there can be many usages:
- card present web payment,
- updating subscription in a transit card,
- authentication with an eId card,

Best regards,

Christian Biesinger

Sep 23, 2022, 12:09:50 PM9/23/22
to agowa338,,,
While I don't know if this specific proposal would support it, things like the various EU countries' citizen cards (using their national IDs for authenticating to government services) do not use TLS client certs, instead relying on other software that needs to be installed.


Tom Jones

Sep 23, 2022, 12:22:02 PM9/23/22
to Christian Biesinger, agowa338,,,
It is not possible to get onto DOD sites today without loading certs, so there are lots of hills to climb.
I would like to start testing this asap - what do I need to do?

Reply all
Reply to author
0 new messages