Intent to Prototype: Web Smart Card API

[Daniel d'Andrada]

Contact emails

dand...@google.com

Explainer

https://github.com/dandrader/web-smart-card/blob/main/README.md

Summary

Enables smart card (PC/SC) applications to move to the Web platform. It gives them access to the PC/SC implementation (and card reader drivers) available in the host OS.

Blink component

Blink

Motivation

While there are other APIs that provide the right level of abstraction and security properties for identity on the Web, such as WebAuthn, there are domain-specific functions which can't be captured by such higher-level APIs. A remote access (aka "remote desktop") web app letting the remote machine access the host's card reader as if it were directly connected to it. Enabling PC/SC applications on that remote machine to work without modification, unaware that the card reader is not local. A web-based kiosk could read even simple RFID badges via PC/SC and then display relevant information on a screen. It's also not uncommon for such readers to need control commands to put them into the proper state for reading the particular type of card the application supports.

Initial public proposal

https://github.com/WICG/proposals/issues/64

TAG review status

Pending

Risks

Interoperability and Compatibility

Gecko: No signal

WebKit: No signal

Web developers: No signals

Other signals: PC/SC developers. Generally positive. (see e-mail thread)

WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?

No

Debuggability

Is this feature fully tested by web-platform-tests?

No

Flag name

SmartCard

Requires code in //chrome?

Yes. Similarly to other device APIs like WebHID and WebUSB.

Estimated milestones

No milestones specified

Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/6411735804674048

This intent message was generated by Chrome Platform Status.

[Reilly Grant]

Not mentioned above but included in the explainer: To mitigate some of the obvious security concerns this API will only be available to Isolated Web Apps.

Reilly Grant | Software Engineer | rei...@chromium.org | Google Chrome

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CA%2BenBd9j9Ucy-BKqfQSk9hZxVG6-qm4H6X3%3DxT9U86KpiOpKeA%40mail.gmail.com.

[agowa338]

What's the difference between this proposal to just using HTTPS client auth with a certificate on a smartcard? That's basically what we've been using for decades now...

[Thomas Duboucher]

Hi,

Client side-TLS is the web client performing the authentication of the TLS session with a client certificate and private key stored on a smartcard available through a PKCS#11 middleware. This functionality is exclusively limited to the authentication of the session, and the web application has no interaction at all with the smartcard, except from getting the client certificate to identify the user.

Here, the web application and service provider would be able to discuss directly with an application on a smartcard. There are _many_ applications, so there can be many usages:

- card present web payment,

- updating subscription in a transit card,

- authentication with an eId card,

Best regards,

[Christian Biesinger]

While I don't know if this specific proposal would support it, things like the various EU countries' citizen cards (using their national IDs for authenticating to government services) do not use TLS client certs, instead relying on other software that needs to be installed.

Christian

To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/2539271a-7eee-468b-8e28-17f19ad4ed02n%40chromium.org.

[Tom Jones]

It is not possible to get onto DOD sites today without loading certs, so there are lots of hills to climb.

I would like to start testing this asap - what do I need to do?

..tom

To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAPTJ0XFndAAn1vXgLQzhGtf4oZAqidAHULDM177Su7SnGyA7hA%40mail.gmail.com.