A partial archive of discourse.wicg.io as of Saturday February 24, 2024.

[Proposal] Smart Card API

dandrader
2022-08-11

The objective of this API is to enable smart card (PC/SC) applications to move to the Web platform. It gives them access to the PC/SC implementation (and card reader drivers) available in the host OS.

Smart cards are popular in the enterprise and governmental sectors. A governmental website could identify a citizen by communicating with a government-issued smart ID card inserted in a card reader without the need of external, native, applications. Similarly, an enterprise that issues smart cards to their employees could authenticate them in its corporate website using the employee’s card inserted in a smart card reader needing only the browser itself.

One might argue that there are better, more modern, ways than the low level, legacy, PC/SC, such as WebAuthn. But that won’t change the reality that PC/SC is widely used in some sectors of our society.

The explainer document has all the details.

Anonymous2292900
2022-08-12

@dandrader Hey! How are you?

I have some ideas to solve some of the smart card problems you listed… or I have these questions:

  1. What do you think about the context of smart cards within the blockchain?
  2. Would it be possible to have a smart card in blockchain as a wallet in your proposal? (yes or no)
  3. Would it be possible for a smart card to be temporary? (yes or no)
  4. Is it possible for the browser itself to store and manage these smart cards? (yes or no)
  5. Is it possible to use the SQRL protocol with smart cards? (yes or no)
  6. Is it possible to store smart cards inside Solid? (yes or no)

dandrader2
2023-04-18

Hi @Anonymous2292900,

I missed this post back then. Was reminded on Smart Card API · Issue #64 · WICG/proposals · GitHub. Sorry about that.

I’m not very familiar with cryptocurrency technology.

A common use case for smart cards is to use them to store private keys that cannot be extracted. Ie, you can ask the card to sign something but never access that private key that was used for signing. Assuming a cryptocurrency wallet is just a private key: yes.

Don’t understand the question.

Don’t quite understand the question. A smart card is a physical device, so a browser cannot “store” it.

I had a brief look at SQRL. I imagine one could store the Identity Master Key in a smart card then just send commands to the card to perform operations with that master key, having the card send back the results. But that would require a SQRL application on that card to process these commands. Unless both the key and the operations happen to be fairly standard so that a card that implements general cryptographic operations and protocols could do the job.

I don’t understand the question.

PS: I also managed to miss the second factor authentication I used on my original account, hence this new one.

Anonymous2292900
2023-04-19

Hi dandrader2, thanks for the response.

I asked about blockchain and cryptocurrency, because it’s one of the areas I’m currently studying. I study a lot about network protocols, blockchain regulation and cryptocurrency. I asked you about this initially because one of my later questions involves the idea of smart cards and blockchain. So, thank you for your response. I talk about it, because it is very important for my research, study.

To me, this smart card and blockchain use case is an interesting idea, or could be an interesting idea. In that regard, thank you for your feedback and taking the time to read and answer my question.

With the previous feedback, this question really doesn’t make sense. I asked if smart cards were temporary because in theory I thought they were a web spec without having a physical device. This was an initial mistake in thinking, as I had a lot of doubts about your proposal and I haven’t read much about that proposal.

So, I apologize for this pointless question.

Thanks for the feedback.

There are password managers that use the SQRL protocol or specification. I initially thought of storing my master password key on a physical device, a smart card.

I was talking about a solid project. I thought your proposal could be integrated into “solid-project”, because in theory you would have a physical device with a lot of personal information.

The idea of solid-project is to decentralize certain information. In my opinion, this could be done with smart cards. So, I asked, if your proposal could be applicable to solid-project. Because one of the biggest problems with solid-project is its massive adoption.

I initially thought of adding smart-cards as something extensible to solid-project. Do you think adding smart cards in solid-project makes sense?

Would it be possible to store a hardware key with a smart card? Please, see this: [Proposal] Built-in E2E encryption into web browsers

A smart card use case can or should be or should/could be the idea of hardware key storage. Is this idea correct? Is it interesting?

dandrader2
2023-04-19

Going into what smart cards can and cannot do, ie, discussing the smart card technology itself, is deviating a bit from the topic.

I think the discussion here should rather focus on the web API itself. Eg:

  1. Is it useful and/or desirable for web apps to access smart cards? Is there interest?
  2. What are the security and privacy implications of web apps having such access? How should such access be controlled (permissions)?
  3. What should the API itself look like?