[Pcsclite-muscle] Proposal for a Web API for smart cards

Sebastien Lorquet sebastien at lorquet.fr
Thu Aug 25 01:35:46 PDT 2022

Hi Daniel,

Your API feels like a very good idea (GP and PKCS11 are too applicative) 
and would be useful for us (we are stuck with a proprietary ActiveX 
running in Edge in IE mode).

However it feels a bit like XKCD #927...

It would be good however if such an API managed to enter the mainline 
browsers or be implementable with simple plugins that would work across 
all OSes and browsers. In particular Firefox (and Chrome) on Windows, 
which probably have the largest market share.


On 17/08/2022 at 18:35, Daniel d'Andrada wrote:
> Hi Ludovic,
> The idea is to enable applications that rely specifically on PC/SC to
> be delivered as web apps instead of native apps.
> The AusweisApp2[1] for instance uses APDUs and sends control commands
> to tell the reader device to establish a PACE channel with the card.
> It also sends another control command to detect if the reader at hand
> declares PACE support in the first place, because otherwise it
> implements PACE directly in the host. And then you have the browser
> talking to this app. That API would enable AusweisApp2 to be a web app
> for instance.
> Another example is remote access (or "remote desktop") applications.
> They can enable the remote system, and the applications in that remote
> system, to transparently access the card reader in the computer that
> is running that remote access app. That also requires PC/SC API level.
> Or a web-based kiosk with a card reader that reads RFID tags/badges
> and changes its Web UI accordingly.
> [1] https://www.ausweisapp.bund.de/en/home
> On Sat, Aug 13, 2022 at 3:25 PM Ludovic Rousseau
> <ludovic.rousseau at gmail.com> wrote:
>> Hello Daniel,
>> On Fri, 12 Aug 2022 at 17:44, Daniel d'Andrada <dandrader at google.com> wrote:
>>> [1] https://chromestatus.com/feature/6411735804674048
>> From the web page above:
>> "Motivation
>> Smart cards are popular in the enterprise and governmental sectors. A
>> governmental website could identify a citizen by communicating with a
>> government-issued smart ID card inserted in a card reader without the
>> need of external, native, applications. Similarly, an enterprise that
>> issues smart cards to their employees could authenticate them in its
>> corporate website using the employee's card inserted in a smart card
>> reader needing only the browser itself."
>> This is what PKCS#11 is used for. You can do a client web
>> authentication using your employee badge.
>> Do you plan to (re)implement a PKCS#11 library equivalent (something
>> like OpenSC) in JavaScript in the web page?
>> What are the problems with the "external, native, applications"?
>> Regards,
>> --
>>   Dr. Ludovic Rousseau
>> _______________________________________________
>> pcsclite-muscle mailing list
>> pcsclite-muscle at lists.infradead.org
>> http://lists.infradead.org/mailman/listinfo/pcsclite-muscle
