Open guylouis opened 5 years ago
Our conclusion on this was that we can't interact with the card natively through USB & PC/SC without some extension added to the browser, on the desktop.
What about on mobile? Can a mobile browser natively send APDUs to a smartcard through NFC?
On the desktop, we have roughly the following stack, regardless of whether the device is contacted or NFC and with small differences between OS.
The PCSC server "sees" all connected USB SmartCard readers and reserves them. It then makes them available through the PCSC API to any program. A browser could, in theory, expose the PCSC API to JavaScript, but this does not happen at the moment. It'd likely be possible to work around this with a browser extension running native code.
Then there is the Authentication framework, which allows using a SmartCard with a specific applet as an authentication provider. This can be used to log on to the system, but also by a web browser to authenticate to a site. This framework can be more or less invasive and could be a problem for a browser extension at the PCSC level (because of the bad habit of this framework to send commands to any card as soon as you insert it). On some OSes this is also extensible and could be another entry point for a browser extension.
On mobile, as far as I know, there is no general framework for SmartCard access, so a browser supporting WebUSB should in theory be able to access the reader, given that a JavaScript CCID driver implementation is provided. This could solve the problem for an externally connected USB smartcard reader. The internal NFC reader (which is not necessarily connected through the USB bus) is not going to be accessible through WebUSB. Also, I think only Chrome on Android supports WebUSB and I am not aware of a solution for iOS.
There is a draft WebNFC API which covers access to NDEF records, and we could in theory use that by using the content of a tag-write command as an APDU and writing the response in a record which could then be read by a tag-read command. This is most likely not going to be very efficient and also I doubt there is any browser support at the moment. It'd require major development effort applet-side.
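To make the "JavaScript CCID driver" idea from the comment above concrete, here is the message framing such a driver would need for one APDU exchange, with the checks a driver should apply to the reader's reply. This is an added example, not part of the original thread or of the Keycard code base; the function names, the placeholder AID and the sample reply bytes are constructed for illustration.

```javascript
// CCID bulk-message framing for one APDU exchange (USB CCID spec rev 1.1, section 6).
const PC_TO_RDR_XFRBLOCK = 0x6f;
const RDR_TO_PC_DATABLOCK = 0x80;
const HEADER_LEN = 10;

// Wrap a command APDU in a PC_to_RDR_XfrBlock message for the bulk-OUT endpoint.
function buildXfrBlock(apdu, seq, slot = 0) {
  const msg = new Uint8Array(HEADER_LEN + apdu.length);
  const view = new DataView(msg.buffer);
  view.setUint8(0, PC_TO_RDR_XFRBLOCK);   // bMessageType
  view.setUint32(1, apdu.length, true);   // dwLength, little-endian
  view.setUint8(5, slot);                 // bSlot
  view.setUint8(6, seq & 0xff);           // bSeq, echoed back by the reader
  // bytes 7..9 stay zero: bBWI = 0, wLevelParameter = 0 (short APDU, no chaining)
  msg.set(apdu, HEADER_LEN);
  return msg;
}

// Validate an RDR_to_PC_DataBlock from bulk-IN and split response data from SW1SW2.
function parseDataBlock(msg, expectedSeq, slot = 0) {
  if (msg.length < HEADER_LEN) throw new Error("short CCID header");
  const view = new DataView(msg.buffer, msg.byteOffset, msg.byteLength);
  if (view.getUint8(0) !== RDR_TO_PC_DATABLOCK) throw new Error("unexpected message type");
  const len = view.getUint32(1, true);
  if (len !== msg.length - HEADER_LEN) throw new Error("dwLength does not match payload");
  if (view.getUint8(5) !== slot || view.getUint8(6) !== (expectedSeq & 0xff))
    throw new Error("slot/sequence mismatch");
  const status = view.getUint8(7);        // bStatus
  // bmCommandStatus (bits 7..6): 0 = ok, 1 = failed, 2 = time extension.
  // A full driver would keep reading on 2; this example rejects anything but 0.
  if ((status >> 6) !== 0)
    throw new Error("command not completed, bError=0x" + view.getUint8(8).toString(16));
  if (len < 2) throw new Error("response APDU lacks status word");
  const body = msg.subarray(HEADER_LEN);
  return { data: body.subarray(0, len - 2), sw: (body[len - 2] << 8) | body[len - 1] };
}

// Constructed sample: ISO 7816 SELECT by AID with a placeholder AID, and a reader reply.
const selectApdu = Uint8Array.from([0x00, 0xa4, 0x04, 0x00, 0x04, 0xa0, 0x00, 0x00, 0x01]);
const request = buildXfrBlock(selectApdu, 1);
const reply = Uint8Array.from([0x80, 2, 0, 0, 0, 0, 1, 0x00, 0x00, 0x00, 0x90, 0x00]);
const { sw } = parseDataBlock(reply, 1);
console.log(request.length, sw.toString(16)); // 19 9000
```

In a browser, the framed request would be passed to WebUSB's `transferOut` on the reader's bulk-OUT endpoint and the reply read with `transferIn`; the card must also be powered on with a separate CCID message first, which this example leaves out.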
Another note: I think the walletconnect scenario is the most feasible one. We could develop a Keycard Server (to run locally) and define a JavaScript API that would give access to the Keycard. The API could either expose the low-level APDU interface or even be a more high-level API, like the SDK.
Let's not forget to do this if we ever integrate wallet connect in Status!
It would make a lot of sense to allow web apps to communicate with our smartcard on a desktop.
Trusted web apps could use the card to sign transactions, or use the card as a second authentication factor (proof of having the card, proof of knowledge through PIN entry).
Our card is accessible through a PC/SC interface. This is the main hurdle to overcome here.
Ideally (from a user perspective) we'd like to do that without any extension to the browser, or driver installed. It seems that this is not possible through existing browsers and JavaScript only. See some discussions here
As a back-up we can think of other possible solutions