W3C's/Gemalto's Web-based SC interface

W3C's/Gemalto's Web-based SC interface

Anders Rundgren-2
Maybe of interest:

http://opoto.github.io/secure-element

Is this the right approach?  Time will tell but I'm personally skeptical about
the interoperability.  But maybe this will finally relieve us from installing
unique card-drivers since the server can sort of "emulate" those?

FWIW, I have finished converting SKS/KeyGen2 from XML to JSON and it was
an instant hit in terms of improved performance and reduced complexity:
https://openkeystore.googlecode.com/svn/resources/trunk/docs/sks-api-arch.pdf
Is it as beautiful as before?  Maybe not, but readability has IMO gained by JSON's
somewhat primitive constructs.

Cheers
Anders


------------------------------------------------------------------------------
October Webinars: Code for Performance
Free Intel webinars can help you accelerate application performance.
Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from
the latest Intel processors and coprocessors. See abstracts and register >
http://pubads.g.doubleclick.net/gampad/clk?id=60135031&iu=/4140/ostg.clktrk
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel

Re: W3C's/Gemalto's Web-based SC interface

Martin Paljak-4
On Sat, Oct 19, 2013 at 12:47 PM, Anders Rundgren
<[hidden email]> wrote:
> http://opoto.github.io/secure-element
>
> Is this the right approach?  Time will tell but I'm personally skeptical about
> the interoperability.  But maybe this will finally relieve us from installing
> unique card-drivers since the server can sort of "emulate" those?

I don't see how it differs that much from http://www.sconnect.com/FAQ/.
YAAI - Yet Another APDU Interface, I don't see browsers having
ethernet capabilities exposed via javascript, but it feels the same.

--
Martin
+372 515 6495


Re: W3C's/Gemalto's Web-based SC interface

Anders Rundgren-2
On 2013-10-19 12:02, Martin Paljak wrote:

> On Sat, Oct 19, 2013 at 12:47 PM, Anders Rundgren
> <[hidden email]> wrote:
>> http://opoto.github.io/secure-element
>>
>> Is this the right approach?  Time will tell but I'm personally skeptical about
>> the interoperability.  But maybe this will finally relieve us from installing
>> unique card-drivers since the server can sort of "emulate" those?
>
> I don't see how it differs that much from http://www.sconnect.com/FAQ/.
> YAAI - Yet Another APDU Interface, I don't see browsers having
> ethernet capabilities exposed via javascript, but it feels the same.

Yes, it is like a next generation of SConnect with the difference that
this time the idea is that it should be a standard part of a browser.

Cheers
Anders

>
> --
> Martin
> +372 515 6495
>



Re: W3C's/Gemalto's Web-based SC interface

Frank Morgner
By the way, for the German ID card we are using an application that runs
in parallel to the browser for smart card access. The application is
called from a website (or browser) using a redirect to localhost. From
there on the smart card application operates independently from the
browser. When all smart card operations are done the web browser is
provided with a response, which includes a redirect back to the original
website with the transactions result. No extension, no plugin and not
even javascript needed in the browser. However, noscript doesn't like
the context switch from the www to the local network (for obvious
reason). On top of this, it is already in productive use...

On Saturday, October 19 at 01:38PM, Anders Rundgren wrote:

> On 2013-10-19 12:02, Martin Paljak wrote:
> > On Sat, Oct 19, 2013 at 12:47 PM, Anders Rundgren
> > <[hidden email]> wrote:
> >> http://opoto.github.io/secure-element
> >>
> >> Is this the right approach?  Time will tell but I'm personally skeptical about
> >> the interoperability.  But maybe this will finally relieve us from installing
> >> unique card-drivers since the server can sort of "emulate" those?
> >
> > I don't see how it differs that much from http://www.sconnect.com/FAQ/.
> > YAAI - Yet Another APDU Interface, I don't see browsers having
> > ethernet capabilities exposed via javascript, but it feels the same.
>
> Yes, it is like a next generation of SConnect with the difference that
> this time the idea is that it should be a standard part of a browser.
>
> Cheers
> Anders
>
> >
> > --
> > Martin
> > +372 515 6495
> >
--
Frank Morgner

Virtual Smart Card Architecture http://vsmartcard.sourceforge.net
OpenPACE                        http://openpace.sourceforge.net
IFD Handler for libnfc Devices  http://sourceforge.net/projects/ifdnfc


Re: W3C's/Gemalto's Web-based SC interface

Ludovic Rousseau
2013/10/20 Frank Morgner <[hidden email]>:

> By the way, for the German ID card we are using an application that runs
> in parallel to the browser for smart card access. The application is
> called from a website (or browser) using a redirect to localhost. From
> there on the smart card application operates independently from the
> browser. When all smart card operations are done the web browser is
> provided with a response, which includes a redirect back to the original
> website with the transactions result. No extension, no plugin and not
> even javascript needed in the browser. However, noscript doesn't like
> the context switch from the www to the local network (for obvious
> reason). On top of this, it is already in productive use...

"No extension, no plugin and not even javascript needed in the
browser" but you need to deploy an application for each operating
system you want to target.
Not very different from a native application with a HTML user interface.

Bye

--
 Dr. Ludovic Rousseau


Re: W3C's/Gemalto's Web-based SC interface

Martin Paljak-4
In reply to this post by Frank Morgner
Hello,

On Sun, Oct 20, 2013 at 12:10 PM, Frank Morgner
<[hidden email]> wrote:

> By the way, for the German ID card we are using an application that runs
> in parallel to the browser for smart card access. The application is
> called from a website (or browser) using a redirect to localhost. From
> there on the smart card application operates independently from the
> browser. When all smart card operations are done the web browser is
> provided with a response, which includes a redirect back to the original
> website with the transactions result. No extension, no plugin and not
> even javascript needed in the browser. However, noscript doesn't like
> the context switch from the www to the local network (for obvious
> reason). On top of this, it is already in productive use...


Indeed, I'm part of the "advisory board" for the open source
re-incarnation of the application, PersoApp and I've seen it "up
close" [1]

To be honest, we (mostly Bud) proposed something similar to the Porvoo
Group [2] a long time ago (it turns out it was in 2005), check out the
concept of the URL Programming Interface or UPI in these slides [3].

It works when you don't need "end to end" and "standards based"
solution. Also, having something constantly run and listening on ::1
opens up a plethora of possible attack surfaces, that don't exist
otherwise.

The concept and vision PersoApp folks have (something that would
facilitate agent based solutions) is nice, but the practicality for
simple authentication is comparable to OpenID as it brings out the
"nascar effect" [4] (Also present in SAML2 solutions), where the
end-result is "peer to peer binding" rather than universal and
horizontal, something that SSL with X509 *almost* manages to be.

Anyway, I still owe a comment to the group mailing list and once I've
written it, comparing the PersoApp to something that the advisory
board was interested in  - prior experiences in Estonia - I can as
well send it here, might be of interest.




[1] https://www.persoapp.de/beirat/
[2] http://www.fineid.fi/default.aspx?id=539
[3] http://www.fineid.fi/default.aspx?docid=3166&action=publish
[4] http://factoryjoe.com/blog/2009/04/06/does-openid-need-to-be-hard/


Best,
--
Martin
+372 515 6495


Re: W3C's/Gemalto's Web-based SC interface

Anders Rundgren-2
On 2013-10-20 18:42, Martin Paljak wrote:

> Hello,
>
> On Sun, Oct 20, 2013 at 12:10 PM, Frank Morgner
> <[hidden email]> wrote:
>> By the way, for the German ID card we are using an application that runs
>> in parallel to the browser for smart card access. The application is
>> called from a website (or browser) using a redirect to localhost. From
>> there on the smart card application operates independently from the
>> browser. When all smart card operations are done the web browser is
>> provided with a response, which includes a redirect back to the original
>> website with the transactions result. No extension, no plugin and not
>> even javascript needed in the browser. However, noscript doesn't like
>> the context switch from the www to the local network (for obvious
>> reason). On top of this, it is already in productive use...

Hi,
You might be interested in this proposal

   http://webpki.org/papers/PKI/pki-webcrypto.pdf

which aims at the NASCAR problem as well as moving 3D Secure from its (IMO) entirely useless 1998 state.

Anders

>
>
> Indeed, I'm part of the "advisory board" for the open source
> re-incarnation of the application, PersoApp and I've seen it "up
> close" [1]
>
> To be honest, we (mostly Bud) proposed something similar to the Porvoo
> Group [2] a long time ago (it turns out it was in 2005), check out the
> concept of the URL Programming Interface or UPI in these slides [3].
>
> It works when you don't need "end to end" and "standards based"
> solution. Also, having something constantly run and listening on ::1
> opens up a plethora of possible attack surfaces, that don't exist
> otherwise.
>
> The concept and vision PersoApp folks have (something that would
> facilitate agent based solutions) is nice, but the practicality for
> simple authentication is comparable to OpenID as it brings out the
> "nascar effect" [4] (Also present in SAML2 solutions), where the
> end-result is "peer to peer binding" rather than universal and
> horizontal, something that SSL with X509 *almost* manages to be.
>
> Anyway, I still owe a comment to the group mailing list and once I've
> written it, comparing the PersoApp to something that the advisory
> board was interested in  - prior experiences in Estonia - I can as
> well send it here, might be of interest.
>
>
>
>
> [1] https://www.persoapp.de/beirat/
> [2] http://www.fineid.fi/default.aspx?id=539
> [3] http://www.fineid.fi/default.aspx?docid=3166&action=publish
> [4] http://factoryjoe.com/blog/2009/04/06/does-openid-need-to-be-hard/
>
>
> Best,
> --
> Martin
> +372 515 6495
>



Re: W3C's/Gemalto's Web-based SC interface

helpcrypto helpcrypto
In reply to this post by Frank Morgner

On Sun, Oct 20, 2013 at 11:10 AM, Frank Morgner <[hidden email]> wrote:
> By the way, for the German ID card we are using an application that runs
> in parallel to the browser for smart card access. The application is
> called from a website (or browser) using a redirect to localhost. From
> there on the smart card application operates independently from the
> browser. When all smart card operations are done the web browser is
> provided with a response, which includes a redirect back to the original
> website with the transactions result. No extension, no plugin and not
> even javascript needed in the browser. However, noscript doesn't like
> the context switch from the www to the local network (for obvious
> reason). On top of this, it is already in productive use...

Open source? Link?
I'm very interested in this!

As we develop document signature with Java Applets (you too can start crying) we are praying for WebCrypto, but in the meantime, considering this "service" approach.
Another way to do it is using a protocol like signapp://... to invoke local application that handles the protocol. A warning is displayed, but nothing listening on ::1

IIUC, Martin, you did something similar back in 2005. Do u have "runnable" code?

Anders, read pending: http://webpki.org/papers/PKI/pki-webcrypto.pdf ;)

Ludovic, ...just hi! xD



Re: W3C's/Gemalto's Web-based SC interface

Anders Rundgren-2
As far as I know the Swedish BankID intends to replace all browser-based
client-side PKI for a stand-alone client since browser security (and security
constraints...) has become unmanageable.

I'm still optimistic about a WebCrypto+ effort although it won't happen
until a more useful secure-hardware platform is available in Android.

If it will use W3C's SE API is still up in the air.  I find the locked
down SIM a bit incompatible with the Internet.

Anders

On 2013-10-22 20:47, helpcrypto helpcrypto wrote:

>
> On Sun, Oct 20, 2013 at 11:10 AM, Frank Morgner <[hidden email]> wrote:
>
>     By the way, for the German ID card we are using an application that runs
>     in parallel to the browser for smart card access. The application is
>     called from a website (or browser) using a redirect to localhost. From
>     there on the smart card application operates independently from the
>     browser. When all smart card operations are done the web browser is
>     provided with a response, which includes a redirect back to the original
>     website with the transactions result. No extension, no plugin and not
>     even javascript needed in the browser. However, noscript doesn't like
>     the context switch from the www to the local network (for obvious
>     reason). On top of this, it is already in productive use...
>
>
> Open source? Link?
> I'm very interested in this!
>
> As we develop document signature with Java Applets (you too can start crying) we are praying for WebCrypto, but in the meantime, considering this "service" approach.
> Another way to do it is using a protocol like signapp://... to invoke local application that handles the protocol. A warning is displayed, but nothing listening on ::1
>
> IIUC, Martin, you did something similar back in 2005. Do u have "runnable" code?
>
> Anders, read pending: http://webpki.org/papers/PKI/pki-webcrypto.pdf ;)
>
> Ludovic, ...just hi! xD
>



Re: W3C's/Gemalto's Web-based SC interface

Frank Morgner
In reply to this post by Martin Paljak-4
On Sunday, October 20 at 07:42PM, Martin Paljak wrote:

> Hello,
>
> On Sun, Oct 20, 2013 at 12:10 PM, Frank Morgner
> <[hidden email]> wrote:
> > By the way, for the German ID card we are using an application that runs
> > in parallel to the browser for smart card access. The application is
> > called from a website (or browser) using a redirect to localhost. From
> > there on the smart card application operates independently from the
> > browser. When all smart card operations are done the web browser is
> > provided with a response, which includes a redirect back to the original
> > website with the transactions result. No extension, no plugin and not
> > even javascript needed in the browser. However, noscript doesn't like
> > the context switch from the www to the local network (for obvious
> > reason). On top of this, it is already in productive use...
>
>
> Indeed, I'm part of the "advisory board" for the open source
> re-incarnation of the application, PersoApp and I've seen it "up
> close" [1]
Actually there are a number of implementations for the client side
available:
https://github.com/BeID-lab/eIDClientCore
https://www.openecard.org/
and some others...

> To be honest, we (mostly Bud) proposed something similar to the Porvoo
> Group [2] a long time ago (it turns out it was in 2005), check out the
> concept of the URL Programming Interface or UPI in these slides [3].

Nice! Why didn't anyone implement it back then?

> It works when you don't need "end to end"

Could you explain?

> and "standards based" solution.

The German approach implements ISO 24727. It adds the PAOS interface to
the application essentially allowing remote procedure calls to it. Also
it allows real end to end communication between server and card. There
is no standard for that (I think), so I think it was OK that the BSI
created their own standard.

With my previous mail I wanted to draw the attention to the technical
solution avoiding real browser integration with plugins or patches,
which was previously discussed in this thread. The German solution in
its current state is far from perfect.

> Also, having something constantly run and listening on ::1
> opens up a plethora of possible attack surfaces, that don't exist
> otherwise.

Is it so different from a Webbrowser that interprets Websites/Javascript
or even executes Java/Flash?

> The concept and vision PersoApp folks have (something that would
> facilitate agent based solutions) is nice, but the practicality for
> simple authentication is comparable to OpenID as it brings out the
> "nascar effect" [4] (Also present in SAML2 solutions), where the
> end-result is "peer to peer binding" rather than universal and
> horizontal, something that SSL with X509 *almost* manages to be.

The user interface is currently one of the biggest problems. However,
there are some technical proposals to avoid "too much choice". For
example, if the user does not run a local client then the default action
should be to proceed without the ID card. This mechanism is still
missing today. Another technical solution would be to include a bridge
between different authentication/identification mechanisms.

> Anyway, I still owe a comment to the group mailing list and once I've
> written it, comparing the PersoApp to something that the advisory
> board was interested in  - prior experiences in Estonia - I can as
> well send it here, might be of interest.

I am already curious :-) ...

> [1] https://www.persoapp.de/beirat/
> [2] http://www.fineid.fi/default.aspx?id=539
> [3] http://www.fineid.fi/default.aspx?docid=3166&action=publish
> [4] http://factoryjoe.com/blog/2009/04/06/does-openid-need-to-be-hard/

--
Frank Morgner

Virtual Smart Card Architecture http://vsmartcard.sourceforge.net
OpenPACE                        http://openpace.sourceforge.net
IFD Handler for libnfc Devices  http://sourceforge.net/projects/ifdnfc


Re: W3C's/Gemalto's Web-based SC interface

Andreas Schwier (ML)
On 22.10.2013 22:31, Frank Morgner wrote:
>> To be honest, we (mostly Bud) proposed something similar to the Porvoo
>> Group [2] a long time ago (it turns out it was in 2005), check out the
>> concept of the URL Programming Interface or UPI in these slides [3].
>
> Nice! Why didn't anyone implement it back then?
The same mechanism has been used by the Austrian Bürgerkarte since 2003.

>
>> It works when you don't need "end to end"
>
> Could you explain?
>
>> and "standards based" solution.
>
> The German approach implements ISO 24727. It adds the PAOS interface to
> the application essentially allowing remote procedure calls to it. Also
> it allows real end to end communication between server and card. There
> is no standard for that (I think), so I think it was OK that the BSI
> created their own standard.
Actually there is: Global Platform Remote Application Management over
HTTP (RAMoverHTTP).

>
> With my previous mail I wanted to draw the attention to the technical
> solution avoiding real browser integration with plugins or patches,
> which was previously discussed in this thread. The German solution in
> its current state is far from perfect.
>
>> Also, having something constantly run and listening on ::1
>> opens up a plethora of possible attack surfaces, that don't exist
>> otherwise.
>
> Is it so different from a Webbrowser that interprets Websites/Javascript
> or even executes Java/Flash?
No. I guess a user process bound to an unprivileged port listening to
connections from 127.0.0.1 can't do any more harm than Java/Flash.

You just need to make sure the user can make an educated choice to which
server he allows the client to connect. And of course you need some kind
of protection for the communication link between the client/card and the
server (Like ChipAuthentication in the German eID or the SmartCard-HSM).

>
>> The concept and vision PersoApp folks have (something that would
>> facilitate agent based solutions) is nice, but the practicality for
>> simple authentication is comparable to OpenID as it brings out the
>> "nascar effect" [4] (Also present in SAML2 solutions), where the
>> end-result is "peer to peer binding" rather than universal and
>> horizontal, something that SSL with X509 *almost* manages to be.
>
> The user interface is currently one of the biggest problems. However,
> there are some technical proposals to avoid "too much choice". For
> example, if the user does not run a local client then the default action
> should be to proceed without the ID card. This mechanism is still
> missing today. Another technical solution would be to include a bridge
> between different authentication/identification mechanisms.
>
>> Anyway, I still owe a comment to the group mailing list and once I've
>> written it, comparing the PersoApp to something that the advisory
>> board was interested in  - prior experiences in Estonia - I can as
>> well send it here, might be of interest.
>
> I am already curious :-) ...
>
>> [1] https://www.persoapp.de/beirat/
>> [2] http://www.fineid.fi/default.aspx?id=539
>> [3] http://www.fineid.fi/default.aspx?docid=3166&action=publish
>> [4] http://factoryjoe.com/blog/2009/04/06/does-openid-need-to-be-hard/
>


--

    ---------    CardContact Software & System Consulting
   |.##> <##.|   Andreas Schwier
   |#       #|   Schülerweg 38
   |#       #|   32429 Minden, Germany
   |'##> <##'|   Phone +49 571 56149
    ---------    http://www.cardcontact.de
                 http://www.tscons.de
                 http://www.openscdp.org
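
An added example, not part of the original thread and not code from any of the eID clients mentioned: the checks a loopback-listening card client can make before touching the card, following the redirect-to-localhost flow and the "which server may the client connect to" point discussed above. The port, the `/sign` path, the `return_to` parameter and the approved-server set are hypothetical.

```python
"""Loopback smart-card agent: request checks made before the card is used.

Added illustration. Port, path, parameter name and allowlist are hypothetical;
they are not taken from PersoApp, Open eCard or eIDClientCore.
"""
import ipaddress
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

PORT = 8765                             # hypothetical unprivileged port
APPROVED_SERVERS = {"service.example"}  # stands in for the user's consent list


def peer_is_loopback(addr):
    """True only for a loopback peer (defence in depth on top of bind())."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def host_header_ok(host_header, port=PORT):
    """Accept only literal loopback names, so the agent cannot be reached
    under any other hostname that happens to resolve to this machine."""
    allowed = {f"127.0.0.1:{port}", f"localhost:{port}", f"[::1]:{port}"}
    return (host_header or "").lower() in allowed


def return_url_ok(url, approved=APPROVED_SERVERS):
    """The redirect back must be https, to an approved host, without userinfo."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:
        return False
    if parts.scheme != "https" or parts.username or parts.password:
        return False
    return host is not None and host in approved


def card_operation():
    """Stand-in for the PIN dialogue and card session, which run in the
    local application and not in the browser."""
    return "done"


def decide(peer_addr, host_header, path_and_query):
    """Return (status, location); location is set only for accepted requests."""
    if not peer_is_loopback(peer_addr) or not host_header_ok(host_header):
        return 403, None
    request = urlsplit(path_and_query)
    if request.path != "/sign":
        return 404, None
    values = parse_qs(request.query).get("return_to", [])
    if len(values) != 1 or not return_url_ok(values[0]):
        return 400, None                 # refuse before any card access
    back = urlsplit(values[0])
    query = "&".join(q for q in (back.query,
                                 urlencode({"result": card_operation()})) if q)
    # Rebuild the URL from its parts; any fragment is dropped.
    return 303, urlunsplit((back.scheme, back.netloc, back.path, query, ""))


class AgentHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, location = decide(self.client_address[0],
                                  self.headers.get("Host"), self.path)
        self.send_response(status)
        if location:
            self.send_header("Location", location)
        self.send_header("Content-Length", "0")
        self.end_headers()


if __name__ == "__main__":
    # Bind to the loopback address only, never to "" or 0.0.0.0.
    HTTPServer(("127.0.0.1", PORT), AgentHandler).serve_forever()
```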



Re: W3C's/Gemalto's Web-based SC interface

Martin Paljak-4
In reply to this post by Martin Paljak-4
On Sat, Oct 19, 2013 at 1:02 PM, Martin Paljak <[hidden email]> wrote:
>
> I don't see how it differs that much from http://www.sconnect.com/FAQ/.
> YAAI - Yet Another APDU Interface, I don't see browsers having
> ethernet capabilities exposed via javascript, but it feels the same.


And I just stumbled upon this:

https://github.com/ubinity/webpcsc-firebreath

--
Martin
+372 515 6495


Re: W3C's/Gemalto's Web-based SC interface

helpcrypto helpcrypto
> And I just stumbled upon this:
>
> https://github.com/ubinity/webpcsc-firebreath

This shows, one more time and increasingly more, that we are in desperate need of something (like Webcrypto?)



Re: W3C's/Gemalto's Web-based SC interface

Mikael Magnusson-5
In reply to this post by Martin Paljak-4
On 10/23/2013 10:12 PM, Martin Paljak wrote:
> On Sat, Oct 19, 2013 at 1:02 PM, Martin Paljak <[hidden email]> wrote:
>> I don't see how it differs that much from http://www.sconnect.com/FAQ/.
>> YAAI - Yet Another APDU Interface, I don't see browsers having
>> ethernet capabilities exposed via javascript, but it feels the same.
> And I just stumbled upon this:
>
> https://github.com/ubinity/webpcsc-firebreath

It apparently uses NPAPI. Keep in mind that at least Google will
discontinue NPAPI in Chrome next year. Don't know about the other
browsers though. I wouldn't use NPAPI when developing something new
today anyway.

/Mikael



Re: W3C's/Gemalto's Web-based SC interface

Martin Paljak-4
In reply to this post by Anders Rundgren-2
Instead of exposing your stuff through JS I'm more interested in this
capability in the new Android:

http://developer.android.com/about/versions/kitkat.html#44-hce

http://developer.android.com/reference/android/nfc/cardemulation/HostApduService.html

I envision a bunch of interesting applications in this field now....

Martin
--
Martin
+372 515 6495


On Sat, Oct 19, 2013 at 12:47 PM, Anders Rundgren
<[hidden email]> wrote:

> Maybe of interest:
>
> http://opoto.github.io/secure-element
>
> Is this the right approach?  Time will tell but I'm personally skeptical about
> the interoperability.  But maybe this will finally relieve us from installing
> unique card-drivers since the server can sort of "emulate" those?
>
> FWIW, I have finished converting SKS/KeyGen2 from XML to JSON and it was
> an instant hit in terms of improved performance and reduced complexity:
> https://openkeystore.googlecode.com/svn/resources/trunk/docs/sks-api-arch.pdf
> Is as beautiful as before?  Maybe not, but readability has IMO gained by JSON's
> somewhat primitive constructs.
>
> Cheers
> Anders
>
>

Re: W3C's/Gemalto's Web-based SC interface

Anders Rundgren-2
On 2013-11-01 09:32, Martin Paljak wrote:
> Instead of exposing your stuff through JS I'm more interested in this
> capability in the new Android:
>
> http://developer.android.com/about/versions/kitkat.html#44-hce
>
> http://developer.android.com/reference/android/nfc/cardemulation/HostApduService.html
>
> I envision a bunch of interesting applications in this field now....

I don't see that there is a conflict between these things.
SKS/KeyGen2 should be able to support this

http://www.nfcworld.com/2013/10/31/326619/google-gets-around-carriers-host-card-emulation-nfc-payments/

and still maintain an SE.

Unfortunately I don't think anybody can (market-wise) eclipse Google's
U2F.  So our digital future is all in the hands of a single vendor.

The other parties failed to cooperate on just about everything; they didn't
even manage to create a card that "Just Works(TM)".

Anders


>
> Martin
> --
> Martin
> +372 515 6495
>
>
> On Sat, Oct 19, 2013 at 12:47 PM, Anders Rundgren
> <[hidden email]> wrote:
>> Maybe of interest:
>>
>> http://opoto.github.io/secure-element
>>
>> Is this the right approach?  Time will tell but I'm personally skeptical about
>> the interoperability.  But maybe this will finally relieve us from installing
>> unique card-drivers since the server can sort of "emulate" those?
>>
>> FWIW, I have finished converting SKS/KeyGen2 from XML to JSON and it was
>> an instant hit in terms of improved performance and reduced complexity:
>> https://openkeystore.googlecode.com/svn/resources/trunk/docs/sks-api-arch.pdf
>> Is as beautiful as before?  Maybe not, but readability has IMO gained by JSON's
>> somewhat primitive constructs.
>>
>> Cheers
>> Anders
>>
>>