
RE: Need for Smart Card support

From: Lu HongQian Karen <karen.lu@gemalto.com>
Date: Mon, 4 Jun 2012 16:51:33 +0200
To: "Davenport, James L." <jdavenpo@mitre.org>, "public-webcrypto@w3.org" <public-webcrypto@w3.org>
CC: GALINDO Virginie <Virginie.GALINDO@gemalto.com>, Ali Asad <Asad.Ali@gemalto.com>
Message-ID: <1126F161F6F1B24FABD92B850CAFBD6E013A1FFDAEB4@CROEXCFWP04.gemalto.com>

The smart card support is also important or critical for government and
government-regulated applications. The smart card not only stores secrets,
but also performs cryptographic operations, such as digital signature, data
encryption, cryptographic hash, key exchange, random number generation, and
so on. The use cases include (in addition to the following email), but are not
limited to:

1.  A citizen files a tax return online, and signs the tax return using his
government-issued smart card.

2.  A citizen accesses his government benefits using his smart card to
authenticate.

3.  A citizen applies for a driver license using his smart card to authenticate
and to provide attributes required by the license department.

4.  A government employee accesses a government application to do his job,
using his smart card to authenticate, encrypt sensitive data, sign documents,
etc.

It is not possible to list all, but you get the idea.

Regards,

Karen

 

From: Davenport, James L. [mailto:jdavenpo@mitre.org] 
Sent: Monday, June 04, 2012 9:12 AM
To: public-webcrypto@w3.org
Subject: Need for Smart Card support

 

Our sponsor needs the Crypto API to enable JavaScript programs to be able to
request: "Hey, please sign this data using that smart card."

 

The term "smart card" is a generic term that includes Common Access Card
(CAC) and Personal Identity Verification (PIV) cards.

 

-----------------------------

Smart Card Use Cases

-----------------------------

In all of the following use cases the user must be prompted for his PIN
prior to signing with the smart card. Also, the system must display to the
user the data that is being signed, so that he knows what he is signing.

 

Using smart cards to sign data submitted to internal company web apps:

 

a. An employee accesses the company web app where he can make changes to his
employee benefits (dental, medical, eye). He enters the changes and presses
Submit. The changes are signed using the employee's smart card and then sent
to the web app which validates the signature and processes the benefits
changes.

 

b. After an employee makes a business trip he accesses a company web app
which allows him to fill in the trip expenses - hotel, car rental, airfare -
for reimbursement. He enters the expenses and presses Submit. The changes
are signed using the employee's smart card and then sent to the web app
which validates the signature and processes for reimbursement.

 

c. An employee is on a business trip. At the end of each day he accesses his
company's web app to enter hours worked. He enters the project number and
hours worked and presses Submit. The changes are signed using the employee's
smart card and then sent to the web app which validates the signature and
enters the time charged on his time sheet.

 

Using smart cards to sign data submitted to public web apps:

 

d. An individual accesses his doctor's web app which has a form for
authorizing release of medical records to another family member. The
individual fills in the form and presses Submit. The form data is signed
using the individual's personal smart card and then sent to the web app
which validates the signature and releases the medical records to the family
member. 

 

e. An individual accesses his broker's web app which has a form for
authorizing the transfer of funds from one stock to another. The individual
fills in the form and presses Submit. The form data is signed using the
individual's personal smart card and then sent to the web app which
validates the signature and transfers the funds. 

 

f. An individual accesses his bank's web app which has a form for
authorizing the transfer of money from one account to another. The
individual fills in the form and presses Submit. The form data is signed
using the individual's personal smart card and then sent to the web app
which validates the signature and transfers the money. 

 

g. An individual accesses his mortgage company's web app which has a suite of
forms that must be completed for the purchase of a house. The individual
fills in the forms and presses Submit. The form data is signed using the
individual's personal smart card and then sent to the web app which
validates the signature and concludes the purchase of the house.

 

h. A realtor has put together an offer on a house and uploaded it online. An
individual opens his browser, enters the URL, and reviews the offer. He then
checks a box to show that he agrees with the offer, signs it, and uploads
it. The realtor then goes to the seller and makes the offer on behalf of the
individual.

 

Jim Davenport  (on behalf of Jenn Dotson, James Garriss, Roger Costello)

 



Received on Monday, 4 June 2012 19:59:01 GMT
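
The sign-then-validate flow shared by use cases a through h, as an added example that is not part of the original messages or of any W3C API: the form is reduced to one canonical text, that text is what the user is shown and what is signed, and the web app verifies before processing. Assumptions: a software P-256 key pair stands in for the smart card key, Node.js's crypto module stands in for a browser API, the function names are hypothetical, and the expense values are constructed.

```javascript
const nodeCrypto = require("node:crypto");

// Canonical text: sorted field names, one "name=value" line each, so the
// bytes displayed to the user are exactly the bytes signed and verified.
function canonicalize(form) {
  return Object.keys(form).sort()
    .map((k) => `${encodeURIComponent(k)}=${encodeURIComponent(String(form[k]))}`)
    .join("\n");
}

// Client side (hypothetical): `displayed` is shown to the user, who then
// unlocks the key with his PIN; here a software key signs instead of a card.
function signForm(form, privateKey) {
  const displayed = canonicalize(form);
  const sig = nodeCrypto.sign("sha256", Buffer.from(displayed, "utf8"), privateKey);
  return { form, displayed, signature: sig.toString("base64") };
}

// Web app side: rebuild the canonical text from the received fields and
// verify the signature over it before any processing happens.
function processSubmission(submission, publicKey) {
  const text = canonicalize(submission.form);
  let ok = false;
  try {
    ok = nodeCrypto.verify("sha256", Buffer.from(text, "utf8"), publicKey,
      Buffer.from(submission.signature, "base64"));
  } catch {
    ok = false; // malformed signature encoding is treated as invalid
  }
  return ok ? { accepted: true, signedText: text } : { accepted: false };
}

// Use case b with constructed values: one genuine submission, and one whose
// hotel amount was changed after signing.
function demo() {
  const { privateKey, publicKey } =
    nodeCrypto.generateKeyPairSync("ec", { namedCurve: "prime256v1" });
  const expenses = { hotel: "412.00", car_rental: "96.50", airfare: "388.20" };
  const submission = signForm(expenses, privateKey);
  const altered = { ...submission, form: { ...expenses, hotel: "4120.00" } };
  return {
    genuine: processSubmission(submission, publicKey),
    tampered: processSubmission(altered, publicKey),
  };
}
```

The web app would also need to establish that the public key belongs to the claimed user, for example by validating the card's certificate chain, which this example leaves out.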
