Re: Web-NFC. Was: Centralization dangers of applying OpenID Connect to wallets protocols (was: Re: 2022-2026 Verifiable Data Standards Roadmap [DRAFT])

On 2022-03-21 19:13, Brent Shambaugh wrote:
> I might need to follow up with the TangemID people. I am not sure how to reach them. I have an installation of their Tangem ID app
> on my iPhone. I just ran through the process with the issuer/verifier 
> and credential wallet cards and I got an error “This data cannot be signed”. 
> I do have an NFC reader and an NFC reader/writer in addition to what is available with my iPhone.

This seems like a rather different problem/solution than the "Better QR" stuff I have worked with.

Regarding interacting with smart cards via WebNFC, I don't think that is a workable idea because smart cards are only secure when used in a secure environment, which excludes transiently downloaded Web code.  W3C once tried to create a standard for smart card access.  I claimed it wouldn't work and published this:
https://cyberphone.github.io/doc/research/permissions.pdf
Unsurprisingly this effort never got anywhere.

thanx,
Anders

> 
> On Monday, March 21, 2022, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:
> 
>     On 2022-03-21 13:45, Orie Steele wrote:
> 
>         Although the firmware is proprietary, if WebNFC supported APDU, these crypto currency wallet NFC Cards would almost give you what you want.
> 
> 
>     What I "want" is more basic: a replacement/complement to QR codes, since QR codes are (like passwords) susceptible to traditional phishing attacks due to the lack of binding between the Web page and a URL provided in an embedded QR image.
> 
>     To succeed, NFC would eventually have to become a part of the PC/Mac platform which obviously will never happen unless something along these lines becomes a standard.
> 
>     Thanx,
>     Anders
> 
> 
>         https://tangem.com/en/
> 
>         I have tested them in "Kiosk" setups and they allow for vanilla EdDSA or ES256K from hardware isolated keys.
> 
>         Unfortunately, you need a regular card reader to interact with them, because web nfc does not expose the APDU interface.
> 
>         So they pair their solution with a Native App.
> 
>         I wouldn't say it's "too late"... there are currently 0 registered standard payment method identifiers: https://www.w3.org/TR/payment-method-id/#registry
> 
>         It does seem like somehow the folks who needed to be in the same room to make this happen got spread across different WGs.
> 
>         OS
> 
>         On Mon, Mar 21, 2022 at 7:21 AM Anders Rundgren <anders.rundgren.net@gmail.com> wrote:
> 
>              On 2022-03-21 13:13, Orie Steele wrote:
>               > I'm not sure what exactly the proposal is.
>               >
>               > NDEF Tags and QR Codes can contain URLs which can then be used to invoke applications.
>               >
>               > Are you hoping for more general purpose NFC APIs that are not limited to mobile browsers?
> 
>              Hi Orie,
> 
>              Since the boat has sailed I'm not really hoping for anything :(
> 
>              The idea is pretty well described in this GitHub issue: https://github.com/w3c/web-nfc/issues/140
> 
>              Thanx,
>              Anders
> 
> 
>               >
>               > OS
>               >
>               > On Sat, Mar 19, 2022 at 1:52 AM Anders Rundgren <anders.rundgren.net@gmail.com> wrote:
>               >
>               >     Since the original topic is extremely large, I take the liberty of focusing on a related item which I have been actively involved in.
>               >
>               >     Google and Intel have created an API that makes it possible to read and write certain types of RFID tags from a mobile browser.  That's fine but this use case is already supported by much more powerful native apps.
>               >
>               >     I claimed early on (and to no avail), that mobile devices (phones) with native apps interacting with Web pages running in desktop computers have lots of already established applications that could benefit from a better solution.
>               >
>               >     The current solution to this generic use case is QR codes, which require you to manually start a specific application or, alternatively, provide some private information which can be used for Web push.
>               >
>               >     Since QR codes do not provide the security context of the Web page, this solution is susceptible to phishing.
>               >
>               >
>               >     The only people outside of Google and Intel who have been visible in this activity are RFID vendors.  The payment industry were not there.  The same goes for the identity folks.
>               >
>               >     I would like to restart this activity but not alone.  Getting NFC back in PCs will not happen overnight, if ever.
>               >
>               >     Thanx,
>               >     Anders
>               > https://github.com/w3c/web-nfc/issues/128
>               >
>               >
>               >
>               > --
>               > *ORIE STEELE*
>               > Chief Technical Officer
>               > www.transmute.industries
>               >
>               > <https://www.transmute.industries>
> 
> 
> 
>         -- 
>         *ORIE STEELE*
>         Chief Technical Officer
>         www.transmute.industries
> 
>         <https://www.transmute.industries>
> 
> 
> 
> 
> 
> -- 
> -Brent Shambaugh
> 
> GitHub: https://github.com/bshambaugh
> Website: http://bshambaugh.org/
> LinkedIN: https://www.linkedin.com/in/brent-shambaugh-9b91259
> Skype: brent.shambaugh
> Twitter: https://twitter.com/Brent_Shambaugh
> WebID: http://bshambaugh.org/foaf.rdf#me

Received on Monday, 21 March 2022 18:53:22 UTC