RE: Feedback about WebNFC API

Hi Zoltan,
OK, I will push feedback in the thread about the low level IOs (https://github.com/w3c/web-nfc/issues/238).

The NFC technology in itself is specific in terms of security and privacy in the sense that users need to deliberately tap their phone close to an NFC touch point (whether it is a tag or a reader). This is why NFC is popular for payment, biometric / passport and access control applications. It can only be activated if the user places his NFC phone or credit card within centimeters and stops as soon as the user removes his phone.

So with that sort of NFC built-in security plus the required “expressed permission” to access the Web NFC API, aren’t we covered?

Best regards
Olivier


From: Kis, Zoltan <zoltan.kis@intel.com>
Sent: Monday, 2 March 2020 11:43
To: Olivier LORENTE <olivier.lorente@st.com>
Cc: public-web-nfc@w3.org
Subject: Re: Feedback about WebNFC API

Hello,

Thank you for the feedback and the use case.
After the current phase is over we will discuss next steps.
It would help if you could paste the feedback also in one of the issues that discuss this, or create a separate issue if you wish.

https://github.com/w3c/web-nfc/issues/101

https://github.com/w3c/web-nfc/issues/238

https://github.com/w3c/web-nfc/issues/452


There have been a lot of requests for supporting transceive() and there is good will to support it.
Technically it's feasible to create a web'ish API that is simple yet covers most use cases.
The difficult question is security and privacy. The API exposure is huge, and it is arguably more complex than for the APIs made for apps distributed in an app store.
If you have input on security/privacy threats and mitigations related to the API so far, it is most welcome, as we are striving to improve the Security section of the spec.

Best regards,
Zoltan

Received on Tuesday, 3 March 2020 10:21:01 UTC