- From: Gil Bernabeu <gil.bernabeu@globalplatform.org>
- Date: Fri, 9 Mar 2018 14:25:18 +0000
- To: NAZARE GONCALVES Bruno Goncalo <brunogoncalo.nazare@ext.europarl.europa.eu>
- CC: "public-web-security@w3.org" <public-web-security@w3.org>
- Message-ID: <ee4323117510466297b92a16e6199ac5@MBX10A-IAD3.mex06.mlsrvr.com>
Dear Bruno,

The API to discuss between a Web App and a smart card has been published by GlobalPlatform some time ago and is available at https://github.com/GlobalPlatform/WebApis-for-se

These Secure Element APIs are now available on TEE environment, Mobile device called OMAPI (recent Google announcement that these APIs will be in Android P is available here <https://android-developers.googleblog.com/2018/03/previewing-android-p.html>) and web engine.

This can be used to develop more functional APIs if needed in the European context for digital signature.

Best regards
Gil Bernabeu
GlobalPlatform Technical Director
Website: www.globalplatform.org

From: Ryan Hurst [mailto:ryan.hurst@gmail.com]
Sent: Friday, 9 March 2018 15:13
To: NAZARE GONCALVES Bruno Goncalo <brunogoncalo.nazare@ext.europarl.europa.eu>
Cc: Tony Arcieri <bascule@gmail.com>; public-web-security@w3.org
Subject: Re: Digital signatures in the browser

Bruno,

You are correct, it is not possible to do a digital signature like you need using FIDO. You could use FIDO to authenticate to a remote server and in turn use that session to do the signature using a remote signing device (HSM, etc).

Ryan

On Fri, Mar 9, 2018 at 9:02 AM NAZARE GONCALVES Bruno Goncalo <brunogoncalo.nazare@ext.europarl.europa.eu> wrote:

Hello Tony,

The actual goal is to be able to digitally sign documents, for instance PDFs, using pre-provisioned keys contained in hardware tokens (interest currently leaning on regular smartcards).

I've previously looked at FIDO U2F, and even though I believe there could be some openness here to the idea of USB keys (like the U2F authenticators) I believe that's not the biggest drawback of FIDO U2F.
From my understanding of the technology, the FIDO API will take a challenge as input to the signing operation, however, somewhere along the stack that challenge will be wrapped in a larger structure and that's what will be signed. This would mean that it is not possible to simply sign the hash of a document, right?

Best Regards,

Bruno GONÇALVES
Functional Analyst
External Provider
European Parliament
Directorate-General for Innovation and Technological Support
Directorate for Development and Support
Evolution and Maintenance Unit
brunogoncalo.nazare@ext.europarl.europa.eu
www.europarl.europa.eu

From: Tony Arcieri [mailto:bascule@gmail.com]
Sent: 08 March 2018 00:38
To: NAZARE GONCALVES Bruno Goncalo
Cc: public-web-security@w3.org
Subject: Re: Digital signatures in the browser

Depending on what you mean by "smartcard" and how flexible your needs are, FIDO U2F can be used to accomplish this in Chrome and Firefox today with no additional software.

Though U2F is an authentication standard, what it exposes to the browser is effectively an API for performing ECDSA signatures (w/ NIST P-256 elliptic curve) using an origin-specific key.

On Wed, Mar 7, 2018 at 8:05 AM, NAZARE GONCALVES Bruno Goncalo <brunogoncalo.nazare@ext.europarl.europa.eu> wrote:

Dear Web Security IG,

I'm currently working for the European Parliament, looking for upcoming solutions to the problem of creating digital signatures with a smartcard directly from a web page, without resorting to additional software.
Thus, I would like to ask if there are any efforts currently underway to support this use case or if any will be undertaken in the foreseeable future.
I'm aware of the following initiatives that could be somewhat related:

- WebCrypto Key Discovery (https://www.w3.org/TR/webcrypto-key-discovery/)
- Web API For Accessing Secure Element (http://globalplatform.github.io/WebApis-for-SE/doc/)
- Hardware Based Secure Services features (https://rawgit.com/w3c/websec/gh-pages/hbss.html)

Have these been considered already? If so, what's the current sentiment surrounding them? If not, are there any plans to analyse these or similar solutions in the foreseeable future?

Best Regards,

Bruno GONÇALVES
Functional Analyst
External Provider
European Parliament
Directorate-General for Innovation and Technological Support
Directorate for Development and Support
Evolution and Maintenance Unit
brunogoncalo.nazare@ext.europarl.europa.eu
www.europarl.europa.eu

--
Tony Arcieri
Attachments
- image/png attachment: image003.png
- image/png attachment: image004.png
Received on Friday, 9 March 2018 14:25:46 UTC
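
The wrapping discussed in the thread, as an added example that is not part of any of the messages: it builds the bytes a U2F token signs during authentication, following the FIDO U2F raw message layout (application parameter, user presence byte, counter, challenge parameter), with a document hash passed in as the challenge. The app ID `https://sign.example`, the sample document and the helper `binds_document` are assumptions made for illustration, and no ECDSA signing is performed.

```python
import base64
import hashlib
import json
import struct

def b64url(data: bytes) -> str:
    """Websafe base64 without padding, as used in U2F client data."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def client_data(challenge: bytes, origin: str) -> bytes:
    """Client data JSON the browser builds around the caller's challenge."""
    return json.dumps(
        {"typ": "navigator.id.getAssertion",
         "challenge": b64url(challenge),
         "origin": origin},
        separators=(",", ":"),
    ).encode("utf-8")

def signature_base(app_id: str, client_data_json: bytes,
                   user_presence: int, counter: int) -> bytes:
    """Bytes the token signs: app param || presence || counter || challenge param."""
    app_param = hashlib.sha256(app_id.encode("utf-8")).digest()
    challenge_param = hashlib.sha256(client_data_json).digest()
    return app_param + struct.pack(">BI", user_presence, counter) + challenge_param

def binds_document(sig_base: bytes, client_data_json: bytes,
                   app_id: str, document: bytes) -> bool:
    """Extra checks a verifier needs to tie a U2F assertion to a document."""
    if len(sig_base) != 69:
        return False
    app_param, challenge_param = sig_base[:32], sig_base[37:]
    fields = json.loads(client_data_json)
    return (app_param == hashlib.sha256(app_id.encode("utf-8")).digest()
            and challenge_param == hashlib.sha256(client_data_json).digest()
            and fields.get("typ") == "navigator.id.getAssertion"
            and fields.get("challenge") == b64url(hashlib.sha256(document).digest()))

# Constructed sample values (not from the thread).
DOCUMENT = b"%PDF-1.7 constructed sample document"
APP_ID = "https://sign.example"  # hypothetical app ID, also used as origin
DOC_HASH = hashlib.sha256(DOCUMENT).digest()
CLIENT_DATA = client_data(DOC_HASH, APP_ID)
SIG_BASE = signature_base(APP_ID, CLIENT_DATA, user_presence=1, counter=7)

if __name__ == "__main__":
    print("document hash:", DOC_HASH.hex())
    print("signed bytes :", SIG_BASE.hex(), f"({len(SIG_BASE)} bytes)")
```

The document hash survives only as a base64url string inside the client data, which is hashed again before signing, so a standard PDF signature verifier that expects a signature over the document digest cannot validate the result.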