Re: Digital signatures in the browser


We organized a workshop in 2014 to precisely address this.

While there was virtually unanimous support at the end of the workshop, the
status quo continues. There are several false perceptions on Smartcards in
the web community (such as it is old tech, forgetting the fact so is the
web and that good tech evolves and smartcards have).

There are lots of APIs that are custom and vendor specific for a given
browser but none built-in and I have very little faith it will get built

Our opinion on a non-branded implementation (outside FIDO): while unlikely
to be supported by the W3C community driven by the browser makers, there
will *soon be an effective standards-based (non-custom API) workaround,
irrespective of W3C supporting it.*

Paper on why non-branded approach:

Happy to discuss further.


On Mar 7, 2018 5:31 PM, "NAZARE GONCALVES Bruno Goncalo" <> wrote:

> Dear Web Security IG,
> I'm currently working for the European Parliament, looking for upcoming
> solutions to the problem of creating digital signatures with a smartcard
> directly from a web page, without resorting to additional software.
> Thus, I would like to ask if there are any efforts currently underway to
> support this use case or if any will be undertaken in the foreseeable
> future.
> I'm aware of the following initiatives that could be somewhat related:
>  - WebCrypto Key Discovery (
> )
>  - Web API For Accessing Secure Element (http://globalplatform.github.io/WebApis-for-SE/doc/)
>  - Hardware Based Secure Services features (
> websec/gh-pages/hbss.html)
> Have these been considered already? If so, what's the current sentiment
> surrounding them? If not, are there any plans to analyse these or similar
> solutions in the foreseeable future?
> Best Regards,
> Functional Analyst External Provider
> European Parliament
> Directorate-General for Innovation and Technological Support
> Directorate for Development and Support
> Evolution and Maintenance Unit
> This message contains confidential information intended solely for the
> attention of the named addressee. It may not be used, disclosed or copied
> in any way whatsoever by anyone else than the intended addressee. If you
> are not the intended addressee, please contact the sender and delete this
> message. The sender of this message is not authorized to represent the
> European Parliament and therefore this message does not necessarily reflect
> the official position of the European Parliament and is not legally binding
> upon it.

Received on Friday, 9 March 2018 19:02:12 UTC