RE: Need for Smart Card support

I think it will be good to have an option for interacting with secure element (smart card being one example) in the API. Browsers that choose to support it can implement it while others can skip it. But the fact that it is there in the API will allow creation of secure applications (as indicated by the use cases below) for those interested in them.

The basic idea is that web applications should be able to use keys stored in such a secure element. One option could be to extract the keys from the secure element and use them inside the browser (e.g. for bulk encryption using symmetric keys) without exposing the keys to the JavaScript code. Another option could be to do crypto processing inside the secure element so that keys do not leave the secure element (e.g. asking a smart card to sign a hash).

To expand on the use cases listed by Jim, here is a list in terms of what crypto operations could be done either entirely by a smart card, or done in the browser using key material that comes from a smart card:

1. Sign a document hash for non-repudiation
2. Sign a challenge from a server for a PKI-based challenge-response handshake to perform authentication.
3. Decrypt a message using private asymmetric key.
4. Encrypt a message for someone using their public asymmetric key. (not so clear on this one, yet. Public keys may not need to be stored in secure elements)
5. Perform hash of a large document
6. Bulk encryption of a large document using a symmetric key.
7. Bulk decryption of a large document using a symmetric key.

Regards,
--- asad
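
The first option in the message above (script uses a key it cannot read) combined with use case 2, as an added example that is not part of the original message. It relies on the `extractable` flag of the Web Crypto API; the software-generated P-256 key standing in for a secure-element key, the function names and the challenge value are assumptions made for the illustration, and no smart card is involved.

```javascript
// Added illustration. A software P-256 key stands in for a secure-element key.
// The require() fallback only matters on Node builds without a global crypto.
const subtle = globalThis.crypto?.subtle ?? require('node:crypto').webcrypto.subtle;

const ALG = { name: 'ECDSA', namedCurve: 'P-256' };
const SIG = { name: 'ECDSA', hash: 'SHA-256' };

// Client: generate a key pair whose private half is marked non-extractable.
async function enrollClient() {
  const pair = await subtle.generateKey(ALG, false, ['sign', 'verify']);
  // The public half stays exportable; this is what the server would store.
  const publicJwk = await subtle.exportKey('jwk', pair.publicKey);
  return { privateKey: pair.privateKey, publicJwk };
}

// Client: sign the server's challenge through the opaque key handle.
async function signChallenge(privateKey, challenge) {
  return new Uint8Array(await subtle.sign(SIG, privateKey, challenge));
}

// Server: verify the response against the enrolled public key.
async function verifyResponse(publicJwk, challenge, signature) {
  const key = await subtle.importKey('jwk', publicJwk, ALG, true, ['verify']);
  return subtle.verify(SIG, key, signature, challenge);
}

// Script can hold the handle, but a request for the key bytes is rejected.
async function exportIsRefused(privateKey) {
  try {
    await subtle.exportKey('pkcs8', privateKey);
    return false;
  } catch {
    return true;
  }
}

async function demo() {
  const enc = new TextEncoder();
  const challenge = enc.encode('constructed-challenge-0001'); // constructed sample
  const { privateKey, publicJwk } = await enrollClient();
  const signature = await signChallenge(privateKey, challenge);
  return {
    signatureLength: signature.length, // raw r||s for P-256
    valid: await verifyResponse(publicJwk, challenge, signature),
    otherChallengeValid: await verifyResponse(publicJwk, enc.encode('other'), signature),
    privateExtractable: privateKey.extractable,
    exportRefused: await exportIsRefused(privateKey),
  };
}
```
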


From: Davenport, James L. [mailto:jdavenpo@mitre.org]
Sent: Monday, June 04, 2012 9:12 AM
To: public-webcrypto@w3.org
Subject: Need for Smart Card support


Our sponsor needs the Crypto API to enable JavaScript programs to be able to request: "Hey, please sign this data using that smart card."



The term "smart card" is a generic term that includes Common Access Card (CAC) and Personal Identity Verification (PIV) cards.



-----------------------------

Smart Card Use Cases

-----------------------------

In all of the following use cases the user must be prompted for his PIN prior to signing with the smart card. Also, the system must display to the user the data that is being signed, so that he knows what he is signing.



Using smart cards to sign data submitted to internal company web apps:



a. An employee accesses the company web app where he can make changes to his employee benefits (dental, medical, eye). He enters the changes and presses Submit. The changes are signed using the employee's smart card and then sent to the web app which validates the signature and processes the benefits changes.



b. After an employee makes a business trip he accesses a company web app which allows him to fill in the trip expenses - hotel, car rental, airfare - for reimbursement. He enters the expenses and presses Submit. The changes are signed using the employee's smart card and then sent to the web app which validates the signature and processes for reimbursement.



c. An employee is on a business trip. At the end of each day he accesses his company's web app to enter hours worked. He enters the project number and hours worked and presses Submit. The changes are signed using the employee's smart card and then sent to the web app which validates the signature and enters the time charged on his time sheet.



Using smart cards to sign data submitted to public web apps:



d. An individual accesses his doctor's web app which has a form for authorizing release of medical records to another family member. The individual fills in the form and presses Submit. The form data is signed using the individual's personal smart card and then sent to the web app which validates the signature and releases the medical records to the family member.



e. An individual accesses his broker's web app which has a form for authorizing the transfer of funds from one stock to another. The individual fills in the form and presses Submit. The form data is signed using the individual's personal smart card and then sent to the web app which validates the signature and transfers the funds.



f. An individual accesses his bank's web app which has a form for authorizing the transfer of money from one account to another. The individual fills in the form and presses Submit. The form data is signed using the individual's personal smart card and then sent to the web app which validates the signature and transfers the money.



g. An individual accesses his mortgage company's web app which has a suite of forms that must be completed for the purchase of a house. The individual fills in the forms and presses Submit. The form data is signed using the individual's personal smart card and then sent to the web app which validates the signature and concludes the purchase of the house.



h. A realtor has put together an offer on a house and uploaded it online. An individual opens his browser, enters the URL, and reviews the offer. He then checks a box to show that he agrees with the offer, signs it, and uploads it. The realtor then goes to the seller and makes the offer on behalf of the individual.



Jim Davenport  (on behalf of Jenn Dotson, James Garriss, Roger Costello)

Received on Monday, 4 June 2012 14:39:06 UTC