Hi, I think this could be interesting, donĀ“t know if a standards for this should be written under IETF or somewhere else, but I can share a few use cases we have at neXus where we need to use platform specific capabilities. And a bit on how we currently solve it.
* Smart Card signatures In e.g bank transactions signatures are desired. We develop a middleware with this support (has been used for the Swedish eID for many years), we have historically created plugins to the comunication between the browser and the middleware. But as NPAPI is going away we have now created a new architecture that relies on server component that makes it possible to open up a communication channel between the browser and the middleware. * RFID coding This is kind of like printing, when creating cards for physical access systems (PACS) some data has to be coded in the card or read from it as it is printed (Mifare Desfire etc.), for this we have a SDK/application that runs locally but the card management system runs in the browser. The communication is currently done with a socket connection to localhost, it works well but has some clear drawbacks e.g. TLS. * Signature pad * Fingerprint recording * Document scanning When doing identity management we collect data about the user when enrolling. Once again it is not possible to collect all this data from a browser i.e. we need something running locally, and we need to communicate with it. Currently we do a connection to localhost. * End point integrity We have a client application that is loaded to validate that that platform (OS, antivirus etc.) is updated before allowing the user to connect to the corporate network. And when the user is logged out it helps the user to clean upp downloaded files so that sensitive data gets minimal exposure. (this solution relies on java applet and activeX) All of these use cases would benefit form a standardised way of communicating from the web browser (JavaScript) with a locally installed application. Best Regards Samuel Erdtman On Fri, Mar 20, 2015 at 8:30 AM, Hannes Tschofenig < [email protected]> wrote: > I like the proposal Anders put forward. > Doing some work in the IETF in that area might not be a bad idea to > stimulate discussions. > > Ciao > Hannes > > > On 03/20/2015 06:49 AM, Anders Rundgren wrote: > > On 2015-03-19 19:15, John Bradley wrote: > >> It sounds like WebCrypto or something more related to it. > >> http://www.w3.org/2012/webcrypto/ > > > > I would rather characterize this as the opposite to WebCrypto since the > > referred schemes > > all are based on the idea that "The Web is not enough". > > > > That is, the Web needs (as proven any number of times), to be extended > > with its more > > powerful native/platform companion for a lot of reasons including access > > to platform- > > resident keys as well as breaking away from the crippling SOP notion. > > > > The W3C does not appear to be a suitable home for such an effort, they > > rather prefer > > continuing the so far pretty unsuccessful efforts DUPLICATING the native > > level into > > the Web [1], instead of recognizing the power of COMBINING these worlds. > > > > Cheers, > > Anders > > > > 1] https://lists.w3.org/Archives/Public/public-sysapps/2014Dec/0000.html > > > >> > >> > >>> On Mar 19, 2015, at 3:05 PM, Jim Schaad <[email protected] > >>> <mailto:[email protected]>> wrote: > >>> > >>> To me this sounds more like a W3C activity than an IETF activity. > >>> Jim > >>> *From:*jose [mailto:[email protected]]*On Behalf Of*Anders > Rundgren > >>> *Sent:*Wednesday, March 18, 2015 10:41 PM > >>> *To:*[email protected] <mailto:[email protected]> > >>> *Subject:*[jose] Charter Proposal: "Trusted Code" for the Web > >>> Trusted Code for the Web > >>> > >>> > >>> Existing security-related applications like authentication, payments, > >>> etc. are all based on that a core-part is executed by statically > >>> installed software that is supposed to be TRUSTED. > >>> > >>> Since web-based applications are transiently downloaded, unsigned and > >>> come from any number of more or less unknown sources, such > >>> applications are by definition UNTRUSTED. > >>> > >>> To compensate for this, web-based security applications currently > >>> rely on a hodge-podge of non-standard methods [1] where trusted code > >>> resides (and executes) somewhere outside of the actual web application. > >>> > >>> However, because each browser-vendor have their own idea on what is > >>> secure and useful [2], interoperability has proven to be a major > >>> hassle. In addition, the ongoing quest for locking down browsers (in > >>> order to make them more secure), tends to break applications after > >>> browser updates. > >>> > >>> Although security applications are interesting, they haven't proved > >>> to be a driver. Fortunately it has turned out that the desired > >>> capability ("Trusted Code"), is also used by massively popular music > >>> streaming services, cloud-based storage systems, on-line gaming sites > >>> and open source collaboration networks. > >>> > >>> The goal for the proposed effort would be to define a vendor- and > >>> device-neutral solution for dealing with trusted code on the Web. > >>> > >>> > >>> *References > >>> * > >>> 1] An non-exhaustive list include: > >>> - Custom protocol handlers. Primarily used on Android and iOS. > >>> GitHub also uses it on Windows > >>> - Local web services on 127.0.0.1. Used by lots of services, from > >>> Spotify to digital signatures > >>> - Browser plugins like NPAPI/ActiveX. Used (for example) by millions > >>> of people in Korea for PKI support but is now being deprecated > >>> - Chrome native messaging. Fairly recent solution which enables > >>> Native <=> Web communication > >>> > >>> 2]https://code.google.com/p/chromium/issues/detail?id=378566 > >>> > >>> _______________________________________________ > >>> jose mailing list > >>> [email protected] <mailto:[email protected]> > >>> https://www.ietf.org/mailman/listinfo/jose > >> > > > > _______________________________________________ > > jose mailing list > > [email protected] > > https://www.ietf.org/mailman/listinfo/jose > > > _______________________________________________ > jose mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/jose > >
_______________________________________________ jose mailing list [email protected] https://www.ietf.org/mailman/listinfo/jose
