Andrew Ho <[EMAIL PROTECTED]> wrote:
> On Tue, 13 Oct 2004, Tim Churches wrote:
>
> > On Wed, 2004-10-13 at 06:12, Andrew Ho wrote:
> ...
> > > Karsten,
> > > What about USB-accessible cards? Most operating systems have built-in
> > > support to read from these.
> >
> > Yes, but Karsten's excellent point is that in order to use such
> > resources, you need to give the browser-based application (as opposed to
> > the browser itself) a degree of autonomous access to your local
> > filesystem.
>
> Tim,
> Why is it necessary for the browser to have autonomous access to any
> local file system? It may be sufficient for the end-user to be prompted
> for permission to upload an authentication token from the USB device to
> the web-server.

If you are using any form of PKI-based authentication, then the application needs to do some computation using the private key (or to cause such computation to be done via an API in the case of a smart dongle or smartcard), and then upload the results. So you are still left with the issue of how your browser based application does those computations. Most **browsers** have facilities to use PKI certificates for authentication purposes, but not applications running **inside** those browsers. At least I think that is the case - perhaps others could comment on this.

In the case of OTP (one-time password) schemes, there is usually some API for extracting a value from the device. Likewise for secure smartcards designed to hold EHR/EMR data. In other words, authentication or data management which involves a smartcard or other external device is rarely as simple as the user picking a file to be uploaded to a Web server.

Tim C
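The two schemes discussed in this thread side by side, as an added example that is not part of the original messages: a token file uploaded as-is, and the PKI flow in which the device signs a server challenge and only the result is uploaded. It goes one step beyond the thread by showing that a captured file upload is accepted again while a captured signature is not. `makeToken`, `Server` and `demo` are hypothetical names, the smartcard is simulated in software with an Ed25519 key, and every value is generated at run time.

```javascript
const crypto = require("node:crypto");

// Constructed stand-in for a smartcard or dongle: the private key stays in
// this closure and only a sign() operation is exposed, as a device API would.
function makeToken() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
  return { publicKey, sign: (data) => crypto.sign(null, data, privateKey) };
}

class Server {
  constructor(publicKey, enrolledFile) {
    this.publicKey = publicKey;       // enrolled for the PKI scheme
    this.enrolledFile = enrolledFile; // stored copy for the file-upload scheme
    this.pending = new Set();         // challenges issued and not yet used
  }
  // File-upload scheme: the uploaded bytes are the credential.
  loginWithFile(uploaded) {
    return uploaded.length === this.enrolledFile.length &&
      crypto.timingSafeEqual(uploaded, this.enrolledFile);
  }
  newChallenge() {
    const nonce = crypto.randomBytes(32).toString("hex");
    this.pending.add(nonce);
    return nonce;
  }
  // PKI scheme: only a signature over a fresh, single-use challenge is sent.
  loginWithSignature(nonce, signature) {
    if (!this.pending.delete(nonce)) return false; // unknown or already used
    return crypto.verify(null, Buffer.from(nonce, "hex"), this.publicKey, signature);
  }
}

function demo() {
  const token = makeToken();
  const file = crypto.randomBytes(32); // constructed token file contents
  const server = new Server(token.publicKey, file);

  const fileFirst = server.loginWithFile(file);
  const fileReplay = server.loginWithFile(Buffer.from(file)); // captured copy

  const c1 = server.newChallenge();
  const sig1 = token.sign(Buffer.from(c1, "hex")); // computed on the device
  const sigFirst = server.loginWithSignature(c1, sig1);
  const sameChallengeReplay = server.loginWithSignature(c1, sig1);
  const newChallengeReplay = server.loginWithSignature(server.newChallenge(), sig1);
  return { fileFirst, fileReplay, sigFirst, sameChallengeReplay, newChallengeReplay };
}
```

The signing step is the part a browser-hosted application cannot do by picking a file: it needs a call into the device, which is the access question raised in the thread.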
