FWIW, I have "buried" my efforts putting security HW in the browser (beyond FIDO) since the [theoretical] problems encountered were simply put insurmountable.
By pure accident I found this recent posting by Ryan Sleevy: https://lists.w3.org/Archives/Public/public-webcrypto-comments/2015Jan/0000.html Inside the posting there's a link to this super-cool technology (Chrome Native Messaging) which was recommended to a person wanting to use PKCS #11 for a web-based signature application: http://blog.chromium.org/2013/10/connecting-chrome-apps-and-extensions.html Anyway, Chrome Native Messaging could be maybe improved to even better support various security-applications so I did some "polishing" which can be found here: http://webpki.org/papers/web2native-bridge.pdf I'm pretty sure that Apple Pay in its next iteration will use a variant of native messaging to make the wallet equally useful on the web. Yes, it will have the same look-and-feel and security on the web as in a shop which is a way better idea than building a specific wallet for the web. Anders
