On 2012-04-19 09:21, helpcrypto helpcrypto wrote:
>> (to me, that question makes no sense.  users can't talk to smart cards.
>>  Only smart card readers and programs can.  So what smart card reader and
>> what program is doing this?  A dumb smart card reader and a browser,
>> following Javascript instructions from a website?  That'd be game over...)
> 
> Why "can't" a website use JavaScript to communicate with the card?

A number of banks came up with the wonderful idea of adding a citizen ID
application to their already shipping EMV (payment) card.

What this meant was that any merchant could read your citizen ID certificate
(=national ID) without your knowledge.  Naturally this scheme was endorsed
by the government and their consultants.

I'm by *no means* a privacy advocate but this is way below what I consider
a useful solution.  My criticism of this idea made me quite unpopular but
it seems that they actually never put it in production :-|

Anyway, this was another way of expressing a core problem with "direct access".
I do not think that "clever" GUIs can do much here either.  Then there is
security-related stuff such as PIN spoofing and associated credential misuse
that makes me pretty uncomfortable with the whole idea.

My "solution" to this is to treat all PKI-using applications as complete
applications running in trusted code.  W3C tries to do something different,
we'll see how that pans out...

Anders
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
