Closed Bug 713319 Opened 13 years ago Closed 7 years ago

Create API for signing transactions using a smartcard

Categories

(Core :: DOM: Device Interfaces, defect)

defect
Not set
normal

RESOLVED DUPLICATE of bug 1294514

People

(Reporter: briansmith, Unassigned)

Details

(Keywords: china-p2)

Some sites, in particular banking and e-commerce sites in China, are using ActiveX controls and/or NPAPI plugins to improve security. Some of these plugins are used to sign transactions using smartcards. Typically the smartcards are USB devices where the smartcard and the smartcard reader are combined into one device. The bank typically asks users to install an EXE/MSI package that contains the device driver for the USB smartcard device and ActiveX and/or NPAPI plugins for browsers, to facilitate the interaction between the driver and the web app doing the signing.

I am not sure how to solve the driver installation problem, but it should be possible for us to create a Web API that allows the web app to give the smartcard driver some details (e.g. the amount of a financial transaction and the account number), and retrieves a signature for those details from the smartcard.

AFAICT, the plugin-based approach works as follows:

1. The plugin sends the data to be signed to the smartcard driver.
2. The smartcard driver causes a UI to be shown that includes those details and prompts the user to verify the transaction. Often, this includes the requirement for the user to enter a PIN number for their smartcard.
3. The user reads the transaction details in the smartcard-presented UI, then enters the PIN number into the PIN field in that UI, then presses OK.
4. The smartcard driver returns the signed data to the plugin.
5. The plugin stuffs the signed data somewhere in some form field, to be submitted later.

AFAICT, the difficult part of this is the UI-related stuff: how does the user know what data he is signing? If we rely on the driver to present the data to be signed, how do we know the driver is presenting that data correctly? If the browser presents the transaction in its own UI, how does the driver and/or website know to trust the browser's UI? How do we structure the data to facilitate this end-to-end communication from the UI to the website so that the signature is useful?

The other major complication is, how do we get the drivers for the smartcard devices installed?

I think this kind of API may also become useful for SIM-card-signed transactions in B2G and in Fennec.
(In reply to Brian Smith (:bsmith) from comment #0)
> The other major complication is, how do we get the drivers for the smartcard
> devices installed?

They're typically USB, no? Assuming we got WebUSB off the ground, perhaps those drivers could be written and delivered in JS?
Bob should be cc'ed on all smartcard related bugs.
We're basically getting this with WebAuthn now, calling this a dupe on that metabug.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE