Basically it is done by requiring SSL/TLS comunication between browser and web-server, by an addition of requirement that not only server presents its certificate, but client as well presents clients certificate.
You did not specify what kind of web-aplication you are building and using what components or development environment.
I plan to use Omnikey 3021 card reader that runs in a web browser.
And this system will interact with the website when there is a need.
I think the best idea will be to implement java-applets that can read the data in smart cards using the Omnikey Hardware. And, it will send the authentication or other information to the website.
The problem is that the system should be a web-based application; and not a desktop application. But still, it should be able to read out the card in the customer’s web browser and send information to the server.
If you dont have any clue on how to do this, you should consider saying no to the project.
What your asking about is a fairly simple process, but the caveat is that if you dont do it correctly the website will not be any more secure afterwards. In this case the chance of something not being secure enough in the end product is pretty high, and you as a professional should be able to see your limit and say no to projects that you dont know how to complete (especially when we are talking about security).
I am fully aware about the security issues, and need the system work.
So, I can think of hiring experts on this as well.
The system I am going to build is important, and producing cards to the sytem shows the legal presense of the member who signs using a card, and is run by limited members only.
This is typically handled by the smart card middleware via PCKS 11 operations (if you have the middleware installed on the client, the browser will pop up a dialog asking the client for their smartcard on login). This won’t require applets or browser plug-ins.
If you need to do it via a web only solution, Comet Way makes a browser plug-in that might be useful to you, <snip/> - this plug-in lets you write scripts on the server that encapsulate the smart card interactions and post results back to your server, and it works with any kind of smart card without requiring middleware (a card minidriver) to be installed.
