ELAI Chip Bridge

Browser bridge for chip-card identity verification on ELAI sites. Talks to your USB reader via Chrome Native Messaging.

The ELAI Chip Bridge lets verifythecard.com, americafirst4us.com, and other ELAI ecosystem websites talk to the chip card in your USB smart-card reader — without opening a localhost network port. WHAT IT DOES The extension is a sandboxed Native Messaging bridge between web pages on a small allowlist of origins (verifythecard.com, americafirst4us.com, idregulators.com, idregulars.com, 4pdfs.com) and a local Python helper that talks to your reader via the operating system's PC/SC smart-card subsystem. When a verifythecard.com page asks "is the chip card in the reader real?", the request flows through the Chrome Native Messaging pipe to the local helper, which runs an ISO 7816-4 SELECT + INTERNAL AUTHENTICATE exchange and returns the result. The chip's private key never leaves the secure element. WHY USE THE EXTENSION INSTEAD OF A LOCALHOST HELPER? Earlier ELAI tooling opened a localhost HTTP port to talk to the reader. That works, but it's an attack surface — any tab in any browser can probe it. The Native Messaging architecture eliminates that completely: • No localhost port — Chrome manages the stdio pipe itself • Only this extension can spawn the host (Chrome enforces via the host's allowed_origins config) • Only the 5 listed ELAI ecosystem origins can reach this extension (enforced by Chrome's externally_connectable matches) • Zero CORS surface, zero CSRF surface WHAT IT DOES NOT DO • Read your card number, name, or magstripe data — the chip refuses to release those • Read your card's private key — the secure element refuses to release it • Collect any data, run any analytics, or make any outbound network calls • Work on websites outside the ELAI ecosystem allowlist PREREQUISITES This extension requires the ELAI Chip Bridge Native Messaging host to be installed separately. Install instructions and the host source code (Python, under 500 lines, MIT licensed) are at https://verifythecard.com/helper/. The host depends on Python 3.9+ and the pyscard library. macOS install is one shell script. Windows and Linux installs are in development. PRIVACY We collect nothing. We send nothing. We store nothing. Full policy at https://verifythecard.com/helper/privacy/. OPEN PROTOCOL The card-side protocol is ISO 7816-4 SELECT-by-AID followed by INTERNAL AUTHENTICATE. This is the same open standard your federal agency already uses for CAC and P