The problem I am trying to solve is to prove a product is authentic. The simplest solution I can think of is proving that NFC's private key corresponds with some public key, without relying on third-party servers.
If the NFC tag has a private key that can sign arbitrary data presented to it, a user could present data that they generate themselves, then compare with the publicly-available key.
I am not really worried about replay attacks in this scenario.
So in all, the properties the tag should have are roughly:
- unique private key
- corresponding public key that can be distributed
- API or some means whereby we can simply pass the data to be signed, and the NFC responds with the signature
The only tag I know about that implements anything close to this is the NTAG 424 DNA, but I'm not aware of a simple API provided by the company or an open source API. It would be great if it could be done via something like web NFC API, but perhaps that is too simplistic.
Is there a public list of NFC tags that have these properties, assuming such a tag exists?
Web NFC allows you to read/write NFC tags with NDEF content. I don't think Web NFC is suitable in your case then.