On Saturday, August 16, 2003, at 08:24 AM, Jon Barber wrote:
I'd highly recommend the IBM JCOP family of smart cards. Implements JavaCard & OpenPlatform, and the support from IBM is excellent. The toolkit with 2 cards & 14 emulators is 75 swiss francs. : http://www.zurich.ibm.com/jcop/order/tools.html
Okay then, I'll stop being stubborn--in place of Funcards, does anyone have a recommendation for good general purpose smartcard that can be entirely reprogrammed and has decent documentation available? I suppose what I'm looking for is a recommendation from anyone who's some experience developing applications for smartcards. Pros, cons, what you think is decent non-buggy hardware that doesn't get in your way, that sort of thing.
AFAIK, the JCOP card can not "be entirely reprogrammed" (and I don't think that the SSP Forte card can be either). The only way to get a "proper" card that can be completely re-programmed is to go see a secure IC manufacturer and buy a development kit. This is usually quite expensive and might require the signature of NDAs. Even then, one has to trust that there is no back-door in the Firmware (or the actual silicon). So a careful person would need to get the chips blueprint, review them and then make sure that the chip really reflects these blueprints.
Even on a Linux/xBSD box based on an x86 chip, there is nothing that proves that a sequence of byte codes run in user mode might not "by accident" turn the chip into supervisor mode. I'm am not even talking about all the firmware present in a PC...
So at some point, somebody has to be trusted. If trusting a card manufacturer is "pushing it too far", deep pockets are needed to go see a silicon manufacturer (Atmel, Emosyn, Infineon, Philipps, ST microelectronics,...), get an emulator and start writing a new OS. I trust that the expertise of the development team in side channel attacks (SPA, DPA,...) will allow to put strong counter-measure in the OS.
If trusting a SC manufacturer is reasonable (after all, institutions that we trust (Banks,...) do trust them), buying a Javacard and writing an applet is a good choice. Getting a card that has been reviewed by a third party is probably a good idea (FIPS or CC evaluation). Alternatively, one could use the Musclecard applet and start working at the musclecard API level (or PKCS#11) on the host to build innovative applications that use the card.
My 2 cents about it anyways...
Cheers, JLuc.
_______________________________________________ Muscle mailing list [EMAIL PROTECTED] http://lists.musclecard.com/mailman/listinfo/muscle
