Open Source Java Card?

On the first day of JavaOne, I spent some time looking at the open source business, attending in particular Simon Phipps’ session (BUS-8032) about Open Source business models. Most of Java is now open source, and Java Card remains an exception here. Of course, one of the reasons may be that Java Card is the market with the smallest revenue, but there are more reasons for this.

According to Phipps, the important thing about open source is that it starts a virtuous circle: somebody contributes a technology, it is used by others to create products (and wealth), and then these others contribute to the technology. The interesting claim is that, here, the main gain for the members of the active community is not the price of the technology, but the fact that access to source code allows them to lower their maintenance costs. This is also a strong incentive to contribute back: if your extensions are integrated in the product, then you know that their maintenance will be considered as part of the product, hence reducing your maintenance costs.

So far, so good. In principle, this could work for Java Card. Of course, our industry has a long history of secrecy, so things would not be easy, but people could consider such extensions. The good thing is that it would allow other people, such as academic researchers, to contribute as well.

Problems start arising with the license. Sun has chosen the GPL V2 license for Java. What this means is that any product that uses part of the Java code base must also be made open source. This naturally rules out its use for Java Card. I believe it is a good idea to make the reference implementation code public, but the industry is not ready to make the code of actual implementations public, for many reasons, some of them good. Sun offers an alternative for its product, which is to use an already packaged product; in that case, you don’t get the source, but you get something that is ready to use.

Nevertheless, I strongly believe that keeping Java Card as strictly closed as it is today is a bottleneck for the technology. With the current licensing terms, we have several very interesting research projects that remain inaccessible, because publishing them would violate the terms of the license. This situation is painful for the industry, because it significantly reduces the visibility of our community. These issues could be addressed by taking a few steps towards Open Source:

  • Make the Java Card reference implementation source code available, together with the TCK.
  • Encourage researchers to publish results (and open source them, if possible).
  • Allow “masked” implementations from card manufacturers to remain closed source.

Of course, these requirements seem a bit contradictory, but just like there are several ways to license other Java technologies, there may be several ways to license Java Card and cover these needs.

3 Comments

  • lexdabear wrote:

    I thought for a long time about the idea of an open source Java Card OS. I do not see the problem:

    What this means is that any product that uses part of the Java code base must also be made open source. This naturally rules out its use for Java Card.

    In the smart card business most effort and money is spent on the security. Now by making it open source, we would take a similar step as cryptography dictates: The algorithm is known and the secrecy lies only in the key. The community would design the security architecture and find the flaws much faster. Of course there is a stronger requirement for governance and the hardware dependency (which can be overcome with a modular layer concept). But I am sure we would get better results.

    One remark regarding the reference implementation and TCK: Sun’s Java Card Kit includes a reference implementation of the virtual machine in C and the Java Test Harness is open sourced as well (the Java Card test cases are not).

  • I kinda agree to start with. However, I have second thoughts, as I am not sure that publishing smart card code is exactly similar to publishing cryptographic algorithms.

    I am still thinking about it, and I will publish a full entry on this in a few days.

  • Crispan wrote:

    I strongly support an open source Java Card implementation. I expect that the benefits for academia and industry outweigh any drawback. There is always the possibility of dual licensing in order to use it commercially.

    There are products in the market where one company makes a mask and other companies produce smartcards with this mask. So open-source is just the next step.

    Customers want interoperability and reliability and performance and security and much memory for their applications, with different priorities. So, I think there is still enough space for further Java Card implementations, one reference implementation will never fit all needs. The different hardware platforms are also an issue to consider.

    Are there opinions on Open-Source Java Card in the Java Card Forum, e.g. for Java Card 3?

    How about going step-by-step and starting with an open-source Java Card simulation?

    By the way, I don’t think that it has to be Sun who has to or should provide their reference implementation as open-source.
