It seems that this year’s Java Card offering at e-Smart was fairly small, so the Java Card session had to be extended to include more topics. One of the presentations, from Gemalto, was about the plug-and-play authentication product.
This is not new; it has been around for a while. Plug and play has been unreachable for smart cards for a long time, and it basically remains unreachable for classical smart cards. But if you include a USB interface and embed your card in a form factor that can be directly plugged into a USB port (i.e., a USB key), then you can pretend to be something else, in particular a USB mass storage device. This allows auto-run to be activated, so the required driver and software can be loaded directly onto the PC. Here we are: plug-and-play!
This is very nice for Gemalto’s target market, which relies on a single application, loaded on the smart card (a network authentication application). However, the products I like are open, and this one isn’t. Gemalto may be offering an open version of their product, but I am not sure about the application model. It is fairly complex, as it requires at least a PC application and a card application. The card application is a Web server, which is now natural. However, the PC side is more complex, in particular if you want to deal with all the security issues that are inherent to today’s PCs. In particular, including measures that ensure, to a certain extent, that the PC is not compromised is very difficult. Here, we simply need some specialized middleware that deals with that. Something must exist, and I will try to find it, because it has interesting possible interactions with Java Card 3. If you know about something like that, please send a comment or a note.