just one correction !
On TLV: length of F1 and F2 are changed.

F1 03 48 6F 6D 65 F2 04 62 6F 62 F3 04 70 61 73 73

correct TLV:
F1 04 48 6F 6D 65 F2 03 62 6F 62 F3 04 70 61 73 73

Best regards.

About security, don’t worry, it will come later. I never said that this spec was the final one…

About design, I am trying to avoid getting in big smart card debates. I hesitated a while before writing this post, because it is not Java enough for me. Now, I would admit that it is a good idea to return information on SELECT, but this goes beyond what I want to do in this tutorial.

Finally, about status words, I am not sure what you mean. I have reused status words defined in the ISO7816-4 spec, on top of the T=0 protocol, and I don’t see any conflict.

Some remarks:
– I do not understand the reasoning behind Lr in the response. The application must set the offset and length of the APDU buffer in the APDU.sendBytes() anyway. Besides having always a data field (to stay consistent: no data means Lr = 0) the data field length is reduced by one byte.
– You mention that this is purely functional, without security features, but .. I think it should always be forbidden to retrieve secret data like keys, or in this example the password itself.
– Do you think it’s a good design that an applet provides information about it’s capabilities in the response to the SELECT APDU? For example the file control information could include the commands supported and the methods behind it.
– I would add that the application developer has to be aware of status words which might conflict with the ones already defined in ISO 7816 or JCRE (e.g. T=0 protocol handling).