by wzdd 3498 days ago
Odd -- JavaCard smartcards are available for under $5, have crypto co-processors, and certainly support general-purpose code. See for example my project for KeePass, http://code.lardcave.net/2016/08/06/1/ . After programming, you can choose to lock down the card (which means you can only erase the card, not modify it). I'm using NXP chips and although I haven't investigated completely I would be highly surprised if it was not possible to get the tamper-resistant and cryptographic properties the author is after.

There is an open-source toolchain for generating code for the card which works great from OS X or Linux. Contactless writers are available on eBay for like twenty bucks. And they will even work (via NFC) with Android phones.

It's a great time to be playing with contactless general-purpose smartcards.

6 comments

I tried to do something like this last summer. I found little to zero intersection between the cards that GlobalPlatformPro can personalize, and the cards that you can just buy in low volume at reasonable cost.

I think I did buy one "$5" JavaCard but the shipping was like $50.

As much as I admire GlobalPlatformPro, staking your small company's security infrastructure on 1) a hobby project maintained by one guy (Martin Paljak), and 2) materials with "call us" pricing that the suppliers really don't want to sell in sub-thousands volume seems worse than just using Yubikey.

Oh, also, I couldn't find an actual working open source PKCS#11 applet that wasn't abandonware. I did get something working with GPG (though it felt like duct tape and prayer), but I couldn't get the PKI stuff to work at all.

I've used http://www.smartcardfocus.us/shop/ilp/se~any/so~5/p/index.sh... without any trouble - the Yubico GPG applet runs on them happily, and we're using https://github.com/philipWendland/IsoApplet for PKCS#11 based signing.
This "one guy" here. I would say that the availability of open access cards is almost excellent these days, at least in the EU. The quality of those easily available cards (Chinese) is questionable though. But there are cards available from other vendors as well (most notably NXP).
Haha I love HN.

EU might be the differentiator. I do remember seeing a lot of cards that would only ship to EU, or shipping to US was prohibitively expensive.

Keep up the awesome work.

HN is nice indeed, but the awesome work would be more effective with less HN ;)

I have been thinking for a long time about opening a webshop for "pre-verified cards" that would come with an open source SDK and as much docs as possible. Maybe that would help (but would still only ship to "western world").

I even have a ring that runs JavaCard software on its JVM, they are sold for cheap, and I bought one just for fun and history, there is an eBay listing here: http://www.ebay.co.uk/itm/JAVA-RING-RARE-Sun-Microsystems-JA...
That seems like a great way to distribute some secret. Create an Arduino reader for the ring, save the secret in a format that requires 3 out of 5 rings to reconstruct and store them apart.

Only the most persistent and knowledgeable about the ring will go through the trouble to get the data off it.
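The "3 out of 5 rings" idea above is a threshold secret-sharing scheme; the commenter does not name one, but Shamir's scheme gives exactly that property. The following is an added worked example (not code from the thread or from any of the projects mentioned) that splits a short secret into 5 shares over a prime field, recovers it from any 3, and checks that 2 shares do not recover it. The secret bytes, the 15-byte limit and the `demo` helper are assumptions of this example.

```python
"""Threshold secret sharing (Shamir) as an added illustration of the
"3 out of 5 rings" idea: the secret is split into 5 shares, any 3 of
which reconstruct it, while 2 reveal nothing about it."""
import secrets
from itertools import combinations

# Arithmetic is done modulo this Mersenne prime, so secrets of up to 15 bytes fit.
PRIME = 2**127 - 1


def _eval_poly(coeffs, x):
    """Evaluate the polynomial (coefficients low to high) at x mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, threshold, share_count):
    """Return share_count (x, y) points; any `threshold` of them recover secret."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be an integer in [0, PRIME)")
    if not 1 < threshold <= share_count:
        raise ValueError("need 1 < threshold <= share_count")
    # Constant term is the secret; the remaining coefficients are uniformly random.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, share_count + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x = 0 over the supplied (x, y) shares."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    result = 0
    for xi, yi in shares:
        num = den = 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        result = (result + yi * num * pow(den, -1, PRIME)) % PRIME
    return result


def bytes_to_int(data):
    """Encode a short byte string as a field element (constructed limit: 15 bytes)."""
    if len(data) > 15:
        raise ValueError("at most 15 bytes fit under PRIME")
    return int.from_bytes(data, "big")


def int_to_bytes(value, length):
    return value.to_bytes(length, "big")


def demo(secret=b"ring-secret-01", threshold=3, share_count=5):
    """Split, then check that every threshold-sized subset recovers the secret
    and every smaller subset does not. Returns True when the scheme behaves."""
    s = bytes_to_int(secret)
    shares = split_secret(s, threshold, share_count)
    for subset in combinations(shares, threshold):
        if int_to_bytes(recover_secret(list(subset)), len(secret)) != secret:
            return False
    # With fewer than `threshold` shares the interpolated value is unrelated
    # to the secret (equal only with probability 1/PRIME).
    for subset in combinations(shares, threshold - 1):
        if recover_secret(list(subset)) == s:
            return False
    return True


if __name__ == "__main__":
    print("3-of-5 sharing behaves as expected:", demo())
```

Each share would be what gets written to one ring; the share index `x` has to travel with its `y` value, and the reader that reconstructs the secret only needs any three pairs, not a particular three.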

That is the weirdest eBay listing I saw in a while. Also I want to have one super-badly now. Thank you :)
I remember the JavaOne when they were given. Oh, getting old!
I think I still have one somewhere from that JavaOne.
What can you actually do with it?
Hey Nick! I did a smartcard module for the old Cobalt RaQ/Qube systems back in ~1999/2000, in Perl. Worked fine but few customers IIRC. Since then only used a bunch of bank ones. Can probably help you find cheapies from China, eg. try a search like https://s.taobao.com/search?q=智能卡 (92% < USD$3) with results like https://item.taobao.com/item.htm?spm=a230r.1.14.201.VcCJvD&i... (100 cards + USB programmer for ~USD$70). We are flying back to Sydney tonight... if you are back before xmas drop me a line. (NXPs only: https://s.taobao.com/search?q=智能卡+nxp)
What I don't get is why they're all virtual machine based, though I think someone posted a brief explanation for that in response to me last time this came up. Moreover it doesn't help that I am violently allergic to Java. But when it comes down to it, the smartcard industry giving people JavaCard is the same as not giving them actual, full access to the chip. It's probably the best thing going with regard to my article, but there's still something amiss there.
Why are you violently allergic to Java?
Can I get something that would allow me to unlock an SSH key by tapping a card to my phone?
https://grepular.com/An_NFC_PGP_SmartCard_For_Android

I believe you would still have to write most of the software involved yourself. A discussion of smart card login with SSH as of five years ago:

https://grepular.com/Smart_Cards_and_SSH_Authentication

And a useful discussion on SSH and 2FA last year here on HN: https://news.ycombinator.com/item?id=10885654

Did it get easier recently? I tried getting into this about six years or so ago and found it really hard to get started. Finding appropriate applets (MUSCLE applet I guess was the common crypto one), incompatible cards and readers, etc.