Sun's identity pitch

At SunNetwork 2003 back in September, Jonathan Schwartz made the case that the Java card is the most strategic piece of Sun's whole technology stack. Actually, I'd say per-employee pricing is the real strategic innovation. But I've always hoped to see movement on the identity card front, so this clip, in which Schwartz stresses something I've been harping on for years, got my attention:

Java card support will be built into the desktop that we offer. It is the fundamental way we will help people to understand that if there were a menu item in your mail app that said, 'Show only mail from people that have been strongly authenticated,' then spam would disappear. 'Show me only content that has been strongly authenticated,' viruses would disappear.

I'm with you, Jonathan. Now as a longtime advocate of this view, I've gotten plenty of useful pushback. And it's true, there are problems. PCs don't come with card readers. It's unclear how the governments and banks and airlines and other entities who currently issue cards will evolve the identity infrastructures this solution implies, how those infrastructures will cooperate, and how revocation can be managed in a scalable way.

That said, I worry less nowadays about card-reader deployment. Maybe because I figure that we'll just authenticate to our phones, and let them talk Bluetooth to PCs and other devices.

I also worry less about how we'll relate identity cards (or devices, like phones) to identity infrastructures. Look at how ordinary credit cards are now used at airline kiosks. There's no multifactor authentication involved in printing your boarding pass. But multifactor authentication is part of the larger system. Your government-issued biometric, aka driver's license with photo, will also be checked. It's all a question of context.

I'm not even too worried about how we handle revocation, now that I've seen what CoreStreet has in mind.

All in all, I'm fairly optimistic about the scenario Schwartz paints. The whole talk, by the way, is here. It lays out the new server and client strategies. I do wonder how all this adds up to a "Java system." There are roles for J2EE, J2SE, and J2ME. But the server suite is based on Solaris, with Java APIs that you might rather generalize as Web services APIs. The desktop is based on Linux/GNOME/Mozilla/StarOffice, and while there is indeed a Java client software renaissance underway, it looks to me as though IBM (with Eclipse and SWT) is more of an instigator there than Sun. But the cards, and more importantly the phones, that part I get. So maybe J2ME really is Sun's ticket.
