In the fourth interview of the 25th Anniversary series, Eric Vétillard, Lead Certification Expert at ENISA, explains ENISA’s certification mandate and discusses how Java Card certification schemes are related to the ENISA scope. He also reflects on his time as the JCF Technical Committee (TC) Chairman and how it has shaped his career path since.
It’s been a while since you were the Technical Committee Chairman of the Java Card Forum. What have you been working on since then?
The last time I joined the Java Card Forum was when I was with Oracle; I was Product Manager for Java Card. I’ve had a few jobs since, that included a stint at NXP, where I stayed in touch with the JCF through present members like Christian Kirchstaetter [current Technical Committee chairman] and Alexandre Frey, but my focus was actually more on IoT processors and certification.
In 2019, I joined ENISA, the EU Cyber Security Agency, as a Certification Expert, so here I’ve been continuing the work I was actually doing at NXP – working on Cyber Security certification, but focusing more on a scheme on cloud services. So, this is not very close to Java Card, but thanks to my experience with Java Card and more generally with Secure Elements, I’ve also been involved in other schemes that we’re developing in ENISA on Common Criteria and also on 5G, where we’re also on the Embedded UICC. We’re working as a team, so it’s very nice to have this experience and it definitely helps.
What is ENISA doing with certification?
In 2019, the Cyber Security Act made ENISA a permanent agency in the EU and, maybe most importantly, assigned new tasks to the agency. One of these tasks is to design European Cyber Security certification schemes. Our role here is to prepare the schemes, in collaboration both with the industry and with the Member States. When we’re done with that, we’ll actually give these schemes to the Commission, who will derive an implementing Act and they become part of the EU law.
The first scheme that ENISA worked with is called EUCC – it’s a European scheme for Common Criteria. This one should be quite important for the Java Card community, as most Java Card products are certified with Common Criteria. This scheme will of course be used by at least European chip and card developers, hopefully starting next year with the first certification activities. ENISA will also continue in helping and guiding through the deployment of this scheme and other schemes that we are working on.
How are Java Card certification schemes related to the ENISA scope?
Java Card is not something that we explicitly talk about, but it often is in the background. For instance, many of the Java Card licensees are represented in our working groups on Common Criteria and 5G, and every time we consider examples of certified products, Java Card platforms are somehow cited. They are such an important component of the supply chain in smart cards’ Secure Elements. I’m also quite confident that some Java Card products will be among the first to be certified with both the EUCC and the EU5G – maybe we’ll be lucky enough to have a Java Card product being the first one to actually be certified.
Of course, with my work on cloud services, we are much further from Java Card and smart cards in general, but it’s interesting to see that there’s always some kind of a surprise reference that comes up every time we talk about access control or authentication. We rely on products, and these products rely on Java Card technology, so the link is indirect, but it’s always there, because the technology is so present everywhere.
Do you miss the Java Card Forum?
Well, yes I do! I’m not missing the interactions, because my work includes many interactions with the industry, with governments… But the cloud community is very large – discussions have a tendency to grow political at some points. So, what I really miss here is also the lower profile of the Java Card Forum, where you have a limited number of members; most of them are not even known to the general public and what we’re working on still remains in the background, yet we’re collaborating on the design of a product that just about everyone on the planet is using. It’s like we have the impact, but with maybe less visibility. And when you’re actually working on defining the next version of a specification, it’s easier when you work like this – a little bit hidden, especially for the technical people. For the business people this is not always seen as positive!
I’m sometimes missing the excitement of the Java Card Forum’s early days, back in the 1990s, where we were designing the first versions and all our companies were still wondering whether this would work or not. Well, 25 years later and there are a number of billions of cards being sold every year with Java Card – I guess that now they know the answer to that question and I am very happy to see that the Java Card Forum is still here and that the technology still remains dominant. There hasn’t been another technology coming along and replacing it, and it doesn’t look like this will happen in the near future. I think the Java Card Forum is definitely a nice adventure!