laforge submitted this change.

View Change

Approvals: laforge: Looks good to me, approved fixeria: Looks good to me, but someone else must approve Jenkins Builder: Verified 
docs: Bring osmo-smdpp documentation up to date with code

Change-Id: Ibaab1fadd5d35ecdb356bed1820074b1b0a1752e
Closes: OS#6418
---
M docs/osmo-smdpp.rst
1 file changed, 13 insertions(+), 7 deletions(-)

diff --git a/docs/osmo-smdpp.rst b/docs/osmo-smdpp.rst
index ad7d902..afc4eb8 100644
--- a/docs/osmo-smdpp.rst
+++ b/docs/osmo-smdpp.rst
@@ -19,15 +19,20 @@
 
 osmo-smdpp currently
 
-* uses test certificates copied from GSMA SGP.26 into `./smdpp-data/certs`, assuming that your osmo-smdppp
-  would be running at the host name `testsmdpplus1.example.com`
+* [by default] uses test certificates copied from GSMA SGP.26 into `./smdpp-data/certs`, assuming that your
+  osmo-smdppp would be running at the host name `testsmdpplus1.example.com`. You can of course replace those
+  certificates with your own, whether SGP.26 derived or part of a *private root CA* setup with mathcing eUICCs.
 * doesn't understand profile state. Any profile can always be downloaded any number of times, irrespective
-  of the EID or whether it was donwloaded before
-* doesn't perform any personalization, so the IMSI/ICCID etc. are always identical
+  of the EID or whether it was donwloaded before.  This is actually very useful for R&D and testing, as it
+  doesn't require you to generate new profiles all the time.  This logic of course is unsuitable for
+  production usage.
+* doesn't perform any personalization, so the IMSI/ICCID etc. are always identical (the ones that are stored in
+  the respective UPP `.der` files)
 * **is absolutely insecure**, as it
 
- * does not perform any certificate verification
- * does not evaluate/consider any *Matching ID* or *Confirmation Code*
+ * does not perform all of the mandatory certificate verification (it checks the certificate chain, but not
+   the expiration dates nor any CRL)
+ * does not evaluate/consider any *Confirmation Code*
  * stores the sessions in an unencrypted _python shelve_ and is hence leaking one-time key materials
    used for profile encryption and signing.
 
@@ -82,7 +87,8 @@
 and it will bind its plain-HTTP ES9+ interface to local TCP port 8000.
 
 The `smdpp-data/certs`` directory contains the DPtls, DPauth and DPpb as well as CI certificates
-used; they are copied from GSMA SGP.26 v2.
+used; they are copied from GSMA SGP.26 v2.  You can of course replace them with custom certificates
+if you're operating eSIM with a *private root CA*.
 
 The `smdpp-data/upp` directory contains the UPP (Unprotected Profile Package) used.  The file names (without
 .der suffix) are looked up by the matchingID parameter from the activation code presented by the LPA.

To view, visit change 38150. To unsubscribe, or for help writing mail filters, visit settings.

Gerrit-MessageType: merged
Gerrit-Project: pysim
Gerrit-Branch: master
Gerrit-Change-Id: Ibaab1fadd5d35ecdb356bed1820074b1b0a1752e
Gerrit-Change-Number: 38150
Gerrit-PatchSet: 6
Gerrit-Owner: laforge <laforge@osmocom.org>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: fixeria <vyanitskiy@sysmocom.de>
Gerrit-Reviewer: laforge <laforge@osmocom.org>
Gerrit-Reviewer: pespin <pespin@sysmocom.de>