Attention is currently required from: neels.

laforge has posted comments on this change by neels. ( https://gerrit.osmocom.org/c/pysim/+/40094?usp=email )

Change subject: personalization: set default values ......................................................................

Patch Set 2: Code-Review-1

(7 comments)

Commit Message:

https://gerrit.osmocom.org/c/pysim/+/40094/comment/02406a05_f38afaab?usp=ema... : PS2, Line 11: This is useful for user interaction, to prefill an input field that : indicates a valid input to modify to taste. I beg to differ. Filling default values is dangerous as it makes the form validate without the user having provided reasonable input to all of them.

In other words, having default values is likely to make it easy for users to personalize profiles with something they don't want?

It might depend on the actual parameter, but for sure something like IMSI or K/OPc should never have a default, as there is no reasonable default that is true for most use cases. Those are always individual...

File pySim/esim/saip/personalization.py:

https://gerrit.osmocom.org/c/pysim/+/40094/comment/dc3446be_48aa8fe5?usp=ema... : PS2, Line 278: default_value there's no point of an all-zero default ICCID.

https://gerrit.osmocom.org/c/pysim/+/40094/comment/36215e1a_5cff6661?usp=ema... : PS2, Line 299: I also think there's no point in having a default for the IMSI

https://gerrit.osmocom.org/c/pysim/+/40094/comment/decfdbb0_d7ea037e?usp=ema... : PS2, Line 467: default_value = '0' * allow_len I'm not sure why any security key / pin should have any default value at all. This seems more like its introducing a security issue as anyone not explicitly setting a PUK would get 00000000 instead of a warning/error/exception?

https://gerrit.osmocom.org/c/pysim/+/40094/comment/d1fe8be5_64b46f16?usp=ema... : PS2, Line 494: default_value = '0' * max_len same here

https://gerrit.osmocom.org/c/pysim/+/40094/comment/1382f00c_548564dc?usp=ema... : PS2, Line 565: default_value = 1 # Milenage here I agree that a default actually does make sense.

https://gerrit.osmocom.org/c/pysim/+/40094/comment/16919990_827bb8c0?usp=ema... : PS2, Line 582: default_value = '00' * allow_len no cryptographic key should have any default value. It's just creating security nightmares.