Hi Sipos,
On Sun, Nov 10, 2024 at 11:40:18AM +0100, Sipos Csaba wrote:
- Both the eSIM profile and the SM-DP+ server's certificate has to be
signed by the GSMA in order to be able to provide eSIM services to commercial handsets?
yes. To be precise, all SM-DP+ certificates have to be signed by GSMA CI, that includes the certificate for TLS transport as well as the other certificate used for eSIM profile signature (CERT_DP_*) where "DP" menas data preparation.
- If the above is the case, that means we effectively lost control of
the SIM infra, as we always have to rely on 3rd party SM-DP+ and eSIM profile providers who can provide the necessary signing for both the eSIM profiles and the SM-DP+ server certs signed by GSMA?
that is true, and has been very clear from the very beginning of the eSIM universe. It's a *MASSIVE* shift of control from "whoever is technically capaable to issue a chip card with an UICC/USIM profile on it" to a single, cerntralized entity of control. It's one of my main criticisms of this scheme.
It's like having BIOS/EFI with secure boot *without* the ability of users to enroll their own keys.
In the ideal world, the eUICC would have procedures where the legitimate owner could add its own CA certificate. At that point, the owner of the UE would again have similar control as they had with classic removable SIM/USIM.
The only entity/government that seems to have realized the socpe of this loss of control and sovereignty appears to be the Chinese government. There are various other alternate eSIM Certificate Authorities / roots of trust, in addition to those of GSMA. It looks like there's a regulatory requirement that the eUICCs of devices sold in China contain not just the GSMA root CA certificate, but also a domestic chinese one.
The eUICC specifications explicitly permit multiple roots of trust, and I have personally successfully created such eUICCs.
It's just that the eUICCs don't offer anyone the addition of such roots of trust except [even that optionally] the EUM (eUICC manufacturer).
Based on what you implied during the OsmoDevCall call about getting certified, I am under the impression that Sysmocom will not be able to provide nor eSIM profiles nor SM-DP+ services that can be used for commercial handsets? If this is the case, can you kindly redirect me to a vendor/provider who you have good experience with in this regard?
sysmocom does not have any plans to operate a GSMA-accredited SM-DP+ itself. However, we do work with partners who do and we are able to issue GSMA-signed eSIM profiles. If I wouldn't be constantly distracted by other tasks, we would also have completed the development of a web-based platform where customers can personalize such profiles - sadly that is still WIP at this point. But we can do it manually, if you have a UPP that you'd want to get signed.
Regards, Harald