10 Nov
2024
10 Nov
'24
11:40 a.m.
Dear Harald,
I watched your excellent presentation on eSIMs and I have two
questions just to make sure I understand the situation correctly.
1. Both the eSIM profile and the SM-DP+ server's certificate has to be
signed by the GSMA in order to be able to provide eSIM services to
commercial handsets?
2. If the above is the case, that means we effectively lost control of
the SIM infra, as we always have to rely on 3rd party SM-DP+ and eSIM
profile providers who can provide the necessary signing for both the
eSIM profiles and the SM-DP+ server certs signed by GSMA?
Based on what you implied during the OsmoDevCall call about getting
certified, I am under the impression that Sysmocom will not be able to
provide nor eSIM profiles nor SM-DP+ services that can be used for
commercial handsets? If this is the case, can you kindly redirect me
to a vendor/provider who you have good experience with in this regard?
Much appreciate your help!
Regards,
Csaba
10 Nov
10 Nov
2:40 p.m.
Hi Sipos,
On Sun, Nov 10, 2024 at 11:40:18AM +0100, Sipos Csaba wrote:
1. Both the eSIM profile and the SM-DP+ server's
certificate has to be
signed by the GSMA in order to be able to provide eSIM services to
commercial handsets?
yes. To be precise, all SM-DP+ certificates have to be signed by GSMA CI,
that includes the certificate for TLS transport as well as the other certificate
used for eSIM profile signature (CERT_DP_*) where "DP" menas data preparation.
2. If the above is the case, that means we effectively
lost control of
the SIM infra, as we always have to rely on 3rd party SM-DP+ and eSIM
profile providers who can provide the necessary signing for both the
eSIM profiles and the SM-DP+ server certs signed by GSMA?
that is true, and has been very clear from the very beginning of the
eSIM universe. It's a *MASSIVE* shift of control from "whoever is
technically capaable to issue a chip card with an UICC/USIM profile on
it" to a single, cerntralized entity of control. It's one of my main
criticisms of this scheme.
It's like having BIOS/EFI with secure boot *without* the ability of
users to enroll their own keys.
In the ideal world, the eUICC would have procedures where the legitimate
owner could add its own CA certificate. At that point, the owner of the
UE would again have similar control as they had with classic removable
SIM/USIM.
The only entity/government that seems to have realized the socpe of this
loss of control and sovereignty appears to be the Chinese government.
There are various other alternate eSIM Certificate Authorities / roots
of trust, in addition to those of GSMA. It looks like there's a
regulatory requirement that the eUICCs of devices sold in China contain
not just the GSMA root CA certificate, but also a domestic chinese one.
The eUICC specifications explicitly permit multiple roots of trust, and
I have personally successfully created such eUICCs.
It's just that the eUICCs don't offer anyone the addition of such roots
of trust except [even that optionally] the EUM (eUICC manufacturer).
Based on what you implied during the OsmoDevCall call
about getting
certified, I am under the impression that Sysmocom will not be able to
provide nor eSIM profiles nor SM-DP+ services that can be used for
commercial handsets? If this is the case, can you kindly redirect me
to a vendor/provider who you have good experience with in this regard?
sysmocom does not have any plans to operate a GSMA-accredited SM-DP+
itself. However, we do work with partners who do and we are able to
issue GSMA-signed eSIM profiles. If I wouldn't be constantly distracted
by other tasks, we would also have completed the development of a
web-based platform where customers can personalize such profiles - sadly
that is still WIP at this point. But we can do it manually, if you have
a UPP that you'd want to get signed.
Regards,
Harald
--
- Harald Welte <laforge(a)gnumonks.org> https://laforge.gnumonks.org/
============================================================================
"Privacy in residential applications is a desirable marketing option."
(ETSI EN 300 175-7 Ch. A6)
3:09 p.m.
Dear Harald,
Thanks for the answer.
that is true, and has been very clear from the very
beginning of the
eSIM universe. It's a *MASSIVE* shift of control from "whoever is
technically capaable to issue a chip card with an UICC/USIM profile on
it" to a single, cerntralized entity of control. It's one of my main
criticisms of this scheme.
No doubt, this is terrible. And I am not even sure how soon we will
see the increase of UEs that has not physical SIM slots at all...
The eUICC specifications explicitly permit multiple
roots of trust, and
I have personally successfully created such eUICCs.
It's just that the eUICCs don't offer anyone the addition of such roots
of trust except [even that optionally] the EUM (eUICC manufacturer).
Yeah, this would be a solution if I want to build my own UEs and can
embed an EUM eUICC, so I can upload my own certs, then I could use my
own SM-DP+ and eSIM profiles. Not really an option for private network
operators with commercial UEs at play unfortunately.
sysmocom does not have any plans to operate a
GSMA-accredited SM-DP+
itself. However, we do work with partners who do and we are able to
issue GSMA-signed eSIM profiles. If I wouldn't be constantly distracted
by other tasks, we would also have completed the development of a
web-based platform where customers can personalize such profiles - sadly
that is still WIP at this point. But we can do it manually, if you have
a UPP that you'd want to get signed.
Shall I reach out to you in private to further discuss this?
Regards,
Csaba
13 Nov
13 Nov
4:56 p.m.
Hi Sipos,
On Sun, Nov 10, 2024 at 03:09:08PM +0100, Sipos Csaba wrote:
yes, feel free to reach out to sales(a)sysmocom.de with related inquiries.
--
- Harald Welte <laforge(a)gnumonks.org> https://laforge.gnumonks.org/
============================================================================
"Privacy in residential applications is a desirable marketing option."
(ETSI EN 300 175-7 Ch. A6)
sysmocom does
not have any plans to operate a GSMA-accredited SM-DP+
itself. However, we do work with partners who do and we are able to
issue GSMA-signed eSIM profiles. If I wouldn't be constantly distracted
by other tasks, we would also have completed the development of a
web-based platform where customers can personalize such profiles - sadly
that is still WIP at this point. But we can do it manually, if you have
a UPP that you'd want to get signed.
Shall I reach out to you in private to further discuss this?
220
days inactive
223
days old
3 comments
2 participants
participants (2)
-
Harald Welte -
Sipos Csaba