Dear Harald,
I watched your excellent presentation on eSIMs and I have two questions just to make sure I understand the situation correctly.
1. Both the eSIM profile and the SM-DP+ server's certificate have to be signed by the GSMA in order to be able to provide eSIM services to commercial handsets?
2. If the above is the case, that means we effectively lost control of the SIM infra, as we always have to rely on 3rd party SM-DP+ and eSIM profile providers who can provide the necessary signing for both the eSIM profiles and the SM-DP+ server certs signed by GSMA?
Based on what you implied during the OsmoDevCall call about getting certified, I am under the impression that Sysmocom will be able to provide neither eSIM profiles nor SM-DP+ services that can be used for commercial handsets? If this is the case, can you kindly redirect me to a vendor/provider who you have good experience with in this regard?
Much appreciate your help!
Regards, Csaba
Hi Sipos,
On Sun, Nov 10, 2024 at 11:40:18AM +0100, Sipos Csaba wrote:
> - Both the eSIM profile and the SM-DP+ server's certificate have to be
> signed by the GSMA in order to be able to provide eSIM services to commercial handsets?

yes. To be precise, all SM-DP+ certificates have to be signed by GSMA CI, that includes the certificate for TLS transport as well as the other certificate used for eSIM profile signature (CERT_DP_*) where "DP" means data preparation.
> - If the above is the case, that means we effectively lost control of
> the SIM infra, as we always have to rely on 3rd party SM-DP+ and eSIM profile providers who can provide the necessary signing for both the eSIM profiles and the SM-DP+ server certs signed by GSMA?

that is true, and has been very clear from the very beginning of the eSIM universe. It's a *MASSIVE* shift of control from "whoever is technically capable to issue a chip card with a UICC/USIM profile on it" to a single, centralized entity of control. It's one of my main criticisms of this scheme.
It's like having BIOS/EFI with secure boot *without* the ability of users to enroll their own keys.
In the ideal world, the eUICC would have procedures where the legitimate owner could add its own CA certificate. At that point, the owner of the UE would again have similar control as they had with classic removable SIM/USIM.
The only entity/government that seems to have realized the scope of this loss of control and sovereignty appears to be the Chinese government. There are various other alternate eSIM Certificate Authorities / roots of trust, in addition to those of GSMA. It looks like there's a regulatory requirement that the eUICCs of devices sold in China contain not just the GSMA root CA certificate, but also a domestic Chinese one.
The eUICC specifications explicitly permit multiple roots of trust, and I have personally successfully created such eUICCs.
It's just that the eUICCs don't offer anyone the addition of such roots of trust except [even that optionally] the EUM (eUICC manufacturer).
> Based on what you implied during the OsmoDevCall call about getting certified, I am under the impression that Sysmocom will be able to provide neither eSIM profiles nor SM-DP+ services that can be used for commercial handsets? If this is the case, can you kindly redirect me to a vendor/provider who you have good experience with in this regard?

sysmocom does not have any plans to operate a GSMA-accredited SM-DP+ itself. However, we do work with partners who do and we are able to issue GSMA-signed eSIM profiles. If I weren't constantly distracted by other tasks, we would also have completed the development of a web-based platform where customers can personalize such profiles - sadly that is still WIP at this point. But we can do it manually, if you have a UPP that you'd want to get signed.
Regards, Harald
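The trust model described in the reply above (an SM-DP+ certificate is only accepted if it chains to a CI root the EUM loaded into the eUICC, and an owner-enrolled root would restore control) can be made concrete with a small simulation. The following Go program is an added example written for this page; it is not code from Harald, sysmocom or any eUICC or SM-DP+ implementation. It assumes a toy hierarchy: two self-signed P-256 roots standing in for the GSMA CI and a hypothetical owner-enrolled CI, a chain shortened to CI -> SM-DP+ (the real CERT.DPauth/CERT.DPpb chains contain intermediates), a PKId modelled as SHA-1 over the CI's SubjectPublicKeyInfo (a simplification of the SGP.22 Subject Key Identifier), and an `addRoot` procedure that real eUICCs do not expose to owners.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// ci models a Certificate Issuer root: the GSMA CI, a domestic CI, or the
// hypothetical owner-enrolled root discussed in the message above.
type ci struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// mustKey generates a P-256 key, the curve SGP.22 profiles use for ECDSA.
func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// template builds a minimal certificate template (toy validity, random-ish serial).
func template(name string, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	}
	return t
}

// issue signs tmpl with signer; when parent is nil the result is self-signed.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

func newCI(name string) ci {
	k := mustKey()
	return ci{cert: issue(template(name, true), nil, &k.PublicKey, k), key: k}
}

// issueDPauth issues an SM-DP+ end-entity certificate under this CI,
// standing in for CERT.DPauth (chain shortened to CI -> SM-DP+, an assumption).
func (c ci) issueDPauth(host string) *x509.Certificate {
	k := mustKey()
	return issue(template(host, false), c.cert, &k.PublicKey, c.key)
}

// pkid is the identifier an eUICC advertises for each CI it trusts; modelled
// as SHA-1 over the CI's SubjectPublicKeyInfo (simplification of SGP.22's SKI).
func pkid(c *x509.Certificate) string {
	sum := sha1.Sum(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// euicc holds the CI roots loaded at manufacture; SGP.22 sends their PKIds to
// the SM-DP+ as euiccCiPKIdListForVerification so it can pick a matching cert.
type euicc struct {
	roots *x509.CertPool
	pkids []string
}

func newEUICC(cis ...*x509.Certificate) *euicc {
	e := &euicc{roots: x509.NewCertPool()}
	for _, c := range cis {
		e.addRoot(c)
	}
	return e
}

// addRoot is the owner-enrolment step that real eUICCs do not offer (hypothetical).
func (e *euicc) addRoot(c *x509.Certificate) {
	e.roots.AddCert(c)
	e.pkids = append(e.pkids, pkid(c))
}

// verifyDP is the eUICC-side check: the SM-DP+ certificate must chain to a
// trusted CI; a cert under any other root is rejected however well formed.
func (e *euicc) verifyDP(dp *x509.Certificate) error {
	_, err := dp.Verify(x509.VerifyOptions{Roots: e.roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

func main() {
	gsma, owner := newCI("GSMA CI (toy)"), newCI("Owner CI (toy)")
	dpGSMA, dpOwner := gsma.issueDPauth("smdp.operator.example"), owner.issueDPauth("smdp.private.example")
	e := newEUICC(gsma.cert) // what an EUM ships today: only the GSMA root
	fmt.Println("trusted PKIds:", e.pkids)
	fmt.Println("GSMA-chained SM-DP+ accepted:", e.verifyDP(dpGSMA) == nil)
	fmt.Println("owner-chained SM-DP+ accepted:", e.verifyDP(dpOwner) == nil)
	e.addRoot(owner.cert) // the missing owner-enrolment procedure
	fmt.Println("owner-chained SM-DP+ accepted after enrolment:", e.verifyDP(dpOwner) == nil)
}
```

Run with `go run .`: before enrolment only the certificate under the GSMA-style root verifies; after `addRoot` the privately issued SM-DP+ certificate verifies as well, with the eUICC now advertising two PKIds. The point of the simulation is that nothing about the private certificate changes between the two checks; what changes is the trust list inside the eUICC, which is exactly the part the owner cannot touch on a shipped device.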
Dear Harald,
Thanks for the answer.
> that is true, and has been very clear from the very beginning of the eSIM universe. It's a *MASSIVE* shift of control from "whoever is technically capable to issue a chip card with a UICC/USIM profile on it" to a single, centralized entity of control. It's one of my main criticisms of this scheme.

No doubt, this is terrible. And I am not even sure how soon we will see the increase of UEs that have no physical SIM slots at all...
> The eUICC specifications explicitly permit multiple roots of trust, and I have personally successfully created such eUICCs.
> It's just that the eUICCs don't offer anyone the addition of such roots of trust except [even that optionally] the EUM (eUICC manufacturer).
Yeah, this would be a solution if I want to build my own UEs and can embed an EUM eUICC, so I can upload my own certs, then I could use my own SM-DP+ and eSIM profiles. Not really an option for private network operators with commercial UEs at play unfortunately.
> sysmocom does not have any plans to operate a GSMA-accredited SM-DP+ itself. However, we do work with partners who do and we are able to issue GSMA-signed eSIM profiles. If I weren't constantly distracted by other tasks, we would also have completed the development of a web-based platform where customers can personalize such profiles - sadly that is still WIP at this point. But we can do it manually, if you have a UPP that you'd want to get signed.
Shall I reach out to you in private to further discuss this?
Regards, Csaba
Hi Sipos,
On Sun, Nov 10, 2024 at 03:09:08PM +0100, Sipos Csaba wrote:
> > sysmocom does not have any plans to operate a GSMA-accredited SM-DP+ itself. However, we do work with partners who do and we are able to issue GSMA-signed eSIM profiles. If I weren't constantly distracted by other tasks, we would also have completed the development of a web-based platform where customers can personalize such profiles - sadly that is still WIP at this point. But we can do it manually, if you have a UPP that you'd want to get signed.
> Shall I reach out to you in private to further discuss this?
yes, feel free to reach out to sales@sysmocom.de with related inquiries.