Hi Sipos,
On Sun, Nov 10, 2024 at 11:40:18AM +0100, Sipos Csaba wrote:
> 1. Both the eSIM profile and the SM-DP+ server's certificate has to be
> signed by the GSMA in order to be able to provide eSIM services to
> commercial handsets?
yes. To be precise, all SM-DP+ certificates have to be signed by GSMA CI,
that includes the certificate for TLS transport as well as the other certificate
used for eSIM profile signature (CERT_DP_*) where "DP" menas data preparation.
> 2. If the above is the case, that means we effectively lost control of
> the SIM infra, as we always have to rely on 3rd party SM-DP+ and eSIM
> profile providers who can provide the necessary signing for both the
> eSIM profiles and the SM-DP+ server certs signed by GSMA?
that is true, and has been very clear from the very beginning of the
eSIM universe. It's a *MASSIVE* shift of control from "whoever is
technically capaable to issue a chip card with an UICC/USIM profile on
it" to a single, cerntralized entity of control. It's one of my main
criticisms of this scheme.
It's like having BIOS/EFI with secure boot *without* the ability of
users to enroll their own keys.
In the ideal world, the eUICC would have procedures where the legitimate
owner could add its own CA certificate. At that point, the owner of the
UE would again have similar control as they had with classic removable
SIM/USIM.
The only entity/government that seems to have realized the socpe of this
loss of control and sovereignty appears to be the Chinese government.
There are various other alternate eSIM Certificate Authorities / roots
of trust, in addition to those of GSMA. It looks like there's a
regulatory requirement that the eUICCs of devices sold in China contain
not just the GSMA root CA certificate, but also a domestic chinese one.
The eUICC specifications explicitly permit multiple roots of trust, and
I have personally successfully created such eUICCs.
It's just that the eUICCs don't offer anyone the addition of such roots
of trust except [even that optionally] the EUM (eUICC manufacturer).
> Based on what you implied during the OsmoDevCall call about getting
> certified, I am under the impression that Sysmocom will not be able to
> provide nor eSIM profiles nor SM-DP+ services that can be used for
> commercial handsets? If this is the case, can you kindly redirect me
> to a vendor/provider who you have good experience with in this regard?
sysmocom does not have any plans to operate a GSMA-accredited SM-DP+
itself. However, we do work with partners who do and we are able to
issue GSMA-signed eSIM profiles. If I wouldn't be constantly distracted
by other tasks, we would also have completed the development of a
web-based platform where customers can personalize such profiles - sadly
that is still WIP at this point. But we can do it manually, if you have
a UPP that you'd want to get signed.
Regards,
Harald
--
- Harald Welte <[email protected]> https://laforge.gnumonks.org/
============================================================================
"Privacy in residential applications is a desirable marketing option."
(ETSI EN 300 175-7 Ch. A6)
