Editing Esim (section)

= The eSIM public key infrastructure =

The new eSIM card introduces a novel public key infrastructure designed to protect the mobile ecosystem [esim-hw-sec-spec]. Here’s how it works.

Every network operator and manufacturer must undergo a rigorous audit to participate. Once complete, they receive a certificate which is signed by the GSMA root key [gsma-root-key]. The manufacturer is also required to sign every eSIM they produce, creating a secure audit trail [esim-hw-sec-spec].

'''For a manufacturer the process looks like this''' [esim-cert-process]:

# The eSIM manufacturer requests an audit from the GSMA.
# The GSMA auditors visit the manufacturer premises and check the onsite location against [SAS-UP] standards [gsma-sas].
# The auditors return a report to the GSMA SAS Certification Body.
# If approved, the manufacturer will be certified.

The manufacturer is now considered to have a secure facility (SAS-UP certified), '''but their product still needs to be tested, and so:'''

# The GSMA maintains a list of security properties for eSIM cards which has been validated and approved by national security agencies [SAS-SM.]
# A manufacturer creates an eSIM and requests an audit from an independent party. Auditors are specialized laboratories that have been certified by GlobalPlatform and are recognized by national security agencies as highly competent [esim-cert-process][gp-certified-labs].
# Auditors attempt to find weaknesses in the product and test the integrity of the solution against a list of criteria set by the GSMA [sas-sm].
# The audit results get returned to GlobalPlatform who certifies that the product has been tested up to a EAL4+ standard [eal].

The manufacturer now has an eSIM that is certified by multiple parties. '''At this point there is now proof their facility and product has been audited which becomes part of their cryptographic identity. Impressively, all this information gets recorded in the eSIM cards they manufacture.'''

Network operators undergo a similar procedure to check the security around their remote subscription management services [sas-sm][gsma-sas].

'''(WTF) Why does any of this matter?!'''

The way that U/SIM cards are manufactured today doesn’t allow an end-user to tell who made it. Once more, because U/SIMs use symmetric key cryptography for everything, it becomes impossible to identify who created a message (as the operator must also hold the same private keys to decipher encrypted messages)[gsm-crypto].

Without being able to distinguish between a U/SIM manufacturer, network operator, or mobile device– we cannot establish trust in identities within the system which is required if we are to build secure products. '''Being able to know this information would also be beneficial for blockchain applications as a secure identity system solves many trust problems in distributed systems and smart contracts protocols.'''

W͟h͟a͟t͟ ͟t͟h͟e͟ ͟G͟S͟M͟A͟ ͟h͟a͟v͟e͟ ͟d͟o͟n͟e͟ ͟i͟s͟ ͟s͟o͟l͟v͟e͟d͟ ͟t͟h͟a͟t͟ ͟p͟r͟o͟b͟l͟e͟m͟.͟ They have created a secure, digital identity system and tied it into the global mobile system. It is a clever, new public key infrastructure (PKI) that identifies all of the main actors, and since it’s built directly into eSim chips billions of future IoT devices (and people) are likely to use it. '''Usually, these kinds of features are only used by nerds''', but with digital identity systems, you need as many people as possible using it for maximum benefits.

'''So here’s a quick recap:''' - eSim introduced a new identity system for actors in the mobile network. - It has the full backing of the GSMA, GlobalPlatform, various national security agencies, security laboratories, and industry partners. - It will be used for billions of devices; some phones already support it. - We can use it to solve many complex trust problems in unexpected ways.

<span id="blockchain-applications-of-esim"></span>