Ensuring compliance with the specification
The GSMA has published an Embedded SIM Test Specification for remote provisioning solution providers that will give assurance that different GSMA Embedded SIM remote provisioning systems functionally comply with the GSMA Technical Specifications. The GSMA has also extended its successful Security Accreditation Scheme (SAS) to cover remote provisioning subscription management service providers to ensure the robust security and product integrity requirements are maintained.
Security Accreditation Scheme for GSMA Embedded SIM
For almost 15 years, the GSMA’s Security Accreditation Scheme has been providing mobile network operators with valuable peace of mind that their SAS-certified UICC suppliers implement high levels of production security. With the advent of the GSMA Embedded SIM Specification, it is essential that remote provisioning subscription management service providers continue to safeguard the integrity of the Embedded UICC and its data. To facilitate industry confidence in the security of remote provisioning, the successful SAS model in use for UICC production is being extended to cover security auditing and accreditation of the Embedded UICC supplier and the providers of subscription management (DP and SR) services.
- The SAS security standards developed and approved by mobile network operators and SIM manufacturers within GSMA are used by suppliers of Embedded UICCs or subscription management services to design the security of the environment and processes that are used to manufacture and manage Embedded UICCs.
- The supplier requests an audit of its environment and processes at a specific site from the GSMA.
- A professional security auditing team engaged by GSMA visits the supplier site, conducts a comprehensive audit against the SAS standard, and produces an audit report for review by a SAS Certification Body, an expert group made up of GSMA operator members.
- Based on the audit report and its recommendations, the SAS Certification Body decides whether or not the supplier site is awarded SAS certification.
- GSMA publicises certified supplier sites, highlighting to its members the benefits of acquiring products and services from such sites.
GSMA Embedded SIM Test Specification
The purpose of the Test Specification for GSMA Embedded SIM is to ensure that products made by vendors, including eUICC, SM-DP and SM-SR entities, are functionally compliant with the GSMA Embedded SIM Technical Specification.
Test tool manufacturers will use the GSMA Embedded SIM Test Specification to develop dedicated test tools for the market. Vendors will then develop their products and commission test houses to test their products, or buy in appropriate test tools and perform the testing themselves. The vendors may self-certify their products if all the test cases are passed and the appropriate criteria that permit self-certification are met (ISO/IEC 17050).
GSMA Embedded SIM – Certificate Issuance
The Certificate Issuer (CI) process within the GSMA Embedded SIM architecture ensures the various system entities (SM-DP, SM-SR, EUM, eUICC) can all be trusted by each other.
Initially the GSMA will be the sole Certificate Issuer; however, as the market becomes established, other Certificate Issuers can be added in a hierarchy, for example issuers per region, per country, or even per market sector.
Vendors of certified and SAS-accredited GSMA Embedded SIM products/entities can apply for certificates for each of their system entities. Once the EUM has a valid root CI from the Certificate Issuer, it is able to self-certify eUICC products. When these entities communicate with each other, they use the certificates to mutually authenticate themselves. In that way they can trust each other.
More information on the Security Accreditation Scheme can be found here.