> with esim technology i had assumed the trust was assured using keys owned by the proivider, so i'm not sure whether there's something else going on here?
There is trust both ways:
- You trust the provider's keys so that nobody can later intercept your traffic, as the keys encrypted under it will later be used to encrypt and authenticate that traffic. (Of course the networks themselves have ample security holes and allow for lawful interception, but that's another topic.)
- The provider trusts your eSIM to not expose your keys to the baseband or application processor ever. If it wasn't for that, the provider's invoices might not be defensible in court in case of a billing dispute: You could easily claim that you've been subject to malware that stole your authentication keys and then went on to call toll numbers for hours.
Theoretically, the first point is only addressing your own risk, but it seems like the eSIM designers seem to have taken the position they did (mandatory GSMA PKI signatures). Unfortunately, this also means that "homebrew eSIMs" are out of reach for now.
The latter is very similar to the idea of chip credit and debit cards: The issuer relies in both users and fraudsters not being able to extract and duplicate a card's keys, so that use of these keys can be seen as proof of the authentic card being involved.
There is trust both ways:
- You trust the provider's keys so that nobody can later intercept your traffic, as the keys encrypted under it will later be used to encrypt and authenticate that traffic. (Of course the networks themselves have ample security holes and allow for lawful interception, but that's another topic.)
- The provider trusts your eSIM to not expose your keys to the baseband or application processor ever. If it wasn't for that, the provider's invoices might not be defensible in court in case of a billing dispute: You could easily claim that you've been subject to malware that stole your authentication keys and then went on to call toll numbers for hours.
Theoretically, the first point is only addressing your own risk, but it seems like the eSIM designers seem to have taken the position they did (mandatory GSMA PKI signatures). Unfortunately, this also means that "homebrew eSIMs" are out of reach for now.
The latter is very similar to the idea of chip credit and debit cards: The issuer relies in both users and fraudsters not being able to extract and duplicate a card's keys, so that use of these keys can be seen as proof of the authentic card being involved.