laforge has submitted this change. (
https://gerrit.osmocom.org/c/pysim/+/38150?usp=email )
Change subject: docs: Bring osmo-smdpp documentation up to date with code
......................................................................
docs: Bring osmo-smdpp documentation up to date with code
Change-Id: Ibaab1fadd5d35ecdb356bed1820074b1b0a1752e
Closes: OS#6418
---
M docs/osmo-smdpp.rst
1 file changed, 13 insertions(+), 7 deletions(-)
Approvals:
laforge: Looks good to me, approved
fixeria: Looks good to me, but someone else must approve
Jenkins Builder: Verified
diff --git a/docs/osmo-smdpp.rst b/docs/osmo-smdpp.rst
index ad7d902..afc4eb8 100644
--- a/docs/osmo-smdpp.rst
+++ b/docs/osmo-smdpp.rst
@@ -19,15 +19,20 @@
osmo-smdpp currently
-* uses test certificates copied from GSMA SGP.26 into `./smdpp-data/certs`,
assuming that your osmo-smdppp
- would be running at the host name `testsmdpplus1.example.com`
+* [by default] uses test certificates copied from GSMA SGP.26 into
`./smdpp-data/certs`, assuming that your
+ osmo-smdppp would be running at the host name `testsmdpplus1.example.com`.
You can of course replace those
+ certificates with your own, whether SGP.26 derived or part of a *private
root CA* setup with mathcing eUICCs.
* doesn't understand profile state. Any profile can always be downloaded any
number of times, irrespective
- of the EID or whether it was donwloaded before
-* doesn't perform any personalization, so the IMSI/ICCID etc. are always
identical
+ of the EID or whether it was donwloaded before. This is actually very
useful for R&D and testing, as it
+ doesn't require you to generate new profiles all the time. This logic of
course is unsuitable for
+ production usage.
+* doesn't perform any personalization, so the IMSI/ICCID etc. are always
identical (the ones that are stored in
+ the respective UPP `.der` files)
* **is absolutely insecure**, as it
- * does not perform any certificate verification
- * does not evaluate/consider any *Matching ID* or *Confirmation Code*
+ * does not perform all of the mandatory certificate verification (it checks
the certificate chain, but not
+ the expiration dates nor any CRL)
+ * does not evaluate/consider any *Confirmation Code*
* stores the sessions in an unencrypted _python shelve_ and is hence leaking
one-time key materials
used for profile encryption and signing.
@@ -82,7 +87,8 @@
and it will bind its plain-HTTP ES9+ interface to local TCP port 8000.
The `smdpp-data/certs`` directory contains the DPtls, DPauth and DPpb as well
as CI certificates
-used; they are copied from GSMA SGP.26 v2.
+used; they are copied from GSMA SGP.26 v2. You can of course replace them
with custom certificates
+if you're operating eSIM with a *private root CA*.
The `smdpp-data/upp` directory contains the UPP (Unprotected Profile Package)
used. The file names (without
.der suffix) are looked up by the matchingID parameter from the activation
code presented by the LPA.
--
To view, visit https://gerrit.osmocom.org/c/pysim/+/38150?usp=email
To unsubscribe, or for help writing mail filters, visit
https://gerrit.osmocom.org/settings?usp=email
Gerrit-MessageType: merged
Gerrit-Project: pysim
Gerrit-Branch: master
Gerrit-Change-Id: Ibaab1fadd5d35ecdb356bed1820074b1b0a1752e
Gerrit-Change-Number: 38150
Gerrit-PatchSet: 6
Gerrit-Owner: laforge <[email protected]>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: fixeria <[email protected]>
Gerrit-Reviewer: laforge <[email protected]>
Gerrit-Reviewer: pespin <[email protected]>
