Category: Certification

Describes certification schemes for GSMA-compliant eSIMs.

GSMA Public Key Infrastructure (PKI) Certificate Policy

The GSMA implements a trusted system using certificates based on a Public Key Infrastructure (PKI) to control which components of a Remote SIM Provisioning system can talk to each other.

The policy is outlined in SGP.14.

To permit any certified component to talk to any other certified component, the GSMA issues signed root certificates.

They have appointed Cybertrust to act as the Root Certificate Issuer for M2M RSP systems (version 3.1) and DigiCert as the Certificate Issuer for Consumer RSP systems. The Cybertrust root certificates were acquired by DigiCert in 2015. In order to obtain a certificate from one of these sources it is necessary to have SAS certification.

eUICC and RSP certification

Various bodies are involved in certifying the different elements of GSMA-compliant eUICC applications.

The GSMA operates a scheme called the Security Accreditation Scheme (SAS) that certifies the site of an organisation providing Remote SIM Provisioning services. Details of the scheme and a list of approved sites are available on their website.

GlobalPlatform tests and lists the actual certified eUICC chips on their website. Select “eUICC” from the drop-down to see the eUICCs that are currently approved.

The Global Certification Forum (GCF) operates a scheme to certify the RSP compliance of consumer devices; details are available on their website.

The GSMA implements a trusted system through the use of signed root certificates.

SAS certification (SAS-UP and SAS-SM)

The GSMA operates a Security Accreditation Scheme (SAS).

Companies wishing to manufacture eUICCs must have their site accredited to SAS-UP (SAS for UICC Production), while those wishing to program eUICCs must obtain SAS-SM accreditation for their site.

The schemes are in place mainly to ensure that the highly sensitive Profiles from the MNOs are kept secure. They incorporate components of ISO 27001 to ensure that an ISMS (Information Security Management System) and a BCP (Business Continuity Plan) are in place. In addition, they require that all of these procedures be operated in a High Security Area (HSA), over a secure network, by trained personnel who comply with strict HR policies.

The GSMA currently uses two outside companies to conduct the SAS-UP audits: FML and ChaseWaterford.

For SAS-SM they use NCC Group and SRC Security Research & Consulting GmbH.

The audit usually takes about a week and is performed by both auditors.

A provisional approval is given once the site can demonstrate that it has all of the processes in place to meet the requirements but is not yet operating with real customers. This is sometimes called a ‘dry audit’. Another audit is conducted up to 9 months after provisional approval to finalise the certification. This is sometimes called a ‘wet audit’.

A list of SAS-accredited sites is available on the GSMA website.