As you know, in the eSIM realm, for the customer model, the SM-DP+ is responsible for loading the MNO-provided profile into the eSIM chip; and, after loading such a profile, the final end user can authenticate himself/herself to the MNO network in order to utilize operator services. Additionally, utilizing such a profile in the eSIM, the MNO is provided with the capability to communicate securely with the eSIM on a communication channel different from the one the SM-DP+ utilized.
My question is about the separation of accesses. More specifically, given that the profile is loaded by the SM-DP+, I am curious to know whether the SM-DP+ has access to the user's authentication keys for MNO network authentication (such as Ki), and whether the SM-DP+ has access to the MNO-SD OTA keys.
One may answer "No" to both questions I asked above; but, in that case, given that the profile is loaded by the SM-DP+, I can imagine only two scenarios to prevent such a problem:
For the first approach, the eSIM shall already contain a pre-shared key between the MNO and the eSIM, which is not the case; the manufacturer only loads the eSIM with SM-DP+ authentication keys in the first step.
And for the second approach, the SM-DP+ still has access to keys that can be misused by it to obtain MNO and user credentials that are not necessary for the SM-DP+'s functionalities.
So, can someone please clarify how access to the MNO credentials is controlled in the eSIM realm? Are SM-DP+ entities fully trusted by different MNOs to have all the keys in plaintext?
The IPP that is transferred through ES8+ to the eSIM contains everything, and the DP+ is the one encrypting it, so it is the trusted party in the ecosystem. In case other keys are generated/put through OTA in the enabled ISD-P (after installation), then with a proper implementation it's not possible to extract them in a commercial eSIM, but it cannot include the Ki.
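To make the answer's point concrete, here is an added model of the ES8+ download and of a later MNO OTA key change, written for this page and not taken from the question, the answer or any GSMA/TCA specification. It is a simplified model: the profile is a JSON struct with illustrative fields (a real profile package is a sequence of TCA/SIMalliance profile elements), the one-time ECKA uses P-256 with SHA-256 standing in for the SCP03t key derivation, and AES-GCM stands in for SCP03t's AES-CBC + CMAC. All keys, the ICCID and the OTA command text are constructed sample values. What the model shows is the structural fact the answer relies on: the SM-DP+ is the party that takes the plaintext profile (Ki and the shipped OTA keyset included) and encrypts it, so it necessarily sees those values; a key the MNO later rotates under the MNO-SD OTA keyset, on its own channel, is not visible to the SM-DP+'s retained copy, while Ki was in the profile from the start.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// must keeps the model short: any crypto/encoding failure aborts the demo.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Profile stands in for the unprotected profile package the MNO hands to the
// SM-DP+. Modelling assumption: a real profile is a sequence of profile
// elements in the TCA/SIMalliance format, not JSON; the fields are illustrative.
type Profile struct {
	ICCID  string
	Ki     []byte // USIM network authentication key
	OTAKey []byte // MNO-SD OTA keyset, when the MNO ships it inside the profile
}

// BPP models the bound profile package carried over ES8+: the SM-DP+ one-time
// ECKA public key plus the profile encrypted under the derived session key.
type BPP struct{ OtPKDP, Nonce, Ciphertext []byte }

// sessionKey stands in for the SCP03t key derivation: SHA-256 over the ECKA
// shared secret replaces the real KDF, and AES-GCM below replaces AES-CBC + CMAC.
func sessionKey(shared []byte) []byte {
	sum := sha256.Sum256(append([]byte("ES8+ session key (model)"), shared...))
	return sum[:]
}

func gcm(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

func seal(key, plaintext []byte) (nonce, ct []byte) {
	g := gcm(key)
	nonce = make([]byte, g.NonceSize())
	must(rand.Read(nonce))
	return nonce, g.Seal(nil, nonce, plaintext, nil)
}

func open(key, nonce, ct []byte) ([]byte, error) { return gcm(key).Open(nil, nonce, ct, nil) }

// EUICC keeps its one-time ECKA private key for the download and, once
// installed, the profile inside its ISD-P.
type EUICC struct {
	otSK      *ecdh.PrivateKey
	installed Profile
}

func NewEUICC() *EUICC       { return &EUICC{otSK: must(ecdh.P256().GenerateKey(rand.Reader))} }
func (e *EUICC) OtPK() []byte { return e.otSK.PublicKey().Bytes() }

// ProtectProfile is the SM-DP+ side. Its input is the plaintext profile, Ki
// and OTA keyset included: the party that encrypts necessarily holds the clear.
func ProtectProfile(p Profile, euiccOtPK []byte) BPP {
	otSK := must(ecdh.P256().GenerateKey(rand.Reader))
	shared := must(otSK.ECDH(must(ecdh.P256().NewPublicKey(euiccOtPK))))
	nonce, ct := seal(sessionKey(shared), must(json.Marshal(p)))
	return BPP{otSK.PublicKey().Bytes(), nonce, ct}
}

// Install is the eUICC side: same ECKA, same session key, decrypt into the ISD-P.
// A BPP bound to another eUICC's one-time key fails authentication here.
func (e *EUICC) Install(b BPP) error {
	shared := must(e.otSK.ECDH(must(ecdh.P256().NewPublicKey(b.OtPKDP))))
	upp, err := open(sessionKey(shared), b.Nonce, b.Ciphertext)
	if err != nil {
		return err
	}
	return json.Unmarshal(upp, &e.installed)
}

// RotateOTAKey models the MNO's post-installation OTA channel: a new key
// reaches the MNO-SD wrapped under the current one; the SM-DP+ is not on this path.
func (e *EUICC) RotateOTAKey(nonce, ct []byte) error {
	newKey, err := open(e.installed.OTAKey, nonce, ct)
	if err == nil {
		e.installed.OTAKey = newKey
	}
	return err
}

// Result records who could read what in the modelled flow.
type Result struct {
	EUICCRecoveredKi    bool // the chip decrypted the BPP to the Ki the MNO provided
	SMDPHeldPlaintextKi bool // the SM-DP+ input equals what ended up on the chip
	StaleCopyReadsOTA   bool // SM-DP+'s retained copy reads post-rotation OTA traffic
	EUICCReadsOTA       bool // the chip, holding the rotated key, does
}

func RunDemo() Result {
	// Constructed sample values, not real subscriber data.
	mno := Profile{"89000000000000000001", bytes.Repeat([]byte{0x11}, 16), bytes.Repeat([]byte{0x22}, 16)}
	eu := NewEUICC()

	bpp := ProtectProfile(mno, eu.OtPK()) // SM-DP+ handles mno in the clear
	smdpCopy := mno                       // and can retain it afterwards
	must(0, eu.Install(bpp))

	var r Result
	r.EUICCRecoveredKi = bytes.Equal(eu.installed.Ki, mno.Ki)
	r.SMDPHeldPlaintextKi = bytes.Equal(smdpCopy.Ki, eu.installed.Ki)

	// The MNO rotates the OTA keyset over its own channel, under the key it shipped.
	newOTA := bytes.Repeat([]byte{0x33}, 16)
	must(0, eu.RotateOTAKey(seal(mno.OTAKey, newOTA)))

	// A later OTA command under the rotated key: the chip reads it, the stale copy cannot.
	n, c := seal(newOTA, []byte("PUT KEY (model)"))
	_, err := open(smdpCopy.OTAKey, n, c)
	r.StaleCopyReadsOTA = err == nil
	_, err = open(eu.installed.OTAKey, n, c)
	r.EUICCReadsOTA = err == nil
	return r
}

func main() { fmt.Printf("%+v\n", RunDemo()) }
```

Running it prints a Result in which the chip recovered the same Ki the SM-DP+ held in plaintext, the chip can read OTA traffic under the rotated key, and the SM-DP+'s stale copy cannot. The design choice worth noting is that nothing in the ES8+ protection hides the profile from the SM-DP+: confidentiality there is between the SM-DP+ and the target eUICC, against third parties, not against the SM-DP+ itself; whatever the MNO wants kept from the SM-DP+ has to be established later over a channel keyed independently of the profile contents.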