eSIM Provisioning Standards

GSMA SGP.21: RSP Functional Requirements for CoreESIM Platforms

3 min read

CoreESIM refers to the foundational infrastructure and platforms enabling embedded SIM (eSIM) functionalities, primarily governed by GSMA specifications. SGP.21 is pivotal in this ecosystem, outlining the functional requirements for the Remote SIM Provisioning (RSP) architecture. This specification details the secure and interoperable management of cellular profiles on an eUICC (embedded Universal Integrated Circuit Card), moving beyond the logistical constraints of traditional physical SIM cards.

SGP.21 defines key functional entities within the RSP architecture: the eUICC itself, the Local Profile Assistant (LPA), the Subscription Manager - Data Preparation+ (SM-DP+), and the Subscription Manager - Secure Routing (SM-SR). The secure and standardized interaction between these components ensures robust profile lifecycle management, encompassing everything from initial profile download and activation to subsequent updates, deactivation, and deletion.

The SM-DP+ is responsible for the secure preparation and delivery of operator profiles. Key functional requirements for the SM-DP+ include: secure generation of ISD-P (Integrated Security Domain - Profile) instances, authenticating the eUICC and LPA using X.509 certificates and other cryptographic primitives, initiating profile download sessions, and securely transmitting profile data to the eUICC. It must support various profile states and handle requests for profile deletion or deactivation in compliance with defined security protocols and lifecycle management rules.

SM-SR and eUICC Roles

The SM-SR's primary role is the secure routing of management commands to the eUICC, acting as a crucial broker for profile lifecycle operations. Its functional requirements mandate: managing the eUICC's profile inventory, processing requests for profile enabling, disabling, and deletion, and maintaining secure communication channels with both the eUICC and the SM-DP+. This involves orchestrating profile state changes and ensuring the integrity and authenticity of all management commands transmitted to the eUICC.

The eUICC is the secure hardware element designed for storing and executing operator profiles. SGP.21 mandates its ability to: securely store multiple operator profiles, manage profile states (e.g., enabled, disabled, inactive), authenticate itself with both the SM-DP+ and SM-SR, and securely execute commands received through the RSP infrastructure. It must also expose a defined interface for the LPA to facilitate user interaction and trigger RSP operations on the device.

The entire CoreESIM framework, as defined by SGP.21, relies heavily on robust security mechanisms. These include TLS 1.2+ for secure transport, end-to-end encryption, and Public Key Infrastructure (PKI)-based mutual authentication between all involved parties. SGP.21, complemented by SGP.22 (which outlines the technical realization), ensures interoperability across different vendors and operators, which is critical for fostering a secure and globally accessible CoreESIM ecosystem. Adherence to these specifications minimizes fragmentation and maximizes the security posture of the entire RSP process.