| 摘要 |
Provided are methods and apparatus for secure provision of access control entities (such as electronic or virtual subscriber identity module (eSIM) components) post-deployment of the host device on which the access control entity will be used. In one embodiment, wireless (e.g. cellular) user equipment is given a unique device key and endorsement certificate which can be used to provide updates or new eSIMs to the user equipment in the ″field″. The user equipment can trust eSIM material delivered by an unknown third-party eSIM vendor, based on a secure certificate transmission with the device key. In another aspect, an operating system (OS) is partitioned into various portions or ″sandboxes″. During an operation, the user device can activate and execute the operating system in the sandbox corresponding to the current wireless network. Personalization packages received while connected to the network only apply to that sandbox. Similarly, when loading an eSIM, the OS need only load the list of software necessary for the current run-time environment. Unused software can be subsequently activated. |
