On 21 Jan 2019, at 13:53, Jim Reid <jim@rfc1035.com> wrote:
I’m not sure that’s true Andrei.
If an IoT device is on the Internet, it shouldn’t have hard-wired crypto. Just like how it shouldn’t have a factory-set password of 0000 or whatever. This should not be a subject for debate. It’s basic common sense.* Whether that device is a node in a sensor network or some piece of CPE is irrelevant from that perspective.
A bit to the side of this, but probably relevant in this context: the ongoing discussion between “hardware based security” and “software”. This also flares up every now and then in forums like AIOTI, where chip vendors of course are big proponents of hardware based solutions, saying software is easier to compromise. Agility as you propose doesn’t rule out hardware solutions, but they are probably harder to modify on-the-go and less agile than an entirely software based solution. I have no particular opinion on it, but pushing back on hardware solutions may find some responding counter pressure from those groups who prefer hardware over software.
On the original question: did you already look at GSM’s eSIM (and possibly SIM) specification? Not 100% sure they are ‘agile’ in a sense you are aiming for, but it has some ways to update to newer stuff afaik.
MarcoH