Trust Onboard is in Developer Preview with availability by request. Some features are not yet implemented, and others will change before the product is generally available. Developer Preview API's are very likely to change before the product reaches general availability.
Trust Onboard is a feature where Programmable Wireless SIM cards contain two X.509 certificates. These client-side certificates will be used to authenticate SIM cards in HTTPS connections.
Customers will be able to authenticate to Twilio services and other cloud providers such as AWS IoT and their own homegrown systems using the HTTPS handshake.
No additional pre-shared keys (API tokens, passwords, request signing) are needed - only a Twilio SIM card with Trust Onboard. The SIM cards are manufactured with two unique certificates and key pairs with different capabilities, described below.
|Device identity||Device identity differentiation at the point of manufacturing, without the installation of custom software or hardware by the device manufacturer|
|Device protection||Software integrity|
|Secure communication||API authentication and authorization|
- Twilio generates a public key, private key, and two certificates (Type A and Type B) per SIM card.
- Certificates are loaded on the SIM card during SIM manufacturing.
- Twilio provides you with an ICCID to certificate mapping.
- Private keys are not stored, other than on the SIM.
- Available Key (Type A) certificates will be on the SIM card but the text is freely available on the device. Your code will have access to the full text of the public and private keys and certificate. This is intended to be used with hardware that requires you to hand over this data for HTTPS communication. These live in a simple global platform applet that holds files with only read operations.
- Signing Key (Type B) certificates will be inside the SIM card with no way to export the text contents. You will utilize TLS libraries such as mBed that can request the SIM card to sign requests using the keys and perform request encryption. This is intended for use cases where your hardware allows you to offload the TLS communication to the SIM card. These live in a global platform applet called mIAS that implements a full security suite (similar to OpenSSL).
Mobile Identification Authentication Signature applet (mIAS) is a Java Card Applet in a Secure Element, providing functions to integrate with a PKI system:
The SIM certificates have long expiration periods (30 years).
- Available Key (Type A) certificates that are able to be extracted out of the SIM onto the device memory can never be replaced. The files (public, private key and certificate) live in a location on the SIM card that is not writable. For this reason the keys are effectively permanent and the certificate should outlive the physical device.
- Signing Key (Type B) has the same 30 year expiration period as Available Key (Type A) while in Developer Preview.
Twilio certificate bundles allow you to verify the authenticity of a SIM certificate. Each bundle file below contains the CA certificates used to sign the certificates on a Twilio SIM card.
openssl verify -verbose -CApath /dev/null -CAfile programmable-wireless.available.bundle example-sim-available.cert openssl verify -verbose -CApath /dev/null -CAfile programmable-wireless.signing.bundle example-sim-signing.cert
*Twilio can provide the SIM certificates as files while in Trust Onboard is in Developer Preview.