Resources

Reading, References, and Architecture Notes

Concept-first articles for engineering and architecture readers. Nothing on this page is marketing collateral — it's how we think.

Each article is also available as a clean Markdown source for content repurposing — see the Markdown source index · LinkedIn content calendar.

Technical knowledge base

Trust chain & manufacturing

Architecture

Trust Chain Architecture: From Manufacturing HSM to Deployed Device

The end-to-end trust chain — HSM, secure element, SCP03 OTA, PKI, lifecycle — as one architectural commitment.

12 min · Read article →
Manufacturing

Device Identity at Manufacturing Scale: Fleet Provisioning Architecture

HSM, key diversification, atomic identity records, and PKI hierarchy for fleet-scale provisioning.

13 min · Read article →
OTA · SCP03

SCP03-Protected OTA Channel: What It Does and What It Doesn't Protect

What SCP03 secures, what it doesn't, and why the distinction matters for OTA security architecture.

11 min · Read article →

eSIM, eUICC & telecom integration

RSP · SGP.22

eSIM/eUICC Provisioning Architecture: RSP, SM-DP+, and LPA Integration

The GSMA RSP architecture and provisioning sequence — and the failure modes most commonly encountered at fleet scale.

14 min · Read article →
LTE · PKI

Telecom Authentication and Enterprise Identity: Where LTE and PKI Meet

Two identity contexts on one device — and the integration boundary that governs revocation, decommissioning, and incident response.

12 min · Read article →
Foundations

eSIM vs eUICC vs iSIM: Understanding the Difference

What each term denotes, how they map to silicon, and why the distinction matters for IoT engineering.

9 min · Read article →
eUICC

eUICC Applet Development

Security and architecture considerations for eUICC-resident applets — Security Domains, profile lifecycle, vendor independence.

10 min · Read article →
Java Card

Java Card and eSIM Applet Development

Patterns for building eSIM identity logic on Java Card — state machines, key roles, transaction boundaries.

10 min · Read article →
Telecom

What Makes IoT Security "Telecom-Grade"?

An honest unpacking of an overused phrase — what the bar actually is, who sets it, and how to credibly aspire to it.

8 min · Read article →

Hardware trust & PKI for embedded

Decision framework

Hardware-Backed Authentication: SE vs TEE vs TPM

A precise comparison of Secure Element, Trusted Execution Environment, and TPM 2.0 — with a decision framework.

15 min · Read article →
PKI

PKI for Embedded Systems: Five Enterprise Assumptions That Break

Chain length, online revocation, RSA-2048, on-demand rotation, reliable clocks — and the embedded adjustments for each.

16 min · Read article →
PKI

Embedded PKI Architectures for IoT Security

PKI under embedded constraints — clocks, memory, connectivity, and revocation that works in the field.

10 min · Read article →
Identity

Hardware-Backed Identity for IoT Devices

Why software-only identity isn't enough at fleet scale, and what hardware actually buys you.

10 min · Read article →
Secure Element

Why Secure Elements Matter in Connected Infrastructure

The case for hardware-isolated execution in connected products — and what the boundary actually buys you.

9 min · Read article →

Provisioning, attestation & offline trust

Offline trust

Offline-Capable Trust: Maintaining Device Identity Without Network Connectivity

Hardware-resident credentials, pre-loaded revocation, SE RTC discipline, and explicit degradation policy.

11 min · Read article →
Provisioning

Secure Provisioning Workflows for Connected Devices

Reducing the trusted handoff surface during onboarding and lifecycle re-provisioning.

9 min · Read article →
Attestation

Device Attestation in IoT Security Architectures

Producing signed assertions about device state that a relying party can actually act on.

9 min · Read article →
Resilience

Offline-Capable Authentication for Low-Connectivity IoT

Trust assertions that hold when the network does not — short-lived credentials, capability tokens, monotonic counters.

9 min · Read article →
Capability documents

Whitepaper & capability briefs

Documentation made available on request to operator and ecosystem reviewers under appropriate terms.

D1

eSIM / eUICC capability brief

Architecture, applet scope, identity workflows, and assumptions. Available on request under NDA.

Request brief →
D2

IoT identity reference

End-to-end identity reference: silicon RoT, Secure Element, embedded PKI, attestation, lifecycle.

Request reference →
D3

Sandbox collaboration scope

What we can validate, what we will not claim, and proposed shape of an engagement.

Request scope →