Apparatus and methods for Electronic Subscriber Identity Module (ESIM) installation notification

What is claimed is: 1. A method for provisioning electronic Subscriber Identity Modules (eSIMs) on an embedded Universal Integrated Circuit Card (eUICC) included in a wireless device, the method comprising: by processing circuitry of the wireless device external to the eUICC: receiving, from a provisioning server via a secure connection, an encrypted eSIM package; transferring a block of the encrypted eSIM package to the eUICC for loading and installation in an eSIM security domain on the eUICC; receiving, from the eUICC in response to transfer of the block of the encrypted eSIM package, a response message that includes a tag field that indicates encryption and signing verification applicable to the response message; and processing the response message in accordance with a value of the tag field, wherein: a first value for the tag field indicates the response message cannot be decrypted by the processing circuitry of the wireless device external to the eUICC; a second value for the tag field indicates the response message is signed by the eUICC with a certificate that can be verified by the processing circuitry of the wireless device external to the eUICC; a third value for the tag field indicates the response message is unencrypted and readable by the processing circuitry of the wireless device external to the eUICC; and responses having the third value for the tag field are used only for local communication via a trusted communication channel between the eUICC and the processing circuitry of the wireless device external to the eUICC, where response messages having the third value for the tag field are not forwarded to the provisioning server. 2. The method of claim 1 , wherein the first value for the tag field indicates the response message is encrypted and signed using session keys applicable for a session established by the provisioning server. 3. The method of claim 2 , further comprising: by the processing circuitry of the wireless device external to the eUICC: forwarding the response message to the provisioning server without decrypting contents of the response message. 4. The method of claim 3 , further comprising: by the processing circuitry of the wireless device external to the eUICC: verifying integrity of the response message before forwarding the response message to the provisioning server. 5. The method of claim 1 , wherein the second value for the tag field indicates the response message is not encrypted and is verifiably signed by the eUICC. 6. The method of claim 5 , wherein the response message is verifiably signed using a session key having a message authentication code chain used only for local communication between the eUICC and the processing circuitry of the wireless device external to the eUICC and is distinct from one or more session keys used for response messages that include a first value for the tag field, the first value indicating encryption and signing using sessions keys applicable for a session established by the provisioning server. 7. The method of claim 5 , wherein the processing circuitry processes the response message based at least in part on a certificate associated with the eUICC. 8. The method of claim 5 , further comprising: by the processing circuitry of the wireless device external to the eUICC: determining whether to forward the response message to the provisioning server based at least in part on contents of the response message. 9. The method of claim 5 , wherein the third value for the tag field indicates the response message includes plain text. 10. The method of claim 1 , further comprising: by the processing circuitry of the wireless device external to the eUICC: providing a status indication of loading and/or installation of the encrypted eSIM package via a user interface of the wireless device. 11. The method of claim 10 , wherein the status indication is based at least in part on information from non-encrypted response messages received from the eUICC. 12. The method of claim 1 , further comprising: by the processing circuitry of the wireless device external to the eUICC: forwarding response messages that include error indications and/or warning indications received from the eUICC to the provisioning server; refraining from forwarding to the provisioning server intermediate success messages received from the eUICC during loading and/or installation of the encrypted eSIM package; and forwarding a final success message received from the eUICC to the provisioning server after successful completion of loading and/or installation of the encrypted eSIM package. 13. A wireless device configured to provision electronic Subscriber Identity Modules (eSIMs) on an embedded Universal Integrated Circuit Card (eUICC) included in the wireless device, the wireless device comprising processing circuitry configured to carry out steps that include: receiving, from a provisioning server via a secure connection, an encrypted eSIM package; transferring a block of the encrypted eSIM package to the eUICC for loading and installation in an eSIM security domain on the eUICC; receiving, from the eUICC in response to transfer of the block of the encrypted eSIM package, a response message that includes a tag field that indicates encryption and signing verification applicable to the response message; and processing the response message in accordance with a value of the tag field, wherein: a first value for the tag field indicates the response message cannot be decrypted by the processing circuitry of the wireless device external to the eUICC; a second value for the tag field indicates the response message is signed by the eUICC with a certificate that can be verified by the processing circuitry of the wireless device external to the eUICC; a third value for the tag field indicates the response message is unencrypted and readable by the processing circuitry of the wireless device external to the eUICC; and responses having the third value for the tag field are used only for local communication via a trusted communication channel between the eUICC and the processing circuitry of the wireless device external to the eUICC, where response messages having the third value for the tag field are not forwarded to the provisioning server. 14. The wireless device of claim 13 , wherein: the first value for the tag field indicates the response message is encrypted and signed using session keys applicable for a session established by the provisioning server; and the steps further include forwarding the response message to the provisioning server without decrypting contents of the response message. 15. The wireless device of claim 14 , wherein: the steps further include verifying integrity of the response message before forwarding the response message to the provisioning server. 16. The wireless device of claim 13 , wherein: the second value for the tag field indicates the response message is not encrypted and is verifiably signed by the eUICC using a session key having a message authentication code chain used only for local communication between the eUICC and the processing circuitry of the wireless device external to the eUICC; and the processing circuitry processes the response message based at least in part on a certificate associated with the eUICC. 17. The wireless device of claim 16 , wherein the steps further include determining whether to forward the response message to the provisioning server based at least in part on contents of the response message. 18. The wireless device of claim