Secure on-line signup and provisioning of wireless devices
US-2015110096-A1 · Apr 23, 2015 · US
US9307408B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-9307408-B2 |
| Application number | US-201213728606-A |
| Country | US |
| Kind code | B2 |
| Filing date | Dec 27, 2012 |
| Priority date | Dec 27, 2012 |
| Publication date | Apr 5, 2016 |
| Grant date | Apr 5, 2016 |
Official abstract text for this publication.
Embodiments of a mobile device and method for secure online sign-up and provisioning of credentials for Wi-Fi hotspots are generally described herein. In some embodiments, provisioning occurs using a service set identifier (SSID) to associate with a hotspot and retrieve a virtual LAN (VLAN) identifier. The VLAN identifier is used to complete the signup and provisioning process. In some embodiments, a hotspot may implement a primary SSID and a dependent SSID. The mobile device associates with the hotspot using the dependent SSID to perform the secure online signup and provisioning process. Once credentials are obtained using the signup and provisioning process, the device can connect to the hotspot using the primary SSID and the already provisioned credentials. The provisioned credentials may include certificates, username/password, or SIM-type credentials.
Opening claim text (preview).
What is claimed is:

1. An apparatus including: one or more processors having logic to: associate with a hotspot using an online signup (OSU) service set identifier (SSID); establish a transport-layer-security (TLS) session with an OSU server through the hotspot; exchange provisioning messages with the OSU server to sign up for a subscription and to provision credentials; receive a subscription management object from the OSU server; and disassociate with the hotspot using the OSU SSID and associate with the hotspot using a first SSID, different from the OSU SSID, and the subscription management object; and two or more antennas.
2. The apparatus of claim 1, wherein the provisioning messages include Open Mobile Alliance Device Management (OMA-DM) messages.
3. The apparatus of claim 1, wherein the provisioning messages include Simple Object Access Protocol Extensible Markup Language (SOAP-XML) messages.
4. The apparatus of claim 1, wherein the logic is further to launch a certificate-enrollment protocol for provisioning of certificate-based credentials; and wherein after the provisioning of certificate-based credentials, the logic is further to receive a command from the OSU server to add a location to the subscription management object.
5. The apparatus of claim 1, wherein when the hotspot implements a first Basic Service Set Identifier (BSSID) and an OSU BSSID; and wherein the STA is configured to use the OSU BSSID for credential provisioning.
6. The apparatus of claim 5, wherein the first SSID and first BSSID are part of a transmitted profile; and wherein the OSU SSID and OSU BSSID are part of a non-transmitted profile.
7. The apparatus of claim 1, wherein the OSU SSID is derived from the first SSID.
8. The apparatus of claim 1, wherein the OSU SSID is contained in a vendor specific information element.
9. The apparatus of claim 1, wherein the logic is further to receive an OSU provider list that includes the OSU SSID to be used for online signup.
10. The apparatus of claim 1, wherein the apparatus further includes: a transceiver configured to be coupled to the two or more antennas.
11. The apparatus of claim 1, wherein the logic is further to identify the hotspot that provides the first SSID and the OSU SSID based on a probe response.
12. An apparatus including: one or more processors having logic to: associate with a hotspot using an online signup (OSU) Service Set Identifier (SSID) in a dependent profile and establish a secure connection to an OSU server; exchange management messages with the OSU server to sign up for a subscription and to identify information necessary to create a subscription management object having a credentials section; retrieve the subscription management object; disassociate from the hotspot; and associate with the hotspot using a first SSID, different from the OSU SSID, in a primary profile of the hotspot and information in a credentials section of the subscription management object; and two or more antennas.
13. The apparatus of claim 12, wherein the dependent profile is a non-transmitted profile contained as a field in an OSU provider list; and wherein the logic is further to obtain the OSU provider list.
14. The apparatus of claim 12, wherein the dependent profile is part of a Wi-Fi Alliance (WFA) vendor specific information element; and wherein the logic is further to decode the vendor specific information element to obtain the OSU SSID.
15. The apparatus of claim 12, wherein the logic is further to display the first SSID to a user and to hide the OSU SSID when the first SSID is displayed.
16. A non-transitory computer-readable storage medium that stores instructions for execution by one or more processors to perform operations for operating a device in a wireless network, the operations to configure the device to: associate with a hotspot using an online signup (OSU) service set identifier (SSID); establish a transport-layer-security (TLS) session with an OSU server through the hotspot; exchange provisioning messages with the OSU server to sign up for a subscription and to provision credentials; retrieve a subscription management object from the OSU server; and disassociate with the hotspot using the OSU SSID and associate with the hotspot using a first SSID, different from the OSU SSID, and the subscription management object.
17. The non-transitory computer-readable storage medium of claim 16, wherein the provisioning messages include Open Mobile Alliance Device Management (OMA-DM) messages.
18. The non-transitory computer-readable storage medium of claim 16, wherein the provisioning messages include Simple Object Access Protocol Extensible Markup Language (SOAP-XML) messages.
19. The non-transitory computer-readable storage medium of claim 16, wherein the instructions further configure the device to: launch a certificate-enrollment protocol for provisioning of certificate-based credentials; and wherein after the provisioning of certificate based credentials, the instructions further configure the device to receive a command from the OSU server to add a location to the subscription management object.
Access security · CPC title
WLAN [Wireless Local Area Networks] · CPC title
Electricity · mapped topic
when the policy decisions are valid for a limited amount of time · CPC title
using certificates (cryptographic mechanisms or cryptographic arrangements for entity authentication involving certificates H04L9/3263) · CPC title