Abstract: A system, terminal, method, and computer program product use a capability certificate to authorize a sender to send a communication message to a recipient, such that the recipient can quickly and easily determine whether to receive the message. In this regard, a system for controlling receipt of a communication message by a recipient comprises a sending terminal and a receiving terminal. The sending terminal may be capable of sending the communication message from a sender. The receiving terminal may be capable of determining if the communication message is cryptographically bound to a capability certificate, such that the receiving terminal receives the communication message if the communication message is cryptographically bound to the capability certificate. Determining if the communication message is cryptographically bound to a capability certificate may comprise determining if the communication message is signed by the sender using a private encryption key of the sender.

Abstract: The invention relates to a mechanism for maintaining a secure tunnel in a packet-based communication system. A secure tunnel is established between a security gateway and a mobile terminal being located at a first address in a first network, wherein the security gateway connects the first network to a second network and the mobile terminal has a second address that identifies the mobile terminal in the second network. In the gateway, the tunnel is identified based on the second address in packets destined for the mobile terminal from the second network. A change is detected in the first address of the mobile terminal and an update message including a new address value of the first address is sent to the security gateway. Based on the update message, the first address associated with the secure tunnel is updated in the security gateway.

Abstract: The invention relates to a mechanism for maintaining a secure tunnel in a packet-based communication system. A secure tunnel is established between a security gateway and a mobile terminal being located at a first address in a first network, wherein the security gateway connects the first network to a second network and the mobile terminal has a second address that identifies the mobile terminal in the second network. In the gateway, the tunnel is identified based on the second address in packets destined for the mobile terminal from the second network. A change is detected in the first address of the mobile terminal and an update message including a new address value of the first address is sent to the security gateway. Based on the update message, the first address associated with the secure tunnel is updated in the security gateway.

Abstract: A system, terminal, method, and computer program product use a capability certificate to authorize a sender to send a communication message to a recipient, such that the recipient can quickly and easily determine whether to receive the message. In this regard, a system for controlling receipt of a communication message by a recipient comprises a sending terminal and a receiving terminal. The sending terminal may be capable of sending the communication message from a sender. The receiving terminal may be capable of determining if the communication message is cryptographically bound to a capability certificate, such that the receiving terminal receives the communication message if the communication message is cryptographically bound to the capability certificate. Determining if the communication message is cryptographically bound to a capability certificate may comprise determining if the communication message is signed by the sender using a private encryption key of the sender.

Abstract: The present invention relates to arranging data transmission for a mobile node in a telecommunications system comprising a secure network and an insecure network. A connection to a secure network for a mobile node may be arranged by a home agent if the mobile node is accessing the secure network directly or via a third network other than the insecure network, or a connection to the secure network may be arranged by a VPN node if the mobile node is accessing the secure network via the insecure network. According to a first aspect of the invention, the VPN node and the home agent are configured to allocate the same IP address as an internal IP address and as a home address.