Abstract: There is provided mechanisms for remote provisioning of a SIM profile to a subscriber entity. A method is performed by a remote SIM provisioning server. The method includes obtaining a request from an MNO entity for generation of the SIM profile. The method includes generating the SIM profile. The method includes providing, to a storage entity, a key-value pair of the SIM profile. The key-value pair includes a unique identifier including at least one profile specific element of the SIM profile as key and binding information of the at least one profile specific element as value. The unique identifier including at least one profile specific element of the SIM profile is represented by an ICCID of the SIM profile. The binding information of the at least one profile specific element is represented by an EID and profile/subscription unique data elements for the SIM profile.

Abstract: There is provided mechanisms for event handling for at least one subscriber entity. A method is performed by an event handling server. The method comprises obtaining, from an RSP entity, an event registration message of the event. The event registration message comprises an identifier field containing a string of characters identifying the at least one subscriber entity. The string of characters comprises at least one marker character specifying an event type and/or indicating that the event is valid for more than one subscriber entity. The method comprises storing an event record of the event. The event record comprises the identifier field and an address of that RSP entity from which data of the event is to be fetched. The method comprises providing the event record to the at least one subscriber entity.

Abstract: There is provided mechanisms for certificate revocation check during a subscription related procedure for a subscriber entity. A method is performed by the subscriber entity. The method comprises receiving a message from a subscription management entity during the subscription related procedure for the subscriber entity. The message comprises a certificate and an OCSP response for the certificate. The OCSP response indicates a revocation state of the certificate. The method comprises determining whether the certificate has been revoked or not by checking the revocation state as indicated in the OCSP response.

Abstract: There is provided mechanisms for remote provisioning of a SIM profile to a subscriber entity. A method is performed by a remote SIM provisioning server. The method comprises obtaining a request from an MNO entity for generation of the SIM profile. The method comprises generating the SIM profile. The method comprises providing, to a storage entity, a key-value pair of the SIM profile. The key-value pair comprises a unique identifier comprising at least one profile specific element of the SIM profile as key and binding information of the at least one profile specific element as value. The unique identifier comprising at least one profile specific element of the SIM profile is represented by profile/subscription unique data elements for the SIM profile. The binding information of the at least one profile specific element is represented by an BID of the subscriber entity, ICCID of the SIM profile, IMSI, and an MNO identifier.

Abstract: There is provided mechanisms for controlling access of a subscriber entity to an application service of an enterprise network. A method is performed by a ZTNA controller. The method comprises obtaining an indication that the subscriber entity requests to access the application service of the enterprise network. The indication is obtained via an access network to which the subscriber entity is operatively connected. The method comprises providing a request for user information of the subscriber entity to a UDM entity provided in a core network to which the access network is operatively connected. The request for user information comprises an identifier of the subscriber entity. The method comprises obtaining the user information of the subscriber entity from the UDM entity. The user information indicates successful 3GPP credentials based authentication of the subscriber entity performed by the UDM entity.

Abstract: A method of ending a subscription performed in a network entity is disclosed. The method comprises receiving, from a device comprising an Embedded Universal Integrated Circuit Card, eUICC, a signed confirmation of a profile having been deleted in the device, the profile being associated with a subscription for the device; sending, to a Subscription Manager Data Preparation entity, a command for deletion of the profile; and deleting the user subscription and related profile in case an acknowledgement of the deletion of the profile is received from the Subscription Manager Data Preparation entity. Method in a device, method in a Subscription Manager Data Preparation entity, devices and entities, computer programs and computer program products are also provided.

Abstract: There is provided mechanisms for handling a subscription profile for a subscriber entity. A method is performed by a subscription management entity. The method comprises obtaining a request from a mobile network operator entity to configure the subscription profile for the subscriber entity. The method comprises configuring the subscription profile with a customized PIN/PUK code for the subscriber entity. The method comprises providing an indication of the customized PIN/PUK code being configured in the subscription profile in a response to the mobile network operator entity.

Abstract: A mechanism and method are provided for attesting a platform entity. The method is performed by a verification entity. The method may include performing mutual authentication between a TEE of the verification entity and a TEE of the platform entity. The method may include sending, towards the TEE of the platform entity, a first piece of protected secret data. The method may include sending, towards the TEE of the platform entity, at least one protected nonce. The method may include receiving, from the TEE of the platform entity, a protected concatenation of the secret data and the at least one nonce. The method may include attesting the platform entity by, in the TEE of the verification entity, verifying that the secret data and the at least one nonce received from the platform entity are identical to the sent secret data and at least one nonce.

Abstract: Methods and apparatus for establishing enhanced secure communication between two Network Entities. A method performed by a first Network Entity (NE1) to establish communication between the NE1 and a second Network Entity (NE2), wherein both NE1 and NE2 trust a Trusted Network Entity (TNE). The method comprises establishing an initial connection with the NE2, obtaining a report associated with NE1 from TNE, wherein the report is signed by the TNE and providing the report associated with NE1 to NE2.

Abstract: There is provided mechanisms for enabling subscription profile download to a subscriber entity. A method is performed by a network node of an SNPN. The method comprises receiving a request from the subscriber entity for network registration with EAP based authentication to the SNPN. The method comprises granting network connectivity for the subscriber entity to the SNPN by completing the network registration upon successful EAP based authentication of the subscriber entity and upon verification that there is a pending subscription profile available for download to the subscriber entity. The network connectivity enables subscription profile download to the subscriber entity.

Abstract: A method enabling migration of a subscription from a source device to a destination device is disclosed. The method may be performed in a migration entity and comprises: receiving, from the source device, a confirmation of a first profile associated with the subscription having been deleted in the source device, securing a second profile associated with the subscription to be provisioned onto the eUICC of the destination device, wherein at least one piece of subscription information is the same for the first and second profiles, and providing an activation code for use in migration of the subscription to the destination device. A method in a source device, migration entity, source device, computer programs and computer program products are also provided.

Abstract: There is provided mechanisms for remote provisioning of a SIM profile to a subscriber entity. A method is performed by a remote SIM provisioning server. The method includes obtaining a request from an MNO entity for generation of the SIM profile. The method includes generating the SIM profile. The method includes providing, to a storage entity, a key-value pair of the SIM profile. The key-value pair includes a unique identifier including at least one profile specific element of the SIM profile as key and binding information of the at least one profile specific element as value. The unique identifier including at least one profile specific element of the SIM profile is represented by an ICCID of the SIM profile. The binding information of the at least one profile specific element is represented by an EID and profile/subscription unique data elements for the SIM profile.

Abstract: There is provided mechanisms for remote provisioning of a SIM profile to a subscriber entity. A method is performed by a remote SIM provisioning server. The method comprises obtaining a request from an MNO entity for generation of the SIM profile. The method comprises generating the SIM profile. The method comprises providing, to a storage entity, a key-value pair of the SIM profile. The key-value pair comprises a unique identifier comprising at least one profile specific element of the SIM profile as key and binding information of the at least one profile specific element as value. The unique identifier comprising at least one profile specific element of the SIM profile is represented by profile/subscription unique data elements for the SIM profile. The binding information of the at least one profile specific element is represented by an BID of the subscriber entity, ICCID of the SIM profile, IMSI, and an MNO identifier.

Abstract: There is provided mechanisms for initial network access of a subscriber entity to a radio access network. A method is performed by the subscriber entity. The method comprises transmitting an attach message towards a network node. The attach message indicates a request for network access of the subscriber entity to a radio access network of the network node. The method comprises receiving an identification request originating from the network node. The identification request requests identification of the subscriber entity. The method comprises transmitting a response message towards the network node. The response message comprises an Access Identifier of the subscriber entity. The Access Identifier indicates that the subscriber entity is subscription-less. The method comprises receiving a grant from the network node. The grant allows the subscriber entity limited network access.

Abstract: There is provided mechanisms for event handling for at least one subscriber entity. A method is performed by an event handling server. The method comprises obtaining, from an RSP entity, an event registration message of the event. The event registration message comprises an identifier field containing a string of characters identifying the at least one subscriber entity. The string of characters comprises at least one marker character specifying an event type and/or indicating that the event is valid for more than one subscriber entity. The method comprises storing an event record of the event. The event record comprises the identifier field and an address of that RSP entity from which data of the event is to be fetched. The method comprises providing the event record to the at least one subscriber entity.

Abstract: There is provided mechanisms for certificate revocation check during a subscription related procedure for a subscriber entity. A method is performed by the subscriber entity. The method comprises receiving a message from a subscription management entity during the subscription related procedure for the subscriber entity. The message comprises a certificate and an OCSP response for the certificate. The OCSP response indicates a revocation state of the certificate. The method comprises determining whether the certificate has been revoked or not by checking the revocation state as indicated in the OCSP response.

Abstract: There are provided mechanisms for combined migration and remigration of a network subscription of a source subscriber entity. A method is performed by a profile handling unit of the source subscriber entity. The method includes initiating a combined migration and remigration of the network subscription by providing a migration start message to a migration service entity. The migration start message includes a remigration condition. The method includes accepting the network subscription to be unavailable to the source subscriber entity upon migration of the network subscription and until remigration of the network subscription back to the source subscriber entity.

Abstract: A mechanism and method are provided for attesting a platform entity. The method is performed by a verification entity. The method may include performing mutual authentication between a TEE of the verification entity and a TEE of the platform entity. The method may include sending, towards the TEE of the platform entity, a first piece of protected secret data. The method may include sending, towards the TEE of the platform entity, at least one protected nonce. The method may include receiving, from the TEE of the platform entity, a protected concatenation of the secret data and the at least one nonce. The method may include attesting the platform entity by, in the TEE of the verification entity, verifying that the secret data and the at least one nonce received from the platform entity are identical to the sent secret data and at least one nonce.

Abstract: There is provided mechanisms for enabling management of a subscriber entity. A method is performed by the subscriber entity. The method comprises obtaining a message from a subscription server. The message comprises an event record. The event record is addressed to the subscriber entity and comprises a pointer to a primary entity. The method comprises establishing a connection to the primary entity for management of the subscriber entity.

Abstract: A method of ending a subscription performed in a network entity is disclosed. The method comprises receiving, from a device comprising an Embedded Universal Integrated Circuit Card, eUICC, a signed confirmation of a profile having been deleted in the device, the profile being associated with a subscription for the device; sending, to a Subscription Manager Data Preparation entity, a command for deletion of the profile; and deleting the user subscription and related profile in case an acknowledgement of the deletion of the profile is received from the Subscription Manager Data Preparation entity. Method in a device, method in a Subscription Manager Data Preparation entity, devices and entities, computer programs and computer program products are also provided.