Abstract: A communication node for delivering secure content in respect of a requested service to a target entity. The communication node has respective interfaces towards: at least one network for communicating with mobile terminals; a service-provider node providing the requested service; and an authorization node for effecting payments. After having completed a set-up phase and in response to a payment, the communication node enables forwarding of secure content, relating to at least one service requested by a user of a first mobile terminal to a target entity associated with the first mobile terminal. The set-up phase involves: identifying the at least one requested service from the first mobile terminal; linking in the service-provider node the at least one requested service to the first mobile terminal; and assigning a reference in the service-provider node to a payment to be made in respect of the at least one requested service.

Abstract: A communication node for delivering secure content in respect of a requested service to a target entity. The communication node has respective interfaces towards: at least one network for communicating with mobile terminals; a service-provider node providing the requested service; and an authorization node for effecting payments. After having completed a set-up phase and in response to a payment, the communication node enables forwarding of secure content, relating to at least one service requested by a user of a first mobile terminal to a target entity associated with the first mobile terminal. The set-up phase involves: identifying the at least one requested service from the first mobile terminal; linking in the service-provider node the at least one requested service to the first mobile terminal; and assigning a reference in the service-provider node to a payment to be made in respect of the at least one requested service.

Abstract: A communication node for delivering secure content in respect of a requested service to a target entity. The communication node has respective interfaces towards: at least one network for communicating with mobile terminals; a service-provider node providing the requested service; and an authorization node for effecting payments. After having completed a set-up phase and in response to a payment, the communication node enables forwarding of secure content, relating to at least one service requested by a user of a first mobile terminal to a target entity associated with the first mobile terminal. The set-up phase involves: identifying the at least one requested service from the first mobile terminal; linking in the service-provider node the at least one requested service to the first mobile terminal; and assigning a reference in the service-provider node to a payment to be made in respect of the at least one requested service.

Abstract: It is presented a security server arranged to set up communication between a merchant device and a customer payment application. The security server comprises: a receiver arranged to receive a first message comprising a customer identifier, an application identifier and a security token; a determiner arranged to determine whether the merchant device is authorized; a transmitter arranged to send a second message to the merchant device, the second message indicating that the merchant device is authorized to effect payment; and a channel establisher arranged to set up a secure channel between the merchant device and the customer payment application in a secure element being adapted to be comprised in a mobile communication terminal, wherein all communication between the merchant device and the customer payment application is controlled by the security server. Corresponding methods, merchant device, computer programs and computer program products are also presented.

Abstract: It is presented a security server arranged to set up communication between a merchant device and a customer payment application. The security server comprises: a receiver arranged to receive a first message comprising a customer identifier, an application identifier and a security token; a determiner arranged to determine whether the merchant device is authorized; a transmitter arranged to send a second message to the merchant device, the second message indicating that the merchant device is authorized to effect payment; and a channel establisher arranged to set up a secure channel between the merchant device and the customer payment application in a secure element being adapted to be comprised in a mobile communication terminal, wherein all communication between the merchant device and the customer payment application is controlled by the security server. Corresponding methods, merchant device, computer programs and computer program products are also presented.

Abstract: A particular authentication-based service is implemented via a physical authentication device. A service description of the particular authentication-based service is read from the physical authentication device via a user terminal; and based thereon, a service request is generated, which specifies a capability description of the user terminal. A communication node receives the service request and checks this against a database containing information about which node in a set of nodes that stores downloadable software for implementing which authentication-based services on which types of user terminals. If a match is found between at least one node and the particular authentication-based service, a download identification message is sent to the user terminal, which specifies at least one address string uniquely identifying a respective location for the downloadable software stored in the matching node(s).

Abstract: It is disclosed a method and trusted execution environments (TEE) of assigning a selected identifier to an application. A request is received to load or install, within or outside a profile domain, of an application with a selected identifier. It is checked that the selected identifier is not already stored in an application registry entry outside the profile registry 230, 302. If it is requested to load or install the application in the selected profile domain, the selected identifier is assigned to said application if the selected identifier is not already stored in an application entry of a profile domain registry associated with the selected profile domain. If it is requested to load or install the application outside any profile domain, the selected identifier is assigned to said application if the selected identifier is not already stored in an application entry of any of at least two profile domain registries.

Abstract: A method is presented for sending a message to a secure element connected to a mobile equipment, wherein the secure element is coupled to a user of the mobile equipment. The method comprises the steps, performed in an application manager server of: receiving, from an application server, an application message and an identifier of a destination secure element; generating a secure element message from the application message; from a plurality of connectivity providers, selecting a connectivity provider capable of communicating with the destination secure element; and sending the secure element message to the selected connectivity provider for forwarding to the destination secure element. A corresponding application manager server, computer program and computer program product are also presented.

Abstract: A communication node for delivering secure content in respect of a requested service to a target entity. The communication node has respective interfaces towards: at least one network for communicating with mobile terminals; a service-provider node providing the requested service; and an authorization node for effecting payments. After having completed a set-up phase and in response to a payment, the communication node enables forwarding of secure content, relating to at least one service requested by a user of a first mobile terminal to a target entity associated with the first mobile terminal. The set-up phase involves: identifying the at least one requested service from the first mobile terminal; linking in the service-provider node the at least one requested service to the first mobile terminal; and assigning a reference in the service-provider node to a payment to be made in respect of the at least one requested service.

Abstract: A network node comprising an input, a processor and an output, the processor being coupled to the input and the output; the input and output both being connected to at least one network; in which the processor is arranged so as to receive from the input an executable application and an associated set of requirements for the application, in which the processor is arranged to determine, on receipt of an application and the associated set of requirements, a set of destination network nodes which are reachable through at least one network, to which the output is connected based upon the requirements and to send the application to the destination nodes through the output. Thus, an application can be distributed through a telecommunications network specifying only the requirements that a destination network must satisfy, rather than the addresses of the destination network nodes. Furthermore, the application can be transferred between network nodes should user equipment move through the network.

Abstract: It presented a method, performed in a secure element, the secure element being arranged to enable user applications of the secure element to verify authenticity of incoming user application commands. The method comprises the steps of: receiving a command from a secure element reader for a user application on the secure element, the command comprising an application identifier of the user application; determining whether there is a matching user application in the secure element; invoking the matching user application; and establishing, when there is an absence of any matching user applications, a communication channel with a remote application manager server and sending an absent user application message to the application manager server indicating that the user application has been requested on the secure element. A corresponding secure element, method for an application manager server and application manager server are also presented.

Abstract: A particular authentication-based service is implemented via a physical authentication device. A service description of the particular authentication-based service is read from the physical authentication device via a user terminal; and based thereon, a service request is generated, which specifies a capability description of the user terminal. A communication node receives the service request and checks this against a database containing information about which node in a set of nodes that stores downloadable software for implementing which authentication-based services on which types of user terminals. If a match is found between at least one node and the particular authentication-based service, a download identification message is sent to the user terminal, which specifies at least one address string uniquely identifying a respective location for the downloadable software stored in the matching node(s).

Abstract: It is presented a method for invoking an application service in response to a tag reading by a mobile terminal. The method comprises the steps of: receiving an input message, the input message comprising tag data being associated with a tag read by the mobile terminal using local communication, the input message further comprising a recipient identifier linked to the mobile terminal; determining, using a plurality of parameters associated with the tag reading, a plurality of matching application servers, wherein conditions of a tag reading subscription for each of the matching application servers matches the plurality of parameters; and sending an invocation message to each of the matching application servers to invoke a respective application service of each of the matching application servers, the invocation message comprising the recipient identifier enabling each of the application services to send content to the user equipment and the tag data.

Abstract: It presented a method, performed in a secure element, the secure element being arranged to enable user applications of the secure element to verify authenticity of incoming user application commands. The method comprises the steps of: receiving a command from a secure element reader for a user application on the secure element, the command comprising an application identifier of the user application; determining whether there is a matching user application in the secure element; invoking the matching user application; and establishing, when there is an absence of any matching user applications, a communication channel with a remote application manager server and sending an absent user application message to the application manager server indicating that the user application has been requested on the secure element. A corresponding secure element, method for an application manager server and application manager server are also presented.

Abstract: It is disclosed methods and trusted execution environments (TEE) of enabling one of at least two profile domains. An authorisation token for authorising a TEE application to request one of the at least two profile domains to be enabled, is received (816, 1102). The validity of the authorization token is checked (818, 1104). If the authorization token is valid, information about the TEE application being authorised to request one of the at least two profile domains to be enabled, is stored (820, 1106). If receiving (822) a command requesting the authorised TEE application to request (824, 1108) one of the at least two profile domains to be enabled, said one of the at least two profile domains is enabled (826, 1110). A TEE comprises a processor and a memory storing a computer program comprising computer program code for executing the method when the code is run in the processor.

Abstract: It is disclosed a method and trusted execution environments (TEE) of assigning a selected identifier to an application. A request is received to load or install, within or outside a profile domain, of an application with a selected identifier. It is checked that the selected identifier is not already stored in an application registry entry outside the profile registry 230, 302. If it is requested to load or install the application in the selected profile domain, the selected identifier is assigned to said application if the selected identifier is not already stored in an application entry of a profile domain registry associated with the selected profile domain. If it is requested to load or install the application outside any profile domain, the selected identifier is assigned to said application if the selected identifier is not already stored in an application entry of any of at least two profile domain registries.

Abstract: It is presented a method for invoking an application service in response to a tag reading by a mobile terminal. The method comprises the steps of: receiving an input message, the input message comprising tag data being associated with a tag read by the mobile terminal using local communication, the input message further comprising a recipient identifier linked to the mobile terminal; determining, using a plurality of parameters associated with the tag reading, a plurality of matching application servers, wherein conditions of a tag reading subscription for each of the matching application servers matches the plurality of parameters; and sending an invocation message to each of the matching application servers to invoke a respective application service of each of the matching application servers, the invocation message comprising the recipient identifier enabling each of the application services to send content to the user equipment and the tag data.

Abstract: It presented a method, performed in a secure element, the secure element being arranged to enable user applications of the secure element to verify authenticity of incoming user application commands. The method comprises the steps of: receiving a command from a secure element reader for a user application on the secure element, the command comprising an application identifier of the user application; determining whether there is a matching user application in the secure element; invoking the matching user application; and establishing, when there is an absence of any matching user applications, a communication channel with a remote application manager server and sending an absent user application message to the application manager server indicating that the user application has been requested on the secure element. A corresponding secure element, method for an application manager server and application manager server are also presented.

Abstract: A method, arrangement, and provisioning server in a Selected Home Operator (SHO) network for downloading a new Downloadable Universal Subscriber Identity Module (DLUSIM) to a communication device when the communication device changes from a first operator network to the SHO network. A manager of the communication device registers with the SHO network and transfers KAuth to the SHO network. The communication device then receives a bootstrapping message instructing the device to connect to the provisioning server. The bootstrapping message includes an address of the provisioning server and an authentication nonce. The SHO network validates the communication device when the communication device attempts to connect to the provisioning server. The SHO network then generates the new DLUSIM and encrypts the new DLUSIM with KProvision. The provisioning server then downloads the new DLUSIM as an encrypted blob to the communication device.

Abstract: It is presented a method for invoking an application service in response to a tag reading by a mobile terminal. The method comprises the steps of: receiving an input message, the input message comprising data being associated with a tag read by the mobile terminal using local communication, the input message further comprising a recipient identifier linked to the mobile terminal; determining, using a plurality of parameters associated with the tag reading, a plurality of matching application servers, wherein conditions of a tag reading subscription for each of the matching application servers matches the plurality of parameters; and sending an invocation message to each of the matching application servers to invoke a respective application service of each of the matching application servers, the invocation message comprising the recipient identifier enabling each of the application services to send content to the user equipment and the tag data.