Abstract: A communication device is configured for use in a communication network (10). The communication device generates a subscription concealed identifier (20) that conceals a subscription identifier part (16A) of a subscription permanent identifier (16) and conceals a set (22) of one or more data fields which is agnostic as to a type of data that the set (22) conveys. The communication device transmits the subscription concealed identifier (20). Based on the conveyed data, a network node may configure the communication network (10) for use by the subscription.

Abstract: There is provided mechanisms for event handling for at least one subscriber entity. A method is performed by an event handling server. The method comprises obtaining, from an RSP entity, an event registration message of the event. The event registration message comprises an identifier field containing a string of characters identifying the at least one subscriber entity. The string of characters comprises at least one marker character specifying an event type and/or indicating that the event is valid for more than one subscriber entity. The method comprises storing an event record of the event. The event record comprises the identifier field and an address of that RSP entity from which data of the event is to be fetched. The method comprises providing the event record to the at least one subscriber entity.

Abstract: There is provided mechanisms for certificate revocation check during a subscription related procedure for a subscriber entity. A method is performed by the subscriber entity. The method comprises receiving a message from a subscription management entity during the subscription related procedure for the subscriber entity. The message comprises a certificate and an OCSP response for the certificate. The OCSP response indicates a revocation state of the certificate. The method comprises determining whether the certificate has been revoked or not by checking the revocation state as indicated in the OCSP response.

Abstract: There is provided mechanisms for remote provisioning of a SIM profile to a subscriber entity. A method is performed by a remote SIM provisioning server. The method comprises obtaining a request from an MNO entity for generation of the SIM profile. The method comprises generating the SIM profile. The method comprises providing, to a storage entity, a key-value pair of the SIM profile. The key-value pair comprises a unique identifier comprising at least one profile specific element of the SIM profile as key and binding information of the at least one profile specific element as value. The unique identifier comprising at least one profile specific element of the SIM profile is represented by profile/subscription unique data elements for the SIM profile. The binding information of the at least one profile specific element is represented by an BID of the subscriber entity, ICCID of the SIM profile, IMSI, and an MNO identifier.

Abstract: There is provided mechanisms for a manufacturer of an ML model to embed at least one marker in an electronic file. A method comprises obtaining the electronic file. The electronic file represents content that causes the ML model to determine an output for the electronic file according to a first processing strategy. The method comprises embedding, in the electronic file, the at least one marker that, only when detected by the ML model, causes the output of the electronic file to be determined according to a second processing strategy. The second processing strategy is unrelated to the first processing strategy and deterministically defined by the at least one marker.

Abstract: Methods and apparatus are provided. In an example aspect, a method of authorization in a network node is provided. The method comprises receiving, from an authorization node, an indication that a User Equipment, UE, is authorized to access a resource, and receiving, from the authorization node, an indication of network access parameters for the UE for accessing the resource.

Abstract: There is provided mechanisms for authenticating a first radio communication device with a network. A method is performed by the first radio communication device. The method comprises obtaining credentials for a network subscription to the network. The method comprises obtaining an upper part of a radio protocol stack, according to which radio protocol stack the first radio communication device is configured to communicate with the network. The method comprises authenticating with the network. The method comprises providing, to a second radio communication device, at least one key, as derived from the credentials during the authenticating, for use by the second radio communication device when executing the remaining part of the radio protocol stack for communication between the second radio communication device and the network.

Abstract: There is provided a method performed by a first wireless device that is roaming in a visited network. The method comprises measuring (901) an amount of data transmitted and/or received by the first wireless device in a first session with the visited network; using (903) a private key to generate a signature for a data usage record that comprises the data measurement, wherein a public key corresponding to the private key is associated, by a home network of the first wireless device, with the first wireless device; and sending (905) the data usage record to the visited network.

Abstract: Methods for enabling end-to-end security for a communication session between a user equipment (UE), registered with a Mobile Network Operator (MNO) network, and a gateway and/or service of an external network are disclosed. In the methods additional keys are generated based on keys obtained in a secondary authentication between the UE and an entity and/or service. An entity, a UE, computer programs and computer program products are also disclosed.

Abstract: A first edge node can communicate an address candidate for either a first sidecar container of the first edge node or a second sidecar container of a second edge node with a master orchestrator. The first edge node can then communicate traffic between a first application container of the first edge node and a second application container of the second edge node via a connection between the first sidecar container and the second sidecar container using the address candidate.

Abstract: Methods and means for providing a UE access to an external network are disclosed. In the methods it is determined that a that a secondary authentication procedure is required in order for the UE to access the external network, and then providing, to an entity of the external network, information relating to the UE. The UE related information is included in a message in relation to the secondary authentication procedure between the UE and the entity of the external network.

Abstract: A method for operating a system hosted on a mobile entity is disclosed, wherein the system is operable to connect to a communication network. The method, performed by a controller of the system, comprises seeking to establish a trust relationship with a cooperating system hosted on a mobile entity, and, if a trust relationship with the cooperating system is established, performing at least one of: initiating use of a resource provided by the cooperating system, or initiating provision of a resource for use by the cooperating system. Also disclosed is a method for operating a function comprising a digital representative of a system hosted on a mobile entity, wherein the system is operable to connect to a communication network.

Abstract: Systems and methods for network slice continuity in handover of a communication network are provided. In some embodiments, a User Equipment (UE) is configured to receive, from a network node on a first cell, a first message comprising an indication of at least one cell that supports a particular network slice and engage in a handover operation based on the 5 indication comprised in the received first message. In some embodiments, a network node is configured to sending, to a UE on a first cell, a first message comprising an identification of at least one cell that supports a particular network slice.

Abstract: There is provided mechanisms for authenticating a first radio communication device with a network. A method is performed by the first radio communication device. The method comprises obtaining credentials for a network subscription to the network. The method comprises obtaining an upper part of a radio protocol stack, according to which radio protocol stack the first radio communication device is configured to communicate with the network. The method comprises authenticating with the network. The method comprises providing, to a second radio communication device, at least one key, as derived from the credentials during the authenticating, for use by the second radio communication device when executing the remaining part of the radio protocol stack for communication between the second radio communication device and the network.

Abstract: A method of ending a subscription performed in a network entity is disclosed. The method comprises receiving, from a device comprising an Embedded Universal Integrated Circuit Card, eUICC, a signed confirmation of a profile having been deleted in the device, the profile being associated with a subscription for the device; sending, to a Subscription Manager Data Preparation entity, a command for deletion of the profile; and deleting the user subscription and related profile in case an acknowledgement of the deletion of the profile is received from the Subscription Manager Data Preparation entity. Method in a device, method in a Subscription Manager Data Preparation entity, devices and entities, computer programs and computer program products are also provided.

Abstract: A communication device (2) obtains a subscription identifier (50) that identifies a subscription to a first communication network (10). The subscription identifier (50) includes a first network identifier (52) that identifies the first communication network (10) and includes a second network identifier (54) that identifies a second communication network serving the first communication network (10). In some embodiments, the subscription identifier (50) conceals the first network identifier (52). Alternatively or additionally, the subscription identifier (50) is an International Mobile Subscriber Identity, IMSI, or is a Network Access Identifier, NAI, that includes the first network identifier (52) in a username part of the NAI. Regardless, the communication device (2) transmits the subscription identifier (50).

Abstract: A first network node (20N) in a first communication network (20) transmits information to a second network node (10N) in a second communication network (10). The information indicates a third communication network (30) is in a control signaling path (15) between a communication device (2) and the second communication network (10). In some embodiments, the first network node (20N) and/or the second network node (10N) may apply one or more policies based on the information, e.g., whether to authenticate a subscription of the communication device (2) to the second communication network (10).

Abstract: A communication device (2) generates a cryptographic key (20K) as a function of information (20B) bound to an intermediate communication network (20) via which the communication device (2) authenticates a subscription to a subscribed communication network (10). Here, the communication device (2) is served by a serving communication network (30) that differs from the intermediate communication network (20). The communication device (2) protects communication for the communication device (2) based on the generated cryptographic key (20K).

Abstract: There is provided mechanisms for handling download of a subscription profile from a pool of subscription profiles. The subscription profiles of the pool of subscription profiles are served by an MNO entity. A method is performed by a subscription management entity. The subscription management entity manages the pool of subscription profiles. The pool of subscription profiles has its own pool identifier. The method comprises obtaining a request from a communication device for download of one of the subscription profiles from the pool of subscription profiles. The method comprises enabling download to the communication device of one of the subscription profiles from the pool of subscription profiles. The method comprises filling up the pool of subscription profiles so that total number of subscription profiles in the pool of subscription profiles remains unchanged.

Abstract: Embodiments relate to a method for secure domain name system, DNS, queries. The method is performed in a DNS client, and the method includes obtaining an encryption key and internet protocol, IP, address for a final DNS resolver, creating a session key, encrypting a DNS query and the created session key with the obtained encryption key, and sending a DNS message containing the encrypted DNS query and the created session key to an intermediate DNS resolver, different from the final DNS resolver, together with the obtained IP address for the final DNS resolver. Methods, nodes, computer programs, and a computer program product for secure DNS queries are also presented.