Abstract: There is provided mechanisms for certificate revocation check during a subscription related procedure for a subscriber entity. A method is performed by the subscriber entity. The method comprises receiving a message from a subscription management entity during the subscription related procedure for the subscriber entity. The message comprises a certificate and an OCSP response for the certificate. The OCSP response indicates a revocation state of the certificate. The method comprises determining whether the certificate has been revoked or not by checking the revocation state as indicated in the OCSP response.

Abstract: There is provided mechanisms for remote provisioning of a SIM profile to a subscriber entity. A method is performed by a remote SIM provisioning server. The method comprises obtaining a request from an MNO entity for generation of the SIM profile. The method comprises generating the SIM profile. The method comprises providing, to a storage entity, a key-value pair of the SIM profile. The key-value pair comprises a unique identifier comprising at least one profile specific element of the SIM profile as key and binding information of the at least one profile specific element as value. The unique identifier comprising at least one profile specific element of the SIM profile is represented by profile/subscription unique data elements for the SIM profile. The binding information of the at least one profile specific element is represented by an BID of the subscriber entity, ICCID of the SIM profile, IMSI, and an MNO identifier.

Abstract: There is provided mechanisms for a manufacturer of an ML model to embed at least one marker in an electronic file. A method comprises obtaining the electronic file. The electronic file represents content that causes the ML model to determine an output for the electronic file according to a first processing strategy. The method comprises embedding, in the electronic file, the at least one marker that, only when detected by the ML model, causes the output of the electronic file to be determined according to a second processing strategy. The second processing strategy is unrelated to the first processing strategy and deterministically defined by the at least one marker.

Abstract: Methods and apparatus are provided. In an example aspect, a method of authorization in a network node is provided. The method comprises receiving, from an authorization node, an indication that a User Equipment, UE, is authorized to access a resource, and receiving, from the authorization node, an indication of network access parameters for the UE for accessing the resource.

Abstract: There is provided a method performed by a first wireless device that is roaming in a visited network. The method comprises measuring (901) an amount of data transmitted and/or received by the first wireless device in a first session with the visited network; using (903) a private key to generate a signature for a data usage record that comprises the data measurement, wherein a public key corresponding to the private key is associated, by a home network of the first wireless device, with the first wireless device; and sending (905) the data usage record to the visited network.

Abstract: There is provided mechanisms for authenticating a first radio communication device with a network. A method is performed by the first radio communication device. The method comprises obtaining credentials for a network subscription to the network. The method comprises obtaining an upper part of a radio protocol stack, according to which radio protocol stack the first radio communication device is configured to communicate with the network. The method comprises authenticating with the network. The method comprises providing, to a second radio communication device, at least one key, as derived from the credentials during the authenticating, for use by the second radio communication device when executing the remaining part of the radio protocol stack for communication between the second radio communication device and the network.

Abstract: Methods for enabling end-to-end security for a communication session between a user equipment (UE), registered with a Mobile Network Operator (MNO) network, and a gateway and/or service of an external network are disclosed. In the methods additional keys are generated based on keys obtained in a secondary authentication between the UE and an entity and/or service. An entity, a UE, computer programs and computer program products are also disclosed.

Abstract: A first edge node can communicate an address candidate for either a first sidecar container of the first edge node or a second sidecar container of a second edge node with a master orchestrator. The first edge node can then communicate traffic between a first application container of the first edge node and a second application container of the second edge node via a connection between the first sidecar container and the second sidecar container using the address candidate.

Abstract: Methods and means for providing a UE access to an external network are disclosed. In the methods it is determined that a that a secondary authentication procedure is required in order for the UE to access the external network, and then providing, to an entity of the external network, information relating to the UE. The UE related information is included in a message in relation to the secondary authentication procedure between the UE and the entity of the external network.

Abstract: A method for operating a system hosted on a mobile entity is disclosed, wherein the system is operable to connect to a communication network. The method, performed by a controller of the system, comprises seeking to establish a trust relationship with a cooperating system hosted on a mobile entity, and, if a trust relationship with the cooperating system is established, performing at least one of: initiating use of a resource provided by the cooperating system, or initiating provision of a resource for use by the cooperating system. Also disclosed is a method for operating a function comprising a digital representative of a system hosted on a mobile entity, wherein the system is operable to connect to a communication network.

Abstract: Systems and methods for network slice continuity in handover of a communication network are provided. In some embodiments, a User Equipment (UE) is configured to receive, from a network node on a first cell, a first message comprising an indication of at least one cell that supports a particular network slice and engage in a handover operation based on the 5 indication comprised in the received first message. In some embodiments, a network node is configured to sending, to a UE on a first cell, a first message comprising an identification of at least one cell that supports a particular network slice.

Abstract: There is provided mechanisms for authenticating a first radio communication device with a network. A method is performed by the first radio communication device. The method comprises obtaining credentials for a network subscription to the network. The method comprises obtaining an upper part of a radio protocol stack, according to which radio protocol stack the first radio communication device is configured to communicate with the network. The method comprises authenticating with the network. The method comprises providing, to a second radio communication device, at least one key, as derived from the credentials during the authenticating, for use by the second radio communication device when executing the remaining part of the radio protocol stack for communication between the second radio communication device and the network.

Abstract: A method of ending a subscription performed in a network entity is disclosed. The method comprises receiving, from a device comprising an Embedded Universal Integrated Circuit Card, eUICC, a signed confirmation of a profile having been deleted in the device, the profile being associated with a subscription for the device; sending, to a Subscription Manager Data Preparation entity, a command for deletion of the profile; and deleting the user subscription and related profile in case an acknowledgement of the deletion of the profile is received from the Subscription Manager Data Preparation entity. Method in a device, method in a Subscription Manager Data Preparation entity, devices and entities, computer programs and computer program products are also provided.

Abstract: A communication device (2) generates a cryptographic key (20K) as a function of information (20B) bound to an intermediate communication network (20) via which the communication device (2) authenticates a subscription to a subscribed communication network (10). Here, the communication device (2) is served by a serving communication network (30) that differs from the intermediate communication network (20). The communication device (2) protects communication for the communication device (2) based on the generated cryptographic key (20K).

Abstract: A communication device (2) obtains a subscription identifier (50) that identifies a subscription to a first communication network (10). The subscription identifier (50) includes a first network identifier (52) that identifies the first communication network (10) and includes a second network identifier (54) that identifies a second communication network serving the first communication network (10). In some embodiments, the subscription identifier (50) conceals the first network identifier (52). Alternatively or additionally, the subscription identifier (50) is an International Mobile Subscriber Identity, IMSI, or is a Network Access Identifier, NAI, that includes the first network identifier (52) in a username part of the NAI. Regardless, the communication device (2) transmits the subscription identifier (50).

Abstract: A first network node (20N) in a first communication network (20) transmits information to a second network node (10N) in a second communication network (10). The information indicates a third communication network (30) is in a control signaling path (15) between a communication device (2) and the second communication network (10). In some embodiments, the first network node (20N) and/or the second network node (10N) may apply one or more policies based on the information, e.g., whether to authenticate a subscription of the communication device (2) to the second communication network (10).

Abstract: There is provided mechanisms for handling download of a subscription profile from a pool of subscription profiles. The subscription profiles of the pool of subscription profiles are served by an MNO entity. A method is performed by a subscription management entity. The subscription management entity manages the pool of subscription profiles. The pool of subscription profiles has its own pool identifier. The method comprises obtaining a request from a communication device for download of one of the subscription profiles from the pool of subscription profiles. The method comprises enabling download to the communication device of one of the subscription profiles from the pool of subscription profiles. The method comprises filling up the pool of subscription profiles so that total number of subscription profiles in the pool of subscription profiles remains unchanged.

Abstract: Embodiments relate to a method for secure domain name system, DNS, queries. The method is performed in a DNS client, and the method includes obtaining an encryption key and internet protocol, IP, address for a final DNS resolver, creating a session key, encrypting a DNS query and the created session key with the obtained encryption key, and sending a DNS message containing the encrypted DNS query and the created session key to an intermediate DNS resolver, different from the final DNS resolver, together with the obtained IP address for the final DNS resolver. Methods, nodes, computer programs, and a computer program product for secure DNS queries are also presented.

Abstract: Communication equipment (4, 6) generates an inner subscription concealed identifier (10C). Generating the inner subscription concealed identifier (10C) includes concealing at least a part of a subscription identifier (10S) using cryptographic key material (10K) associated with a first communication network (10), e.g., a non-public network. The subscription identifier (10S) identifies a subscription to the first communication network (10). The communication equipment (4, 6) generates an outer subscription concealed identifier (20C). Generating the outer subscription concealed identifier (20C) includes concealing the inner subscription concealed identifier (10C) using cryptographic key material (20K) associated with a second communication network (20), e.g., a public network. The communication equipment (4, 6) transmits the outer subscription concealed identifier (20C).

Abstract: There is provided mechanisms for handling a subscription profile for a subscriber entity. A method is performed by a subscription management entity. The method comprises obtaining a request from a mobile network operator entity to configure the subscription profile for the subscriber entity. The method comprises configuring the subscription profile with a customized PIN/PUK code for the subscriber entity. The method comprises providing an indication of the customized PIN/PUK code being configured in the subscription profile in a response to the mobile network operator entity.