Abstract: A communication node for delivering secure content in respect of a requested service to a target entity. The communication node has respective interfaces towards: at least one network for communicating with mobile terminals; a service-provider node providing the requested service; and an authorization node for effecting payments. After having completed a set-up phase and in response to a payment, the communication node enables forwarding of secure content, relating to at least one service requested by a user of a first mobile terminal to a target entity associated with the first mobile terminal. The set-up phase involves: identifying the at least one requested service from the first mobile terminal; linking in the service-provider node the at least one requested service to the first mobile terminal; and assigning a reference in the service-provider node to a payment to be made in respect of the at least one requested service.

Abstract: A communication node for delivering secure content in respect of a requested service to a target entity. The communication node has respective interfaces towards: at least one network for communicating with mobile terminals; a service-provider node providing the requested service; and an authorization node for effecting payments. After having completed a set-up phase and in response to a payment, the communication node enables forwarding of secure content, relating to at least one service requested by a user of a first mobile terminal to a target entity associated with the first mobile terminal. The set-up phase involves: identifying the at least one requested service from the first mobile terminal; linking in the service-provider node the at least one requested service to the first mobile terminal; and assigning a reference in the service-provider node to a payment to be made in respect of the at least one requested service.

Abstract: A communication node for delivering secure content in respect of a requested service to a target entity. The communication node has respective interfaces towards: at least one network for communicating with mobile terminals; a service-provider node providing the requested service; and an authorization node for effecting payments. After having completed a set-up phase and in response to a payment, the communication node enables forwarding of secure content, relating to at least one service requested by a user of a first mobile terminal to a target entity associated with the first mobile terminal. The set-up phase involves: identifying the at least one requested service from the first mobile terminal; linking in the service-provider node the at least one requested service to the first mobile terminal; and assigning a reference in the service-provider node to a payment to be made in respect of the at least one requested service.

Abstract: It is presented a security server arranged to set up communication between a merchant device and a customer payment application. The security server comprises: a receiver arranged to receive a first message comprising a customer identifier, an application identifier and a security token; a determiner arranged to determine whether the merchant device is authorized; a transmitter arranged to send a second message to the merchant device, the second message indicating that the merchant device is authorized to effect payment; and a channel establisher arranged to set up a secure channel between the merchant device and the customer payment application in a secure element being adapted to be comprised in a mobile communication terminal, wherein all communication between the merchant device and the customer payment application is controlled by the security server. Corresponding methods, merchant device, computer programs and computer program products are also presented.

Abstract: It is presented a security server arranged to set up communication between a merchant device and a customer payment application. The security server comprises: a receiver arranged to receive a first message comprising a customer identifier, an application identifier and a security token; a determiner arranged to determine whether the merchant device is authorized; a transmitter arranged to send a second message to the merchant device, the second message indicating that the merchant device is authorized to effect payment; and a channel establisher arranged to set up a secure channel between the merchant device and the customer payment application in a secure element being adapted to be comprised in a mobile communication terminal, wherein all communication between the merchant device and the customer payment application is controlled by the security server. Corresponding methods, merchant device, computer programs and computer program products are also presented.

Abstract: A particular authentication-based service is implemented via a physical authentication device. A service description of the particular authentication-based service is read from the physical authentication device via a user terminal; and based thereon, a service request is generated, which specifies a capability description of the user terminal. A communication node receives the service request and checks this against a database containing information about which node in a set of nodes that stores downloadable software for implementing which authentication-based services on which types of user terminals. If a match is found between at least one node and the particular authentication-based service, a download identification message is sent to the user terminal, which specifies at least one address string uniquely identifying a respective location for the downloadable software stored in the matching node(s).

Abstract: It is disclosed a method and trusted execution environments (TEE) of assigning a selected identifier to an application. A request is received to load or install, within or outside a profile domain, of an application with a selected identifier. It is checked that the selected identifier is not already stored in an application registry entry outside the profile registry 230, 302. If it is requested to load or install the application in the selected profile domain, the selected identifier is assigned to said application if the selected identifier is not already stored in an application entry of a profile domain registry associated with the selected profile domain. If it is requested to load or install the application outside any profile domain, the selected identifier is assigned to said application if the selected identifier is not already stored in an application entry of any of at least two profile domain registries.

Abstract: A method is presented for sending a message to a secure element connected to a mobile equipment, wherein the secure element is coupled to a user of the mobile equipment. The method comprises the steps, performed in an application manager server of: receiving, from an application server, an application message and an identifier of a destination secure element; generating a secure element message from the application message; from a plurality of connectivity providers, selecting a connectivity provider capable of communicating with the destination secure element; and sending the secure element message to the selected connectivity provider for forwarding to the destination secure element. A corresponding application manager server, computer program and computer program product are also presented.

Abstract: A communication node for delivering secure content in respect of a requested service to a target entity. The communication node has respective interfaces towards: at least one network for communicating with mobile terminals; a service-provider node providing the requested service; and an authorization node for effecting payments. After having completed a set-up phase and in response to a payment, the communication node enables forwarding of secure content, relating to at least one service requested by a user of a first mobile terminal to a target entity associated with the first mobile terminal. The set-up phase involves: identifying the at least one requested service from the first mobile terminal; linking in the service-provider node the at least one requested service to the first mobile terminal; and assigning a reference in the service-provider node to a payment to be made in respect of the at least one requested service.

Abstract: It presented a method, performed in a secure element, the secure element being arranged to enable user applications of the secure element to verify authenticity of incoming user application commands. The method comprises the steps of: receiving a command from a secure element reader for a user application on the secure element, the command comprising an application identifier of the user application; determining whether there is a matching user application in the secure element; invoking the matching user application; and establishing, when there is an absence of any matching user applications, a communication channel with a remote application manager server and sending an absent user application message to the application manager server indicating that the user application has been requested on the secure element. A corresponding secure element, method for an application manager server and application manager server are also presented.

Abstract: A particular authentication-based service is implemented via a physical authentication device. A service description of the particular authentication-based service is read from the physical authentication device via a user terminal; and based thereon, a service request is generated, which specifies a capability description of the user terminal. A communication node receives the service request and checks this against a database containing information about which node in a set of nodes that stores downloadable software for implementing which authentication-based services on which types of user terminals. If a match is found between at least one node and the particular authentication-based service, a download identification message is sent to the user terminal, which specifies at least one address string uniquely identifying a respective location for the downloadable software stored in the matching node(s).

Abstract: It presented a method, performed in a secure element, the secure element being arranged to enable user applications of the secure element to verify authenticity of incoming user application commands. The method comprises the steps of: receiving a command from a secure element reader for a user application on the secure element, the command comprising an application identifier of the user application; determining whether there is a matching user application in the secure element; invoking the matching user application; and establishing, when there is an absence of any matching user applications, a communication channel with a remote application manager server and sending an absent user application message to the application manager server indicating that the user application has been requested on the secure element. A corresponding secure element, method for an application manager server and application manager server are also presented.

Abstract: It is disclosed methods and trusted execution environments (TEE) of enabling one of at least two profile domains. An authorisation token for authorising a TEE application to request one of the at least two profile domains to be enabled, is received (816, 1102). The validity of the authorization token is checked (818, 1104). If the authorization token is valid, information about the TEE application being authorised to request one of the at least two profile domains to be enabled, is stored (820, 1106). If receiving (822) a command requesting the authorised TEE application to request (824, 1108) one of the at least two profile domains to be enabled, said one of the at least two profile domains is enabled (826, 1110). A TEE comprises a processor and a memory storing a computer program comprising computer program code for executing the method when the code is run in the processor.

Abstract: It is disclosed a method and trusted execution environments (TEE) of assigning a selected identifier to an application. A request is received to load or install, within or outside a profile domain, of an application with a selected identifier. It is checked that the selected identifier is not already stored in an application registry entry outside the profile registry 230, 302. If it is requested to load or install the application in the selected profile domain, the selected identifier is assigned to said application if the selected identifier is not already stored in an application entry of a profile domain registry associated with the selected profile domain. If it is requested to load or install the application outside any profile domain, the selected identifier is assigned to said application if the selected identifier is not already stored in an application entry of any of at least two profile domain registries.

Abstract: A method is provided for use in a communications network in which a plurality of accesses are available to a user entity for accessing a network resource, comprising: determining a set of active rules, each rule specifying respective preferences, at least relatively, for at least some of the plurality of accesses, with potential for conflict between the rules of the set concerning which access is most preferred; deriving from the set of active rules a new rule specifying respective preferences, at least relatively, for at least some of the plurality of accesses; and selecting an access for use by the user entity based on the new rule.

Abstract: It presented a method, performed in a secure element, the secure element being arranged to enable user applications of the secure element to verify authenticity of incoming user application commands. The method comprises the steps of: receiving a command from a secure element reader for a user application on the secure element, the command comprising an application identifier of the user application; determining whether there is a matching user application in the secure element; invoking the matching user application; and establishing, when there is an absence of any matching user applications, a communication channel with a remote application manager server and sending an absent user application message to the application manager server indicating that the user application has been requested on the secure element. A corresponding secure element, method for an application manager server and application manager server are also presented.

Abstract: A method is provided for use in a communications network in which a plurality of accesses are available to a user entity for accessing a network resource, comprising: determining a set of active rules, each rule specifying respective preferences, at least relatively, for at least some of the plurality of accesses, with potential for conflict between the rules of the set concerning which access is most preferred; deriving from the set of active rules a new rule specifying respective preferences, at least relatively, for at least some of the plurality of accesses; and selecting an access for use by the user entity based on the new rule.

Abstract: A method is provided for use in a communications network in which a plurality of accesses are available to a user entity for accessing a network resource, comprising: determining a set of active rules, each rule specifying respective preferences, at least relatively, for at least some of the plurality of accesses, with potential for conflict between the rules of the set concerning which access is most preferred; deriving from the set of active rules network discovery and selection rules a new rule specifying respective preferences, at least relatively, for at least some of the plurality of accesses; and selecting an access for use by the user entity based on the new rule.

Abstract: It is presented a security server arranged to set up communication between a merchant device and a customer payment application. The security server comprises: a receiver arranged to receive a first message comprising a customer identifier, an application identifier and a security token; a determiner arranged to determine whether the merchant device is authorised; a transmitter arranged to send a second message to the merchant device, the second message indicating that the merchant device is authorised to effect payment; and a channel establisher arranged to set up a secure channel between the merchant device and the customer payment application in a secure element being adapted to be comprised in a mobile communication terminal, wherein all communication between the merchant device and the customer payment application is controlled by the security server. Corresponding methods, merchant device, computer programs and computer program products are also presented.

Abstract: It is presented a security server arranged to set up communication between a merchant device and a customer payment application. The security server comprises: a receiver arranged to receive a first message comprising a customer identifier, an application identifier and a security token; a determiner arranged to determine whether the merchant device is authorised; a transmitter arranged to send a second message to the merchant device, the second message indicating that the merchant device is authorised to effect payment; and a channel establisher arranged to set up a secure channel between the merchant device and the customer payment application in a secure element being adapted to be comprised in a mobile communication terminal, wherein all communication between the merchant device and the customer payment application is controlled by the security server. Corresponding methods, merchant device, computer programs and computer program products are also presented.