Abstract: It is provided a method for controlling access to a physical space using an emergency delegation. The method is performed in a lock device and comprises the steps of: receiving an access request from an electronic key; obtaining a plurality of delegations, wherein each delegation is a delegation from a delegator to a delegatee, the plurality of delegations collectively forming a chain of delegations wherein when two delegations are chained together, the delegatee of one delegation is the delegator of the next delegation; determining that a delegation in the chain of delegations is an emergency delegation, the emergency delegation indicating that access should only be granted when an emergency situation occurs; determining when an emergency situation occurs; and granting access to the physical space when the chain of delegations starts in the lock device and ends in the electronic key; and when the emergency situation occurs.

Abstract: It is provided a method performed by a key device for supporting duress signalling. The method comprises the steps of: determining that a user is under duress; entering a wait state after the step of determining that a user is under duress; exiting the wait state and establishing a communication channel with a lock device, the communication channel being intended to be used for access control signalling; generating a duress signal; and transmitting, over the communication channel, the duress signal to the lock device.

Abstract: It is provided a method for providing access to a physical space for provision of a service. The method is performed in an access coordinator and comprises the steps of: receiving an approval signal indicating that the service consumer allows a service provider agent of a service provider to open the lock; deriving service provider access data being necessary for the service provider agent to open the lock; transmitting the service provider access data to a service provider server, for storage by the service provider server; deleting the service provider access data from the access coordinator; receiving the service provider access data and a request to assign a service provider agent to open the lock; generating service agent access data; and transmitting the service agent access data to a service provider agent device associated with the service provider agent.

Abstract: It is presented method for providing access to a lock for provision of a service. The method is performed in a lock manager and comprises the steps of: receiving a request for access to the lock, the request being based on the service consumer ordering a service requiring access to a physical space which is secured by the lock; sending a first consumer request to a service consumer device, asking whether to grant access to the lock for a service provider agent to provide the service; receiving a first positive consumer response from the service consumer device, indicating that the service consumer allows the service provider agent to access the physical space secured by the lock; generating a temporary credential for the service provider agent; providing the temporary credential to the service provider agent; and configuring the lock to accept the temporary credential.

Abstract: It is provided a method for controlling access to a physical space using an emergency delegation. The method is performed in a lock device and comprises the steps of: receiving an access request from an electronic key; obtaining a plurality of delegations, wherein each delegation is a delegation from a delegator to a delegatee, the plurality of delegations collectively forming a chain of delegations wherein when two delegations are chained together, the delegatee of one delegation is the delegator of the next delegation; determining that a delegation in the chain of delegations is an emergency delegation, the emergency delegation indicating that access should only be granted when an emergency situation occurs; determining when an emergency situation occurs; and granting access to the physical space when the chain of delegations starts in the lock device and ends in the electronic key; and when the emergency situation occurs.

Abstract: It is provided a method for requesting remote unlocking of an electronic lock controlling access to a physical space. The method is performed in a user device and comprises steps of: sending a control message to an access controller, the control message comprising user authentication information, the control message causing the access controller to trigger the electronic lock to emit an alert signal; and sending an unlock message to the access controller comprising the user authentication information, in order to unlock the electronic lock.

Abstract: It is provided a method for controlling access to a physical space. The method is performed in an access control device and comprises the steps of: communicating with an electronic key to obtain an identity of the electronic key; obtaining a plurality of delegations; determining, from one of the delegations, that there is an auxiliary condition, wherein the auxiliary condition is that access is approved for the electronic key by an auxiliary party, authenticated by a digital signature by the auxiliary party; and granting access to the physical space when the plurality of delegations comprises a sequence of delegations covering a delegation path from the access control device to the electronic key such that, in the sequence of delegations, the delegator of the first delegation is the access control device, the receiver of the last delegation is the electronic key, and the auxiliary condition is fulfilled.

Abstract: It is provided a method performed by a key device for supporting duress signalling. The method comprises the steps of: determining that a user is under duress; entering a wait state after the step of determining that a user is under duress; exiting the wait state and establishing a communication channel with a lock device, the communication channel being intended to be used for access control signalling; generating a duress signal; and transmitting, over the communication channel, the duress signal to the lock device.

Abstract: It is provided a method for providing access to a physical space secured by a lock for provision of a service. The method comprises the steps of: receiving an approval signal from a service consumer device of the service consumer, the approval signal indicating that the service consumer allows a service provider agent of a service provider to open the lock; receiving, from the service provider device, a request to assign a service provider agent to open the lock; communicating with the service provider device to use a private key of a cryptographic key pair accessible to the service provider device, the private key being used to generate service agent access data that is specific for the service provider agent, to allow the service provider agent to open the lock; and transmitting the service agent access data to a service provider agent device associated with the service provider agent.

Abstract: It is presented a method for providing access to a lock for provision of a service. The method comprises the steps of: receiving a request for access to the lock, the request being based on the service consumer ordering a service requiring access to a physical space, the request comprising a first public key associated with a co-ordinator and a second public key associated with a service provider agent; presenting a first consumer query to the service consumer; receiving a first positive consumer response indicating that the service consumer allows the service provider agent to access the physical space; and delegating access to the lock to the co-ordinator, which comprises encrypting at least part of a delegation using the first public key, encrypting at least part of the delegation using the second public key, and electronically signing the delegation, enabling further delegation to the service provider agent.

Abstract: It is provided a method for requesting remote unlocking of an electronic lock controlling access to a physical space. The method is performed in a user device and comprises steps of: sending a control message to an access controller, the control message comprising user authentication information, the control message causing the access controller to trigger the electronic lock to emit an alert signal; and sending an unlock message to the access controller comprising the user authentication information, in order to unlock the electronic lock.

Abstract: It is presented a method for providing access to a lock for provision of a service. The method comprises the steps of: receiving a request for access to the lock, the request being based on the service consumer ordering a service requiring access to a physical space, the request comprising a first public key associated with a co-ordinator and a second public key associated with a service provider agent; presenting a first consumer query to the service consumer; receiving a first positive consumer response indicating that the service consumer allows the service provider agent to access the physical space; and delegating access to the lock to the co-ordinator, which comprises encrypting at least part of a delegation using the first public key, encrypting at least part of the delegation using the second public key, and electronically signing the delegation, enabling further delegation to the service provider agent.

Abstract: It is provided a method for managing administration privileges of an electronic lock. The method is performed in the electronic lock and comprises the steps of: receiving a first signal from a first mobile device, the first signal comprising a first code entered by a user to the first mobile device, and an identifier of the first mobile device; determining that the first mobile device has administration privileges to the electronic lock; storing the first code in memory of the electronic lock; receiving a second signal from a second mobile device, the second signal comprising a second code entered by a user to the second mobile device, and an identifier of the second mobile device; and granting administration privileges to the lock for the second mobile device only when the second code matches the first code.

Abstract: It is provided a method for providing access to a physical space secured by a lock for provision of a service. The method comprises the steps of: receiving an approval signal from a service consumer device of the service consumer, the approval signal indicating that the service consumer allows a service provider agent of a service provider to open the lock; receiving, from the service provider device, a request to assign a service provider agent to open the lock; communicating with the service provider device to use a private key of a cryptographic key pair accessible to the service provider device, the private key being used to generate service agent access data that is specific for the service provider agent, to allow the service provider agent to open the lock; and transmitting the service agent access data to a service provider agent device associated with the service provider agent.

Abstract: It is provided a method for providing access to a physical space for provision of a service. The method is performed in an access coordinator and comprises the steps of: receiving an approval signal indicating that the service consumer allows a service provider agent of a service provider to open the lock; deriving service provider access data being necessary for the service provider agent to open the lock; transmitting the service provider access data to a service provider server, for storage by the service provider server; deleting the service provider access data from the access coordinator; receiving the service provider access data and a request to assign a service provider agent to open the lock; generating service agent access data; and transmitting the service agent access data to a service provider agent device associated with the service provider agent.

Abstract: It is presented a method for providing access to a lock for provision of a service. The method comprises the steps of: receiving a request for access to the lock, the request being based on the service consumer ordering a service requiring access to a physical space, the request comprising a first public key associated with a co-ordinator and a second public key associated with a service provider agent; presenting a first consumer query to the service consumer; receiving a first positive consumer response indicating that the service consumer allows the service provider agent to access the physical space; and delegating access to the lock to the co-ordinator, which comprises encrypting at least part of a delegation using the first public key, encrypting at least part of the delegation using the second public key, and electronically signing the delegation, enabling further delegation to the service provider agent.

Abstract: It is presented method for providing access to a lock for provision of a service. The method is performed in a lock manager and comprises the steps of: receiving a request for access to the lock, the request being based on the service consumer ordering a service requiring access to a physical space which is secured by the lock; sending a first consumer request to a service consumer device, asking whether to grant access to the lock for a service provider agent to provide the service; receiving a first positive consumer response from the service consumer device, indicating that the service consumer allows the service provider agent to access the physical space secured by the lock; generating a temporary credential for the service provider agent; providing the temporary credential to the service provider agent; and configuring the lock to accept the temporary credential.

Abstract: It is provided a method for controlling access to a physical space. The method is performed in an access control device and comprises the steps of: communicating with an electronic key to obtain an identity of the electronic key; obtaining a plurality of delegations; determining, from one of the delegations, that there is an auxiliary condition, wherein the auxiliary condition is that access is approved for the electronic key by an auxiliary party, authenticated by a digital signature by the auxiliary party; and granting access to the physical space when the plurality of delegations comprises a sequence of delegations covering a delegation path from the access control device to the electronic key such that, in the sequence of delegations, the delegator of the first delegation is the access control device, the receiver of the last delegation is the electronic key, and the auxiliary condition is fulfilled.

Abstract: Credential data representing users seeking access to a well-defined space are registered in a reader unit associated with an access-control-related building component. A linked address associates the credential data with a first credential data receiver (EAC1) and/or at least one second credential data receiver (EAC2). The address is stored in a memory at the reader unit or on a portable carrier holding the credential data. If the address identifies the first credential data receiver (EAC1), the reader unit forwards the registered credential data to this unit (EAC1). If the address (A) identifies a particular second credential data receiver (EAC2), the reader unit instead forwards the registered credential data (CD) to this unit (EAC2). When receiving the credential data, the units (EAC1; EAC2) effect at least one decision concerning the well-defined space independently of one another.

Abstract: Credential data representing users seeking access to a well-defined space are registered in a reader unit associated with an access-control-related building component. A linked address associates the credential data with a first credential data receiver (EAC1) and/or at least one second credential data receiver (EAC2). The address is stored in a memory at the reader unit or on a portable carrier holding the credential data. If the address identifies the first credential data receiver (EAC1), the reader unit forwards the registered credential data to this unit (EAC1). If the address (A) identifies a particular second credential data receiver (EAC2), the reader unit instead forwards the registered credential data (CD) to this unit (EAC2). When receiving the credential data, the units (EAC1; EAC2) effect at least one decision concerning the well-defined space independently of one another.