11 Certificates

3GPP TS 22.105, Release 17, Services and service capabilities

Certificates may be used for a global-scale authorization infrastructure for various applications and services based on the 3GPP system security architecture. Services may be provided by parties that are not necessarily trusted by the cellular operators nor by cellular subscribers. Therefore, technical means to securely deliver and authenticate services from other parties are necessary. For 3GPP, only the certificates issued by operators are relevant. There are two types of such certificates: subscriber certificates are issued to cellular subscribers, and operator CA certificates are self-signed or issued to other operators. Issuing subscriber certificates allows operators to offer authorization and accounting of other services. Operator CA certificates obtained via a trusted channel can be used as root certificates.

In addition to these certificates, there are other types of certificates, for example service provider certificates (provided by service providers) and third party certificates (provided by third parties, e.g. Value Added Service Providers). These certificates are described and standardized by other fora such as the IETF PKIX working group and the WAP Forum.

Authorization of such services may be based on credentials like digital signatures. The service provider and the network operator shall use subscriber certificates to verify these credentials. The UE may also use operator CA certificates and other certificates to verify the credentials supplied by service providers and third parties. Operator-issued certificates in 3GPP must be such that they are compatible with other systems that allow the storage, selection, and use of certificates (e.g., WAP, LCS).

Example usage scenarios of the subscriber certificate feature are payment via the subscriber's phone bill and location information offered by the operator to other service providers. It should be noted that a service using this feature may be outside the scope of 3GPP or implemented using existing 3GPP toolkits.

The 3GPP system shall provide support for issuing certificates to the UE over the authenticated network connection. This feature shall be based on existing 3GPP system security principles and mechanisms as far as possible. The certificate management procedures must be authenticated and integrity-protected. It shall be possible to issue certificates for service usage both in the home and visited networks. It should be possible for the home operator to exercise control over service usage in the visited network.

For further information on certificates see TS 33.102 [13].
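The trust relationships described in this clause, shown as an added illustration that is not part of the 3GPP specification: a self-signed operator CA issues a subscriber certificate, the subscriber signs a payment authorisation, and a service provider accepts it only if the certificate chains to the operator root and the signature verifies. The `openssl` CLI, RSA-2048, SHA-256, the subject names and the order record format are assumptions made for the example; the specification does not prescribe them.

```shell
#!/bin/sh
# Added example. Subjects, file names and the order record are constructed.

# Operator: self-signed operator CA, then a subscriber certificate issued under it.
issue_certs() {  # $1 = work dir
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/O=Example Operator/CN=Example Operator CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes \
        -subj "/O=Example Operator/CN=subscriber-0001" \
        -keyout "$1/sub.key" -out "$1/sub.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/sub.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 7 -out "$1/sub.pem" 2>/dev/null
}

# Subscriber: sign a payment authorisation with the certified private key.
sign_order() {  # $1 = work dir, $2 = order text
    printf '%s\n' "$2" > "$1/order.txt" &&
    openssl dgst -sha256 -sign "$1/sub.key" -out "$1/order.sig" "$1/order.txt"
}

# Service provider: accept only if the certificate chains to the trusted operator
# root AND the signature verifies under the public key in that certificate.
verify_order() {  # $1 = operator root, $2 = subscriber cert, $3 = order, $4 = signature
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
    pub=$(mktemp) || return 1
    openssl x509 -in "$2" -pubkey -noout > "$pub" 2>/dev/null &&
        openssl dgst -sha256 -verify "$pub" -signature "$4" "$3" >/dev/null 2>&1
    rc=$?
    rm -f "$pub"
    return "$rc"
}

demo() {
    d=$(mktemp -d) || return 1
    issue_certs "$d" && sign_order "$d" "charge=4.99;payee=example-shop;nonce=0001" || return 1
    verify_order "$d/ca.pem" "$d/sub.pem" "$d/order.txt" "$d/order.sig" &&
        echo "genuine order: accepted"
    printf 'charge=499.00;payee=example-shop;nonce=0001\n' > "$d/tampered.txt"
    verify_order "$d/ca.pem" "$d/sub.pem" "$d/tampered.txt" "$d/order.sig" ||
        echo "tampered order: rejected"
    rm -rf "$d"
}
demo
```

The root passed as the first argument to `verify_order` stands for the operator CA certificate obtained via a trusted channel; a subscriber certificate presented against any other root fails the chain check before the signature is even examined.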

Annex A (informative):
Examples of services built from service capabilities features

Call Barring

In standard GSM, the Call Barring services allow outgoing calls to certain sets of destinations to be prevented, based on the number dialled and whether the user is roaming. It is proposed that this service allow outgoing calls to be blocked based on a wider range of parameters, which could include factors such as the time of day, day of week, location, type of call requested, cost of the service and/or destination. This would allow Call Barring services tailored to business and personal markets to be developed to avoid abuse.

This service is invoked during the initial outgoing call set-up procedure and allows the call to be blocked prior to incurring any charges. This service can be applied to any teleservice for both connection-oriented and connectionless-oriented services.

Call Filtering/Forwarding

In standard GSM, there is no call filtering service. All calls are presented to the user unless a call forwarding service is used to re-direct calls; there is no different call handling depending on the incoming call parameters (although differentiation on call type (voice/data) is possible).

The call filtering service allows the control of whether incoming calls are accepted, forwarded or terminated. The parameters which can be used to determine the final destination of a call may include the caller ID (CLI), original number dialled, time of day, current user location/network, user profile settings and current state of the terminal.

This service shall be two-stage: immediate call filtering (handled regardless of whether the terminal is online or not) and late call filtering (handled only if the terminal is online). It shall be possible to create and operate new call filtering services which can access any of the key parameters to handle calls in this way.


This service allows an established call to be maintained, whilst suspending use of the bearer from the incoming access point of the network. This saves on both air interface and network traffic resources when a call is temporarily suspended. The incoming access point in the network means either the originating terminal, or interworking point with another network.


This service allows either an established or held call to be redirected to another destination. This may either be used by setting up a new call to the destination first, or simply redirecting the existing call to the new destination. It shall be possible to revert such a call back to the diverting terminal at any time before it is accepted (answered) by the new destination. The system shall ensure that an optimal traffic route is used after the call has been answered by its new (final) destination.

Call-back When Free

This service can be invoked where a call (or a connectionless message) cannot be delivered to its destination because it is in use. The system shall inform the requesting entity when the destination is next able to accept the call, allowing a new call to be originated. This allows existing GSM services, such as Call-back When Free, to be implemented. Where multiple requests are outstanding for a terminal which becomes available, the system shall determine in which order the requests are handled, probably in a serial manner. Ideally, it shall be possible to create the service logic which determines the order used from a range of accessible parameters.

Annex B (informative):
Description and analysis of communication schemes

This annex gives a high-level classification and description of communications requirements from end users and applications.