E.4 Signalling flows demonstrating a failure in subscriber certificate enrolment
3GPP TS 24.109 Release 17: Bootstrapping interface (Ub) and network application function interface (Ua); Protocol details
The signalling flow in figure E.3.1-1 describes the message exchange between the UE and the PKI portal using HTTP Digest Authentication. This clause describes a failure in the subscriber certificate enrolment related to the PKI procedures. It is therefore assumed that the subscriber certificate enrolment procedure has proceeded to step 6 as described in clause E.3.1.
6. Authentication and certificate generation at PKI portal
The verification procedures described in clause E.3.1 step 6 are successfully completed.
The PKI portal encounters an error during the internal enrolment procedure. For example, the PKI portal is not allowed to issue a certificate to the subscriber due to the operator's internal policies, i.e. the subscriber's profile in the HSS indicates that the enrolment is not allowed.
7. Error notification (PKI portal to UE) – see example in table E.4-1
The PKI portal sends a 403 Forbidden response to the UE to indicate that the subscriber certificate enrolment is not allowed. The PKI portal generates an HTTP response containing the error notification. The PKI portal can use the key material Ks_NAF to authenticate the response.
Table E.4-1: Error notification (PKI portal to UE)
HTTP/1.1 403 Forbidden
Server: Apache/1.3.22 (Unix) mod_perl/1.27
Content-Type: text/html
Authentication-Info: qop=auth-int, rspauth="6629fae49394a05397450978507c4ef1", cnonce="6629fae49393a05397450978507c4ef1", nc=00000001
Date: Thu, 08 Jan 2004 10:50:35 GMT
Expires: Fri, 09 Jan 2004 10:50:36 GMT
Authentication-Info: This carries the protection
Expires: Gives the date/time after which the response is considered stale.
8. Authentication at UE
The UE receives the response and verifies the Authentication-Info header. If the verification succeeds, the UE is notified of the failure of the subscriber certificate enrolment.
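The rspauth handling of steps 7 and 8, as an added example that is not code from the specification: the PKI portal side builds the Authentication-Info value of the 403 response with qop=auth-int, and the UE side recomputes it over the response it actually received before trusting the error notification. It assumes the GBA convention that the Digest username is the B-TID and the password is the base64-encoded Ks_NAF, and that the nonce comes from the PKI portal's earlier 401 challenge; the Ks_NAF, B-TID, realm, nonce, request URI and response body are constructed sample values.

```python
import base64
import hashlib
import hmac
import re

# Constructed sample values (not taken from the specification): a Ks_NAF,
# the B-TID used as Digest username, the NAF realm, the nonce from the PKI
# portal's earlier 401 challenge, the request URI and the 403 body.
KS_NAF = bytes(range(32))
PASSWORD = base64.b64encode(KS_NAF).decode()   # GBA: Digest password = base64(Ks_NAF)
B_TID = "a6bdc11a@bsf.home1.net"
REALM = "3GPP-bootstrapping@pkiportal.home1.net"
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
DIGEST_URI = "/enrol?response=single"
BODY_403 = "<html><body>Subscriber certificate enrolment not allowed</body></html>"

def h(s: str) -> str:
    """H() of RFC 2617: MD5 hex digest."""
    return hashlib.md5(s.encode()).hexdigest()

def rspauth(nonce, nc, cnonce, qop, digest_uri, body):
    """rspauth for Authentication-Info (RFC 2617 3.2.3): A2 has no method and,
    with qop=auth-int, also covers H(entity-body) of the response."""
    ha1 = h(f"{B_TID}:{REALM}:{PASSWORD}")
    ha2 = h(f":{digest_uri}:{h(body)}") if qop == "auth-int" else h(f":{digest_uri}")
    return h(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def build_auth_info(cnonce, nc, body, qop="auth-int"):
    """PKI portal side (step 7): Authentication-Info value for the 403 response."""
    r = rspauth(NONCE, nc, cnonce, qop, DIGEST_URI, body)
    return f'qop={qop}, rspauth="{r}", cnonce="{cnonce}", nc={nc}'

def parse_auth_info(value: str) -> dict:
    """Split the k=v / k="v" pairs of an Authentication-Info header value."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|[^,\s]+)', value)}

def ue_verify(auth_info_value: str, body: str) -> bool:
    """UE side (step 8): recompute rspauth over the received 403 and compare in
    constant time; a mismatch means the notification was not produced by the
    PKI portal holding Ks_NAF, or the body was altered in transit."""
    f = parse_auth_info(auth_info_value)
    if f.get("qop") != "auth-int" or not {"rspauth", "cnonce", "nc"} <= set(f):
        return False
    expected = rspauth(NONCE, f["nc"], f["cnonce"], f["qop"], DIGEST_URI, body)
    return hmac.compare_digest(expected, f["rspauth"])

if __name__ == "__main__":
    hdr = build_auth_info("6629fae49393a05397450978507c4ef1", "00000001", BODY_403)
    print(ue_verify(hdr, BODY_403))        # True: genuine error notification
    print(ue_verify(hdr, BODY_403 + " "))  # False: body altered in transit
```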