E.4 Signalling flows demonstrating a failure in subscriber certificate enrolment

24.1093GPPBootstrapping interface (Ub) and network application function interface (Ua)Protocol detailsRelease 17TS

The signalling flow in figure E.3.1-1 describes the message exchange between UE and PKI portal using HTTP Digest Authentication. This clause describes a failure in the subscriber certificate enrolment, related to PKI procedures. Thus, it assumed that subscriber certificate enrolment procedure has proceeded to step 6 as described in clause E.3.1.

6. Authentication and certificate generation at PKI portal

The verification procedures described in clause E.3.1 step 6 are successfully completed.

The PKI portal encounters an error during the internal enrolment procedure. For example, the PKI portal is not allowed to issue a certificate to the subscriber due operator’s internal policies, i.e. the subscriber’s profile in the HSS indicates that the enrolment is not allowed.

7. Error notification (PKI portal to UE) – see example in table E.4-1

The PKI portal sends 403 Forbidden response to the UE to indicate that the subscriber certificate enrolment is allowed. The PKI portal generates a HTTP response containing the error notification. The PKI portal can use key material Ks_NAF to authenticate the response.

Table E.4-1: Error notification (PKI portal to UE)

HTTP/1.1 403 Forbidden

Server: Apache/1.3.22 (Unix) mod_perl/1.27

Content-Type: text/html

Authentication-Info: qop=auth-int, rspauth="6629fae49394a05397450978507c4ef1", cnonce="6629fae49393a05397450978507c4ef1", nc=00000001

Date: Thu, 08 Jan 2004 10:50:35 GMT

Expires: Fri, 09 Jan 2004 10:50:36 GMT

Authentication-Info: This carries the protection

Expires: Gives the date/time after which the response is considered stale.

8. Authentication at UE

The UE receives the response and verifies the Authentication-Info header. If the verification succeeds, the UE is notified of the failure of the subscriber certificate enrolment.