TR 33.700-22
Study on Security aspects of Common API Framework (CAPIF) Phase 3

3GPP‑Page fToC_↓ Partial Content _→

V19.2.0 (Wzip) 2025/09 … p.

Rapporteur:: Mr. Rathod, Niraj
Ericsson LM

full Table of Contents for TR 33.700-22 Word version: 19.2.0

each clause number in 'red' refers to the equivalent title in the Partial Content

Scope p. 10

References p. 10

Definitions of terms, symbols and abbreviations p. 11

3.1	Terms p. 11
3.2	Symbols p. 11
3.3	Abbreviations p. 11

High-level architectures p. 11

4.0	Introduction p. 11
4.1	High-level architecture for RNAA p. 12
4.2	High-level architecture for CAPIF interconnection p. 12

Key issues p. 14

5.1

Key Issue #1: Security of resource owner authorization management and CAPIF-8 reference point p. 14

5.1.0

Introduction p. 14

5.1.1

Key Issue #1.1: CAPIF-8 reference point p. 14

5.1.1.1	Key issue details p. 14
5.1.1.2	Security threats p. 14
5.1.1.3	Potential Security Requirement p. 14

5.1.2

Key Issue #1.2: Resource owner authorization management p. 14

5.1.2.1	Key issue details p. 14
5.1.2.2	Security threats p. 15
5.1.2.3	Potential security requirement p. 15

5.1.3

Key Issue #1.3: Finer granular authorization p. 15

5.1.3.1	Key issue details p. 15
5.1.3.2	Security threats p. 15
5.1.3.3	Potential Security Requirement p. 15

5.2

Key issue #2: CAPIF interconnection security p. 15

5.2.1	Key issue details p. 15
5.2.2	Security threats p. 16
5.2.3	Potential security requirements p. 16

5.3

Key Issue #3: Authorizing API invoker on one UE accessing resources related to another UE p. 16

5.3.1	Key issue details p. 16
5.3.2	Security threats p. 17
5.3.3	Potential security requirements p. 17

5.4

Key issue #4: Nested API invocation p. 17

5.4.1	Key issue details p. 17
5.4.2	Security threats p. 17
5.4.3	Potential security requirements p. 17

5.5

Key Issue KI#5: Authenticating multiple API invokers of the same Resource Owner p. 18

5.5.1	Key Issue details p. 18
5.5.2	Security threats p. 18
5.5.3	Security requirements p. 18

5.6

Key Issue KI#6: Onboarding security issues p. 18

5.6.1	Key issue details p. 18
5.6.2	Threats p. 18
5.6.3	Potential requirements p. 18

Proposed solutions p. 19

6.0

Mapping of solutions to key issues p. 19

6.1

Solution #1: Security protection mechanism for CAPIF-8 reference point p. 20

6.1.1	Introduction p. 20
6.1.2	Solution details p. 20
6.1.3	Evaluation p. 20

6.2

Solution #2: CAPIF-8 reference point security p. 20

6.2.1

Introduction p. 20

6.2.2

Solution details p. 21

6.2.2.1	Mutual authentication p. 21
6.2.2.2	Protection of messages between ROF -AZF/CCF p. 21

6.2.3

Evaluation p. 21

6.3

Solution #3: Security procedures for CAPIF-8 reference points p. 21

6.3.1	Introduction p. 21
6.3.2	Solution details p. 21
6.3.3	Evaluation p. 22

6.4

Solution #4: resource owner authorized revocation p. 22

6.4.1

Introduction p. 22

6.4.2

Solution details p. 22

6.4.2.1	Authorization procedure p. 22
6.4.2.2	Revocation procedure p. 22

6.4.3

Evaluation p. 23

6.5

Solution #5: Security of resource owner authorization management and CAPIF-8 p. 23

6.5.1	Introduction p. 23
6.5.2	Solution details p. 23
6.5.3	Evaluation p. 25

6.6

Solution #6: Security procedures for resource owner authorization management p. 25

6.6.1

Introduction p. 25

6.6.2

Solution details p. 25

6.6.2.1	Security procedure for obtaining resource owner authorization p. 25
6.6.2.2	Security procedure for authorizing the API invoker in RNAA p. 26
6.6.2.3	Security procedure for revoking resource owner authorization p. 27

6.6.3

Evaluation p. 27

6.7

Solution #7: RO permission/ management p. 27

6.7.1

Introduction p. 27

6.7.2

Solution details p. 28

6.7.2.0	General p. 28
6.7.2.1	Notifications for permissions / wakeup p. 28

6.7.3

Evaluation p. 30

6.8

Solution #8: Resource owner triggered revocation procedure p. 30

6.8.1	Introduction p. 30
6.8.2	Solution details p. 30
6.8.3	Evaluation p. 31

6.9

Solution #9: Resource owner authentication and authorization mechanism p. 32

6.9.1	Introduction p. 32
6.9.2	Solution details p. 32
6.9.3	Evaluation p. 33

6.10

Solution #10: resource-level and/or API-level authorization and revocation p. 33

6.10.1

Introduction p. 33

6.10.2

Solution details p. 33

6.10.2.1	Service operation/resource level authorization p. 33
6.10.2.2	Service operation/resource level revocation p. 34

6.10.3

Evaluation p. 34

6.11

Solution #11: Client initiated backchannel authorization (CIBA) p. 34

6.11.1	Introduction p. 34
6.11.2	Solution details p. 34
6.11.3	Evaluation p. 35

6.12

Solution #12: Security method retrieval in CAPIF interconnect p. 35

6.12.1

Introduction p. 35

6.12.2

Solution details p. 36

6.12.2.1	Summary p. 36
6.12.2.2	Information flow p. 36

6.12.3

Evaluation p. 37

6.13

Solution #13: Requesting security information from another CCF in order to authenticate using TLS-PSK in CAPIF interconnect p. 37

6.13.1

Introduction p. 37

6.13.2

Solution details p. 37

6.13.2.1	Summary p. 37
6.13.2.2	Information flow p. 38

6.13.3

Evaluation p. 39

6.14

Solution #14: Authentication aspect in CAPIF interconnect when API invoker has not included CCF information p. 39

6.14.1

Introduction p. 39

6.14.2

Solution details p. 39

6.14.2.1	Summary p. 39
6.14.2.2	Information flow p. 40

6.14.3

Evaluation p. 40

6.15

Solution #15: Authorization token request handling in CAPIF interconnect p. 41

6.15.1

Introduction p. 41

6.15.2

Solution details p. 41

6.15.2.1	Summary p. 41
6.15.2.2	Information flow p. 42

6.15.3

Evaluation p. 43

6.16

Solution #16: Mapping an API invoker authorization request to the correct CCF in CAPIF interconnect p. 44

6.16.1

Introduction p. 44

6.16.2

Solution details p. 44

6.16.2.1	Introduction p. 44
6.16.2.2	Summary p. 45
6.16.2.3	Information flow p. 45

6.16.3

Evaluation p. 45

6.17

Solution #17: Security procedures for CAPIF interconnection p. 46

6.17.1

Introduction p. 46

6.17.2

Solution details p. 46

6.17.2.1	Security procedure for API invoker authentication and authorization using Method 3 in CAPIF interconnection p. 46
6.17.2.2	Security procedure for API invoker offboarding in CAPIF interconnection p. 48

6.17.3

Evaluation p. 48

6.18

Solution #18: API invoker authentication mechanism in CAPIF interconnection scenarios p. 49

6.18.1

Introduction p. 49

6.18.2

Solution details p. 49

6.18.2.1	TLS-PSK based authentication mechanism for CCF interconnection scenarios p. 49
6.18.2.2	TLS-PKI based authentication mechanism for CCF interconnection scenarios p. 50

6.18.3

Evaluation p. 50

6.19

Solution #19: API invoker authorization mechanism in CAPIF interconnection scenarios p. 51

6.19.1	Introduction p. 51
6.19.2	Solution details p. 51
6.19.3	Evaluation p. 53

6.20

Solution #20: Security method negotiation mechanism in CAPIF interconnection scenarios p. 53

6.20.1	Introduction p. 53
6.20.2	Solution details p. 53
6.20.3	Evaluation p. 54

6.21

Solution #21: Solution for CAPIF interconnection security p. 55

6.21.1

Introduction p. 55

6.21.2

Solution details p. 55

6.21.2.1	General p. 55
6.21.2.2	Security Method negotiation p. 55
6.21.2.3	Authentication and Authorization p. 57

6.21.3

Evaluation p. 60

6.22

Solution #22: CAPIF interconnection p. 60

6.22.1	Introduction p. 60
6.22.2	Solution details p. 61
6.22.3	Evaluation p. 62

6.23

Solution #23: Security protection mechanism for CAPIF-6 and CAPIF-6e reference points p. 62

6.23.1	Introduction p. 62
6.23.2	Solution details p. 62
6.23.3	Evaluation p. 62

6.24

Solution #24: Security procedure for CAPIF interconnection p. 62

6.24.1

Introduction p. 62

6.24.2

Solution details p. 63

6.24.2.1

Security method negotiation in CAPIF interconnection p. 63

6.24.2.2

Authentication and authorization p. 64

6.24.2.2.1	Authentication and authorization with security method TLS-PSK or PKI p. 64
6.24.2.2.2	Authentication and authorization with security method TLS with OAuth token p. 65

6.24.3

Evaluation p. 67

6.25

Solution #25: Backend based solution for UE-deployed API invoker accessing resources not owned by that UE p. 67

6.25.1	Introduction p. 67
6.25.2	Solution details p. 67
6.25.3	Evaluation p. 69

6.26

Solution #26: Nested API invocation p. 69

6.26.1	Introduction p. 69
6.26.2	Solution details p. 69
6.26.3	Evaluation p. 70

6.27

Solution #27: Authorization for nested API invocation p. 71

6.27.1

Introduction p. 71

6.27.2

Solution details p. 71

6.27.2.0	General p. 71
6.27.2.1	Access token claims p. 73

6.27.3

Evaluation p. 73

6.28

Solution #28: Authenticating multiple API invokers of the same RO p. 73

6.28.1	Introduction p. 73
6.28.2	Solution Details p. 73
6.28.3	Evaluation p. 75

6.29

Solution #29: Enhancing authorization through finer level access token granularity. p. 75

6.29.1

Introduction p. 75

6.29.2

Solution details p. 75

6.29.2.1	Summary p. 75
6.29.2.2	Information flow p. 76

6.29.3

Evaluation p. 77

6.30

Solution #30: Authentication of the origin API invoker in nested API invocation p. 77

6.30.1	Introduction p. 77
6.30.2	Solution Details p. 77
6.30.3	Evaluation p. 78

6.31

Solution#31: Authorization mechanism for nested API invocation p. 79

6.31.1	Introduction p. 79
6.31.2	Solution details p. 79
6.31.3	Evaluation p. 80

6.32

Solution #32: Validation of correct GPSI in API invoker information p. 81

6.32.1	Introduction p. 81
6.32.2	Solution Details p. 81
6.32.3	Evaluation p. 81

6.33

Solution #33: Onboarding of API Invoker residing in UE p. 81

6.33.1	Introduction p. 81
6.33.2	Solution details p. 82
6.33.3	Evaluation p. 82

6.34

Solution #34: UE-deployed API invoker accessing resources not owned by that UE p. 83

6.34.1

Introduction p. 83

6.34.2

Solution details p. 83

6.34.2.1	Obtaining resource owner authorization and authorization revocation information p. 83
6.34.2.2	UE-deployed API invoker accessing resources not owned by that UE p. 84

6.34.3

Solution evaluation p. 85

6.35

Solution #35: Onboarding of UE-hosted API invoker p. 86

6.35.1	Introduction p. 86
6.35.2	Solution details p. 86
6.35.3	Solution evaluation p. 87

6.36

Solution #36: Reusing existing mechanism to enable cross-UE authorization p. 87

6.36.1	Introduction p. 87
6.36.2	Solution details p. 87
6.36.3	Evaluation p. 87

6.37

Solution #37: Enabling mTLS between ROF and CCF using AKMA p. 88

6.37.1	Introduction p. 88
6.37.2	Solution details p. 88
6.37.3	Evaluation p. 90

6.38

Solution #38: Renewal of onboarding p. 90

6.38.1	Introduction p. 90
6.38.2	Solution details p. 90
6.38.3	Evaluation p. 92

6.39

Solution #39: ROF certificate generation p. 93

6.39.1	Introduction p. 93
6.39.2	Solution details p. 93
6.39.3	Evaluation p. 94

Conclusions p. 94

7.1

- p. 94

7.1.1

Conclusions for KI#1.1 CAPIF-8 reference point p. 94

7.1.2

Conclusions for KI#1.2 Resource owner authorization management p. 95

7.1.2.0	Introduction p. 95
7.1.2.1	Authentication and authorization of the end points and security of transferred authorization data p. 95
7.1.2.2	Resource owner authorization data p. 95
7.1.2.3	Revocation p. 95

7.1.3

Conclusions for KI#1.3 Finer granular authorization p. 95

7.2

Conclusion for KI #2: CAPIF interconnection security p. 95

7.2.0	General p. 95
7.2.1	Conclusion for CAPIF 6/6e security p. 95
7.2.2	Conclusion for security method negotiation p. 96
7.2.3	Conclusion for API invoker authentication and authorization mechanism p. 96

7.3

Conclusion for KI #3: Authorizing API invoker on one UE accessing resources related to another UE p. 96

7.4

Conclusion for KI #4: Nested API Invocation p. 96

7.5

Conclusion for KI #5: Authenticating multiple API invokers of the same Resource Owner p. 97

7.6

Conclusion for KI #6: Onboarding security issues p. 97

Change history p. 98

TR 33.700-22 Study on Security aspects of Common API Framework (CAPIF) Phase 3

full Table of Contents for TR 33.700-22 Word version: 19.2.0

TR 33.700-22
Study on Security aspects of Common API Framework (CAPIF) Phase 3