Tech-invite3GPPspaceIETF RFCsSIP

Content for  TR 33.924  Word version:  16.0.0

Top   Top   None   None   Next
0…   4…


0  IntroductionWord‑p. 4

3GPP SA3 outlined the interworking of the operator controlled GBA with the Liberty Alliance Identity Management. This was sufficient for the time of writing, but now new additional systems are deployed and used. If we want to enable interworking of operator centric identity management, then smooth interworking with those new systems need to be outlined. If this is not done, then a seamless interworking is not possible on global scale and it would be difficult to leverage the existing customer base and security level that operators have.

1  ScopeWord‑p. 5

The objective is to extend the current identity management as outlined in TS 33.220, TS 33.222, TS 29.109 and TR 33.980 with the latest developments on identity management outside of the 3GPP sphere. This will allow a better integration and usage of identity management for services in 3GPP and seamless integration with existing services that are not standardized in 3GPP. This report outlines the interworking of GBA and OpenID.

2  References

The following documents contain provisions which, through reference in this text, constitute provisions of the present document.
  • References are either specific (identified by date of publication, edition number, version number, etc.) or non specific.
  • For a specific reference, subsequent revisions do not apply.
  • For a non-specific reference, the latest version applies. In the case of a reference to a 3GPP document (including a GSM document), a non-specific reference implicitly refers to the latest version of that document in the same Release as the present document.
TR 21.905: "Vocabulary for 3GPP Specifications".
TS 33.220: "Generic Authentication Architecture (GAA); Generic Bootstrapping Architecture".
TS 24.109: "Bootstrapping Interface (Ub) and Network Application Function Interface (Ua); Protocol Details".
TR 33.980: "Interworking of Liberty Alliance Identity Federation Framework (ID-FF), Identity Web Service Framework (ID-WSF) and the Generic Authentication Architecture (GAA)".
TS 33.222: "Generic Authentication Architecture (GAA); Access to network application functions using Hypertext Transfer Protocol over Transport Layer Security (HTTPS)".
TS 33.223: "Generic Bootstrapping Architecture (GBA) Push Function".
TS 29.109: "Generic Authentication Architecture (GAA); Zh and Zn Interfaces based on the Diameter Protocol; Stage 3".
OpenID Foundation "OpenID Authentication 2.0",
OpenID Foundation "OpenID Attribute Exchange 1.0",
OpenID Foundation "OpenID Provider Authentication Policy Extension 1.0",
OASIS Reed, D.; McAlpin, D.: "Extensible Resource Identifier (XRI) Syntax v2.0";
OpenID Foundation,
OpenID Site Directory,
TS 33.259: "Key Establishment between a UICC hosting device and a remote device".
RFC 4006,  "Diameter Credit Control",
W3C, "HTML 4.01 Specification"!,
RFC 2617  (1999): "HTTP Authentication: Basic and Digest Access Authentication".
RFC 3761  (2004): "The E.164 to Uniform Resource Identifiers (URI) Dynamic Delegation Discovery System (DDDS) Application (ENUM)".

3  Definitions, symbols and abbreviationsWord‑p. 6

3.1  Definitions

For the purposes of the present document, the terms and definitions given in TR 21.905 and the following apply. A term defined in the present document takes precedence over the definition of the same term, if any, in TR 21.905. The GAA / GBA specific definitions are originated from [2] and the OpenID definitions are originated from [8]. In case of conflict [2] and [8] take precedence.
An attribute is used in the OpenID Attribute Exchange service extension [9]. This extension provides a mechanism for moving identity related information between sites. An attribute is associated with a Subject Identifier. An attribute has a type identifier and a value. An attribute type identifier is a URI. An attribute value can be any kind of data.
Bootstrapping Server Function (BSF):
A Bootstrapping Server Function (BSF) is hosted in a network element under the control of an MNO. BSF, HSS/HLR, and UEs participate in GBA in which a shared secret is established between the network and a UE by running a bootstrapping procedure. The shared secret can be used between NAFs and UEs, for example, for authentication purposes.
GBA User Security Settings:
GUSS contains the BSF specific information element and the set of all application-specific USSs.
An Identifier in OpenID is either an "http" or "https" URL, or an XRI [11]. OpenID [8] defines various kinds of identifiers depending on the context.
Network Application Function (NAF):
A NAF is hosted in a network element. GBA may be used between NAFs and UEs for authentication purposes, and for securing the communication path between the UE and the NAF.
OpenID Provider (OP):
An OpenID Provider (OP) is an OpenID Authentication Server on which a Relying Party relies for an assertion that the end user controls an Identifier.
OpenID Provider driven identifier selection:
OpenID Provider driven identifier selection is the ability for a user to enter the URL of their OpenID Provider into an OpenID field rather than their personal OpenID URL. This allows the web site (RP) to start the OpenID authentication flow and send the user over to the correct OpenID provider. The user can then authenticate to the OpenID provider, select a particular OpenID URL and persona if they have multiple, This will result in an actual user OpenID URL or an anonymous OpenID URL being returned to the RP.
OP Endpoint URL:
The URL which accepts OpenID Authentication protocol messages, obtained by performing discovery on the User-Supplied identifier. This value must be an absolute HTTP or HTTPS URL.
Relying Party (RP):
A Relying Party is a web application that wants a proof that the end user controls an Identifier.
User Supplied Identifier:
An Identifier that was presented by the end user to the RP, or selected by the user at the OpenID Provider. During the initiation phase of the protocol, an end user may enter either their own Identifier or an OP Identifier. If an OP Identifier is used, the OP may then assist the end user in selecting an Identifier to share with the RP.

3.2  Abbreviations

For the purposes of the present document, the abbreviations given in TR 21.905 and the following apply. An abbreviation defined in the present document takes precedence over the definition of the same abbreviation, if any, in TR 21.905.
Authentication and Key Agreement Protocol
Authentication Vector
Bootstrapping Server Function
Identity Provider
Generic Authentication Architecture
Generic Bootstrapping Architecture
GBA Push Information
GBA User Security Settings
Home Location Register
Home Subscriber Server
Mobile Equipment
Mobile Network Operator
Network Application Function
OpenID Provider
Provider Authentication Policy Extension
Relying Party
Subscriber Locator Function
Service Provider
User Equipment
User Security Settings

Up   Top   ToC