5.5.4 Default HTTP message and other information elements

3GPP TS 36.579-1 Release 15: Mission Critical (MC) services over LTE; Part 1: Common test environment

5.5.4.1 General

The HTTP messages are specified in RFC 2616 [26]. Wherever another reference applies to their content, this is explicitly indicated.

The following conditions apply throughout clause 5.5:

Table 5.5.4.1-1: Conditions

| Condition | Explanation |
|---|---|
| AUTH | Message/IE sent only as part of an MCPTT UE authentication |
| UEINITIALCONFIG | Message/IE sent only as part of an MCPTT UE initial configuration |
| USERAUTH | Message/IE sent only as part of an MCPTT UE user authentication |
| UECONFIG | Message/IE sent only as part of an MCPTT UE configuration |
| UEUSERPROF | Message/IE sent only as part of an MCPTT UE User profile configuration |
| UESERVCONFIG | Message/IE sent only as part of an MCPTT UE service configuration |
| GROUPCONFIG | Message/IE sent only as part of an MCPTT group configuration |
| TEMPGROUP | Message/IE sent only in temporary group creation scenario |
| TOKEN | Message/IE sent only as part of an MCPTT token exchange |
| KMSINIT | Message/IE sent only as part of an MCPTT KMS initialisation |
| KMSKEY | Message/IE sent only as part of an MCPTT KMS key exchange |

5.5.4.2 GET

Table 5.5.4.2-1: HTTP GET

Derivation Path: RFC 2616 [26]

| Information Element | Value/remark | Comment | Reference | Condition |
|---|---|---|---|---|
| Request-Line | | | | |
|   Method | "GET" | | | |
|   Request-URI | | | | |
|     uri | tsc_MCX_IdMS_auth_UriPath | points to the Authorisation endpoint of the IdM Server | TS 33.180 [94] | AUTH |
|     | px_MCX_InitialConfigServer_UriPath | points to initial UE Configuration document | TS 24.484 [14] | UEINITIALCONFIG |
|     | tsc_MCX_CMSXCAPRootURI & "/" & AUID1 & "/users/" & XUID & "/" & MCSUEID & "/mcptt-ue-configuration.xml" | points to UE Configuration document (NOTE 1a, 2, 3) | TS 24.484 [14] | UECONFIG |
|     | tsc_MCX_CMSXCAPRootURI & "/" & AUID2 & "/users/" & XUID & "/mcptt-user-profile-" & profile-index & ".xml" | points to UE User Profile document (NOTE 1b, 2, 4) | TS 24.484 [14] | UEUSERPROF |
|     | tsc_MCX_CMSXCAPRootURI & "/" & AUID3 & "/global/service-config.xml" | points to UE Service Configuration document (NOTE 1c, 2) | TS 24.484 [14] | UESERVCONFIG |
|     | tsc_MCX_GMSXCAPRootURI & "/" & "org.openmobilealliance.groups/global/byGroupID/" & px_MCPTT_Group_A_ID | points to group configuration document | TS 24.481 [11] | GROUPCONFIG |
|     query | As described in Table 5.5.4.10.1-1 | | TS 33.180 [94] | AUTH |
|   HTTP-Version | "HTTP/1.1" | | | |
| Cache-Control | | | RFC 2616 [26] | |
|   cache-directive | "no-cache" | | | |
| Authorization | | | RFC 2617 [72] | UECONFIG, UEUSERPROF, UESERVCONFIG, GROUPCONFIG |
|   authentication-scheme | "Bearer" | | RFC 6750 [104] | |
|   b64token | Access token as assigned to the UE by Token Response | | RFC 6750 [104] | |
| Authorization | not present | | | |
| Content-Type | | | | AUTH |
|   media-type | "application/x-www-form-urlencoded" | | | |
| Content-Type | Not present | | | |
| Message-body | Not present | | | |

NOTE 1a: AUID1 = "org.3gpp.mcptt.ue-config" for Condition MCPTT
AUID1 = "org.3gpp.mcvideo.ue-config" for Condition MCVideo
AUID1 = "org.3gpp.mcdata.ue-config" for Condition MCData

NOTE 1b: AUID2 = "org.3gpp.mcptt.user-profile" for Condition MCPTT
AUID2 = "org.3gpp.mcvideo.user-profile" for Condition MCVideo
AUID2 = "org.3gpp.mcdata.user-profile" for Condition MCData

NOTE 1c: AUID3 = "org.3gpp.mcptt.service-config" for Condition MCPTT
AUID3 = "org.3gpp.mcvideo.service-config" for Condition MCVideo
AUID3 = "org.3gpp.mcdata.service-config" for Condition MCData

NOTE 2: XUID = "sip:" & px_MCPTT_ID_User_A for Condition MCPTT
XUID = "sip:" & px_MCVideo_ID_User_A for Condition MCVideo
XUID = "sip:" & px_MCData_ID_User_A for Condition MCData

NOTE 3: MCSUEID = Instance id of the UE (derived from the IMEI according to 23.003 [69] clause 13.8)

NOTE 4: profile-index is the same as in the <user-profile-index> attribute of the corresponding document

5.5.4.3 POST

Table 5.5.4.3-1: HTTP POST

Derivation Path: RFC 2616 [26]

| Information Element | Value/remark | Comment | Reference | Condition |
|---|---|---|---|---|
| Request-Line | | | | |
|   Method | "POST" | | | |
|   Request-URI | | | | |
|     uri | tsc_MCX_IdMS_auth_UriPath | points to the Authorisation endpoint of the IdM Server | TS 33.180 [94] | AUTH, USERAUTH |
|     | tsc_MCX_IdMS_userauth_UriPath | points to the endpoint verifying the user authentication; same URI as provided to the UE in the action attribute of the HTML login form | TS 33.180 [94]; HTML 4.01 Specification [105] | USERAUTH |
|     | tsc_MCX_IdMS_token_UriPath | points to the Token endpoint of the IdM Server | TS 33.180 [94] | TOKEN |
|     | tsc_MCX_KMS_init_UriPath | "KMS Initialize" request according to TS 33.180 [94] D.2.3 | TS 33.180 [94] | KMSINIT |
|     | tsc_MCX_KMS_keyprov_UriPath | "KMS KeyProvision" request according to TS 33.180 [94] D.2.4 | TS 33.180 [94] | KMSKEY |
|     | tsc_MCX_GMSXCAPRootURI & "/" & "org.openmobilealliance.groups/users/" & px_MCPTT_GroupCreationXUI & "/" & px_MCPTT_Group_T_ID | Points to the temporary group configuration document to be created | TS 24.481 [11] clause 6.3.14.2 | TEMPGROUP |
|   HTTP-Version | "HTTP/1.1" | | | |
| Cache-Control | | | RFC 2616 [26] | |
|   cache-directive | "no-cache" | | | |
| Authorization | | | RFC 2617 [72] | KMSINIT, KMSKEY, TEMPGROUP |
|   authentication-scheme | "Bearer" | | RFC 6750 [104] | |
|   b64token | Access token as assigned to the UE by Token Response | | RFC 6750 [104] | |
| Content-Type | | | | AUTH, USERAUTH, TOKEN |
|   media-type | "application/x-www-form-urlencoded" | | | |
| Content-Type | | present in case of KMS request security | | (KMSINIT OR KMSKEY) AND pc_MCX_KMS_RequestSecurity |
|   media-type | "application/xml" | | RFC 7303 [112] | |
| Content-Type | | | | TEMPGROUP |
|   media-type | "application/vnd.3gpp.GMOP+xml" | | | |
| Message-body | | | | AUTH |
|   Authentication Request | As described in Table 5.5.4.10.1-1 | | | |
| Message-body | | | HTML 4.01 Specification [105] | USERAUTH |
|   user | px_MCX_User_A_username | | | |
|   password | px_MCX_User_A_password | | | |
| Message-body | | | | TOKEN |
|   Token request | As described in Table 5.5.4.10.3-1 | | | |
| Message-body | | present in case of KMS request security | | (KMSINIT OR KMSKEY) AND pc_MCX_KMS_RequestSecurity |
|   Signed KMS Request | As described in Table 5.5.4.10.9-1 | | | |
| Message-body | | | | TEMPGROUP |
|   Temporary Group Creation Document | As described in Table 5.5.7.1-3 | | | |

5.5.4.4 PUT

Table 5.5.4.4-1: HTTP PUT

Derivation Path: RFC 2616 [26]

| Information Element | Value/remark | Comment | Reference | Condition |
|---|---|---|---|---|
| Request-Line | | | | |
|   Method | "PUT" | | | |
|   Request-URI | tsc_MCX_GMSXCAPRootURI & "/" & "org.openmobilealliance.groups/users/" & px_MCPTT_GroupCreationXUI & "/" & document name (NOTE 1) | XCAP URI in users tree where the XUI is set to a group creation XUI configuration parameter | TS 24.481 [11] clause 6.3.2.2.1 | GROUPCREATE |
| Cache-Control | | | RFC 2616 [26] | |
|   cache-directive | "no-cache" | | | |
| Authorization | | TS 24.482 [12] A.2.3: Expected by the server to validate and identify the client | RFC 2617 [72] | |
|   authentication-scheme | "Bearer" | | RFC 6750 [104] | |
|   b64token | Access token as assigned to the UE by Token Response | | RFC 6750 [104] | |
| Content-Type | | | | GROUPCREATE |
|   media-type | application/vnd.oma.poc.groups+xml | | | |
| Message-body | | | | GROUPCREATE |
|   Group Creation Document | As described in Table 5.5.7.1-2 | | | |

NOTE 1: document name is the name of the group document contained in the message body

| Condition | Explanation |
|---|---|
| GROUPCREATE | Message/IE sent only in group creation scenario |

NOTE: For further conditions see table 5.5.1-1

5.5.4.5 DELETE

Table 5.5.4.5-1: HTTP DELETE

Derivation Path: RFC 2616 [26]

| Information Element | Value/remark | Comment | Reference | Condition |
|---|---|---|---|---|
| Request-Line | | | | |
|   Method | "DELETE" | | | |
|   Request-URI | tsc_MCX_GMSXCAPRootURI & "/" & "org.openmobilealliance.groups/users/" & px_MCPTT_GroupCreationXUI & "/" & px_MCPTT_Group_T_ID | Points to the group configuration document | TS 24.481 [11] | TEMPGROUP |
| Cache-Control | | | RFC 2616 [26] | |
|   cache-directive | "no-cache" | | | |
| Authorization | | TS 24.482 [12] A.2.3: Expected by the server to validate and identify the client | RFC 2617 [72] | |
|   authentication-scheme | "Bearer" | | RFC 6750 [104] | |
|   b64token | Access token as assigned to the UE by Token Response | | RFC 6750 [104] | |

5.5.4.6 HTTP 200 (OK)

Table 5.5.4.6-1: HTTP 200 (OK)

Derivation Path: RFC 2616 [26]

| Information Element | Value/remark | Comment | Reference | Condition |
|---|---|---|---|---|
| Status-Line | | | | |
|   HTTP-Version | "HTTP/1.1" | | | |
|   Status-Code | "200" | | | |
|   Reason-Phrase | "OK" | | | |
| Cache-Control | | | RFC 2616 [26] | |
|   cache-directive | "no-store" | | | |
| Pragma | | | RFC 2616 [26] | |
|   pragma-directive | "no-cache" | | | |
| Content-Length | | | | |
|   value | length of message-body | | | |
| Content-Type | | | | |
|   media-type | "application/json;charset=UTF-8" | | TS 33.180 [94] | TOKEN |
|   media-type | "application/xml" | Editor's note: Message-Body contains an XML document but there is no media-type specific for "urn:3gpp:ns:mcsecKMSInterface:1.0"; "application/xml" to be confirmed | TS 33.180 [94] | KMSINIT |
|   media-type | "application/xml" | Editor's note: Message-Body contains an XML document but there is no media-type specific for "urn:3gpp:ns:mcsecKMSInterface:1.0"; "application/xml" to be confirmed | TS 33.180 [94] | KMSKEY |
|   media-type | "application/vnd.3gpp.mcptt-ue-init-config+xml" | | TS 24.484 [14] | UEINITIALCONFIG |
|   media-type | "application/vnd.3gpp.mcptt-ue-config+xml" | | TS 24.484 [14] | UECONFIG |
|   media-type | "application/vnd.3gpp.mcptt-user-profile+xml" | | TS 24.484 [14] | UEUSERPROF |
|   media-type | "application/vnd.3gpp.mcptt-service-config+xml" | | TS 24.484 [14] | UESERVCONFIG |
|   media-type | "application/vnd.oma.poc.groups+xml" | | TS 24.481 [11] | GROUPCONFIG |
|   media-type | "application/vnd.3gpp.GMOP+xml" | | TS 24.481 [11] | TEMPGROUP |
| Message-body | | | | TOKEN |
|   Token response | As described in Table 5.5.4.10.4-1 | | | |
| Message-body | | | | KMSINIT |
|   KMS Certificate | As described in Table 5.5.4.10.6-1 | | | |
| Message-body | | | | KMSKEY |
|   KMS Key Set | As described in Table 5.5.4.10.8-1 | | | |
| Message-body | | | | UEINITIALCONFIG |
|   mcptt-initial-UE-configuration | As described in Table 5.5.8.1-1 | Initial UE Configuration document returned | | |
| Message-body | | | | UECONFIG |
|   mcptt-UE-configuration | As described in Table 5.5.8.2-1 | UE Configuration document returned | | |
| Message-body | | | | UEUSERPROF |
|   mcptt-user-profile | As described in Table 5.5.8.3-1 | UE User Profile document returned | | |
| Message-body | | | | UESERVCONFIG |
|   service-configuration-info | As described in Table 5.5.8.4-1 | UE Service Configuration document returned | | |
| Message-body | | | | GROUPCONFIG |
|   group-configuration | As described in Table 5.5.7.1-1 | Group Configuration document returned | | |
| Message-body | | | | TEMPGROUP |
|   gmop:document | | | | |
|     gmop:response | | | | |
|       gmop:group-regroup-creation-response | | | | |
|         temporary-group-document-ETag | unique value arbitrarily selected by the SS | | | |

5.5.4.7 HTTP 201 (Created)

Table 5.5.4.7-1: HTTP 201 (Created)

Derivation Path: RFC 2616 [26]

| Information Element | Value/remark | Comment | Reference | Condition |
|---|---|---|---|---|
| Status-Line | | | | |
|   HTTP-Version | "HTTP/1.1" | | | |
|   Status-Code | "201" | | | |
|   Reason-Phrase | "Created" | | | |
| Cache-Control | | | RFC 2616 [26] | |
|   cache-directive | "no-store" | | | |
| Pragma | | | RFC 2616 [26] | |
|   pragma-directive | "no-cache" | | | |
| ETag | | | RFC 2616 [26] | |
|   entity-tag | unique value arbitrarily selected by the SS | | | |
| Location | | | RFC 7231 [118] clauses 4.3.3, 6.3.2, 7.1.2 | |
|   uri | tsc_MCX_GMSXCAPRootURI & "/" & "org.openmobilealliance.groups/global/byGroupID/" & px_MCPTT_Group_B_ID | URI referring to the created MCPTT GROUP B document | | |

5.5.4.8 HTTP 302 (Found)

Table 5.5.4.8-1: HTTP 302 (Found)

Derivation Path: RFC 2616 [26]

| Information Element | Value/remark | Comment | Reference | Condition |
|---|---|---|---|---|
| Status-Line | | | | |
|   HTTP-Version | "HTTP/1.1" | | | |
|   Status-Code | "302" | | | |
|   Reason-Phrase | "Found" | | | |
| Location | | | | AUTH |
|   Location-URI | | | | |
|     uri | px_MCX_OAuth_RedirectURI_A | Identifier of the MCPTT client making the API request | TS 33.180 [94] | |
|     query | As described in Table 5.5.4.10.2-1 | | | |

5.5.4.9 HTTP 409 (Conflict)

Table 5.5.4.9-1: HTTP 409 (Conflict)

Derivation Path: RFC 2616 [26]

| Information Element | Value/remark | Comment | Reference | Condition |
|---|---|---|---|---|
| Status-Line | | | | |
|   HTTP-Version | "HTTP/1.1" | | | |
|   Status-Code | "409" | | | |
|   Reason-Phrase | "URI constraint violated" | Conflict reason | TS 24.484 [14] | |

5.5.4.10 HTTP Message Bodies

5.5.4.10.1 Authentication Request

Table 5.5.4.10.1-1: Authentication Request

Derivation Path: TS 33.180 [94], clause B.4.2.2

| Information Element | Value/remark | Comment | Reference | Condition |
|---|---|---|---|---|
| response-type | "code" | For native MCPTT clients the value shall be set to "code" | OpenID Connect 1.0 [95] | |
| client_id | px_MCX_OAuth_ClientId_A | Identifier of the MCPTT client making the API request | OpenID Connect 1.0 [95] | |
| Scope | "openid" | Scope values are expressed as a list of space-delimited, case-sensitive strings which indicate which MCS resource servers the client is requesting access to. "openid" is defined by the OpenID Connect standard and is mandatory | TS 33.180 [94]; OpenID Connect 1.0 [95] | |
| | "3gpp:mc:ptt_service" "3gpp:mc:ptt_key_management_service" "3gpp:mc:ptt_config_management_service" "3gpp:mc:ptt_group_management_service" | Additional authorization scopes when the UE supports MCPTT. NOTE: The list may contain further scope values which are not checked | | MCPTT |
| | "3gpp:mc:video_service" "3gpp:mc:video_key_management_service" "3gpp:mc:video_config_management_service" "3gpp:mc:video_group_management_service" | Additional authorization scopes when the UE supports MCVideo. NOTE: The list may contain further scope values which are not checked | | MCVIDEO |
| | "3gpp:mc:data_service" "3gpp:mc:data_key_management_service" "3gpp:mc:data_config_management_service" "3gpp:mc:data_group_management_service" | Additional authorization scopes when the UE supports MCData. NOTE: The list may contain further scope values which are not checked | | MCDATA |
| redirect_uri | px_MCX_OAuth_RedirectURI_A | The URI of the MCPTT client to which the IdM server will redirect the MCPTT client's user agent in order to return the authorization code | OpenID Connect 1.0 [95] | |
| state | any value as selected by the UE | An opaque value used by the MCPTT client to maintain state between the authentication request and authentication response | OpenID Connect 1.0 [95] | |
| acr-values | "3gpp:acr:password" | Space-separated string that specifies the acr values that the IdM server is being requested to use for processing this authentication request | TS 33.180 [94] | |
| code-challenge | any value | base64url-encoded SHA-256 challenge: hash of the code_verifier selected by the UE | TS 33.180 [94]; RFC 7636 [100] | |
| code-challenge-method | "S256" | The hash method used to transform the code verifier to produce the code challenge | TS 33.180 [94]; RFC 7636 [100] | |

5.5.4.10.2 Authentication Response

Table 5.5.4.10.2-1: Authentication Response

Derivation Path: TS 33.180 [94], clause B.4.2.3

| Information Element | Value/remark | Comment | Reference | Condition |
|---|---|---|---|---|
| code | "SplxlOBeZQQYbYS6WxSbIA" | The authorization code generated by the authorization endpoint and returned to the MCPTT client via the authentication response | TS 33.180 [94] | |
| state | same value as in the Authentication Request | The value shall match the exact value used in the authorization request | TS 33.180 [94] | |

5.5.4.10.3 Token Request

Table 5.5.4.10.3-1: Token Request

Derivation Path: TS 33.180 [94], clause B.4.2.4

| Information Element | Value/remark | Comment | Reference | Condition |
|---|---|---|---|---|
| grant-type | "authorization_code" | | RFC 2616 [26] | |
| code | same value as assigned by the SS in the Authentication Response | The authorization code generated by the authorization endpoint and returned to the MCPTT client via the authentication response | TS 33.180 [94] | |
| client_id | px_MCX_OAuth_ClientId_A | Identifier of the MCPTT client making the API request | TS 33.180 [94] | |
| redirect_uri | px_MCX_OAuth_RedirectURI_A | The URI of the MCPTT client to which the IdM server will redirect the MCPTT client's user agent | TS 33.180 [94] | |
| code_verifier | Value selected by the UE: the SS shall check that the code-challenge in the Authentication Request is the base64url-encoded SHA-256 hash of the code-verifier | A cryptographically random string that is used to correlate the authorization request to the token request; the minimum length is 43 characters and the maximum length is 128 characters | TS 33.180 [94]; RFC 7636 [100] | |
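The PKCE binding the SS has to verify here, as an added Python example that is not part of TS 36.579-1: the code_verifier from the Token Request (Table 5.5.4.10.3-1), hashed with SHA-256 and base64url-encoded without padding, must equal the code-challenge sent with code-challenge-method "S256" in the Authentication Request (Table 5.5.4.10.1-1). Function names and the sample verifier are constructed for illustration.

```python
"""PKCE (RFC 7636) S256 check between Authentication Request and Token Request,
as performed by the System Simulator (SS) acting as the IdM server.
Added example, not text of TS 36.579-1; sample values are constructed."""
import base64
import hashlib
import hmac
import re
import secrets

# RFC 7636 section 4.1: 43 to 128 characters from the unreserved set.
_VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")


def b64url_nopad(data: bytes) -> str:
    """base64url without '=' padding, the encoding both tables rely on."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """UE side: 32 random bytes give 43 base64url characters, the RFC minimum."""
    return b64url_nopad(secrets.token_bytes(nbytes))


def s256_challenge(code_verifier: str) -> str:
    """UE side: code-challenge = base64url(SHA-256(ASCII(code_verifier)))."""
    return b64url_nopad(hashlib.sha256(code_verifier.encode("ascii")).digest())


def verify_pkce(code_challenge: str, code_challenge_method: str,
                code_verifier: str) -> tuple:
    """SS side: returns (accepted, reason) for a Token Request.

    The SS keeps code-challenge and code-challenge-method from the
    Authentication Request against the authorization code it issued, and
    re-derives the challenge from the code_verifier of the Token Request.
    """
    if code_challenge_method != "S256":
        return False, "only code-challenge-method S256 is accepted"
    if not _VERIFIER_RE.fullmatch(code_verifier):
        return False, "code_verifier must be 43..128 unreserved characters"
    expected = s256_challenge(code_verifier)
    # Constant-time comparison so timing reveals nothing about the expected value.
    if not hmac.compare_digest(expected, code_challenge):
        return False, "code_verifier does not match the stored code-challenge"
    return True, "ok"


# Constructed sample verifier (43 characters); not taken from any standard.
SAMPLE_VERIFIER = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQ"

if __name__ == "__main__":
    verifier = make_code_verifier()
    challenge = s256_challenge(verifier)   # what the UE puts in the Authentication Request
    print(verify_pkce(challenge, "S256", verifier))               # accepted
    print(verify_pkce(challenge, "plain", verifier))              # method rejected
    print(verify_pkce(challenge, "S256", make_code_verifier()))   # wrong verifier rejected
```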

5.5.4.10.4 Token Response

Table 5.5.4.10.4-1: Token Response

Derivation Path: TS 33.180 [94], clause B.4.2.5

| Information Element | Value/remark | Comment | Reference | Condition |
|---|---|---|---|---|
| access_token | | The access token. The access token is opaque to the MCPTT client | RFC 6749 [77]; TS 33.180 [94] | |
|   Header Algorithm | | | | |
|     "kid" | "jws-rsa" | hint indicating which key was used to secure the JWS: name of the RSA public key in case of RS256. Editor's note: value to be confirmed | RFC 7515 [102] | |
|     "alg" | "RS256" | identifies the cryptographic algorithm used to secure the JWS: RSASSA-PKCS1-v1_5 SHA-256 digital signature. Editor's note: value to be confirmed | RFC 7515 [102] | |
|   Payload Data | | | RFC 7519 [101] | |
|     "mcptt_id" | px_MCPTT_ID_User_A | URI of the MCPTT client user; this is a globally unique identifier within the MCPTT service that represents the MCPTT user | TS 24.380; TS 24.483 | |
|     "scope" | "openid" | list of space-delimited, case-sensitive strings informing the client of the scope of the access token issued; OPTIONAL if identical to the scope requested by the client, otherwise REQUIRED. "openid" is defined by the OpenID Connect standard and is mandatory regardless of the MCS context in which the message is used | RFC 6749 [77]; TS 33.180 [94] B.2.2.2; OpenID Connect 1.0 [95] | |
|     | "3gpp:mc:ptt_service" "3gpp:mc:ptt_key_management_service" "3gpp:mc:ptt_config_management_service" "3gpp:mc:ptt_group_management_service" | | | MCPTT |
|     | "3gpp:mc:video_service" "3gpp:mc:video_key_management_service" "3gpp:mc:video_config_management_service" "3gpp:mc:video_group_management_service" | | | MCVIDEO |
|     | "3gpp:mc:data_service" "3gpp:mc:data_key_management_service" "3gpp:mc:data_config_management_service" "3gpp:mc:data_group_management_service" | | | MCDATA |
|     "exp" | Current system time + 7199 seconds; the system time is the number of seconds since 00:00:00 UTC on 1 January 1970 | Number containing a NumericDate value which identifies the expiration time on or after which the JWT MUST NOT be accepted for processing. Editor's note: value to be confirmed | RFC 7519 [101]; TS 33.180 [94] | |
|     "client_id" | Same value as received in the token request | Identifier of the MCPTT client making the API request | TS 33.180 [94] | |
|   Signature | HASH(base64UrlEncode(header) + "." + base64UrlEncode(payload)) | Created by the hash algorithm corresponding to the algorithm provided in the header | RFC 7515 [102] | |
| refresh_token | "Y7NSzUJuS0Jp7G4SKpBKSOJVHIZxFbxqsqCIZhOEk9" | Arbitrarily selected string: the refresh token that can be used to refresh the access token and avoid having to prompt the user for authentication again | RFC 6749 [77] | |
| id_token | | The MCPTT client may validate the user with the ID token and configure itself for the user | RFC 6749 [77]; TS 33.180 [94] | |
|   Header Algorithm | | | RFC 7515 [102] | |
|     "kid" | "jws-rsa" | hint indicating which key was used to secure the JWS. Editor's note: value to be confirmed | | |
|     "alg" | "RS256" | identifies the cryptographic algorithm used to secure the JWS. Editor's note: value to be confirmed | | |
|   Payload Data | | | RFC 7519 [101] | |
|     "mcptt_id" | px_MCPTT_ID_User_A | URI of the MCPTT client user; this is a globally unique identifier within the MCPTT service that represents the MCPTT user | TS 24.380; TS 24.483 | |
|     "sub" | "1234567890" | Arbitrarily selected string: case-sensitive string containing a StringOrURI value which identifies the principal that is the subject of the JWT, and is optional | RFC 7519 [101] | |
|     "aud" | client_id as received in token request | Audience: identifies the recipients that the JWT is intended for and is optional | RFC 7519 [101] | |
|     "iss" | px_MCPTT_IdM_Server_URI | Issuer: case-sensitive string containing a StringOrURI value which identifies the principal that issued the JWT and is optional | RFC 7519 [101] | |
|     "exp" | Current system time + 7199 seconds; the system time is the number of seconds since 00:00:00 UTC on 1 January 1970 | Number containing a NumericDate value which identifies the expiration time on or after which the JWT MUST NOT be accepted for processing | RFC 7519 [101]; TS 33.180 [94] | |
|     "iat" | Current system time | Epoch time: number of seconds since 00:00:00 UTC on 1 January 1970. Numeric value which identifies the time at which the JWT was issued and is optional | RFC 7519 [101]; TS 33.180 [94] | |
|   Signature | HASH(base64UrlEncode(header) + "." + base64UrlEncode(payload)) | Created by the hash algorithm corresponding to the algorithm provided in the header | RFC 7515 [102] | |
| token-type | "Bearer" | The token type for access | RFC 6749 [77] | |
| expires-in | "7199" | Token expiry time | RFC 6749 [77] | |

Editor's note: It is to be clarified whether the identifiers for mcdata and mcvideo are to be added in the table above or whether explicit tables are to be defined.

5.5.4.10.5 Void

5.5.4.10.6 KMS Certificate

Table 5.5.4.10.6-1: KMS Certificate

Derivation Path: TS 33.180 [94], clause D.3.2

| Information Element | Value/remark | Comment | Reference | Condition |
|---|---|---|---|---|
| SignedKmsResponse | | | | |
|   Id | "kmsResponse" | arbitrarily selected id which the Signature's Reference URI refers to | | |
|   KmsUri | tsc_MCX_KMS_Hostname | The URI of the KMS which issued the key set | | |
|   UserUri | tsc_MCX_MC_ID_User_A | The MC ID which the user has used for authentication. Editor's note: to be clarified whether the MC ID can be used in this context or whether there are restrictions on how to set the UserUri | | |
|   Time | Current system time of the SS | Time stamp of KMS message | | |
|   ClientReqUrl | tsc_MCX_KMS_ClientReqUrl_init | URL of the client making the key request | | |
|   KmsMessage | | | | |
|     KmsInit | | | | |
|       Version | "1.0.0" | | | |
|       KmsCertificate | | | | |
|         Version | "1.1.0" | The version number of the certificate type | | |
|         Role | "Root" | This shall indicate whether the certificate is a "Root" or "External" certificate | | |
|         CertUri | tsc_MCX_KMS_CertUri | The URI of the Certificate (this object) | | |
|         KmsUri | tsc_MCX_KMS_Hostname | The URI of the KMS which issued the Certificate | | |
|         Issuer | Not present | (Optional) String describing the issuing entity | | |
|         ValidFrom | Not present | (Optional) Date from which the Certificate may be used | | |
|         ValidTo | Not present | (Optional) Date at which the Certificate expires | | |
|         Revoked | false | (Optional) A Boolean value defining whether a Certificate has been revoked | | |
|         UserIDFormat | "2" | Shall contain the value '2' | | |
|         UserKeyPeriod | "2592000" | The number of seconds that each user key issued by this KMS should be used (2592000 seconds are 30 days) | | |
|         UserKeyOffset | CurrentTimestamp MODULO UserKeyPeriod | UserKeyOffset chosen so that the KeyPeriod starts at the current system time; CurrentTimestamp is the current system time in seconds since 0h on 1st Jan 1900 | | |
|         PubEncKey | SAKKE Public Key Z_T derived from master secret z_T according to RFC 6508 | The SAKKE Public Key, "Z_T". This is an OCTET STRING encoding of an elliptic curve point | RFC 6508 [99] | |
|         PubAuthKey | ECCSI Public Key KPAK derived from private key KSAK according to RFC 6507 | The ECCSI Public Key, "KPAK". This is an OCTET STRING encoding of an elliptic curve point | RFC 6507 [98] | |
|         ParameterSet | Not present | (Optional) The choice of parameter set used for SAKKE and ECCSI | | |
|         KmsDomainList | Not present | (Optional) List of domains associated with the certificate | | |
|   SignedInfo | | | | |
|     CanonicalizationAlgorithm | "xml-c14n" | XML Signature processing | | |
|     SignatureAlgorithm | "HMAC-SHA-256" | Hashing algorithm to be applied to sign the SignedInfo with the key given in the KeyInfo | | |
|     Reference | | | | |
|       URI | "#kmsResponse" | referring to the data object for which the hash is generated (KMS response element in this case) | | |
|       DigestAlgorithm | "SHA-256" | Hashing algorithm to be applied to sign the data object | | |
|       DigestValue | Hash signing the data object (referred to by the URI) | | | |
|   SignatureValue | Hash signing the SignedInfo | The signing key is derived from the InK (px_MCX_InK) according to TS 33.180 [94] Annex F.1.4 with FC = 0x52 and XPK-ID = InK-ID (px_MCX_InK_ID) | | |
|   KeyInfo | | | | |
|     KeyName | base64 encoded InK-ID (px_MCX_InK_ID) | | | |

5.5.4.10.7 Void

5.5.4.10.8 KMS Key Set

Table 5.5.4.10.8-1: KMS Key Set

Derivation Path: TS 33.180 [94], clause D.3.2.2

| Information Element | Value/remark | Comment | Reference | Condition |
|---|---|---|---|---|
| SignedKmsResponse | | | | |
|   Id | "kmsResponse" | arbitrarily selected id which the Signature's Reference URI refers to | | |
|   KmsUri | tsc_MCX_KMS_Hostname | The URI of the KMS which issued the key set | | |
|   UserUri | tsc_MCX_MC_ID_User_A | The MC ID which the user has used for authentication. Editor's note: to be clarified whether the MC ID can be used in this context or whether there are restrictions on how to set the UserUri | | |
|   Time | Current system time of the SS | Time stamp of KMS message | | |
|   ClientReqUrl | tsc_MCX_KMS_ClientReqUrl_keyprov | URL of the client making the key request | | |
|   KmsMessage | | | | |
|     KmsKeyProv | | | | |
|       Version | "1.0.0" | The version number of the key provision XML | | |
|       KmsKeySet[1] | | | | |
|         Version | "1.1.0" | The version number of the key set XML | | |
|         KmsUri | tsc_MCX_KMS_Hostname | The URI of the KMS which issued the key set | | |
|         CertUri | Not present | (Optional) The URI of the Certificate which may be used to validate the key set | | |
|         Issuer | Not present | (Optional) String describing the issuing entity | | |
|         UserUri | px_MCPTT_ID_User_A | The user's MCPTT ID | | |
|         | px_MCVideo_ID_User_A | The user's MCVideo ID | | MCVIDEO |
|         | px_MCData_ID_User_A | The user's MCData ID | | MCDATA |
|         UserID | UID generated according to annex F.2.1 of TS 33.180 [94] with MCPTT-Id as identifier | UID corresponding to the key set. Editor's note: to be clarified how to convert the UID into charstring (e.g. hexstring representation or base64 encoding) | TS 33.180 [94] | |
|         ValidFrom | Not present | (Optional) Date and time from which the key set may be used | | |
|         ValidTo | Not present | (Optional) Date and time at which the key set expires | | |
|         KeyPeriodNo | FLOOR((CurrentTimestamp - UserKeyOffset) / UserKeyPeriod) | Current Key Period: CurrentTimestamp is the current system time in seconds since 0h on 1st Jan 1900; UserKeyOffset and UserKeyPeriod are given in the KMS Certificate (Table 5.5.4.10.6-1) in seconds | TS 33.180 [94] | |
|         Revoked | "false" | (Optional) A Boolean value defining whether the key set has been revoked | | |
|         UserDecryptKey | | The SAKKE "Receiver Secret Key" (RSK). This is an OCTET STRING encoding of an elliptic curve point | RFC 6508 [99] | |
|           EncryptionAlgorithm | "AES256" | Encryption algorithm to use | | |
|           KeyInfo | | | | |
|             KeyName | base64 encoded TrK-ID (px_MCX_TrK_ID) | | | |
|           CipherData | | | | |
|             CipherValue | encrypted RSK | The encryption key is derived from the TrK (px_MCX_TrK) according to TS 33.180 [94] Annex F.1.4 with FC = 0x51 and XPK-ID = TrK-ID (px_MCX_TrK_ID) | | |
|         UserSigningKeySSK | | The ECCSI private Key, "SSK". This is an OCTET STRING encoding of an integer; the PVT is generated using the UID as contained in the UserID of the KMS message | RFC 6507 [98] | |
|           EncryptionAlgorithm | "AES256" | Encryption algorithm to use | | |
|           KeyInfo | | | | |
|             KeyName | base64 encoded TrK-ID (px_MCX_TrK_ID) | | | |
|           CipherData | | | | |
|             CipherValue | encrypted SSK | The encryption key is derived from the TrK (px_MCX_TrK) according to TS 33.180 [94] Annex F.1.4 with FC = 0x51 and XPK-ID = TrK-ID (px_MCX_TrK_ID) | | |
|         UserPubTokenPVT | | The ECCSI public validation token, "PVT". This is an OCTET STRING encoding of an elliptic curve point; the PVT is generated using the UID as contained in the UserID of the KMS message | RFC 6507 [98] | |
|           EncryptionAlgorithm | "AES256" | Encryption algorithm to use | | |
|           KeyInfo | | | | |
|             KeyName | base64 encoded TrK-ID (px_MCX_TrK_ID) | | | |
|           CipherData | | | | |
|             CipherValue | Encrypted PVT | The encryption key is derived from the TrK (px_MCX_TrK) according to TS 33.180 [94] Annex F.1.4 with FC = 0x51 and XPK-ID = TrK-ID (px_MCX_TrK_ID) | | |
|   Signature | | | | |
|     SignedInfo | | | | |
|       CanonicalizationAlgorithm | "xml-c14n" | XML Signature processing | | |
|       SignatureAlgorithm | "HMAC-SHA-256" | Hashing algorithm to be applied to sign the SignedInfo with the key given in the KeyInfo | | |
|       Reference | | | | |
|         URI | "#kmsResponse" | referring to the data object for which the hash is generated (KMS response element in this case) | | |
|         DigestAlgorithm | "SHA-256" | Hashing algorithm to be applied to sign the data object | | |
|         DigestValue | Hash signing the data object (referred to by the URI) | | | |
|     SignatureValue | Hash signing the SignedInfo | The signing key is derived from the InK (px_MCX_InK) according to TS 33.180 [94] Annex F.1.4 with FC = 0x52 and XPK-ID = InK-ID (px_MCX_InK_ID) | | |
|     KeyInfo | | | | |
|       KeyName | base64 encoded InK-ID (px_MCX_InK_ID) | | | |
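The key-period arithmetic shared by the KMS Certificate (UserKeyPeriod and UserKeyOffset, Table 5.5.4.10.6-1) and the KMS Key Set (KeyPeriodNo, Table 5.5.4.10.8-1), as an added Python example that is not part of TS 36.579-1. Function names and the sample timestamps are constructed; the only constant taken from outside the tables is the 1900-to-1970 epoch difference (the standard NTP offset), which is needed because the tables count CurrentTimestamp from 0h on 1st Jan 1900.

```python
"""Key-period arithmetic from Table 5.5.4.10.6-1 and Table 5.5.4.10.8-1:
    UserKeyOffset = CurrentTimestamp MODULO UserKeyPeriod   (set when the SS builds the certificate)
    KeyPeriodNo   = FLOOR((CurrentTimestamp - UserKeyOffset) / UserKeyPeriod)
where CurrentTimestamp is seconds since 0h on 1 January 1900.
Added example, not text of TS 36.579-1; sample values are constructed."""
import time

# Seconds from 1900-01-01T00:00:00Z to the Unix epoch 1970-01-01T00:00:00Z (NTP offset).
SECONDS_1900_TO_1970 = 2208988800
USER_KEY_PERIOD = 2592000  # 30 days, the UserKeyPeriod value the SS puts in the certificate


def timestamp_1900(unix_seconds) -> int:
    """Convert a Unix time to the 1900-based CurrentTimestamp the KMS tables use."""
    return int(unix_seconds) + SECONDS_1900_TO_1970


def user_key_offset(current_ts: int, period: int = USER_KEY_PERIOD) -> int:
    """SS side: choose UserKeyOffset so that a key period begins at current_ts."""
    return current_ts % period


def key_period_no(current_ts: int, offset: int, period: int = USER_KEY_PERIOD) -> int:
    """Either side: the number of the key period in force at current_ts.

    Python's // is floor division, matching the FLOOR in the table also
    for timestamps that fall before the certificate's first period.
    """
    return (current_ts - offset) // period


def key_period_bounds(period_no: int, offset: int, period: int = USER_KEY_PERIOD) -> tuple:
    """[start, end) of a key period, in 1900-based seconds."""
    start = period_no * period + offset
    return start, start + period


def key_set_usable(key_set_period_no: int, current_ts: int, offset: int,
                   period: int = USER_KEY_PERIOD) -> bool:
    """UE-side check: a key set is valid only for the period whose KeyPeriodNo it carries."""
    return key_period_no(current_ts, offset, period) == key_set_period_no


if __name__ == "__main__":
    now = timestamp_1900(time.time())
    offset = user_key_offset(now)           # what the SS would write into UserKeyOffset
    n = key_period_no(now, offset)          # what the SS would write into KeyPeriodNo
    print("UserKeyOffset", offset, "KeyPeriodNo", n, "bounds", key_period_bounds(n, offset))
```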

5.5.4.10.9 Signed KMS Request

Table 5.5.4.10.9-1: Signed KMS Request

Derivation Path: TS 33.180 [94], clause D.2.2

| Information Element | Value/remark | Comment | Reference | Condition |
|---|---|---|---|---|
| SignedKmsRequest | | | | |
|   KmsRequest | | | | |
|     Id attribute | any value | value as used as reference in the signature | | |
|     Version attribute | "1.1.0" | | | |
|     UserUri | px_MCPTT_ID_User_A | The user's MCPTT ID | | |
|     | px_MCVideo_ID_User_A | The user's MCVideo ID | | MCVIDEO |
|     | px_MCData_ID_User_A | The user's MCData ID | | MCDATA |
|     KmsUri | tsc_MCX_KMS_Hostname | The URI of the KMS to which the request is sent | | |
|     Time | any value | Date/time that the request is made by the client | | |
|     ClientId | any value if present | A string representing the client | | |
|     DeviceId | any value if present | A string representing the device | | |
|     ClientReqUrl | URI with same path as in the request URI of the HTTP request | The resource URI to which the HTTP POST request is sent | | |
|     KrrList | not present | | | |
|     ClientError | not present | | | |
|   Signature | | | | |
|     SignedInfo | | | | |
|       CanonicalizationAlgorithm | "http://www.w3.org/TR/2001/REC-xml-c14n-20010315" | XML Signature processing | | |
|       SignatureAlgorithm | "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256" | Hashing algorithm to be applied to sign the SignedInfo with the key given in the KeyInfo | | |
|       Reference | | | | |
|         URI | URI referring to the Id of the request | same value as the Id attribute of the request with leading "#" | | |
|         DigestAlgorithm | "http://www.w3.org/2001/04/xmlenc#sha256" | Hashing algorithm applied to sign the data object | | |
|         DigestValue | Hash signing the data object (referred to by the URI) | | | |
|     SignatureValue | Hash signing the SignedInfo; shall be validated by the SS | The signing key is derived from the InK (px_MCX_InK) according to TS 33.180 [94] Annex F.1.4 with FC = 0x52 and XPK-ID = InK-ID (px_MCX_InK_ID) | | |
|     KeyInfo | | | | |
|       KeyName | base64 encoded InK-ID (px_MCX_InK_ID) | | | |