OMA – SUPL Security
• SUPL 1.0 has reliable security for H-SLP non-emergency location of a SET
• 3GPP solution 1: GBA (Generic Bootstrap Architecture) support of PSK-TLS
• 3GPP solution 2: root certificate public key authentication of H-SLP by SET plus IP address binding to SET MSISDN to authenticate SET
• 3GPP2 solution: PSK-TLS using shared secret keys in H-SLP and SET (in SUPL 2.0, GBA is also being added)
OMA – SUPL Security
SUPL 2.0 is adding security for Location of IP Based Emergency Calls
• An E-SLP in the serving network now replaces the normal H-SLP in the user’s home network
• E-SLP = H-SLP only if SET is not roaming (can then use SUPL 1.0 security)
• If SET is roaming, solutions 1 and 2 will be adapted for the E-SLP for both 3GPP and 3GPP2
• Provisional details for solution 2 (not yet approved)
    • Define a default E-SLP FQDN based on the serving network MCC and MNC
    • E-SLP can also include a different FQDN in the SUPL INIT
    • SET can verify E-SLP IP address corresponds to the FQDN using DNS
    • SET can authenticate E-SLP FQDN using a root certificate
    • SET can also receive a white list of known E-SLPs (e.g. FQDNs) for its current location from the H-SLP (e.g. periodically)
    • E-SLP can authenticate the SET using the known SET IP address used for the emergency call (e.g. as provided by the E-CSCF)
    • TLS can then be used
• An alternate solution using tunneling of SUPL messages via the secure SIP connection between the SET and E-CSCF is also being studied which would avoid the need for additional authentication and ciphering capabilities
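
The SET-side checks listed for solution 2, written out as an added example (not part of the original slides or of any OMA specification text). Assumptions: the FQDN template, the `resolve` hook, the function names, and the policy that a held white list must contain the FQDN; the sample DNS data is constructed.

```python
import ipaddress

# Assumed FQDN template: the slides do not give the format, so treat it as a placeholder.
ASSUMED_TEMPLATE = "e-slp.mnc{mnc}.mcc{mcc}.pub.3gppnetwork.org"

def default_eslp_fqdn(mcc, mnc):
    """Build the default E-SLP FQDN from the serving network MCC and MNC."""
    if not (mcc.isdigit() and len(mcc) == 3):
        raise ValueError("MCC must be exactly 3 digits")
    if not (mnc.isdigit() and len(mnc) in (2, 3)):
        raise ValueError("MNC must be 2 or 3 digits")
    return ASSUMED_TEMPLATE.format(mnc=mnc.zfill(3), mcc=mcc)

def accept_eslp(peer_ip, mcc, mnc, resolve, supl_init_fqdn=None, whitelist=None):
    """SET-side pre-TLS checks. Returns (accepted, fqdn, reason).

    resolve: callable fqdn -> iterable of IP strings (hypothetical hook; a real
    SET would back it with its DNS resolver).
    whitelist: E-SLP FQDNs received from the H-SLP, or None if none is held.
    """
    # An FQDN carried in SUPL INIT overrides the default derived from MCC/MNC.
    fqdn = (supl_init_fqdn or default_eslp_fqdn(mcc, mnc)).lower().rstrip(".")
    if whitelist is not None and fqdn not in {w.lower().rstrip(".") for w in whitelist}:
        return (False, fqdn, "FQDN not in white list from H-SLP")
    try:
        peer = ipaddress.ip_address(peer_ip)
        resolved = {ipaddress.ip_address(a) for a in resolve(fqdn)}
    except ValueError:
        return (False, fqdn, "malformed IP address")
    if peer not in resolved:
        return (False, fqdn, "peer IP does not correspond to FQDN in DNS")
    # Next step, outside this sketch: TLS handshake that validates the server
    # certificate for `fqdn` against the provisioned root certificate.
    return (True, fqdn, "proceed to TLS with certificate validation")

# Constructed sample data: test-network MCC/MNC and documentation IP ranges.
SAMPLE_DNS = {
    "e-slp.mnc001.mcc001.pub.3gppnetwork.org": ["192.0.2.10"],
    "e-slp.visited.example": ["198.51.100.7"],
}

def sample_resolve(fqdn):
    return SAMPLE_DNS.get(fqdn, [])

if __name__ == "__main__":
    print(accept_eslp("192.0.2.10", "001", "01", sample_resolve))
    print(accept_eslp("203.0.113.5", "001", "01", sample_resolve))
```

The DNS and white list checks only decide which name the SET will demand in the certificate; the authentication itself still rests on the root certificate validation during TLS.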