Description
The SEAL Identity Management Server (SIM-S) is a server-side functional entity specified within the 3GPP SEAL architecture for the Identity Management Enabler. It is typically deployed within a network operator's domain or a trusted third-party domain at the edge or in the cloud. The SIM-S provides identity management services to SEAL Identity Management Clients (SIM-Cs) and other SEAL enablers. Its core function is to support operations related to Decentralized Identifiers (DIDs) and Verifiable Credentials (VCs) as defined by W3C and adapted within the 3GPP framework.
Architecturally, the SIM-S may implement several roles from the VC model, such as a Verifiable Data Registry (a trusted system for recording DIDs and their associated public keys), a DID Resolver (a service that fetches DID documents from a registry), or a trusted intermediary between issuers and holders. It exposes northbound and southbound APIs. Southbound, it communicates with SIM-Cs using RESTful APIs over secure channels (e.g., TLS with mutual authentication). Northbound, it may interface with credential issuers (e.g., an operator's backend that issues subscription credentials), other SIM-S instances, or verifiers (edge application servers). The SIM-S maintains necessary trust anchors, such as public keys of trusted issuers or root certificates for DID methods.
In operation, the SIM-S mediates key identity lifecycle events. For issuance, an issuer (such as a mobile operator) can instruct the SIM-S to create a DID and issue a corresponding verifiable credential for a subscriber or device. The SIM-S may manage the DID on a registry and then deliver the credential to the subscriber's SIM-C. For verification, when an edge service (a verifier) needs to check a credential presented by a SIM-C, it may query the SIM-S to resolve the relevant DID, fetch the issuer's public keys, or validate the credential's status (e.g., check for revocation). The SIM-S performs these checks based on its configured trust relationships and returns the verification result. It thus offloads complex trust management and cryptographic verification logic from lightweight edge verifiers and provides a centralized point of policy enforcement for identity within the SEAL ecosystem, enabling scalable and interoperable trust across administrative domains in edge computing.
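The verification flow described above, as an added illustrative model in Go (not 3GPP-specified code or any real SIM-S implementation): an in-memory map stands in for the Verifiable Data Registry, the credential format and its Ed25519 proof are simplified, and the did:example identifiers are constructed. The model shows the order of checks a verifier offloads to the SIM-S: trust-anchor policy, DID resolution, signature verification, then revocation status.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
)

// Credential is a simplified VC: Proof is the issuer's Ed25519 signature over the JSON
// of the other fields (the json:"-" tag keeps Proof out of the signing input).
type Credential struct {
	ID     string            `json:"id"`
	Issuer string            `json:"issuer"` // issuer DID; did:example values below are constructed
	Claims map[string]string `json:"claims"`
	Proof  []byte            `json:"-"`
}
// SIMS models the SIM-S verification role with in-memory state.
type SIMS struct {
	Registry     map[string]ed25519.PublicKey // DID -> public key from its DID document
	TrustAnchors map[string]bool              // issuer DIDs the operator has configured as trusted
	Revoked      map[string]bool              // credential IDs whose status is "revoked"
}
// Issue is the issuer-side step: sign the credential JSON with the issuer's private key.
func Issue(priv ed25519.PrivateKey, c Credential) Credential {
	payload, _ := json.Marshal(c)
	c.Proof = ed25519.Sign(priv, payload)
	return c
}
// Verify runs the SIM-S checks in order: trust-anchor policy, DID resolution, signature, revocation.
func (s *SIMS) Verify(c Credential) error {
	pub, resolved := s.Registry[c.Issuer] // DID resolution against the registry
	payload, _ := json.Marshal(c)         // Proof is excluded by its json:"-" tag
	switch {
	case !s.TrustAnchors[c.Issuer]:
		return errors.New("issuer is not a configured trust anchor")
	case !resolved:
		return errors.New("DID resolution failed")
	case !ed25519.Verify(pub, payload, c.Proof):
		return errors.New("invalid issuer signature")
	case s.Revoked[c.ID]:
		return errors.New("credential revoked")
	}
	return nil
}
func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed operator issuer key pair
	s := &SIMS{Registry: map[string]ed25519.PublicKey{"did:example:mno": pub}, TrustAnchors: map[string]bool{"did:example:mno": true}, Revoked: map[string]bool{}}
	if err := s.Verify(Issue(priv, Credential{ID: "urn:vc:1", Issuer: "did:example:mno", Claims: map[string]string{"premium": "true"}})); err != nil {
		panic(err)
	}
}
```

A credential from an issuer that has a resolvable DID document but is not in the operator's trust-anchor set is rejected before any cryptography runs, which is the policy-enforcement point the text describes.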
Purpose & Motivation
The SIM-S was created to provide a standardized, network-hosted authority for managing modern decentralized identities within the 5G service enabler architecture. As edge computing proliferates, services require a way to verify user/device attributes quickly and locally without constant referral to the central core network. Traditional HSS/UDM-centric authentication is not designed for fine-grained, attribute-based authentication to third-party edge applications.
It solves the problem of trust brokerage in a fragmented edge environment. Without a SIM-S, each edge application provider would need to establish direct trust relationships with every potential identity issuer (e.g., every mobile operator), which is impractical. The SIM-S acts as a trusted intermediary that applications can query. For operators, it provides a controlled way to extend the trust of the mobile subscription into the edge domain by issuing and managing verifiable credentials derived from that subscription.
The motivation stems from enabling secure and privacy-respecting service access for new 5G verticals. By adopting W3C-standard models for verifiable credentials, SIM-S facilitates interoperability with broader digital identity ecosystems outside telecom. It allows users to prove specific claims (e.g., "over 18," "has premium subscription") to edge services without revealing their full identity (IMSI/SUPI), supporting privacy-by-design principles. Its creation formalizes the operator's role as an identity provider in the edge computing value chain, opening new revenue streams and enhancing service security.
Key Features
- Server-side implementation of SEAL Identity Management protocols for decentralized identity
- Acts as a Verifiable Data Registry and/or DID Resolver for managing Decentralized Identifiers
- Facilitates the issuance, revocation, and status checking of Verifiable Credentials
- Provides credential verification services to edge application servers (verifiers)
- Manages trust anchors and policies for identity issuers within the SEAL ecosystem
- Exposes standardized northbound and southbound RESTful APIs for interoperability
Evolution Across Releases
The SIM-S was introduced as a new functional component within the SEAL (Service Enabler Architecture Layer) framework for 5G, defined as the server entity for the Identity Management Enabler. Its role as a trust intermediary and service endpoint for managing decentralized identities and verifiable credentials to enable secure edge service access was specified, along with the initial architecture and service APIs.
Defining Specifications
| Specification | Title |
|---|---|
| TS 24.547 | 3GPP TS 24.547 |
| TS 33.434 | 3GPP TS 33.434 |