104 Copyright © 2011 Open Geospatial Consortium, Inc. All Rights Reserved. Whenever an OGC Web Service supports KVP encoded requests via HTTP GET andor plain XML encoded requests via HTTP POST, the use of the well known GetCapabilities request can be used for bootstrapping because all the required information is contained in the Capabilities document. For each network endpoint indicated by a URL, the use of either the HTTP GET or POST method is given, in addition to other parameters as defined by OWS Common However, if SOAP is required then the Capabilities document does not carry enough information. The use of SOAP may involve a particular format to include security related metadata into the headers. Different OASIS standards such as WS-Policy or WS-SecurityPolicy exist that allow encoding constraints to indicate what the service expects in terms of security metadata when a clients tries to execute it. Other information, such as the required use of HTTP headers such as SOAPAction, cannot be specified in the Capabilities document. Therefore, the bootstrapping of an OWS that requires SOAP should be done by a WSDL document that describes in more detail the requirements to get going with the service. In terms of publish-find-bind, it is up to the service provider to publish the appropriate bootstrapping mechanism in a registry or catalogue. For HTTP GET and POST OWS this should be the Capabilities document and for SOAP OWS it should be the WSDL document. Both can be provided via a simple online document and do not require the client to perform an additional service request. This relaxes the opportunities for bootstrapping a protected OWS. Access to the Capabilities or the WSDL document can always be unprotected. In case that the service is protected and the user does not have the required rights, he will find out after the first service execution attempt. In the end, the group agreed to not use SOAP during the testbed for WFS interactions as the additional features that it could have supported were not required there. The WFS service that initially only supported SOAP was enhanced to also support KVP and XML based operation invocations.

10.2.3 SOAP Version

When talking about SOAP and support for it by a given web service, it is important to acknowledge that there are two versions of SOAP: 1.1 and 1.2. Communities may require support for SOAP 1.1 or 1.2 or both or any one of them while allowing the other. There may be different reasons for doing so, such as backwards compatibility or integration with existing systems. Therefore, OWS standards should be SOAP version agnostic even though usually more options are not favorable for achieving interoperability. The Sensor Web Enablement 2.0 standards are written in a SOAP version agnostic way. They rely on OWS Common 1.1, which does not specify any requirement regarding SOAP. In addition, they do not have any requirement that prevents a SWE service from using a particular SOAP version. Other OWS standards used in the OWS-8 Aviation thread are not SOAP version agnostic: WCS 2.0 builds upon OWS Common 2.0, which requires SOAP 1.2. Copyright © 2011 Open Geospatial Consortium, Inc. All Rights Reserved. 105 WFS 2.0 builds on OWS Common 1.1 which - as said before - does not define SOAP in any way, but the WFS 2.0 specification itself requires SOAP 1.1. Apparently some harmonization is needed. Until that is achieved, aviation clients may need to support both versions of SOAP in a SOAP based service environment.

10.2.4 Security

The use of SOAP - as a particular format for XML messages exchanged with a network endpoint - provides hooks for enabling metadata with the actual information exchanged in an interoperable way. One useful way is to use these hooks for including message based security metadata to cope with Integrity, Confidentiality and potentially Authenticity for the XML encoded information enclosed by the SOAP message tags. This is important in architectures where there is no direct connection between the service itself and the client that executes the service, because lower ISOOSI stack security measures such as SSL or TLS only provide a secure communication channel between two machines and not between the actual applications running on it. Therefore, in a workflow or a real message based system such as an Enterprise Service Bus e.g. SWIM it is important to provide a method that enables securing the exchanged information the message from one application to another end-to-end. This is achieved by explicitly encrypting a message before it is delivered via the network to the recipient. However, in an architecture where a Web Browser or a desktop client executes one or multiple services according to the transparent chaining pattern OGC Topic 12, the use of SOAP does not seem to bring any advantages compared to using an HTTPS HTTP + SSLTLS connection, because the difference between point-to-point and end-to-end is not meaningful here. It actually tends to be more complex for application and service developers, because the use of secured SOAP messages requires to encrypt and decrypt each individual requestresponse inside the application compared to simply using the security features that are already provided and automatically handled by the transport protocol HTTPS. As encryption based security was not required in OWS-8, the use of SOAP was not necessary. This was also beneficial for the access control use cases, as the PEP did not need to perform addition processing to unwrap the actual request contained in a SOAP message.

10.2.5 Message Size

Implementers reported a doubling of size of exchanged web service messages when SOAP was used - for example for GetCapabilities requests. Some observations regarding the statement are listed in the following: A very basic GetCapabilities request encoded in XML can be very small. The same can be true for other OWS operations. In these cases simply wrapping the request with a SOAP envelope and body element indeed represents overhead that