Copyright © 2009 Open Geospatial Consortium, Inc. 107
10.2 Standards for securing Communication on the Binding Layer
10.2.1 HTTPS see [13]
HTTPS is defined as HTTP over TLS in IETF RFC 2818. It defines how HTTP leverages TLS to establish secure communication over the Internet using the https: URI scheme. Simply speaking, an HTTPS connection results in the exchange of encrypted messages, using the standard port 443.
10.3 Standards for securing Communication on the Message Security
10.3.1 WS-Security see [5]
The prime goal of this OASIS specification is to enable the secure exchange of XML messages between communication end-points using the SOAP protocol (see [6]). It provides support for implementing message integrity and confidentiality as well as client (user) authentication. This is obtained by applying XML Digital Signature (see [7]) and XML Encryption (see [8]) to an XML message in a specific fashion. The standard describes the processing rules for creating message integrity or confidentiality. It also describes the structure of SOAP messages and the structure of the relevant metadata, so that they can be processed by web services in an interoperable way.
This standard also supports different security tokens to obtain client authentication. It defines processing rules for how to attach security tokens to messages. These security tokens are currently supported:
"Username" token: provides support to share knowledge about the identity of a user. "Password" expresses the password associated with this token. In addition, "Nonce" and "Created" are supported to enable strong digested passwords.
"X.509" token: supports the exchange and use of X.509 certificates for authentication, digital signatures and encryption.
"SAML" token: includes SAML assertions as a token.
"Kerberos" token: allows the use of Kerberos tickets.
"REL" token: can be used to attach license information.
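The following is an added worked example, not code from the OGC document or from the OASIS specification it summarises. It shows the digest mode of the "Username" token: the client combines "Nonce", "Created" and the password into a PasswordDigest (Base64 of SHA-1 over nonce bytes, Created string and password, as defined in the UsernameToken Profile 1.0), and the receiving service recomputes the digest, bounds the age of "Created" and rejects a nonce it has already seen. The credential store, the clock callable, the five-minute window and the scenario in demo() are constructed for illustration; the namespace URIs are those of WS-Security 1.0.

```python
import base64
import datetime
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET

# Namespace URIs from WS-Security 1.0 / UsernameToken Profile 1.0.
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
NONCE_ENCODING = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ISO_UTC = "%Y-%m-%dT%H:%M:%SZ"


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """PasswordDigest = Base64(SHA-1(nonce + created + password)); nonce is the
    raw (decoded) nonce bytes, created and password are UTF-8 text."""
    material = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(material).digest()).decode("ascii")


def build_username_token(username: str, password: str, created: str, nonce=None) -> dict:
    """Client side: assemble the fields of a digest-mode UsernameToken."""
    nonce = nonce if nonce is not None else os.urandom(16)  # fresh random nonce per message
    return {
        "Username": username,
        "Nonce": base64.b64encode(nonce).decode("ascii"),
        "Created": created,
        "PasswordDigest": password_digest(nonce, created, password),
    }


def token_to_xml(token: dict) -> str:
    """Render the token as the wsse:UsernameToken element carried in a SOAP Security header."""
    ET.register_namespace("wsse", WSSE_NS)
    ET.register_namespace("wsu", WSU_NS)
    root = ET.Element(f"{{{WSSE_NS}}}UsernameToken")
    ET.SubElement(root, f"{{{WSSE_NS}}}Username").text = token["Username"]
    ET.SubElement(root, f"{{{WSSE_NS}}}Password", Type=DIGEST_TYPE).text = token["PasswordDigest"]
    ET.SubElement(root, f"{{{WSSE_NS}}}Nonce", EncodingType=NONCE_ENCODING).text = token["Nonce"]
    ET.SubElement(root, f"{{{WSU_NS}}}Created").text = token["Created"]
    return ET.tostring(root, encoding="unicode")


class UsernameTokenVerifier:
    """Server side: recompute the digest and enforce freshness and single use of the nonce."""

    def __init__(self, credentials: dict, now, max_age_seconds: int = 300):
        self.credentials = credentials  # username -> password (constructed store)
        self.now = now                  # clock callable, injectable for deterministic tests
        self.max_age = max_age_seconds  # accepted skew/age of Created
        self.seen_nonces = set()        # replay cache; in practice bounded by max_age

    def verify(self, token: dict) -> bool:
        password = self.credentials.get(token.get("Username"))
        if password is None:
            return False
        try:
            created = datetime.datetime.strptime(token["Created"], ISO_UTC).replace(
                tzinfo=datetime.timezone.utc)
            nonce = base64.b64decode(token["Nonce"], validate=True)
        except (ValueError, KeyError):
            return False
        # Created outside the window: reject before consulting the replay cache.
        if abs((self.now() - created).total_seconds()) > self.max_age:
            return False
        if token["Nonce"] in self.seen_nonces:
            return False  # replayed token
        expected = password_digest(nonce, token["Created"], password)
        if not hmac.compare_digest(expected.encode(), token["PasswordDigest"].encode()):
            return False
        self.seen_nonces.add(token["Nonce"])
        return True


def demo() -> dict:
    """Constructed scenario: a valid token, then its replay, a wrong password and a stale Created."""
    clock = [datetime.datetime(2009, 6, 1, 12, 0, 0, tzinfo=datetime.timezone.utc)]
    verifier = UsernameTokenVerifier({"alice": "correct horse"}, now=lambda: clock[0])
    created = clock[0].strftime(ISO_UTC)
    good = build_username_token("alice", "correct horse", created)
    results = {"fresh": verifier.verify(good), "replay": verifier.verify(good)}
    results["wrong_password"] = verifier.verify(build_username_token("alice", "guess", created))
    clock[0] += datetime.timedelta(minutes=10)  # ten minutes later, same Created value
    results["stale"] = verifier.verify(build_username_token("alice", "correct horse", created))
    results["xml"] = token_to_xml(good)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The digest only protects the password from being sent in clear; it does not protect the rest of the message, which is why the token is normally combined with XML Digital Signature or carried over HTTPS. The replay cache and the "Created" window are what make "Nonce" and "Created" useful: without them a captured token could be presented again.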
10.4 Standards associated to Message Content Security
This section of the document provides an overview of standards, recommendations and other literature related to establishing message content security.
10.4.1 XML Digital Signature see [7]
This W3C Recommendation specifies the processing rules for applying digital signatures to any type of information, in particular XML-structured information, and for representing the result as well as the relevant metadata in XML. It supports different kinds of digital signatures:
"Enveloped" signatures are processed over the content that includes the digital signature element itself.
"Enveloping" signatures are processed over content that is part of the signature element.
"Detached" signatures are processed over content that is external to the signature element.
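As an added example (not part of the OGC document or of the W3C Recommendation), the three signature kinds can be told apart by where each ds:Reference in ds:SignedInfo points relative to the ds:Signature element: URI="" with the enveloped-signature transform covers the whole document that contains the signature (enveloped), a same-document URI resolving inside the ds:Signature covers a ds:Object carried by the signature (enveloping), and any other reference covers a sibling element or an external resource (detached). The classifier below only inspects structure; it performs no canonicalization or digest checking. Id resolution by Id/ID/id attributes and the three skeletal XML documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
ENVELOPED_TRANSFORM = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"


def _tag(local: str) -> str:
    return f"{{{DS_NS}}}{local}"


def _find_by_id(root, ref_id: str):
    """Resolve a same-document reference by Id/ID/id attribute (simplified; no xml:id handling)."""
    for el in root.iter():
        if ref_id in (el.get("Id"), el.get("ID"), el.get("id")):
            return el
    return None


def _contains(ancestor, node) -> bool:
    """True if node is ancestor itself or one of its descendants."""
    return any(el is node for el in ancestor.iter())


def classify_references(xml_text: str) -> list:
    """Return (URI, kind) for every ds:Reference of the first ds:Signature in the document."""
    root = ET.fromstring(xml_text)
    sig = root if root.tag == _tag("Signature") else root.find(f".//{_tag('Signature')}")
    if sig is None:
        raise ValueError("no ds:Signature element")
    kinds = []
    for ref in sig.iter(_tag("Reference")):
        uri = ref.get("URI", "")  # a missing URI is treated like "" here (simplification)
        transforms = {t.get("Algorithm") for t in ref.iter(_tag("Transform"))}
        if uri == "":
            # The whole document is signed, so the signature sits inside the signed content.
            # Without the enveloped-signature transform the digest would have to cover the
            # SignatureValue itself and could never verify; flag that separately.
            kind = "enveloped" if ENVELOPED_TRANSFORM in transforms else "enveloped-without-transform"
        elif uri.startswith("#"):
            target = _find_by_id(root, uri[1:])
            if target is None:
                kind = "dangling"           # reference to an Id that does not exist
            elif _contains(sig, target):
                kind = "enveloping"         # signed content lives inside the Signature (ds:Object)
            elif _contains(target, sig):
                kind = "enveloped"          # Signature lives inside the signed element
            else:
                kind = "detached"           # sibling element elsewhere in the document
        else:
            kind = "detached"               # external resource
        kinds.append((uri, kind))
    return kinds


# Constructed, skeletal documents (no SignatureValue/KeyInfo) for each signature kind.
ENVELOPED_XML = (
    '<Order xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><Item>1</Item>'
    '<ds:Signature><ds:SignedInfo><ds:Reference URI=""><ds:Transforms>'
    '<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>'
    '</ds:Transforms></ds:Reference></ds:SignedInfo></ds:Signature></Order>'
)
ENVELOPING_XML = (
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>'
    '<ds:Reference URI="#payload"/></ds:SignedInfo>'
    '<ds:Object Id="payload"><Item>1</Item></ds:Object></ds:Signature>'
)
DETACHED_XML = (
    '<Envelope xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
    '<Body Id="body"><Item>1</Item></Body>'
    '<ds:Signature><ds:SignedInfo><ds:Reference URI="#body"/>'
    '<ds:Reference URI="order.xml"/></ds:SignedInfo></ds:Signature></Envelope>'
)

if __name__ == "__main__":
    for name, doc in (("enveloped", ENVELOPED_XML), ("enveloping", ENVELOPING_XML),
                      ("detached", DETACHED_XML)):
        print(name, classify_references(doc))
```

Knowing which kind a signature is matters for verification: an enveloped signature must be removed from the digest input via the transform, an enveloping signature protects only what is inside its ds:Object, and a detached signature over an external URI leaves it to the verifier to fetch and bind the right resource.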
10.4.2 XML Encryption see [8]