Copyright © 2009 Open Geospatial Consortium, Inc.
PKI Public Key Infrastructure
SAML Security Assertion Markup Language
SOAP Simple Object Access Protocol
STS Security Token Service
XACML eXtensible Access Control Markup Language
5 Security Overview
Security has several aspects, which have to be addressed separately. OWS-6 is focused on access control, which may require security features such as confidentiality, integrity,
authenticity and non-repudiation of the service communication.
Not all security features are required in every use case. Moreover, security requirements have to be evaluated and security measures have to be derived individually. Thus, a
security framework defines a toolbox, providing a set of security mechanisms, all of them fulfilling different security requirements. After deciding on the required level of security,
a system’s designer is then able to select those security features needed in a certain use case.
This testbed did not attempt to define any concrete set of security requirements or attack scenarios but examined one approach to the use of the technologies.
6 Security Requirements
Security requirements differ for different applications. Thus, an actual security solution always has to match the individual security requirements. This section discusses the
security requirements most relevant to securing OGC Web services, within OWS-6 and beyond. These requirements only address message exchange, which is
relevant when defining Web service interfaces and protocols. There may be other requirements addressing physical or organizational protection as well as the protection of
data, but these are out of scope for this document.
6.1 Confidentiality
Providing confidentiality means protecting messages against unauthorized reading. It has to be ensured that only the designated communication partners (typically the sender and
the receiver of a message) can access the content of a message.
Confidentiality is provided by encryption, either on message level or on transport level. See section 7.2.1 for further details.
6.2 Authenticity
Authenticity provides evidence that a communication message actually originates from the authenticated party. A variety of methods and standards may be used to
provide authentication for OGC web services, as shown below:
• HTTP Authentication
• Session Management Cookies
• SAML
• Shibboleth
• OpenID
• WS-Security
For authentication a variety of different mechanisms exist. Typically, authenticity can be guaranteed on message level by applying digital signatures to messages. These signatures
are validated against the public key of the sender, and thus valid signatures can only be generated by the owner of the corresponding private key. Therefore, if a signature can be
validated against a certain public key, the owner of this key pair has to be the originator of this signature.
On transport level, authenticity can be provided by requiring an adequate certificate during the handshake of the secure connection, which is derived from a trusted root
certificate. Once this connection is established, authenticity is provided for all messages being submitted by the communication partner who provided this certificate (sender
and/or receiver).
In OWS-6, development and demonstrations were focused on use of WS-Security, SAML and OpenID.
6.3 Integrity
Integrity protects messages against unnoticed modifications. Typically, integrity is provided by the use of digital signatures. These signatures are tightly bound to the
message to be protected. If the message is modified after the signature was applied, validation of this signature will fail.
If security on transport level is provided, integrity is ensured once the secure communication session is established.
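The message-level signature checks described in 6.2 and 6.3, as an added example that is not part of the original report or of any OWS-6 component. It uses a raw Ed25519 signature from Node.js `crypto` over the message bytes rather than WS-Security or XML Signature. The sender names, the trust store, the helper functions and the request body are all constructed for illustration.

```javascript
// Added example: one signature check covers authenticity (6.2) and integrity (6.3).
const { generateKeyPairSync, sign, verify } = require('node:crypto');

// Constructed key pairs: "alice" is a known sender, "mallory" holds a key
// the receiver has never been told to trust.
const alice = generateKeyPairSync('ed25519');
const mallory = generateKeyPairSync('ed25519');

// Receiver's trust store (assumption): sender id -> public key obtained out
// of band, e.g. from a certificate chaining to a trusted root.
const trustStore = new Map([['alice', alice.publicKey]]);

// Sender side: the signature is computed over the exact bytes of the body.
function signMessage(senderId, body, privateKey) {
  const signature = sign(null, Buffer.from(body, 'utf8'), privateKey);
  return { senderId, body, signature: signature.toString('base64') };
}

// Receiver side: returns 'ok', 'unknown-sender' or 'bad-signature'.
function checkMessage(msg) {
  const publicKey = trustStore.get(msg.senderId);
  if (!publicKey) return 'unknown-sender'; // no key to validate against
  const valid = verify(null, Buffer.from(msg.body, 'utf8'), publicKey,
    Buffer.from(msg.signature, 'base64'));
  return valid ? 'ok' : 'bad-signature';
}

// Constructed sample request body (not taken from the report).
const body = 'SERVICE=WMS&REQUEST=GetMap&LAYERS=roads&BBOX=-10,40,5,55';

// 1. Untouched message signed by the real key owner.
const original = signMessage('alice', body, alice.privateKey);
// 2. Integrity: body changed after signing, signature left as it was.
const tampered = { ...original, body: body.replace('roads', 'rivers') };
// 3. Authenticity: claims to be alice but was signed with another private key.
const forged = signMessage('alice', body, mallory.privateKey);

function runChecks() {
  return {
    original: checkMessage(original),
    tampered: checkMessage(tampered),
    forged: checkMessage(forged),
  };
}

console.log(runChecks());
```

The check is only as strong as the binding between sender id and public key in the trust store, which is the role certificates and the PKI play in the report.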
6.4 Non-Repudiation