Copyright © 2015 Open Geospatial Consortium.
choice of entity does not introduce a security risk, as the actual login credentials – of course – are never stored in any Cookie.
8.2 Implementation of the Common Security based on SOAP
Implementing the outlined frameworks using SOAP comes with the interoperability limitations described earlier in section 4.4.3.3. However, the use of SOAP XML encoded requests introduces the option to leverage WS-Security and related standards to build an interoperability stack for the Integrity, Confidentiality and Authentication frameworks that is independent of the communication layer (HTTP). In that setting, the use of HTTP+TLS can be seen as an optional, additional improvement.
In order to support a WS-* based implementation of Common Security, the OGC Web Service standards must normatively reference the appropriate suite of Web Security standards. Detailing which standards these are is outside the scope of this ER. However, this ER lists the relevant standards in the Reference section, and a basic view of the WS-* family of standards is given in Figure 4. A comprehensive introduction that may help in reaching a conclusion is available in [1].
Note that WS-Security applies encryption and signatures to XML; therefore, the W3C standards XML Digital Signature and XML Encryption are also mandatory. In addition, it is good practice to remind implementers that the use of XML Signature introduces many pitfalls, such as XML canonicalization and digital signatures that apply transformations (e.g. external transforms) to the referenced content, which may result in integrity protection being applied to content other than what was intended. Therefore, we recommend considering the W3C Best Practices on how to use XML Digital Signatures (see [23] for details).
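As an added example that is not part of this ER, the following Python (standard library only) shows the kind of structural policy check a verifier can run over a ds:Signature before cryptographic verification: it rejects Reference elements that use transforms outside an allowlist (XSLT, XPath) or that point outside the document, and confirms that the elements the application expects to be protected (assumed here to be the SOAP Body with Id="body") are actually covered by a Reference. The SOAP envelopes are constructed samples.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
# Transforms a verifier should accept. W3C XML Signature best practice is to
# allow only enveloped-signature and canonicalization; XSLT/XPath transforms
# can change what the digest actually covers.
ALLOWED_TRANSFORMS = {
    "http://www.w3.org/2000/09/xmldsig#enveloped-signature",
    "http://www.w3.org/TR/2001/REC-xml-c14n-20010315",
    "http://www.w3.org/2001/10/xml-exc-c14n#",
}

def check_signature_policy(xml_text, expected_ids):
    """Return a list of policy violations found in the ds:Reference elements.
    expected_ids: set of element Id values the signature must cover.
    An empty list means the structure is acceptable for full verification."""
    root = ET.fromstring(xml_text)
    problems, covered = [], set()
    for ref in root.iter(f"{{{DS}}}Reference"):
        uri = ref.get("URI", "")
        if uri == "":            # whole-document reference (enveloped signature)
            covered |= expected_ids
        elif not uri.startswith("#"):
            problems.append(f"reference URI '{uri}' is not a same-document reference")
            continue
        else:
            covered.add(uri[1:])
        for tr in ref.iter(f"{{{DS}}}Transform"):
            alg = tr.get("Algorithm", "")
            if alg not in ALLOWED_TRANSFORMS:
                problems.append(f"transform '{alg}' not allowed on reference '{uri}'")
    for missing in sorted(expected_ids - covered):
        problems.append(f"required element '#{missing}' is not covered by any reference")
    return problems

# Constructed sample: signature over the SOAP Body using exclusive c14n only.
GOOD = """<Envelope xmlns="http://schemas.xmlsoap.org/soap/envelope/">
<Header><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo>
<Reference URI="#body"><Transforms><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></Transforms></Reference>
</SignedInfo></Signature></Header><Body Id="body"/></Envelope>"""
# Constructed sample: XSLT transform on the Body plus a reference to an external document.
BAD = """<Envelope xmlns="http://schemas.xmlsoap.org/soap/envelope/">
<Header><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo>
<Reference URI="#body"><Transforms><Transform Algorithm="http://www.w3.org/TR/1999/REC-xslt-19991116"/></Transforms></Reference>
<Reference URI="http://example.invalid/other.xml"/>
</SignedInfo></Signature></Header><Body Id="body"/></Envelope>"""

if __name__ == "__main__":
    print(check_signature_policy(GOOD, {"body"}))   # []
    print(check_signature_policy(BAD, {"body"}))    # two violations
```

The check only validates the signature's structure against a policy; digest and signature value verification still have to follow with a proper XML Signature library.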
8.3 Implementation of the Common Security on the client side
When introducing the options for implementing Common Security on the service side, standardization must pick up on the client side as well and give normative guidance on what to implement, how to process requests and responses, and in particular how to act on exceptions.
The fact that OWS Common does not reference any security related standards creates a huge disadvantage, as most clients for OGC Web Services do not, or only partly, support the implementation of the different security frameworks of Common Security. This limitation is very important, as on the server side security enabled proxies can be deployed to add Common Security.
In order to outline the relevant requirements and standards for implementing Common Security on clients that are able to interact with secured OGC Web Services, consider the functionality common to mainstream IT clients. For a better classification of client types, this ER distinguishes between applications that are executed in a Web Browser (Web Browser applications) and applications that are executed on the OS (desktop clients).
8.4 Support for Common Security in typical modern Web Browser based applications