
Copyright © 2015 Open Geospatial Consortium.

choice of entity does not introduce a security risk, as the actual login credentials – of course – are never stored in any Cookie.

8.2 Implementation of the Common Security based on SOAP

Implementing the outlined frameworks using SOAP comes with the interoperability limitations outlined earlier in section 4.4.3.3. However, the use of SOAP XML-encoded requests introduces the option to leverage WS-Security and related standards to build your own interoperability stack for the Integrity, Confidentiality and Authentication frameworks, independent of the communication layer (HTTP). The use of HTTP+TLS can then be seen as an optional improvement. In order to support a WS-* based implementation of Common Security, the OGC Web Service standards must normatively reference the appropriate suite of Web Security standards. Detailing which standards these are is outside the scope of this ER. However, this ER includes the relevant standards in the Reference section, and a basic view of the WS-* family of standards is given in figure 4. A comprehensive introduction that may help to conclude is available in [1]. Note that the use of WS-Security applies encryption to XML and therefore the W3C standards XML Digital Signatures and XML Encryption are also mandatory. In addition, it is good practice to remind implementers that the use of XML Signature introduces many pitfalls, such as XML canonicalization and digital signatures on external transformations, that may result in applying integrity to any content. Therefore, we recommend considering the W3C Best Practices on how to use XML Digital Signatures; see [23] for details.
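The canonicalization and transformation pitfalls named above can be screened for before a signature is verified. The following is an added example, not part of this ER or of any OGC or W3C code: it inspects each ds:SignedInfo and reports canonicalization methods, reference URIs and transforms that fall outside an allowlist. The allowlist policy, the function name `audit_signed_info` and the sample documents are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
C14N_10 = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
XSLT = "http://www.w3.org/TR/1999/REC-xslt-19991116"

# Assumed local policy (not taken from the ER): exclusive canonicalization only,
# and no transform other than enveloped-signature or exclusive canonicalization.
ALLOWED_C14N = {EXC_C14N}
ALLOWED_TRANSFORMS = {EXC_C14N, ENVELOPED}


def audit_signed_info(xml_text):
    """Return (kind, value) findings for every ds:SignedInfo in xml_text."""
    findings = []
    for signed_info in ET.fromstring(xml_text).iter(DS + "SignedInfo"):
        c14n = signed_info.find(DS + "CanonicalizationMethod")
        alg = c14n.get("Algorithm") if c14n is not None else None
        if alg not in ALLOWED_C14N:
            findings.append(("c14n", alg))
        for ref in signed_info.findall(DS + "Reference"):
            uri = ref.get("URI")
            # Only same-document references ("#id") are accepted, so the
            # verifier never fetches content from outside the message.
            if uri is None or not uri.startswith("#"):
                findings.append(("external-reference", uri))
            for transform in ref.iter(DS + "Transform"):
                if transform.get("Algorithm") not in ALLOWED_TRANSFORMS:
                    findings.append(("transform", transform.get("Algorithm")))
    return findings


# Constructed sample: a minimal ds:Signature skeleton (no digest or signature
# values), enough to exercise the policy check.
TEMPLATE = (
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>'
    '<ds:CanonicalizationMethod Algorithm="{c14n}"/>'
    '<ds:Reference URI="{uri}"><ds:Transforms>'
    '<ds:Transform Algorithm="{transform}"/>'
    '</ds:Transforms></ds:Reference></ds:SignedInfo></ds:Signature>'
)
GOOD = TEMPLATE.format(c14n=EXC_C14N, uri="#body", transform=EXC_C14N)
RISKY = TEMPLATE.format(c14n=C14N_10, uri="http://example.org/doc.xml", transform=XSLT)

if __name__ == "__main__":
    print(audit_signed_info(GOOD))
    print(audit_signed_info(RISKY))
```

A message that produces any finding would be rejected before signature validation is attempted, so that no external resource is fetched and no stylesheet is executed on unauthenticated input.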

8.3 Implementation of the Common Security on the client side

When introducing the options for implementing Common Security on the service side, the standardization must pick up on the client side as well and give normative guidance on what to implement, how to process requests and responses and, in particular, how to act on exceptions. The fact that OWS Common does not reference any security-related standards creates a huge disadvantage, as most clients for OGC Web Services do not, or only partly, support the implementation of the different security frameworks as Common Security. This limitation is very important, as on the server side security-enabled proxies can be deployed to add Common Security. In order to outline relevant requirements and standards to implement Common Security on clients that are able to interact with secured OGC Web Services, consider functionalities common to mainstream IT clients. For a better classification of client types, this ER separates applications that are executed in a Web Browser (Web Browser applications) and applications that are executed on the OS (desktop clients).

8.4 Support for Common Security in typical modern Web Browser based applications