following we will only enumerate the authentication methods and point to the corresponding WSS token profiles.
8.1.1 Username Password
Username Password authentication is described in the Username Token Profile v1.1, available at the following address:
http://www.oasis-open.org/committees/download.php/16782/wss-v1.1-spec-os-UsernameTokenProfile.pdf
Although this authentication method is quite trivial, the above mentioned specification does a good job of adding features that help protect the password and avoid replay
attacks. These features include the use of hashed (digested) passwords, nonces and/or creation timestamps. Furthermore, a key derivation algorithm is presented which can be used when
computing Message Authentication Codes (MACs) or as a symmetric key for encryption.
This authentication method was used during OWS4, see section 9.1.1 for details.
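The digest and replay-protection features described above, as an added example rather than code from the OGC report or the OASIS profile: the client computes PasswordDigest = Base64(SHA-1(nonce + created + password)) as the Username Token Profile 1.1 specifies, and the server recomputes it, checks that wsu:Created lies within a freshness window, and refuses a nonce it has already accepted. The token is modelled as a plain dictionary of the wsse element values instead of a SOAP header, the replay cache is in-memory, the five-minute window and 30-second clock-skew allowance are assumed values, and Created is written with whole seconds only; all of these are assumptions of the example.

```python
# Added example (not the OGC report's or the OASIS profile's own code):
# WSS UsernameToken Profile 1.1 digest authentication with a freshness
# window on wsu:Created and a nonce cache against replay.
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

# xsd:dateTime in UTC, whole seconds (assumption: the profile allows fractions).
WSU_TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """PasswordDigest = Base64(SHA-1(nonce + created + password)).
    nonce is the raw (base64-decoded) bytes; created and password are UTF-8."""
    h = hashlib.sha1(nonce + created.encode("utf-8") + password.encode("utf-8")).digest()
    return base64.b64encode(h).decode("ascii")


def build_token(username: str, password: str, now: datetime = None, nonce: bytes = None) -> dict:
    """Client side: the UsernameToken fields a wsse:Security header would carry."""
    nonce = nonce if nonce is not None else os.urandom(16)
    created = (now or datetime.now(timezone.utc)).strftime(WSU_TIME_FMT)
    return {
        "Username": username,
        "Nonce": base64.b64encode(nonce).decode("ascii"),
        "Created": created,
        "PasswordDigest": password_digest(nonce, created, password),
    }


class UsernameTokenVerifier:
    """Server side. It needs the cleartext password (or an equivalent shared secret):
    the digest is a hash over the password itself, so the server cannot keep only a
    slow one-way password hash for this scheme."""

    def __init__(self, passwords: dict, freshness: timedelta = timedelta(minutes=5),
                 skew: timedelta = timedelta(seconds=30)):
        self.passwords = passwords          # username -> cleartext password (assumed store)
        self.freshness = freshness          # assumed window for wsu:Created
        self.skew = skew                    # assumed tolerance for client clocks ahead of ours
        self._seen = {}                     # (username, nonce) -> time the entry may be dropped

    def verify(self, token: dict, now: datetime) -> bool:
        password = self.passwords.get(token.get("Username"))
        if password is None:
            return False
        try:
            nonce = base64.b64decode(token["Nonce"], validate=True)
            created = datetime.strptime(token["Created"], WSU_TIME_FMT).replace(tzinfo=timezone.utc)
        except (KeyError, ValueError):
            return False
        # Freshness: Created must not be older than the window nor (beyond skew) in the future.
        if created < now - self.freshness or created > now + self.skew:
            return False
        # Replay: a nonce already accepted for this user inside the window is refused.
        self._expire(now)
        key = (token["Username"], nonce)
        if key in self._seen:
            return False
        expected = password_digest(nonce, token["Created"], password)
        if not hmac.compare_digest(expected, token.get("PasswordDigest", "")):
            return False
        # Remember the nonce for as long as the Created timestamp could still be accepted.
        self._seen[key] = now + self.freshness + self.skew
        return True

    def _expire(self, now: datetime) -> None:
        for key in [k for k, t in self._seen.items() if t <= now]:
            del self._seen[key]


def demo() -> dict:
    """Exercise the verifier against a fixed clock and return the outcomes."""
    t0 = datetime(2007, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    verifier = UsernameTokenVerifier({"alice": "s3cret"})   # constructed sample user
    token = build_token("alice", "s3cret", now=t0)
    return {
        "fresh": verifier.verify(token, t0),
        "replay": verifier.verify(token, t0 + timedelta(seconds=10)),
        "wrong_password": verifier.verify(build_token("alice", "wrong", now=t0), t0),
        "stale": verifier.verify(build_token("alice", "s3cret", now=t0), t0 + timedelta(minutes=10)),
        "unknown_user": verifier.verify(build_token("mallory", "x", now=t0), t0),
    }


if __name__ == "__main__":
    print(demo())
```

Two points the code makes that the profile's text does not spell out: the server has to keep the cleartext password (or cache it after a lookup) because the digest is computed over it, which is why this scheme is normally combined with transport or message-level encryption; and the nonce cache only has to remember a nonce for as long as its Created timestamp would still be accepted, so bounding the freshness window also bounds the cache.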
8.1.2 Kerberos
Kerberos is a computer network authentication protocol which allows parties communicating over an insecure network to prove their identity to one another in a secure
fashion. Kerberos originated as a project at MIT and has various implementations, one of which is used in Microsoft Windows networks.
The Kerberos Token Profile v1.1 with errata is available at the following address: http://docs.oasis-open.org/wss/v1.1/wss-v1.1-spec-errata-os-KerberosTokenProfile.pdf
The document describes the use of Kerberos tokens with respect to WS-Security. It specifies how to encode Kerberos tickets in SOAP messages and how to use these tokens
for digital signatures and encryption.
This authentication method was not used during OWS4.
8.1.3 PKI X509 Certificates
An X.509 certificate specifies a binding between a public key and a set of attributes that includes at least a subject name, issuer name, serial number and validity interval. Public
Key Infrastructures based on X.509 certificates are widely deployed today for authentication, usually by means of digital signatures, and for encryption.
The use of the X.509 authentication framework in the context of SOAP web services is described in the X.509 Token Profile v1.1 with errata, available at the following address:
http://docs.oasis-open.org/wss/v1.1/wss-v1.1-spec-errata-os-x509TokenProfile.pdf The document describes how X.509 certificates, or references to them, can be attached to
SOAP messages. Furthermore, the document describes how digital signature and encryption blocks can reference keys attached in this fashion.
Copyright © 2007 Open Geospatial Consortium 37
If a digital signature verifies and the key used for the digital signature is associated with an identity, a service provider can assert the identity of the message emitter using the X.509 certificate attached to the
message, assuming that this certificate is valid (i.e., it chains to a trusted issuer, is within its validity interval and has not been revoked).
Authentication via X.509 certificates has been used during OWS4, see section 9.1.2 for details.
8.1.4 SAML