OGC Web Services Security.

Abstract

Information Assurance (IA)[1] Controls for OGC Web Services (OWS) have been implemented for years. However, these implementations break interoperability, as they are not standardized by OGC Web Service standards. Interoperability between secured OGC Web Services and clients is limited to systems custom built to work with an IA implementation. The goal of the OWS Common Security Standard is to allow the implementation of IA controls and to advertise their existence in an interoperable way with minimal impact to existing implementations using a backwards-compatible approach. That goal is being pursued in two ways: Identify and document IA Controls for supporting authentication in a register maintained through the OGC. Specify how a service can advertise their IA controls through the Service Capabilities Document. This OGC standard applies to OWS deployed on HTTPS. It specifies how conformant OWS Services shall advertise their IA Controls and additional security features. The advertisement uses XML elements that are already part of the Capabilities document structure. This ensures that existing client implementations will not break. The standard also describes the governance process for the IA Control registers, examples of register contents, and descriptions on how this information should be used. Next, this standard defines conformance classes and requirements classes to be used for reaching compliance and their validation via conformance tests. Finally, this standard defines client behavior to ensure interoperable processing of advertised security controls.