A number of services might be accessed over HTTP. For the Presence Service, it shall be possible to manage the data on the Presence Server over the Ut reference point, which is based on HTTP. Other services like conferencing, messaging, push, etc. might be accessed using HTTP.
Access to services over HTTP can be done in a secure manner. The present document describes how the access over HTTP can be secured using TLS in the Generic Authentication Architecture.
The present document specifies secure access methods to Network Application Functions (NAF) using HTTP over TLS in the Generic Authentication Architecture (GAA), and provides Stage 2 security requirements, principles and procedures for the access. The present document describes both direct access to an Application Server (AS) and access to an Application Server through an Authentication Proxy (AP).
The following documents contain provisions which, through reference in this text, constitute provisions of the present document.
References are either specific (identified by date of publication, edition number, version number, etc.) or non-specific.
For a specific reference, subsequent revisions do not apply.
For a non-specific reference, the latest version applies. In the case of a reference to a 3GPP document (including a GSM document), a non-specific reference implicitly refers to the latest version of that document in the same Release as the present document.
For the purposes of the present document, the terms and definitions given in TR 21.905 and the following apply. A term defined in the present document takes precedence over the definition of the same term, if any, in TR 21.905.
GBA web session:
A GBA web session consists of a sequence of related HTTP request/response transactions together with some associated server-side state, with the following additional requirement: during a GBA web session, a NAF can identify that the messages relate to the same individual GBA-enabled terminal and a particular browser instance running in that terminal. The lifetime of the session is the lifetime of the Ks_js_NAF, which is equal to or shorter than the Ks_NAF lifetime and is also equal to or shorter than the lifetime of the TLS session that was used to derive the Ks_js_NAF.
HTML5:
HTML5 is a W3C specification that defines the fifth major revision of the Hypertext Markup Language (HTML), the standard language for describing the contents and appearance of Web pages.
HTML form:
An HTML form is a section of an HTML document containing normal content, markup, special elements called controls (checkboxes, radio buttons, text fields, password fields, etc.) and labels on those controls. End users generally "complete" a form on a web page by modifying its controls (entering text, selecting radio buttons, etc.) before submitting the form to an agent for processing (e.g., to a web server).
HTTPS:
For the purpose of this document, HTTPS refers to the general concept of securing the HTTP protocol using TLS. In some contexts, such as in the IETF, the term HTTPS is used to refer to the reserved port number (443) for HTTP/TLS traffic.
Reverse proxy:
A reverse proxy is a web server system that is capable of serving web pages sourced from other web servers (AS), making these pages look like they originated at the reverse proxy.
Same origin policy:
Same origin policy is a security mechanism in a client browser that permits webpage scripts to access their associated website's data and methods but restricts their access to scripts and data stored by other websites.
Session management mechanism:
A mechanism for creating stateful sessions when using the HTTP protocol.