
6.1 Introduction

Depending on the underlying physical network, messages may be encrypted at lower layers, in addition to the security features provided specifically for the application layer. This clause describes the security features that are provided at the application layer and that are REQUIRED for use over all networks.


Securing transactions between clients and servers is based on using HTTP over TLS (IETF RFC 2818) (also known as HTTPS) using TLS version 1.2 (IETF RFC 5246). The TLS records are then transported using TCP. The TLS handshake mechanism provides mutual authentication based on device certificates or self-signed certificates and TLS records provide encryption and message authentication using the AES-CCM mode of operation. Access control lists allow or deny use of resources based on authentication level and address information. A registration list is used for authorizing clients.
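The following added example (not part of the specification text) shows how a server-side TLS configuration matching this clause could be built and audited with Python's `ssl` module. The function names are hypothetical, and the OpenSSL cipher string `AESCCM` is an assumption chosen here because the clause names the AES-CCM mode but no specific cipher suite.

```python
import ssl

TLS12 = ssl.TLSVersion.TLSv1_2

def build_server_context(certfile=None, keyfile=None, cafile=None):
    """Server context following the clause: TLS 1.2, mutual auth, AES-CCM."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = TLS12          # pin the version to TLS 1.2 only
    ctx.maximum_version = TLS12
    ctx.verify_mode = ssl.CERT_REQUIRED  # client must present a certificate
    ctx.set_ciphers("AESCCM")            # assumption: OpenSSL AES-CCM keyword
    if certfile:                         # device certificate and private key
        ctx.load_cert_chain(certfile, keyfile)
    if cafile:                           # trust anchors for client certificates;
        ctx.load_verify_locations(cafile)  # a self-signed peer cert is listed here
    return ctx

def audit_context(ctx):
    """Return a list of deviations from the clause; an empty list means none."""
    findings = []
    if ctx.minimum_version != TLS12 or ctx.maximum_version != TLS12:
        findings.append("protocol version is not pinned to TLS 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("client certificate not required (no mutual authentication)")
    # TLS 1.3 suites are always listed by OpenSSL but cannot be negotiated
    # once the maximum version is TLS 1.2, so they are skipped here.
    non_ccm = sorted(c["name"] for c in ctx.get_ciphers()
                     if c["protocol"] != "TLSv1.3" and "CCM" not in c["name"])
    if non_ccm:
        findings.append("non-AES-CCM suites enabled, e.g. " + non_ccm[0])
    return findings

if __name__ == "__main__":
    # A general-purpose default context, audited against the clause.
    default_ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    for finding in audit_context(default_ctx):
        print("default context:", finding)
    print("hardened context findings:", audit_context(build_server_context()))
```

The access control list and registration list checks described in the clause happen after the handshake and are not covered by this configuration.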