Access Control Digital Rights Management DRM Confidentiality

Copyright © 2009 Open Geospatial Consortium, Inc.

see [18] – can be used to collect, distribute and process biographic identity information. SAML integration with LDAP (see [17]) is possible in a seamless manner.

10.15.2 Access Control

Access control is one aspect of securing information while it is stored on a service where it is accessible to users and other services. For cross-domain, cross-jurisdiction access control, it is important to use a standard that supports the interoperable exchange of access rights, the collaborative process of defining them, and their automated electronic enforcement. The eXtensible Access Control Markup Language (XACML) from OASIS (see [19] - [22]) or the Geospatial eXtensible Access Control Markup Language (GeoXACML) from OGC (see [23] - [25]) support that. SAML also supports Kerberos-based authentication (see [16]).

10.15.3 Digital Rights Management DRM

DRM provides functions to control the use of classified data and to prevent its unauthorized disclosure even after it has been obtained and stored on a local computer. This is particularly important for observation data that is produced for dual use. This persistent protection can be achieved by a DRM or GeoDRM system. In addition to strong encryption to protect the data, licenses must be issued that contain the usage rights and thereby prevent unauthorized use and disclosure. Up to now, Rights Expression Language standards exist for the expression of non-geo-specific licenses (see [26] - [28]). There is as of today no standard available for expressing licensed rights for geospatial data.

10.15.4 Confidentiality

For a secure Sensor Web, two different aspects of confidentiality must be taken into consideration: (i) confidentiality of information while in transit and (ii) confidentiality of classified information.

Confidentiality of information while in transit must be ensured when exchanging messages with services over insecure networks. This can be achieved on the network layer using IPSec [2] or a VPN. However, this solution has shortcomings and might not always be possible, as it depends on the constraints of the network topology. For single connections where end-to-end confidentiality is sufficient, HTTPS (see [3] and [4]) can also be used. Another solution that is independent of the security constraints of the network and its topology is provided by message-level security. Based on SOAP messages, WS-Security (see [5]) defines how to apply XML Encryption (see [8]) to the information or parts of it. XML Encryption and XML Digital Signatures are based on X.509 (see [14]) and rely on a Public Key Infrastructure that can be established and maintained using XKMS (see [9]). Whenever X.509 certificates are used, revocation mechanisms are essential, as defined in [15].

An information flow control must be established as part of the persistent control for confidentiality of classified information. For the Secure Sensor Web, the traditional flow control in the intelligence domain between two differently classified networks through a network data diode is not applicable. This is because the creator of a sensor tasking request can decide how much of the task information is confidential and to which other entity it may be released. Again, ABAC with XACML or GeoXACML can be used to ensure the correct flow of information according to the Bell-La Padula model, independent of the network topology.
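The attribute-based enforcement of the Bell-La Padula rules described above, written out as an added example that is not part of the OGC document: a minimal policy decision point in plain Python standing in for what an XACML/GeoXACML policy would express. The clearance levels, the attribute names (clearance, org, releasable_to, bbox) and the sample tasking request are assumptions constructed for illustration.

```python
"""Minimal ABAC decision point enforcing Bell-La Padula on sensor tasking data.

Added example, not from the OGC document. Levels, attribute names and the
sample request below are constructed for illustration only.
"""
from dataclasses import dataclass

# Constructed linear ordering of classification levels (lowest to highest).
LEVELS = {"unclassified": 0, "restricted": 1, "confidential": 2, "secret": 3}


@dataclass(frozen=True)
class Subject:
    clearance: str
    org: str  # jurisdiction or agency the requester belongs to


@dataclass(frozen=True)
class Resource:
    classification: str
    releasable_to: frozenset  # orgs the task creator chose to share with
    bbox: tuple  # (min_lon, min_lat, max_lon, max_lat) of the tasked area


def dominates(a, b):
    """True if level a is at least as high as level b in the lattice."""
    return LEVELS[a] >= LEVELS[b]


def _within(inner, outer):
    """GeoXACML-style spatial test: inner bbox lies entirely inside outer."""
    return (outer[0] <= inner[0] and outer[1] <= inner[1]
            and inner[2] <= outer[2] and inner[3] <= outer[3])


def decide(subject, action, resource, request_bbox=None):
    """Return 'Permit' or 'Deny' like an XACML PDP would.

    read : no read up   (subject clearance must dominate resource level)
    write: no write down (resource level must dominate subject clearance)
    Both also require the releasability attribute set by the task creator to
    include the subject's org, and any requested area to lie inside the task.
    """
    if subject.org not in resource.releasable_to:
        return "Deny"
    if request_bbox is not None and not _within(request_bbox, resource.bbox):
        return "Deny"
    if action == "read":
        return "Permit" if dominates(subject.clearance, resource.classification) else "Deny"
    if action == "write":
        return "Permit" if dominates(resource.classification, subject.clearance) else "Deny"
    return "Deny"  # unknown action: fail closed


# Constructed sample: a 'confidential' tasking request shared with agencyA only.
TASK = Resource("confidential", frozenset({"agencyA"}), (7.0, 50.6, 7.2, 50.8))
```

Because the decision depends only on subject and resource attributes, the same policy yields the same result whichever network segment the request arrives from, which is the point of the topology-independent flow control above.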

10.15.5 Integrity