
Copyright © 2009 Open Geospatial Consortium, Inc. 129

produced observation data. Here, the client must acknowledge receipt of the downloaded observation data. Non-repudiation is also important for financial transactions associated with the commercial use of dual-use observation data. In order to ensure non-repudiation, a trusted audit is required. In addition, the OASIS Committee Draft WS-ReliableMessaging (see [38]) and the standards WS-Security (see [5]), WS-Trust (see [36]) and WS-Addressing (see [31]) can be used.

10.15.7 Audit and Alarms

For the purpose of creating trusted log files for audit, it is essential to have a third party that stamps communicated messages with tamper-resistant information at both the sender and the receiver side of the communication. This protocol functionality is one possible implementation for ensuring non-repudiation of a communication. There is currently no known standard that defines how to do this for secure messages. However, the principle is that specific metadata of the communication, or even the entire message traffic, is digitally signed by the trusted audit components, which ensures the integrity of the logged information.

For a policy-based Access Control system based on XACML or GeoXACML policies, certain conditions can be defined to fire off alarms. This makes it possible to inform the personnel in charge (administrators) of violations of the enforced policies.

In addition, it is important for a secure Service Oriented Architecture that communication with services, or between services, takes place only if certain conditions are met. WS-Policy (see [33]), WS-PolicyAttachment (see [34]) and WS-SecurityPolicy (see [35]) can be used to express these constraints, and WS-MakeConnection (see [40]) can be used to establish a secure communication. WS-MetadataExchange (see [42]) can be used to structure the messages that are exchanged during the connection negotiation sequence. The pure use of WS-Security is limited to asymmetric encryption of messages to ensure confidentiality and integrity, which has a drawback on performance. In order to use symmetric encryption to ensure message integrity and confidentiality for a sequence of messages, WS-SecureConversation (see [37]) can be used.
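As an added example (not part of the OGC report), the following Python sketches such a trusted audit component: it stamps only metadata plus a digest of each message at the sender and receiver side, verifies the stamps later, and reconciles the two logs so that an unacknowledged delivery, a disagreement about what was transferred, or a log entry altered after the fact is detected. It assumes an HMAC under a key held solely by the auditor in place of the digital signature the report describes, and hypothetical host names; a deployed component would use an asymmetric signature (e.g. XML Signature as used by WS-Security) so that verifiers need no secret key.

```python
import hashlib
import hmac
import json

class TrustedAuditor:
    # Third-party audit component stamping message metadata at sender and receiver; the
    # HMAC-SHA256 under an auditor-only key stands in for the report's digital signature (assumption).
    def __init__(self, key):
        self._key = key
    def _tag(self, metadata):
        # Fixed key order and separators so every party stamps/verifies identical bytes.
        canonical = json.dumps(metadata, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._key, canonical, hashlib.sha256).hexdigest()
    def stamp(self, side, message_id, sender, receiver, message, timestamp):
        # Log only metadata plus a digest of the message, never the payload itself.
        metadata = {"side": side, "message_id": message_id, "sender": sender,
                    "receiver": receiver, "timestamp": timestamp,
                    "digest": hashlib.sha256(message).hexdigest()}
        return {"metadata": metadata, "stamp": self._tag(metadata)}
    def verify(self, record):
        # True only if the logged metadata is unchanged since it was stamped.
        return hmac.compare_digest(self._tag(record["metadata"]), record["stamp"])

def reconcile(auditor, sender_log, receiver_log):
    # Pair both sides' records by message id: "ok", "tampered" (a stamp fails),
    # "mismatch" (sides disagree on content) or "unacknowledged" (no receiver record).
    received = {r["metadata"]["message_id"]: r for r in receiver_log}
    status = {}
    for s in sender_log:
        mid = s["metadata"]["message_id"]
        r = received.get(mid)
        if not auditor.verify(s) or (r is not None and not auditor.verify(r)):
            status[mid] = "tampered"
        elif r is None:
            status[mid] = "unacknowledged"
        elif r["metadata"]["digest"] != s["metadata"]["digest"]:
            status[mid] = "mismatch"
        else:
            status[mid] = "ok"
    return status

def demo():
    # Constructed sample traffic between hypothetical hosts sos.example and client.example.
    auditor = TrustedAuditor(b"constructed-audit-key")
    obs = b"<om:Observation>42.0</om:Observation>"
    log = lambda side, mid, body, t: auditor.stamp(side, mid, "sos.example", "client.example", body, t)
    sent = [log("sender", "m1", obs, "10:00Z"), log("sender", "m2", obs, "10:01Z"), log("sender", "m3", obs, "10:02Z")]
    recv = [log("receiver", "m1", obs, "10:00Z"), log("receiver", "m2", obs + b"!", "10:01Z")]
    sent[2]["metadata"]["receiver"] = "other.example"  # audit entry altered after stamping
    return reconcile(auditor, sent, recv)
```

Running `demo()` classifies m1 as delivered intact, m2 as a content mismatch between the two sides and m3 as a tampered audit entry.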

10.16 Implementing Integrity and Confidentiality

For possible future certification, basically three different architectural alternatives exist to implement confidentiality and integrity:

10.16.1 Rely on secure Network and Access Control

The certification of this approach is based on the foundations of existing procedures for certifying network security. Therefore, no additional cryptographic functionality is required to secure messages in transit with respect to integrity and confidentiality. By doing so, it is assumed that no man-in-the-middle attacks will take place on messages in transit, because the communication takes place over a secure network.

In order to secure the integrity and confidentiality of information while it is stored on services, Access Control is required. After authentication by username/password, a user can access certain information as defined in the policy of the associated Access Control System. With a view to certification, it is important to note that authentication is also not based on keys. The requirements for certification and the required certification procedure have yet to be developed.

10.16.2 Secure Messages in Transit based on PKI and Access Control

The certification of this approach is based on an existing, already certified Public Key Infrastructure (PKI). Based on the keys of the PKI, optional message integrity and confidentiality can be ensured by applying the WS-Security standard from OASIS. In addition, the X.509 certificates of the PKI can be used for authentication to prove the identities of users, clients, applications and services. This identity information can be one input relevant for Access Control. The requirements for certification and the required certification procedure have yet to be developed.

10.16.3 Use of Security Token Service and Access Control

The use of a Security Token Service (STS) enables two things: it provides security tokens that can be used for ensuring message integrity and confidentiality, and it provides authentication tokens and identity pseudonyms, relevant for identity federation. This approach does not require key management as a PKI does, because the STS provides the applicable tokens for the different purposes. The requirements for certification and the required certification procedure have yet to be developed.

11 Discussion of the applicability of the security requirements and their relationship to the identified attacks

11.1.1 Applicability of Authentication