Copyright © 2009 Open Geospatial Consortium, Inc. 137
For the implementation of trusted Audit and Alarms, it is also relevant to have a PKI in place and trusted third parties that undertake and guarantee the correctness and
confidentiality of audit information.
13.2 Services shall support SOAP and WS-Security
In simple architectures that are based on transparent chaining, only direct communication links exist between the client and many services. Here, the use of HTTPS can be
leveraged in order to secure the communication and the security context information that is exchanged between the client and the secured service.
But in a more generic architecture, where a translucent or even opaque chaning of services shall be possible, the use of SOAP based interfaces leveraging WS-Securtiy for
securing the communication is recommended. Depending on the security model that is to be supported, X.509 certificates or other types of tokens must be created. This requires
naturally the existing of the associated infrastructure.
13.3 Describe security constraints for the service using WS-PolicySecurePolicy
Whenever a secured service, e.g. a Sensor Web Service, is provided, it is important to give the caller client or another service relevant and sufficient information to
understand the security constraints in order to execute the service. It is recommended to use WS-Policy or WS-SecurityPolicy to describe the constraints of the service. The link
to such a policy document can be hooked into the WSDL description of the service.
13.4 Protect Transient Handles
Whenever a client hence operator of a sensor web has to achieve a particular takes, it typically involve to call different interfaces of either the same service or of different
services. As the services are stateless, the relevant state information must be stored on the client side. This is done by so called transient handles. As the undertaken evaluation has
shown, it is extremely important to protect these handles towards tampering and unauthorized reading as the effect can have different consequences on the asset.
For example, the SAS returns a PublicationID, SubscriptionID and an XMPP MUC URI; the SOS returns SensorID, AssignedSensorID, ObervationID, ObservationTemplateID;
the SPS returns sensorID and taskID to the client. Transporting these transient handles in clear text creates the vulnerability that they can be read by an attacker and used in the
context of another request. It is therefore necessary to protect this part of the message in a specific way. We thing that the use of SAML profiles is a sound approach, but we also
thing that further investigations are relevant to proof this.
13.5 Support AssetIdentity based Access Control
In general, all interface operations except the GetCapabilities operation should be protected by access control. But as we have shown in the evaluation sections of this ER,
the access is not simply to be regulated for registered users. Instead, the Discretionary Access Rights Management must be used to regulate the access. For example, upon a
successful Submit operation with the SPS, the created task is owned by the caller. And
138 Copyright © 2009 Open Geospatial Consortium, Inc.
therefore, only the owner – or all identites to which the owner has granted rights to – can
call Cancel or Modify for that task. Any other user will receive deny.
13.6 Support Single-Sign-On and Identity Management Federations