Integrity Non-repudiation Applicable standards to implement the different Requirements

Copyright © 2009 Open Geospatial Consortium, Inc.

using XKMS (see [9]). Whenever X.509 certificates are used, revocation mechanisms are essential, as defined in [15].

An information flow control must be established as part of the persistent control for confidentiality of classified information. For the Secure Sensor Web, the traditional flow control used in the intelligence domain, where two differently classified networks are connected through a network data diode, is not applicable. This is because the creator of a sensor tasking request can decide how much of the task information is confidential and towards which other entity. Again, ABAC with XACML or GeoXACML can be used to ensure the correct flow of information according to the Bell-LaPadula model, independent of the network topology.

10.15.5 Integrity

For a secure Sensor Web, three different aspects of integrity must be taken into consideration: (i) integrity of information while in transit, (ii) integrity of information as part of common sensor tasking requests and (iii) integrity of produced results.

Integrity of information while in transit must be ensured when exchanging messages with services over insecure networks. This can be achieved on the network layer using IPSec or VPN. However, this solution has shortcomings and might not always be possible, as it depends on the constraints of the network topology. For single connections where end-to-end integrity is sufficient, HTTPS can also be used. Another solution, which is independent of the security constraints of the network and its topology, is provided by message level security. Based on SOAP messages, WS-Security defines how to apply XML Digital Signatures to the information or parts of it.

Whenever a user creates a sensor tasking request that is dedicated for common use, it is important to ensure that certain information cannot be modified by others. In order to ensure integrity of information according to the Biba Model, ABAC and XACML, or GeoXACML for geospatial information, can be used. As an alternative, Digital Signatures can be applied.

Whenever the result of a sensor tasking request is ready to be obtained, it is important that the information can never be modified without notice. This can be achieved by digitally signing the information before storage or before sending it over the network. WS-Security and XML Digital Signature (see [7]) can be used to achieve this.
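The following added example (not part of the OGC document) sketches message level integrity over part of a tasking request: a digest over the canonicalized protected element, then a keyed value over the signed-info block, in the style of XML Digital Signature but not interoperable with it. Assumptions: the element names, the sample request and the key are constructed, and HMAC-SHA256 with a shared key stands in for the asymmetric signature, so it shows modification detection only, not non-repudiation.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed sample; element names are illustrative, not from an OGC schema.
TASK = ('<TaskingRequest><Parameters Id="params"><Sensor>cam-7</Sensor></Parameters>'
        '<Note>free text that other users may edit</Note></TaskingRequest>')
KEY = b"constructed-demo-key"  # assumption: secret shared by signer and verifier

def _c14n(elem):
    """Canonical (C14N 2.0) bytes of one element, so attribute quoting does not matter."""
    return ET.canonicalize(ET.tostring(elem, encoding="unicode")).encode()

def _digest(root, ref_id):
    """Base64 SHA-256 of the single element carrying Id=ref_id."""
    hits = [e for e in root.iter() if e.get("Id") == ref_id]
    if len(hits) != 1:  # a duplicated Id could point the reference at other content
        raise ValueError("referenced Id must occur exactly once")
    return base64.b64encode(hashlib.sha256(_c14n(hits[0])).digest())

def _mac(info, key):
    """Base64 HMAC-SHA256 over the canonical SignedInfo element."""
    return base64.b64encode(hmac.new(key, _c14n(info), hashlib.sha256).digest())

def sign(xml_text, ref_id, key):
    """Append a Signature element that covers only the element with Id=ref_id."""
    root = ET.fromstring(xml_text)
    sig = ET.SubElement(root, "Signature")
    info = ET.SubElement(sig, "SignedInfo")
    ref = ET.SubElement(info, "Reference", URI="#" + ref_id)
    ET.SubElement(ref, "DigestValue").text = _digest(root, ref_id).decode()
    ET.SubElement(sig, "SignatureValue").text = _mac(info, key).decode()
    return ET.tostring(root, encoding="unicode")

def verify(xml_text, key):
    """True only if the referenced part and the SignedInfo are both unmodified."""
    try:
        root = ET.fromstring(xml_text)
        info = root.find("Signature/SignedInfo")
        ref = info.find("Reference")
        want = _digest(root, ref.get("URI")[1:])
        ok = hmac.compare_digest(want, ref.findtext("DigestValue", "").encode())
        got = root.findtext("Signature/SignatureValue", "").encode()
        return ok and hmac.compare_digest(_mac(info, key), got)
    except (AttributeError, TypeError, ValueError, ET.ParseError):
        return False  # missing or malformed signature structure counts as a failure
```

Only the `Parameters` element is covered, so the `Note` element stays editable while any change to the protected part, or to the stored digest, makes `verify` return `False`.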

10.15.6 Non-repudiation

For a secure Sensor Web, different scenarios exist where non-repudiation of communication is applicable. For example, the creator of a sensor tasking request wants to be sure that the task is received by the operation control centre and that he gets informed upon completion. Also, non-repudiation is required for communication of classified produced observation data. Here, the client must acknowledge receipt of the downloaded observation data. Non-repudiation is also important for financial transactions associated with commercial use of dual-use observation data. In order to ensure non-repudiation, trusted audit is required. In addition, the OASIS Committee Draft WS-Reliable Messaging (see [38]) and the standards WS-Security (see [5]), WS-Trust (see [36]) and WS-Addressing (see [31]) can be used.

10.15.7 Audit and Alarms