IT-Standards and Technologies in the context of security and access control for OpenGIS® Web Services

The realization of particular security requirements highly depend on the existing architecture and on the usage of the geographic information. In order to provide protected geographic information over the Internet does not require geo-specific standards with one exception: If dealing with access control based on the geographic characteristics of the data. So the main task is to apply IT standards to the “geo world”. In order to achieve fulfilment on some typical requirements, the following standards are important:

·         Confidentiality for the communication between services is not only important for exchanging personal information as it is applicable for cadastre inquiries. For encrypting XML structured information to achieve confidentiality, the XML Encryption standard of the W3C can be used. It uses X.509 certificates, as proposed by the IETF in the RFC 3280.

·         Integrity is important for all communication where the information is legally binding. In order to achieve integrity for XML structured information, XML Digital Signature a standard from the W3C can be used. As XML Encryption, it is based on X.509 certificates.

·         Authentication of users (and services or clients) is important to establish access control. The  Securtiy Assertion Markup Language (SAML) a standard from OASIS can be used in a Service Oritented Architecture.

·         Access control for geographic information requires the possibility to declare and enforce access rights, perhaps based on the geographic characteristics of the information. The OASIS standard eXtensible Access Control Markup Language (XACML) provides the capabilities to declare and enforce access rights for XML structured information. But it lacks to do so for geographic information if the rights depend on geometry. The Geospatial XACML (GeoXACML) defines a geo-specific extension to XACML in order to support this. As of today (05/18/2007) GeoXACML exists as a Draft Implementation Specification published for a 30 day public comment (