Tuesday, December 19, 2006

OWS4 is over! Long live my vacation!

At the beginning of December I was in New Jersey for the demonstration event of the OWS4 project. This weekend I finally finished recording our implementation in this project. The movie can be found here.

There is also a website documenting what we implemented in this project: http://iisdemo.informatik.unibw-muenchen.de/ows4/

Written from at home / Munich / while trying to get over the jet lag

GITA Conference 2007

Next year at the beginning of March, I will be organizing a 4 hour seminar that will be part of the 30th Annual GITA Conference (Thank You GITA! for asking me to organize it) . The seminar is entitled "Security for GeoWeb Services: From Problem Statement to Implementation". Please check the website! I'm really enthusiastic about it, I'm definitively sure that it will be a good one!

Yesterday I finished an overview of the tutorial and thought it might be a good idea to post this here. I'm really happy with how it came out. Do feel free to give me feedback on this!



When it comes to security a lot of people have misconceptions about it. For example, a popular one is that the only goal of computer security is secrecy – keeping the names of the secret agents away from the enemy. In the case of Web services, the emphasis is on sharing and interoperability – which is totally the opposite of secrecy. So, how could this be? Is it actually possible to have secure Web services?

Security in different flavors

The tutorial starts by introducing the different aspects of security: computer security, communications security, physical security. In a Service Oriented world, communications security is important, and this is the type of security that this tutorial focuses on. Because too often it happens that people think that security and access control are one and the same, we continue the by presenting the different challenges that security has to deal with: (1) Authentication – Who the user is?, (2) Authorization (also known as Access Control) – What the user is allowed to do?, (3) Integrity – Ensuring that exchanged data is safe while in transit, (4) Confidentiality – Ensuring that data is not eavesdropped while in transit, (5) Non-Repudiation - Ensuring that a transferred message has been sent / received by the parties claiming to have sent / received the message. Furthermore, in some cases a successful security implementation also needs to deal with the following issues: Identity Management, Delegation, Privacy, Availability and Accounting.

To illustrate all these problems and show how they relate to the geospatial world and geospatial Web services, we developed a scenario (see fig. 1) which is based on real-world applications. In this scenario we introduced four businesses offering services to two clients. The businesses are: a Surveying Agency offering base maps (for profit), an Environment Protection Agency serving maps with different ecological maps (for free), an Electricity Company serving maps with its cable network and a Cadastre Agency serving cadastre information. There are two clients: the (Dumb) Citizen that has different needs and requires data the first three businesses and a Public Notary that requires data from the Cadastre Agency. As it will be seen there are different security requirements for each of the businesses which are driven by various factors such as business model, legislation, etc.

Fig. 1 – Scenario inspired from real-world applications

Security and the existing IT standards & technologies

The second part of the tutorial will be oriented on more technical aspects and will show how the exiting mainstream solutions from the general IT industry can be used to solve some of the requirements identified in the first part of our tutorial. For this part we will focus on securing Web services described by the Open Geospatial Consortium (such as WMS, WFS, WCS, CSW, etc.).

The starting point for this part of the tutorial is the remark that in many aspects geospatial Web services are just like other Web services, and therefore security technologies and standards from organizations such as W3C, IETF and OASIS that are used in the broader IT industry can be successfully applied to the geospatial world. Although there are plenty of standards to choose form, sometimes it is not possible to simply use an existing standard. In order to accommodate the geospatial dimension, sometimes existing standards need to be extended / profiled. We will show existing approaches for this.

As a guide to securing geospatial Web services, we will use the OSI stack (see picture). We will start from the Psychical Layer and go all the way up to the Application Layer and SOAP messaging showing how existing protocols can be leveraged to fulfill security requirements without modifying the protocols specified by the OGC. The following technologies will be showed in practice: SSL/TLS, VPN, Firewalls, HTTP Authentication, Cookies, SOAP and WS-Security, XML Encryption, XML Digital Signature, SAML, XACML / GeoXACML. For each of the presented technologies we will explain which of the requirements identified in the first part it addresses and which of the four businesses from our scenario can make use of it.

Figure 2 – The OSI Protocol Stack

Figure 3 – Security Standards: Plenty to choose from!

Security and the OGC

Within the OGC, security was not an issue until April 2004 when the GeoDRM (Geospatial Digital Rights Management) Working Group was formed. The main achievement of the group is the “Geospatial Digital Rights Management Reference Model (GeoDRM-RM)” which currently awaits approval to become an OGC Abstract Specification in early 2007. It gives the ground for the upcoming activities of the group, which will focus on Implementation Specifications.

Upon maturing concepts for putting together the GeoDRM-RM, it was realized that it is essential to have a strong security system in place that supports the DRM system. So, in June 2006 the Security Working Group was formed. The mission of the WG is to provide a security system for the OGC Reference Architecture, which includes the support for the DRM system, by using existing standards wherever possible.

To support the GeoDRM-RM, two different OGC Web Services Initiatives have been completed: in OWS-3 (2005), the objective was to develop a click-through mechanism for OGC Web Services. Following this initiative, OWS-4 (finished in December 2006) focused on a variety of aspects: from License negotiation to using End-User-Licenses for performing transactions on a Web Feature Service in order to manipulate stored features.

Both initiatives completed the mission under the motto “change OGC specifications as little as possible” and used existing (IT-) standards wherever possible. A lot of the standards described in the second section of the tutorial (WS-Security, WS-Trust, WS-Policy, SAML, XACML) have been used to provide to enhance OGC services with authentication and authorization.


This seminar will introduce the subject of security on the Web including spatial data infrastructure, security requirements for geospatial Web services, communications security and standards, data integrity, and confidentiality. Many facets of the behind-the-scenes activities that exist and function on the Web will be examined. This presentation will take this potentially technical and complex arena and demystify and describe it for all audience levels. Participants will come away with a newfound understanding and an increased comfort level of using Web-based applications.

OGC Newsletter

In the OGC Newsletter for this month, one of my posts is mentioned! Cool!

Trusted Geoservices IPR

I came back from the OGC meeting in San Diego this weekend. Even though this is my third night in Munich, I'm still having difficulties adjusting to the time zone. Yesterday I tried counting sheep and it did not work out, today I'll try to do things I always forget doing (as for example posting my latest presentations on my blog).

Here is the link for it. The presentation describes an Interoperability Program Report (I'm the editor of this document): Trusted Geoservices IPR.

Friday, December 08, 2006

Authentication for OGC Web Services

Next week the OGC's Technical Committee Meeting will be held in San Diego, California. I'm really looking forward for the nice warm weather there. I will be making two presentations next week, so I just thought it might be nice to post them.

The slides for the presentation I'll be holding on Monday morning within the Security Working Group can be found here. I'm always happy on feedback, so don't be shy! The presentation is entitled "Authentication for OGC Web Services" and presents the results of the OGC Web Services Testbed 4.

I'll be also presenting within the GeoDRM Working Group meeting on Wednesdays. The slides for this presentation will follow (when I'll be ready with it).

Written from Jersey City / USA