Security

Since TaToo will facilitate discovery and access of a wide range of environmental resources and web-based services we have to think about how security can be provided in such an environment. Some of those services or resources may require a registration or usage fee, may be subject to copyright or lawful restrictions or may not be available to the public for some reason (Dihé et.al, 2010).

A service provider who is willing to make non-public services discoverable, accessible and tag-able by TaToo should be offered the possibility to control who can do what with his services. But not only the external services and resources accessed by TaToo may require protection. Also the access to TaToo’s public services (e.g. tagging and search) must be regulated to prevent potential misuse.

Access control

TaToo services, especially those services having public interfaces and allowing manipulation meta-information have to be access controlled. Access control encompasses registration / management of identities (“users”), their authentication (“login”) and the enforcement of the access restrictions (authorisation).

Terms and Definitions

• Access control: Ability to enforce a policy that identifies permissible actions on a particular resource by a particular subject.
• Authentication: Concerns the identity of the participants in an exchange. Authentication refers to the means by which one participant can be assured of the identity of other participants.
• Authorisation: Concerns the legitimacy of the interaction. Authorization refers to the means by which an owner of a resource may be assured that the information and actions that are exchanged are either explicitly or implicitly approved.
• Policy: Representation of a constraint or condition on the use, deployment, or description of a resource.