The delegation processes for transfer rights license agreements are activated using delegatet property, where the rights receiver owns the delegated rights but the rights owner might lose the rights temporarily or permanently. This is not true for some rights delegation scenarios where the rights owner and the rights receiver might have their rights concurrently. Thus, we create a rights duplicate delegation, indicated as delegated from a variety of transfer rights.
In this rights duplicate delegation property delegated, the rights original owner, concurrently has his or her own rights with the rights receiver after the rights duplicate delegation process is completed.
5.1 Prerequisites Expressions
We found that downstream rights receivers are receiving less rights in the rights delegation chain. An original content creator usually specifies his or her usage and transfer rights delegation with a reasonable number of depth d by constraint of ≤∃d hasT ransf erCount, where d is a constant and is decreased by one for each delegation. Thus, the rights delegation process can be enabled as long as the condition ≥1hasT ransf erCount is truth in a delegation policy (see rule (o4) in Section 5.2). In summary, we use extended OWL’s unary arithmetic operators to express a prerequisite that can be a constraint, a requirement, a condition, or even a delegation depth.
Constraints for prerequisite such as, prepaid conditions, permissible count of upper (or exact) limit of usage rights, permissible delegation depth of transfer rights, and the validity time interval of usage rights, are shown in the following:
– MaxCardinality:≤∃uhasU sageCount∃p.Asset – MaxCardinality: ≤∃thasT ransf erCount∃p.Asset – Cardinality: =∃ahasP repaid∃p.P arty
– Validity of time interval ∀T ime ∈ (t1, t2):
≥∃t1 hasDateT ime∃p.T ime ∧ ∃ ≤t2 hasDateT ime∃p.T ime
Sometimes, the usage rights prerequisite is enforced by a principal who is in charge of a counting action that collects all necessary mutable facts from the downstream rights receivers in the delegation chain. We show conditions as the following, where ∃ =∃uhasU sageCount∃p.Asset, ∃ ≥∃t1hasDateT ime∃p.T ime,
∃ ≤∃t2 hasDateT ime∃p.T ime, and ∃hasP repaid∃p.P arty, indicate which prin-cipal p is in charge of mutable constraint parameter computations and policy compliance checking [15]. All of these will be demonstrated in Section 5.3.
5.2 Usage Rights Transfer Delegation
The hasT ransf erRights is an abstract property describing the transfer rights delegation of usage rights for a principal x for an asset r. The domain class of property hasT ransf erRights is P arty and the range class is Asset. P rino
might use delegategto transfer usage rights only to P rinui, where i ∈ (1, · · · , n), but does not delegate his transfer rights to P rinui, where transfer rights ∈ (hasSelltRights, · · · ). Therefore, each P rinui cannot further delegate his usage rights to another P rinuj (see rule (o2)). If we use delegatetproperty, then any one of the transfer rights permissions ∈ (hasSelltRights, · · · ) and usage rights can be further propagated (see rule (o4)). The depth of transfer delegation can be specified in class Asset with cardinality shown as ∃ =∃nhasT ransf erCount.eBook, which indicates that the transfer rights permission for eBook can be propagated with the exact delegation depth of n:
– If party x has both usage and transfer rights for asset r, then he or she is allowed to transfer full (or partial) of both rights to another party but he or
she can not keep his or her own rights after delegation:
hasU sageRights(?x, ?r) ∧ hasT ransf erRights(?x, ?r)
=⇒ hasU sageT ransf erRights(?x, ?r) ←− (o1)
– Party x can only transfer his or her usage rights for asset r to another party y if his or her cumulative depleted usage count <∃u, where u is a constant indicating a count of upper limit of usage rights. Here, party y can have delegated usage rights but cannot have further delegation rights:
hasU sageT ransf erRights(?x, ?r)∧delegateg(?x, ?y)∧hasP repaid(?y, ?a)∧
<∃uhasU sageCount(?r) =⇒ hasU sageRights(?y, ?r) ←− (o2)
– If party x has usage rights permission for resource r and the cumulative depleted usage count is <∃u. Furthermore, party x’s current local date and time t ∈ (t1, t2) , then he or she is permitted to have these particular usage action, such as play, display, or print, etc:
hasU sageRights(?x, ?r)∧ <∃uhasU sageCount(?r)∧ ≥∃t1 hasDateT ime(?t)
∧ ≤∃t2 hasDateT ime(?t) =⇒ P ermitted(U sage, ?r) ←− (o3)
– Party x can transfer his or her usage and transfer rights for asset r to an-other party y so party y can have x’s both rights to transfer rights forward as long as x is not the final node in a delegation chain:
hasU sageT ransf erRights(?x, ?r)∧delegatet(?x, ?y)∧hasP repaid(?y, ?a)∧
≥1hasT ransf erCount(?r) =⇒ hasU sageT ransf erRights(?y, ?r) ←− (o4)
5.3 A Usage Rights Delegation Scenario
The following license agreement for a usage rights delegation scenario is adopted and modified from [18]. For reasons of space, a detailed discussion of the impli-cations of our complete operational semantics for this scenario is left to the full paper for further study. This might need a speech-act agent communication lan-guage to represent message passing ontology, which would then allow our agents to automatically exchange interactive information among themselves as shown in [11]:
– Natural Language (NL) denotation of license agreement:
Content distributor Charlie c makes an agreement with two content con-sumers, Alice a and Bob b. After each paying five dollars, and then both receiving acknowledgement from Charlie, Alice and Bob are given the usage rights and may each display an eBook asset, Harry Potter and the Deathly Hallows, up to five times. They may each print it only once. However, the
total number of actions, either displays or prints done by Alice and Bob, may be at most ten. The usage rights validity period is between 2007/05/07/09:00 - 2007/05/10/24:00.
– Human Readable Abstract Syntax denotation of license agreement:
agreement
between Charlie and {Alice,Bob}
about Harry Potter and the Deathly Hallows
with inSequence[prePay[5.00],attribution[Charlie]]
|==> not[and[Time < 2007/05/07/09:00,Time > 2007/05/10/24:00]]
|==> with count[10] ==>
and[forEachMember[{Alice,Bob};count[5]] ==> display, forEachMember[{Alice,Bob};count[1]] ==> print]
– First Order Logic (FOL) denotation of license agreement:
∀x((x = Alice ∨ x = Bob) =⇒
∃t1∃t2(t1< t2∧ P aid(5, t1) ∧ Attributed(Charlie, t2))) =⇒
∀t ∧ hasDateT ime(t) ≥ 2007/05/07/09 : 00 ∧ hasDateT ime(t) ≤ 2007/05/10/24 : 00 =⇒
count(Alice, id1) + count(Alice, id2) + count(Bob, id1) + count(Bob, id2) < 10 =⇒
(count(Alice, id1) < 5∧count(Bob, id1) < 5 =⇒ Permitted(x, display, ebook))
∧ (count(Alice, id2) < 1∧count(Bob, id2) < 1 =⇒ Permitted(x, print, ebook))) We use the ontologies+rules (SWRL) approach to enforce the semantics of rights delegation policies instead of the above pure FOL-based formula.
The following ontology, rules, and facts are a partial view from distributor Charlie c based on Fig. 1 and Fig. 2. In the bootstrapping stage, Charlie c has all of the usage and transfer (or duplicate) rights for the eBook class, in-cluding HarryPotter and the Deathly Hallows, which are shown as the facts in the following page. Ontology statements (c1) - (c3) indicate the constraints of associated usage counts shown in the above FOL formula. After consumers Alice a and Bob b paying five dollars, then we use rules (c4) - (c7) to derive facts (c8) and (c9) that become Alice0s a facts (a4) and (a5) and derive facts (c10) and (c11) that become Bob0s b facts (b2) and (b3). Rules (c4) and (c5) are specialized cases for rule (o1), while rules (c6) and (c7) are specialized cases for rule (o2), shown in Section 5.2. The mutable facts (c12) - (c14) in-dicate a snapshot of current usage, display, and print counts collected from both Alice a and Bob b; they will be taken into summation by Charlie c.
– SWRL (Ontologies + Rules) denotation of license agreement:
• Content distributor Charlie0s c site:
∗ Ontology:
hasDisplayRights v hasU sageRights hasP rintRights v hasU sageRights
≤ (hasDisplayCount{a,b}.eBook, hasU sageCountc.eBook)
≤ (hasP rintCount{a,b}.eBook, hasU sageCountc.eBook) {Alice, Bob}domain←− hasU sageRightsrange−→ R1,
where R1=≤10hasU sageCountc
∧ ≥2007/05/07/0900hasDateT imec.T ime
∧ ≤2007/05/10/2400hasDateT imec.T ime
∃ =α∃ = sum(∃ ≤5hasDisplayCounti.{HarryP otter}), i ∈ {a, b}, where α: ∃hasDisplayCountc.{HarryP otter} ←− (c1)
∃ =β ∃ = sum(∃ ≤1hasP rintCounti.{HarryP otter}), i ∈ {a, b}, where β: ∃hasP rintCountc.{HarryP otter} ←− (c2)
∃ =δ sum(α, β),
where δ : ∃hasU sageCountc{HarryP otter} ←− (c3)
∗ Rules:
hasDisplayRights(?x, ?r) ∧ hasSelldRights(?x, ?r)
=⇒ hasDisplaySelldRights(?x, ?r) ←− (c4) hasP rintRights(?x, ?r) ∧ hasSelldRights(?x, ?r)
=⇒ hasP rintSelldRights(?x, ?r) ←− (c5) hasDisplaySelldRights(?x, ?r) ∧ delegateg(?x, ?y)
∧ hasP repaid(?y, ?a)∧ =⇒ hasDisplayRights(?y, ?r) ←− (c6) hasP rintSelldRights(?x, ?r) ∧ delegateg(?x, ?y)
∧ hasP repaid(?y, ?a) =⇒ hasP rintRights(?y, ?r) ←− (c7)
∗ Facts:
eBook(HarryP otter)
hasDisplayRights(Charlie, HarryP otter) hasP rintRights(Charlie, HarryP otter) hasSelldRights(Charlie, HarryP otter)
hasDisplaySelldRights(Charlie, HarryP otter) hasP rintSelldRights(Charlie, HarryP otter)
∃ =5hasP repaid(Alice)
hasDisplayRights(Alice, HarryP otter) ←− (c8) hasP rintRights(Alice, HarryP otter) ←− (c9)
∃ =5hasP repaid(Bob)
hasDisplayRights(Bob, HarryP otter) ←− (c10) hasP rintRights(Bob, HarryP otter) ←− (c11) delegateg(Charlie, Alice)
delegateg(Charlie, Bob)
∃ =7hasU sageCountc(HarryP otter) ←− (c12)
∃ =6hasDisplayCountc(HarryP otter) ←− (c13)
∃ =1hasP rintCountc(HarryP otter) ←− (c14)
In the bootstrapping stage, all ontology statements, rules, and facts are described as license agreements and will be sent to Alice a and Bob b from Charlie0s c. Facts (a4) and (a5) and facts (b2) and (b3) were previously inferenced on Charlie c site via rule (c6) and (c7), where they were sepa-rately sent to Alice a and Bob b. Each time Alice a requests to display or print permission for HarryP otter, then associated rules (a1) or (a2) will be enforced to check whether conditions on the rule antecedents are all true. In fact, rules (a1) and (a2) are specialized cases of rule (o3) in Sec-tion 5.2. For example, if Alice a asks permission to print HarryP otter, her request will be granted because facts (a5), (a7), and (a8) imply that all of the conditions on rule (a2)0s antecedents are all true. Therefore, the conclusion P ermitteda(P rint, HarryP otter) is true. On the other hand, if Bob b asks permission to print HarryP otter, it will not be granted be-cause mutable fact (b5) implies that <1hasP rintCountb(HarryP otter) is false, so the conclusion P ermittedb(P rint, HarryP otter) can not be derived. In our policy framework, we assume that what is not explicitly permitted is forbidden. Therefore, a permission request to print will be denied.
• Content consumer Alice0s a site:
∗ Ontology:
Similar to content distributor Charlie0s c site’s ontology, except the usage rights constraints are local to Alice a
∗ Rules:
hasDisplayRights(?x, ?r)∧ <10hasU sageCountc(?r)
∧ <5hasDisplayCounta(?r)∧ ≥2007/05/07/09:00 hasDateT ime(?t)
∧ ≤2007/05/10:24:00 hasDateT ime(?t)
=⇒ P ermitteda(Display, ?r) ←− (a1)
hasP rintRights(?x, ?r)∧ <10hasU sageCountc(?r)
∧ <1hasP rintCounta(?r)
∧ ≥2007/05/07/09:00 hasDateT ime(?t)
∧ ≤2007/05/10:24:00 hasDateT ime(?t)
=⇒ P ermitteda(P rint, ?r) ←− (a2)
∗ Facts:
eBook(HarryP otter) ←− (a3)
hasDisplayRights(Alice, HarryP otter) ←− (a4) hasP rintRights(Alice, HarryP otter) ←− (a5)
∃ =1 hasDisplayCounta(HarryP otter) ←− (a6)
∃ =0 hasP rintCounta(HarryP otter) ←− (a7)
∃ =7 hasU sageCountc(HarryP otter) ←− (a8) hasDateT imea(2007/05/09/09 : 00) ←− (a9)
• Content consumer Bob0s b site:
∗ Ontology:
Similar to content distributor Charlie0s c site’s ontology, except the usage rights constraints are local to Bob b
∗ Rules:
Similar to content consumer Alice0s a site’s rules, except the condi-tion’s subscript is b in rules (a1) and (a2)
∗ Facts:
eBook(HarryP otter) ←− (b1)
hasDisplayRights(Bob, HarryP otter) ←− (b2) hasP rintRights(Bob, HarryP otter) ←− (b3)
∃ =5 hasDisplayCountb(HarryP otter) ←− (b4)
∃ =1 hasP rintCountb(HarryP otter) ←− (b5)
∃ =7 hasU sageCountc(HarryP otter) ←− (b6)
6 Discussion
In Fig 3, the XML-based rights expression languages (RELs), such as ODRL, XrML, and P3P, are convenient for automatic machine (or agent) processing but do not have formal semantics to represent and enforce access rights permission.
Therefore, policies based on these RELs to describe a license agreement (or contract) are usually written in Natural Language to indicate their meaning for the verification of access rights permission. As a result, these natural language policies sometimes are open to interpretation, which result in ambiguity of policy semantics. In order to remove this problem, people use FOL to represent and reason access rights control policies (see Fig 3). As we know, FOL-based policies have a formal and clear syntax and semantics, even these FOL-based policies usually have to limit their expressive power in order to capture those license agreements that are originally written in English. Unfortunately, policies shown as FOL always require policy writers and readers to be logicians. Furthermore, policies indicated as a generic full FOL may feature compliance checking that may be undecidable for their computation time.
To resolve this dilemma, we are going to explore the expressive power of different FOL-based policies representations to decide which conditions allow us to have both decidable and enforceable semantics capability of rights delega-tion policies. In order to have a decidable and tractable fragment of FOL-based policies to enforce respective compliance checking, we usually restrict policies as datalog Horn rules, where they are negation-free, function-free, and with limited number of parameter parities. Description Logic (DL) is a decidable fragment of
FOL and Logic Program (LP) is closely related to the Horn fragment of FOL.
In general, a full FOL is undecidable and intractable even under the datalog restriction. As shown in [5], Description Logic Programs (DLP) is an expres-sive fragment of FOL and it provides a significant degree of expresexpres-siveness and substantially greater power than the RDF-S fragment of DL. Based on DLP, the Semantic Web Rule Language (SWRL) is considerably more powerful than either the OWL DL ontology language or the datalog Horn style rule language alone because SWRL extends OWL with the basic kinds of datalog Horn rule, which states as predicates are limited to being OWL classes and properties with a maximum parity of two, etc [9].
Fig. 3. A license agreement to denote access rights permission from a variety of policy language representations, such as Natural Language, Controlled Natural Language, First Order Logic (FOL), and Rights Expression Languages (RELs), etc
Policies in datalog Horn rules always assume that what is not explicitly per-mitted is forbidden. In that case, we can not distinguish forbidden access rights from unregulated access rights in a license agreement. Furthermore, we might need function capability in FOL-based policies to support translating English policies to FOL ones. Therefore, a tractable sublanguage, Lithium, with bipo-lars restriction, e.g., no bipolar literals in the FOL rules, was proposed in [8]
to support its representation of denying policies and limited functions in their license agreement policies. Even though the Lithium policies are based on the relaxation of the datalog Horn rules, we still believe that this tractable policy
language is only located somewhere in a small subset of FOL language. There-fore, it still lacks a large portion of OWL-DL and datalog Horn rule expressive power to serve both right delegation ontology and usage (or transfer) rights delegation rules, as shown in Section 4 and Section 5.2.
In [20], KAoS and Rei policy languages were shown as originally from DAML
→ OWL and RDF-S so it is quite trivial that these two policy languages are merely a subset of SWRL. Therefore, the expressive power of KAoS and Rei are less than SWRL because the rights delegation policies cannot be shown as a pure OWL-DL ontology language alone. In [12], Rei was extended to be a policy and delegation framework that includes inter-related resources, policies, policy languages, and meta-policies. However, authorization delegation policies were not explicitly seen in this study.
In this paper, we utilize the power of SWRL combined language to demon-strate the possibility of semantic-driven enforcement of rights delegation policies.
A license agreement for a rights delegation policy is a policy set showing any number of prerequisites and relevant policies. A policy set is composed of facts, ontologies, and rules. These license agreements are distributed by distributor Charlie to consumers Alice and Bob. In this delegation scenario, the usage rights are applied to the entire eBook class instead of merely to the instance of HarryP otter’s eBook. In this policy-aware distributed DRM system, each trusted DRM node should faithfully enforce its rights delegation policies via its
“compliance checking” inference engine.
There are several mutable facts in each node that express a prerequisite’s dy-namic status. These mutable facts will be updated and passed between distribu-tor and consumers whenever a usage rights permission is granted and consumed.
The mutable facts updating activity will be initiated as an Event-Condition-Action (ECA) reaction rule, where event might be triggered by a user’s request or a message’s arrival. The condition is specified in each relevant rights dele-gation rule and the action includes usage rights enforcement and mutable fact updating actions.
7 Conclusions
We have shown that the semantic formal model for an ODRL-based rights dele-gation policy can be enforced by expressing them as a combination of ontologies and rules. Based on ODRL’s expressions and data dictionary, a rights delega-tion ontology is proposed in this study. Furthermore, we also express the rights delegation policy as a set of rules for usage and transfer (or duplicate) rights del-egations. When verifying ODRL formal semantics, our SWRL approach is much more superior to the generic restricted FOL model because of the greater avail-ability of a rights markup language and the higher expressive power of policy compliance checking from our SWRL language. A real usage rights delegation scenario is demonstrated in this paper to justify our formal semantic model.
References
1. Blaze, M., J. Feigenbaum, M. Strauss, Compliance Checking in the PolicyMaker Trust Management System, Pro. of the Financial Cryptography 198. LNCS, 1465, 1998, pp. 254-274.
2. Borgida, A., On the relative expressiveness of description logics and predicate logics, Artificial Intelligence. 82, 1996, pp. 353-367.
3. ContentGuard Inc. eXtensible rights Markup Language (XrML), Version 2.0.
4. Garcia, R., I. Gallego, and J. Delgado, Formalising ODRL Semantics using Web Ontologies, 2nd International ODRL Workshop. Lisbon, Portugal, 2005.
5. Grosof, N. B., et al., Description Logic Programs: Combining Logic Programs with Description Logic, WWW 2003. Budapest, Hungary, 2003, pp. 48-65.
6. Guth, S., G. Neumann, and M. Strembeck, Experiences with the Enforcement of Access Rights Extracted from ODRL-based Digital Contracts, DRM’03. 2003.
7. Halpern, Y. J. and V. Weissman, A Formal Foundation for XrML, Proc. of 17th IEEE Computer Security Foundations Workshop (CSFW’03). 2003, pp. 251-263.
8. Halpern, Y. J. and V. Weissman, Using First-Order Logic to Reason about Policies, Proc. of 17th IEEE Computer Security Foundations Workshop (CSFW’03). 2003, pp. 187-201.
9. Horrocks, I., et al., OWL rules: A proposal and prototype implementation, Journal of Web Semantics: Science, Services and Agents on the World Wide Web 3. 2005, pp. 23-40.
10. Iannella, R., Open Digital Rights Language (ODRL), W3C Note 19. September 2002, http://www.w3.org/TR/odrl/.
11. Kagal, L., T. Finin, and A. Joshi, A Policy Based Approach to Security for the Semantic Web, ISWC 2003. LNCS 2870, pp. 402-418, 2003.
12. Kagal, L., et al., Self-describing Delegation Networks for the Web, IEEE Workshop on Policy for Distributed Systems and Networks, Policy 2006. June 5-7, 2006.
13. LaMacchia, A. B., Key Challenges in DRM: An Industry Perspective, DRM 2002.
LNCS 2696. 2003, pp. 51-60.
14. Li, N., B. N. Grosof, and J. Feigenbaum, Delegation Logic: A Logic-based Approach to Distributed Authorization, ACM Trans. Information and System Security. 6(1), pp. 128-171, 2003.
15. Lutz,C., Description Logics with Concrete Domains - A Survey, Advances in Modal Logic. Vol. 4, World Scientific Publishing Co., 2003, pp. 265-296.
16. Pan, J. and I. Horrocks, Web Ontology Reasoning with Datatype Groups, ISWC 2003. LNCS 2870, Springer, pp. 47-63.
17. Park, J. and R. T. Sandhu, The U CONABC Usage Control Model, ACM Trans-actions on Information and System Security. 7(1), 2004, pp. 128-174.
18. Pucella, R. and V. Weissman, A Formal Foundation for ODRL, Workshop on Issues in the Theory of Security (WITS). 2004.
19. Stefik, M., Letting Loose the Light: Igniting Commerce in Electronic Publication, Internet Dreams: Archetypes, Myths, and Metaphors. MIT Press, 1996.
20. Tonti, G., et al., Semantic Web Languages for Policy Representation and Rea-soning: A Comparison of KAoS, Rei, and Ponder, ISWC 2003. LNCS 2870, pp.
419-437, 2003.
21. Weitzner, D. J., et al., Creating a Policy-Aware Web: Discretionary, Rule-based Access for the World Wide Web, Web and Information Security. Idea Group Inc., 2006.
Protection Polocies via the Combination of Ontologies and Rules," IEEE
International Workshop on Ambient Semantic Computing (ASC2008), Taichung, Taiwan, June 12, 2008..