A container of other conditions, all of which must be met simultaneously. Identifies a principal who must present several credentials to be authenticated. Specifies the terms, conditions, and obligations under which rights can be exercised. The conditions in a grant can have a known structure specifying that they all must be met simultaneously (a conjunction) or only one of them must be met. This known structure enables a generic engine with no specific knowledge of the semantics of the rights or conditions to compute the grants in effect through a chain of delegated rights. Optional constraint on the conditions of the grant. This pattern is evaluated against the subtree of the grant rooted at the condition. A substitution head for condition patterns. Elements that replace this element must represent a pattern that identifies conditions based on pattern matching. Specifies the circumstances under which an associated grant may be delegated. If delegationControl is absent for a grant, that grant may not be delegated (unless that permission is conveyed by some other mechanism not yet defined). Provides the means to identify and retrieve the bits that comprise a particular digital resource. Identifies a possibly qualified universe of principals. The resource qualification under this element enables the specification of prerequisiteRight conditions similar to "everyone, possessProperty, resource". Requires that a grant or grantGroup exists that is the specified grant or grantGroup or matches the specified grantPattern or grantGroupPattern and that is issued (as one of the license's direct children) by one of the identified trusted issuers. Applies a universal quantifier to the referenced licensePart. The quantum within the license that bestows an authorization upon some principal. It conveys to a particular principal the sanction to exercise an identified right against an identified resource, possibly subject to first fulfilling some conditions. 
A container of several grants. A grantGroup does not define any semantic association, ordering relationship, and so on, between the grants it contains. A structure representing a predicate expression that can be evaluated against a grantGroup. All conditions imposed by this element's children are ANDed together to form the overall grantGroupPattern. Children that are singleton principals, conditions, grants, and so on, are compared for equality against their resource by canonicalizing both using a canonicalization algorithm and comparing the output as binary bit streams. Represents a predicate expression that can be evaluated against a grant. All conditions imposed by this element's children are ANDed together to form the overall grantPattern. Children that are singleton rights, resources, and so on are compared for equality against their resource by canonicalizing both using a canonicalization algorithm and comparing the output as binary bit streams. Represents the right to issue licenses corresponding to the attached resource, which must be a grant or grantGroup. This right can be used to embody the notion of being a certificate authority. Identifies the entity who signs the license, attesting to its validity. If more than one issuer signs the license, it is as if each signed it independently; one license with several issuers is equivalent to several copies of the same license, each with one issuer. Indeed, such a syntactic transformation can feasibly be made while preserving the signature validity. Identifies a principal who possesses a particular key. Typically, the key is a private key corresponding to a public key identified by this element, but it may be a symmetric key. The public key can be identified by several mechanisms defined in the XML Digital Signature specification. A container of one or more grants, each of which conveys to a principal a right to a resource under certain conditions. 
The license also specifies its issuer and other administrative information. A container of licenses. A licenseGroup does not define any semantic association, ordering relationship, and so on, between the licenses it contains. An abstract element from which the various specific parts of a license are derived. This element defines attributes common to all parts of a license. Represents the right to obtain the grant, grantGroup, or grantPattern specified as a resource associated with this right. Typically, this right is associated with conditions, such as a fee or validity interval. A structure representing a predicate expression that can be evaluated against any license part. A comparison is made to the contained licensePart using the XrML2 equality comparison. Represents the right to claim ownership of particular characteristics, which are listed as resources associated with this right. Requires that another right be possessed before exercising the associated right. The specified principal must be able to exercise the right on the resource under the authorization of the trustedIssuer. Represents the unique identification of a party involved in granting or exercising rights. Each principal identifies exactly one party. Optional constraint on the principal of the grant. A substitution head for principal patterns. Elements that replace this element must represent a pattern that identifies principals based on pattern matching. The "noun" to which a principal can be granted a right. A resource can be a digital work (such as an e-book, an audio or video file, or an image), a service (such as an email service or B2B transaction service), or even a piece of information that can be owned by a principal (such as a name or an email address). Optional constraint on the resource of the grant. This pattern is evaluated against the subtree of the grant rooted at the resource. A substitution head for resource patterns. 
Elements that replace this element must represent a pattern that identifies resources based on pattern matching. A maximum interval specifying how recently a signature on the license containing this grant must be checked for revocation. Beyond this interval, the grant may not be used as part of a proof of authorization. Represents the right to revoke a statement that one has made previously. The act of issuing a license implicitly grants one the right to revoke it. With this right, one may explicitly delegate that right to others. The "verb" that a principal can be granted to exercise against some resource under some condition. Typically, a right specifies an action (or activity) or a class of actions that a principal may perform on or using the associated resource. Optional constraint on the right of the grant. This pattern is evaluated against the subtree of the grant rooted at the right. A substitution head for right patterns. Elements that replace this element must represent a pattern that identifies rights based on pattern matching. Provides the means to locate and interact with a concrete service. Specifically, this element identifies both an endpoint/address at which the service is located and meta information by which the type or interface for the endpoint can be understood. Defines a trust model based on a principal or set of principals who are trusted. Identifies the time interval during which the associated right is valid. Elements that replace this element must represent a pattern that identifies a set of valid XML trees based on pattern matching. A container of other conditions, all of which must be met simultaneously. Identifies a principal who must present several credentials to be authenticated. Specifies the terms, conditions, and obligations under which rights can be exercised. The conditions in a grant can have a known structure specifying that they all must be met simultaneously (a conjunction) or only one of them must be met. 
This known structure enables a generic engine with no specific knowledge of the semantics of the rights or conditions to compute the grants in effect through a chain of delegated rights. Optional constraint on the conditions of the grant. This pattern is evaluated against the subtree of the grant rooted at the condition. A substitution head for condition patterns. Elements that replace this element must represent a pattern that identifies conditions based on pattern matching. Specifies the circumstances under which an associated grant may be delegated. If delegationControl is absent for a grant, that grant may not be delegated (unless that permission is conveyed by some other mechanism not yet defined). Specifies the maximum depth of delegation chaining. A value of zero indicates that this grant may not be delegated. When a grant with this constraint is delegated, the contained count must be decremented by one. Specifies that an infinite chain of delegation is permitted. Indicates whether the delegated copy can specify conditions not contained in the original copy. If omitted, additional conditions can be specified; if present, the delegated copy must contain the same conditions as the original copy. Specifies a principal to whom the grant may be delegated. If more than one "to" element is specified, the principal may be any of those identified: all the "to" elements are ORed together. Provides the means to identify and retrieve the bits that comprise a particular digital resource. A non-cryptographically-secure reference to the bits that comprise a digital resource. An indirect, non-URI reference to the digital resource. The coupling to the referenced resource is made secure and unambiguous using cryptographic techniques. The bits that comprise the digital resource. An embedded digital resource, cast as an XML document fragment, within the current document. 
There is no standard way to embed an arbitrary full XML document within another due to issues such as local entities, character set differences, and document-global ID scope. A locator scheme invented by others. Represents an encryption of the XML element's contents. Identifies a possibly qualified universe of principals. The resource qualification under this element enables the specification of prerequisiteRight conditions similar to "everyone, possessProperty, resource". Requires that a grant or grantGroup exist and that it is issued (as one of the license's direct children) by one of the identified trusted issuers. The grant element identifies shape grant that expresses the right which must be held in order to satisfy the existsRight. The trustedIssuer identifies one or more principals trusted to issue the right. Applies a universal quantifier to the referenced licensePart. The quantum within the license that bestows an authorization upon some principal. It conveys to a particular principal the sanction to exercise an identified right against an identified resource, possibly subject to first fulfilling some conditions. The encrypted contents of a grant. When decrypted, the clear text logically becomes the entire contents of the grant, replacing this encryptedGrant element. As specified in XML ENCRYPT, the encryptedGrant element must contain the "type" attribute with a value of "http://www.w3.org/2001/04/xmlenc#Content Type". A container of several grants. A grantGroup does not define any semantic association, ordering relationship, and so on, between the grants it contains. The encrypted contents of a grantGroup. When decrypted, the clear text logically becomes the entire contents of the grantGroup, replacing this encryptedGrantGroup element. As specified in XML ENCRYPT, the encryptedGrantGroup element must contain the "type" attribute with a value of "http://www.w3.org/2001/04/xmlenc#Content Type". 
A structure representing a predicate expression that can be evaluated against a grantGroup. All conditions imposed by this element's children are ANDed together to form the overall grantGroupPattern. Children that are singleton principals, conditions, grants, and so on, are compared for equality against their resource by canonicalizing both using a canonicalization algorithm and comparing the output as binary bit streams. Optional constraint imposed on the grant as a whole, evaluated against the subtree rooted at the grant. This element specifies a pattern (such as an XPath) to evaluate against the resource grant as a whole. Represents a predicate expression that can be evaluated against a grant. All conditions imposed by this element's children are ANDed together to form the overall grantPattern. Children that are singleton rights, resources, and so on are compared for equality against their resource by canonicalizing both using a canonicalization algorithm and comparing the output as binary bit streams. Optional constraint imposed on the grant as a whole, evaluated against the subtree rooted at the grant. This element specifies a pattern (such as an XPath) to evaluate against the resource grant as a whole. A container used to define elements frequently used throughout a license. These elements are defined in the inventory, and then referenced by ID wherever they are needed within the license. Represents the right to issue licenses corresponding to the attached resource, which must be a grant or grantGroup. This right can be used to embody the notion of being a certificate authority. Describes information associated with each issuer (signer) of a license. The SignedInfo in the Signature must contain a Reference that covers the whole license except for its immediate issuer children. Optionally, the SignedInfo may contain a second Reference that covers the details of the specific issuer. Boilerplate XPath Transforms can be used for each Reference. 
Issuer-specific contributions to the license. Issuer-specific contributions to the license. The date at which the license was issued, as attested to by this issuer. For many purposes, validators cannot rely on this assertion, but instead require some disinterested third party to attest to the date of issuance. Optional time interval during which the issuer attests to the validity of that part of the license that the issuer signed. The semantics are as if the validityInterval was an additional condition ANDed with the conditions present in each grant. A mechanism by which the issuer may post notice of license revocation. Software checking for revocation may use any one of the identified mechanisms to check for revocation. Identifies a principal who possesses a particular key. Typically, the key is a private key corresponding to a public key identified by this element, but it may be a symmetric key. The public key can be identified by several mechanisms defined in the XML Digital Signature specification. A container of one or more grants, each of which conveys to a principal a right to a resource under certain conditions. The license also specifies its issuer and other administrative information. The optional licenseID attribute uniquely and globally identifies this license over space and time. Note (by way of comparison to validity intervals in, say, X509) that as a pragmatic matter, each right in a license usually contains a time condition to limit its validity time. A handy set of phrases that describe this license. The intent is that these can be shown to human beings in user interfaces in which licenses need to be managed, such as pick-lists. A container used to define elements frequently used throughout a license. These elements are defined in the inventory, and then referenced by ID wherever they are needed within the license. 
Specifies any other information to be conveyed in a license, such as information peripherally related to authentication and authorization, but not part of the core infrastructure. These extended elements typically fall under the license signature(s). However, recipients at their discretion can and will choose to ignore these extensions. The encrypted contents of a License. When decrypted, the clear text logically becomes the entire contents of the License, replacing this encryptedData element. The encryptedLicense element must, per XML ENCRYPT, contain the 'type' attribute of 'http://www.w3.org/2001/04/xmlenc#Content Type'. A container of licenses. A licenseGroup does not define any semantic association, ordering relationship, and so on, between the licenses it contains. An abstract element from which the various specific parts of a license are derived. This element defines attributes common to all parts of a license. A license part can have an identifier or reference an identifier defined elsewhere in this license. This mechanism reduces verbosity by defining commonly-used elements in one place and referencing them elsewhere. However, this is a purely syntactic shorthand; no semantic connection between the definition site and use site is implied. A string and an optional xml:lang indication of the language in which it resides, which enables embedded XML structured content. A reference similar to dsig:ReferenceType, but lacking the cryptographic connection. Represents the right to obtain the grant, grantGroup, or grantPattern specified as a resource associated with this right. Typically, this right is associated with conditions, such as a fee or validity interval. A structure representing a predicate expression that can be evaluated against any license part. A comparison is made to the contained licensePart using the XrML2 equality comparison. 
Represents the right to claim ownership of particular characteristics, which are listed as resources associated with this right. Requires that another right be possessed before exercising the associated right. The specified principal must be able to exercise the right on the resource under the authorization of the trustedIssuer. Represents the unique identification of a party involved in granting or exercising rights. Each principal identifies exactly one party. Optional constraint on the principal of the grant. A substitution head for principal patterns. Elements that replace this element must represent a pattern that identifies principals based on pattern matching. The "noun" to which a principal can be granted a right. A resource can be a digital work (such as an e-book, an audio or video file, or an image), a service (such as an email service or B2B transaction service), or even a piece of information that can be owned by a principal (such as a name or an email address). Optional constraint on the resource of the grant. This pattern is evaluated against the subtree of the grant rooted at the resource. A substitution head for resource patterns. Elements that replace this element must represent a pattern that identifies resources based on pattern matching. A maximum interval specifying how recently a signature on the license containing this grant must be checked for revocation. Beyond this interval, the grant may not be used as part of a proof of authorization. Indicates the maximum amount of time that may elapse since the last time the grant was checked for revocation. A value of zero indicates that the grant must be explicitly checked each time it is exercised. Indicates that for this use of this condition, a check for revocation is not needed. Indicates a mechanism through which notice of revocation of licenses may be communicated. To allow others to define their own revocation communication mechanism, this element is extensible. 
Indicates a service instance to query for the status of a signature. Indicates a service through which to obtain a revocation list. Represents revocation mechanisms invented by others. Represents the right to revoke a statement that one has made previously. The act of issuing a license implicitly grants one the right to revoke it. With this right, one may explicitly delegate that right to others. The "verb" that a principal can be granted to exercise against some resource under some condition. Typically, a right specifies an action (or activity) or a class of actions that a principal may perform on or using the associated resource. Optional constraint on the right of the grant. This pattern is evaluated against the subtree of the grant rooted at the right. A substitution head for right patterns. Elements that replace this element must represent a pattern that identifies rights based on pattern matching. Provides the means to locate and interact with a concrete service. Specifically, this element identifies both an endpoint/address at which the service is located and meta information by which the type or interface for the endpoint can be understood. Use the specified portion of the identified WSDL file for the full protocol and endpoint information. Identifies a particular WSDL file. Identifies a particular service within the WSDL file. WSDL services have zero or more ports and a binding between each port and an endpoint address. All ports of the same portType are considered equivalent. Identifies a specific port type if the WSDL service contains ports of more than one portType. For more information, refer to the WSDL specification. Separates the protocol information found in the WSDL file from the endpoint addressing information for the service. Identifies the abstract type of the web service, independent of its endpoint. Elements of this type indicate a particular type of web service without indicating where an instance of that web service is specifically available. 
Identifies the WSDL in which the type of the service is defined. Indicates the relevant portType and protocol binding in the WSDL file. Indicates the actual endpoint at which the service is located. Specifies that the UDDI Business Registry (or possibly a private UDDI registry) be used for protocol and endpoint information. Use means invented by others to connect to services. Provides contextual parameters that may be needed to interact with the service. The exact interpretation of each parameter is specific to the semantics of the service and is not specified here. Defines one raw parameter to be passed to the service. Lists optional transformations to be applied in sequence over datum. Indicates the means for identifying a principal trusted to perform a certain action. Extensions to this type might specify additional policies not articulated here. Specifies a list of principals, any of which can be used. A key that identifies a business, service, or other entity inside of UDDI. The universally unique identifier (UUID), which is used by UDDI versions 1 and 2. For more information, refer to the UDDI specification. The uniform resource identifier (URI), which is used by UDDI version 3. For more information, refer to the UDDI specification. Contains a UddiServiceIdentifier as defined in the UDDI specification. Indicates the service's key in the registry. This value should be passed to the get_serviceDetail API of the public UDDI registry to locate the service. Identifies the UDDI registry in which the service is located. Intended for private UDDI deployments. If absent, the global UDDI Business Registry is implied. Identifies the time interval during which the associated right is valid. Identifies the beginning of the interval. Identifies the end of the interval. The substitution head for all patterns in XrML. Elements that replace this element must represent a pattern that identifies a set of valid XML trees based on pattern matching. 
A Boolean expression in some identified XML expression language. The default language is XPath1. Identifier for a license part. Using this identifier, commonly-used elements can be defined in one place and referenced elsewhere, thus reducing verbosity. The name of a variable. A DCE UUID. For example, 1FAC02A2-9C46-4ceb-ABD2-9D569A379218