eXtensible rights Markup Language (XrML) Core 2.1 Specification

Abstract

This specification defines the Core of the eXtensible rights Markup Language (XrML), a general-purpose language in XML used to describe the rights and conditions for using resources.

Status of this Document

Feedback and suggestions are welcome. Please report errors and provide comments on this document to the current editor at http://www.xrml.org/xrml_comments.asp.

Table of Contents

Introduction

Scope

This document explains the basic concepts for issuing rights in a machine-readable language and describes the language syntax and semantics. It does not provide specifications for security in trusted systems, propose specific applications, or describe the details of the accounting systems required.

One of the goals of this document is to develop an approach and language that can be used throughout industry to stipulate rights to use resources and the conditions under which those rights may be exercised and by whom. This document does not address the agreements, coordination or institutional challenges involved in achieving that goal.

Keyword Conventions

The keyword "XrML2" in this document is to be interpreted as referring to XrML version 2.1.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119.

Schema Conventions

The syntax of XrML2 is described and defined using the XML Schema technology defined by the Worldwide Web Consortium (W3C). Significantly more powerful and expressive than DTD technology, the extensive use of XML Schema in XrML2 allows for significant richness and flexibility in its expressiveness and extensibility.

To that end, a principal design goal for XrML2 is to allow for and support a significant amount of extensibility and customizability without the need to make actual changes to the XrML2 core itself. Indeed, the core itself makes use of this extensibility internally. Others parties may, if they wish, define their own extensions to XrML2. This is accomplished using existing, standard XML Schema and XML Namespace mechanisms.

Readers of these schemas should notice that a certain editorial style has, for ease of comprehension, been uniformly adopted. The XML Schema artifacts found within the XrML2 core schema fall into three categories: attributes, elements, and types. The names of each have a different stylistic treatment: the names of types are in mixed case, with an initial capital letter, while the names of elements and attributes are in mixed case but with an initial lower case letter. For example, Grant is the name of a type, while grant is the name of an element and licensePartId is the name of an attribute.

This stylistic convention has also been used in this specification when referring to these elements and types:

• A passage herein which mentions an element as in "the grant" is using the word in a technical sense to refer to the notion of grant as an XML Schema element.
• A passage which mentions a type and prefixes the type with the word "type" as in "the type Grant" is using the word in a technical sense to refer to the notion of Grant as an XML Schema type.
• A passage which mentions a type and prefixes the type with an article such as "a" or "the" as in "a Grant" is using the word in a technical sense to refer to any element whose type is the type Grant or any derivation thereof. (Semantics assigned to a type in this way MUST NOT be overridden by type derivations or elements using the type; type derivations or elements that use the type MAY alter the semantics only as long as all the statements made about the type in these passages still hold for the type derivations and elements that use the type.)

Architectural Details of the XrML2 Core

At the heart of XrML2 is the XrML2 Core Schema. The elements and types defined therein define the core structural and validation semantics that comprise the essence of the specification. It is expected that every XrML2 validation processor will be aware of the semantics embodied in this core. That is not to say that each and every such processor need to implement and fully support all of the functionality herein described; rather, it indicates that such processors must be conscious of all the semantics defined therein that logically affect those core features they indeed do choose to support. This is also true for XrML2 extensions that these processors intend to process.

License

The single most important concept in XrML2 is that of the License. A License is conceptually a container of Grants, each one of which conveys to a particular Principal the sanction to exercise some identified Right against some identified Resource, possibly subject to the need for some Condition to be first fulfilled. A License is also a container of GrantGroups, each of which is in turn an eventual container of Grants. To avoid confusion, it should be noted that, while a License is a conceptual container, it is not only just a container: it is also the means by which License issuers convey authorization, as described below.

A License may be digitally signed by the party who issues it, signifying that the License issuer authorizes certain Grants and GrantGroups. This semantic notion of whether or not a Grant or GrantGroup has been authorized is an important one. A Grant or GrantGroup which has not been authorized conveys no authorization, it merely exists as an XML element. Unless otherwise indicated by this specification, Grants or GrantGroups which may physically appear in a License are not to be considered authorized.

Syntactically, multiple Issuers may each provide a signature on a given License; however no additional semantic is associated with their collective signing. The semantics are, rather, as if they had each independently signed their own copy of the License. Therefore, one can unambiguously speak of the Issuer of a given License.

License/title

Each of the zero or more title elements in a License provides a descriptive phrase about the License that is intended for human consumption in user interfaces and the like. Automated processors MUST NOT interpret semantically the contents of such title elements.

License/grant and License/grantGroup

The Grants and GrantGroups contained in a License are the means by which authorization policies are conveyed in the XrML2 architecture.

Each Grant or GrantGroup that is an immediate child of a License exists independently within that License: no collective semantic (having to do with their particular ordering or otherwise) is intrinsically associated with the presence of two or more of them within a certain one License (though there may be syntactic issues; see License Parts).

See below in this specification for an elaboration of the semantics of Grant and GrantGroup.

License/issuer

Each Issuer in a License may contain two pieces of information:

• a set of Issuer-specific details about the circumstances under which he issues the License, and
• a digital signature for the License.

The optional Issuer-specific details are found in the Issuer/details element, which is of type IssuerDetails. These details optionally include any of the following information:

1. the specific date and time at which this Issuer claims to have effected his issuance of the License.
2. an interval of time before and after which the Issuer does not intend his issuance of the License to be effective.
3. an indication of the mechanism or mechanisms by which the Issuer of the License will, if he later Revokes it, post notice of such revocation. When checking for revocation, XrML2 processing systems may choose to use any one of the identified mechanisms: that is, they are all considered equally authoritative as to the revocation status of the issuance of the License.

Let g be any Grant or GrantGroup which is an immediate child of a License l, and let i be the Issuer element of l. If the element i/details exists and if i/details contains a ValidityInterval v, then let the Grant or GrantGroup g' be defined to be that Grant or GrantGroup which is formed from a copy of g by replacing therein the (possibly absent) element g'/condition with an allConditions element containing both v and (the possibly absent) g/condition. Then g' is defined to be directly authorized by the presence of the signature of the Issuer on the License l (and g itself is not authorized). If instead no such ValidityInterval v exists, then, likewise, the Grant or GrantGroup g is defined to be directly authorized by the presence of the signature of the Issuer on the License.

The digital signature made by each Issuer of a License is manifest in an XML element of name dsig:Signature as defined by the XML-Signature Syntax and Processing standard of the W3C. However, when used within XrML2, some of the general freedoms and flexibilities permitted within that design are profiled and constrained. Specifically, with the aim of simplifying the determination of exactly which pieces of the License have and have not been actually signed by a given Issuer, the dsig:Signature/dsig:SignedInfo/dsig:Reference elements are restricted in how they may refer to pieces of the License. In concept, the restriction is that of the information in a License a signature may only reference

1. the whole License less its Issuer children, together with
2. the issuance details paired with this dsig:Signature

but not any other piecemeal subparts of the License (the dsig:Signature may still, if it wishes, reference items external to the License though such use is beyond the scope of this specification). Concretely, when an Issuer wishes to reference pieces of the License, to do so it MUST use a dsig:Signature/dsig:SignedInfo/dsig:Reference element r such that the following is true:

1. the attribute r/@dsig:URI MUST be omitted
2. the element r/dsig:Transforms MUST contain exactly one child dsig:Transform element t, where
   1. t MUST be empty
   2. the attribute t/@dsig:Algorithm MUST contain the value http://www.xrml.org/schema/2002/05/xrml2core#license

The transform algorithm so indicated is known as the XrML2 License Transform Algorithm .

A dsig:Transform element t indicating the use of the XrML2 License Transform Algorithm emits as output the most immediate ancestor of t that is of type License or a derivation thereof but with any element descendants of that License which occupy (perhaps through type derivation) the particle defined by the issuer child of the License wholly removed, except for that Issuer that contains t, which is kept, removing its dsig:Signature child instead.

It is RECOMMENDED that dsig:Signatures created by Issuers of XrML2 Licenses indicate the use of the Schema Centric Canonicalization algorithm.

Moreover, as a general note of good digital signature hygiene, it is RECOMMENDED that XrML2 Licenses explicitly (re)declare no higher up the XML element tree than at the License level any XML Namespaces that are used anywhere throughout the License. That is, a License SHOULD be a self-contained unit with respect to XML Namespace declarations, not relying on any such declarations to be imported from their surrounding XML context. This hygienic practice greatly facilitates the ability to manipulate Licenses as a self-contained XML unit within XrML2 processing systems.

License/inventory

XrML2 provides a syntactic mechanism for reducing redundancy and verbosity in Licenses. This syntactic macro-like mechanism can be used throughout a License, so long as there is in a given License only one definition to each LicensePartId. Such definitions can lie, for example, inside of grants or other semantically important structures. However, it is sometimes useful and convenient to be able to provide a definition of a part of a License without at the definition site necessarily associating any particular semantic with the part. The inventory element provides a means for doing this.

The inventory element of a License is a simple container of LicenseParts. The presence of such parts in the inventory container does not provide any semantic at all. The parts simply exist as syntactic structures within the inventory. Usefully and usually, parts in the inventory will have LicensePart/@licensePartId attributes so that they can be referenced from elsewhere in the License.

License/otherInfo

Using the wildcard construct from XML Schema, a License provides an extensibility hook within which License issuers may place additional content as they find appropriate and convenient. This can be useful for conveying information which is peripherally related to, for example, authentication and authorization, but is not part of the XrML2 core infrastructure. Such content will of necessity be referenced by the dsig:Signature of the Issuer of the License, and so can be considered as being attested to by the License's Issuer; indeed, it is the inclusion of this data in the signature which is likely the most important reason for contemplating the use of this facility.

It should, however, be carefully understood that not all processors of XrML2 Licenses will understand the semantics intended by any particular use of this extensibility hook. Processors of the License MAY choose wholly at their own discretion to completely ignore any such content that might be present herein.

License/encryptedLicense

A mechanism is provided by which the contents of a License may be encrypted and so hidden from view from inappropriate parties. This mechanism makes straightforward use of the XML Encryption Syntax and Processing standard.

Specifically, the XML content model of a License is a choice between a sequence containing the elements previously described in this section and an encryptedLicense element. encryptedLicense represents the encryption of the contents (but not the attributes) of the License element. See the type EncryptedContent for a more detailed discussion of the decryption process.

License Parts

Many of the types defined in XrML2 are, in the XML Schema sense, derivations of the type LicensePart, including Grants, Resources, and Rights, just to name a few.

The role of LicensePart is twofold:

1. LicensePart, through its licensePartId and licensePartIdRef attributes, which are both of type LicensePartId, defines a macro-like purely syntactic mechanism by which fragments of XML which must logically be present in several places within a License may avoid being literally written out multiple times.
2. In contrast, LicensePart, through its varRef attribute, defines a semantically important mechanism. As is later described herein, XrML2 defines a pattern-matching mechanism which may be used, for example, to denote sets of Principals that a grant might apply to or sets of grants that might be validly issued by an authorized authority. Such patterns logically describe sets of entities. When a pattern is applied to a concrete situation, a matching process occurs, resulting in a single entity that matches that pattern. It is useful to be able to, elsewhere in a License, talk about the entity that might match a given pattern when such matching process later occurs.

The matching process and its relationship to variables is somewhat involved, and a detailed discussion is provided later in this specification.

The macro-like facility of licensePartId and licensePartIdRef, on the other hand, is quite straightforward. Use of the licensePartId and licensePartIdRef attributes MUST adhere to the following constraints:

1. On any given LicensePart at most one of the attributes licensePartId and licensePartIdRef may appear. That is, it is illegal for both attributes to be present on one LicensePart.
2. For a given LicensePartId value v, there may be at most one LicensePart in a given License that contains a licensePartId attribute with the value v.
3. If a LicensePart p contains a licensePartIdRef attribute, then it MUST have empty content. As a corollary, therefore, it is required that all types which are derivations of LicensePart SHOULD allow their content to be empty (for otherwise they cannot usefully be used within the LicensePart infrastructure).
4. If a LicensePart p contains a licensePartIdRef attribute with a certain value v, then there must exist some (other) LicensePart q in the same License as p which has a licensePartId attribute with value v (and, per (2), there cannot be two such qs). It is further required that the expanded element name of p exactly match that of q. Moreover, it is required that q not be an ancestor of p (or, per (3), a descendant of p).

If a LicensePart p contains a licensePartIdRef attribute with a certain value v, and q is the LicensePart in the same License as p which has a licensePartId attribute with value v, then the semantics of the License containing p and q are as if:

1. p were removed from the License and replaced with a copy q' of the element q,
2. the licensePartId attribute were removed from q' and all of its descendants,
3. any "preserved" attributes that may be present on q'were removed therefrom, and
4. any "preserved" attributes that may be present on p were copied and added to q'.

where here a "preserved" attribute is any of the following:

1. any attribute of type xsd:ID
2. any attribute for which 'id' is the LocalPart of its qualified name

(It is the intent of the last of these points to allow for the useful definition of other identification systems on license parts beyond the document-global xsd:ID-typed identifiers.)

If a License contains no LicenseParts with a licensePartIdRef attribute, then the semantics of that License are as if the licensePartId attribute were removed from all LicenseParts with such a licensePartId.

With the exception of signature verification, both licensePartIdRef macro expansion and licensePartId removal MUST be carried out before the other License processing steps defined by this specification. In particular, it is carried out before such processing as the evaluation of variable references or the testing of equality.

Equality of XML Elements

XrML2 defines a formal notion by which two arbitrary XML elements can be compared and said to be " equal " or not. This notion is used extensively and heavily in the design in such places, for example, as determining whether a Grant in a particular License actually contains a particular Right which is attempting to be exercised. In order to determine this, the Right being exercised must be compared in a precise and technical manner against the Right in the Grant. Perhaps surprisingly, no existing notion of equality appears defined on XML elements. Accordingly, we define one here as follows.

Background

In order to address the question of equality, one must first consider the question of whether the notion of the XML information conveyed by a piece of XML is in fact well-defined. Fortunately, this is in fact the case: the XML Information Set specification normatively defines the abstract information contained in any the possible physical representations of a piece of XML. This information is, however, altered by XML Schema, in that the assessment of validation of an infoset by XML Schema augments that infoset with information contained in the schema(s) in question (for example, default values are inserted, the character content of elements of simple type is normalized, and so on). Thus, in order to understand the full set of information conveyed by a piece of XML, one must, generally speaking, validate the data according to its schemas.

If all the schemas in question are relatively fixed, and so their structure can be compiled into or otherwise cached by an application, then the assessment of whether two pieces of XML are equal or not is straightforward to implement efficiently. However, if the schemas involved are not so intimately known, then the task of assessing equality is much more complicated and subtle: considerable flexibility and latitude exists in XML Schema wherein possibly quite different XML infosets are considered to actually convey the same information. This is precisely the sort of situation which is likely to arise in many XrML2 applications, especially those that act as utility layers for solutions that exploit the extensibility and customizability of the XrML2 architecture.

What is needed, therefore, is an efficiently implementable, generic algorithm that evaluates whether two XML information items are equal according to the representational liberties permitted by the schemas of the items in question. It is the intent of this specification to define such an algorithm.

Overview of Equality Comparison

As was mentioned, the information conveyed by a piece of XML can generally speaking only be understood by considering the content of the information set for that XML together with the content of the schemas with which it is associated.

Fortunately, it was one of the central design goals of the Schema Centric Canonicalization algorithm to exactly capture this information. That is, the result of processing some XML through Schema Centric Canonicalization captures in its output all of the information content of the XML that was latent in the schemas with which it is associated; all the contributions such as default values, data type lexical canonicalization, and so on, are extracted and made explicitly manifest in the canonicalized form. Therefore, one can succinctly compare two XML information items for equality by comparing the bit strings of their respective processing by Schema Centric Canonicalization: the items are equal if and only if the bit strings are bit-for-bit identical.

Were that algorithm easy to efficiently implement, then little more need be said about the matter. Unfortunately, this is not the case: Schema Centric Canonicalization is to an approximation at least as complicated to implement as full-blown XML Schema validity assessment, which is, unfortunately, in many situations, more expensive than is reasonable. In order to address this, we therefore seek an additional, efficiently implementable algorithm that can, in certain identifiable common cases, evaluate whether two XML items are equal or not in the same sense as processing through Schema Centric Canonicalization would do, but without the expense involved (specifically, without the expense of retrieving and processing the associated schemas). When such an algorithm identifies that the common case is in use, it can quickly give a definitive answer; in other cases, the full treatment through the Schema Centric Canonicalization algorithm is necessary.

Of course, many such auxiliary algorithms are possible, differing (likely) in exactly which set of common cases they cover. We present one of these possible algorithms here (embodied in the equalQuickItem function defined below), one that we believe will be of broad general utility. Note, however, that implementations are free to alter or augment this algorithm in order to appropriately tailor and tune it for their specific needs.

Specification of Equality Comparison

Two XML information items, left and right, are to be considered equal or not equal according to the application of the function equalItem(left, right).

The equalItem function

The equalItem function takes two information items, left and right, as inputs and yields either the result equal or the result not equal as follows:

1. If equalQuickItem(left, right) is equal or not equal, then equalItem(left, right) is that value.
2. Otherwise, let leftBits and rightBits respectively be result of the execution of the Schema Centric Canonicalization algorithm on an infoset whose document information item contains in its [children] property the item left or right (respectively). Then if leftBits is the identical bit string to rightBits, then equalItem(left, right) is equal; otherwise, equalItem(left, right) is not equal.

The equalQuickItem function

The equalQuickItem function takes two information items, left and right, as inputs and yields either the result equal, not equal, or indeterminate according to whether it determines that the information items can be determined to be equal or not or that an evaluation by a more comprehensive algorithm is necessary. Let the notation x[y] be understood to represent the value of the property whose name is y of the information item x. Then the equalQuickItem function is defined as follows:

If left and right are different kinds of information item, then not equal is returned.

If left and right are both element information items, then the following steps are considered in order:

1. If left[namespace name] is not identical to right[namespace name] then not equal is returned.
2. If left[local name] is not identical to right[local name], then not equal is returned.
3. The sets left[attributes] and right[attributes] are examined to define the value attributesIdentical(left, right):
   1. If a permutation r' of right[attributes] exists such that equalQuickList(left[attributes], r') is equal, then attributesIdentical(left, right) is equal.
   2. Otherwise, if left[attributes] contains a member ll and right[attributes] contains a member rr where both
      1. ll[namespace name] is identical to rr[namespace name] and
      2. ll[local name] is identical to rr[local name]
      then if equalQuickItem(ll, rr) is not equal or indeterminate, then attributesIdentical(left,right) is not equal or indeterminate, respectively.
   3. Otherwise, attributesIdentical(left,right) is indeterminate, due to the potential existence of default attributes in the DTD or schema.
4. The ordered lists left[children] and right[children] are examined to define the value childrenIdentical(left, right). Let lec be the subsequence of left[children] and rec be the subsequence of right[children] consisting of only the element and character information items therein (thus, comment, processing instruction, and unexpanded entity reference items are ignored, just as they are by XML Schema).
   1. If equalQuickList(lec, rec) is equal, then childrenIdentical(left, right) is equal. That is, an exact match guarantees equality.
   2. Otherwise, let le and re be respectively the subsequences of lec and rec containing only element information items. If there does not exist a permutation rec' of rec such that equalQuickList(lec, rec') is equal or indeterminate, then childrenIdentical(left, right) is not equal. That is, because the potential existence in the schema of a model group with a {compositor} of all, possibly even in a content model with content type mixed, we must allow for potential reordering of the elements in comparing for equality. But if no such reordering can be made to work, then we can know for certain that no equality is possible.
   3. Otherwise, if one of the lists lec and rec is empty and the other contains only character information items, then childrenIdentical(left, right) is indeterminate, since the schema might indicate a default content value which is equal to the non-empty list.
   4. Otherwise, if both of the lists lec and rec contain only character information items, then childrenIdentical(left, right) is the value returned by equalQuickSimple(lec, rec, false). Element content consisting entirely of characters might be an occurrence of the use of simple types, and so must be conservatively evaluated as such.
   5. Otherwise, if at least one of lec and rec contains any element information items and at least one of lec or rec contains any non-whitespace character information items, then (the content type must be mixed, and so) let the character information items in lec and rec be divided respectively into sequences of sub-lists l₁ through l_k and r₁ through r_k such that k-1 is the number of element information items in each of lec and rec (necessarily the same due to 4(b) above) and any given l_i or r_i consists of all those character items in order in lec or rec that are separated therein by two consecutive element items or an element item and the start or end of the list as the case may be. If there exists any l_i and corresponding r_i such that equalQuickList(l_i, r_i) is not equal, then childrenIdentical(left, right) is not equal. That is, the characters used in mixed content must match exactly.
   6. Otherwise, childrenIdentical(left, right) is indeterminate.
5. If either attributesIdentical(left, right) is not equal or childrenIdentical(left, right) is not equal, then not equal is returned.
6. Otherwise, if either attributesIdentical(left, right) is indeterminate or childrenIdentical(left, right) is indeterminate, then indeterminate is returned.
7. Otherwise, equal is returned.

If left and right are attribute information items, the the following steps are considered in order:

1. If left[namespace name] is not identical to right[namespace name] then not equal is returned.
2. If left[local name] is not identical to right[local name], then not equal is returned.
3. Otherwise, equalQuickSimple(left[normalized value], right[normalized value], true) is returned.

If left and right are character information items:

1. If left[character code] is the same as right[character code] then equal is returned
2. Otherwise, not equal is returned.

Otherwise, indeterminate is returned.

The equalQuickList function

The equalQuickList function takes as input two ordered lists of information items left and right and returns equal, not equal, or indeterminate as follows.

1. If the size of left differs from the size of right, then not equal is returned.
2. If there exists any member ll of left and corresponding member rr of right such that equalQuickItem(ll, rr) is not equal, then not equal is returned.
3. If there exists any member ll of left and corresponding member rr of right such that equalQuickItem(ll, rr) is indeterminate, then indeterminate is returned.
4. Otherwise, equal is returned.

The equalQuickSimple function

It is intended that equalQuickSimple embody the appropriate comparison tests for a sequence of characters which are either known to be or may potentially be the data consisting of a simple type. The equalQuickSimple function takes as input two sequences of character information items left and right and a boolean isAlreadyNormalized and returns equal, not equal, or indeterminate as follows:

1. If equalQuickList(left, right) is equal, then equal is returned. That is, an exact match guarantees equality.
2. Otherwise, if alreadyNormalized is true, then indeterminate is returned. If left and right are not identical, then their canonicalized lexical representations still might be. A more elaborate implementation might perhaps consider each of the various data types and their possible canonicalized lexical representations in order to in some situations eke out a not equal instead of indeterminate, but such is not elaborated here.
3. Otherwise, if isAlreadyNormalized is false, then indeterminate is returned.

Patterns

Within XrML2, it is quite useful and important at times to be able to write in XML formal expressions that semantically denote particular sets of XML instance elements. To give but one example, a License that provides to a Principal the authorization that is analogous to that held by a "Certificate Authority" in X509 parlance needs to be able to precisely specify and carefully indicate exactly which set of Grants the Principal is authorized to issue. XrML2 has a rich architecture of "patterns" designed to address this and similar needs.

XmlPatternAbstract

All formal patterns in XrML2 have types which derive from the type XmlPatternAbstract. As such, this type forms the root of a type hierarchy of various flavors of patterns suitable for different pattern matching requirements. The corresponding element xmlPatternAbstract, which is of this type, usefully forms the head of a substitution group of all possible patterns.

XmlExpression

XmlExpression provides a means by which patterns written in formal expression languages defined outside of XrML2 can be straightforwardly incorporated herein. The particular expression language used is indicated by the lang attribute, which is a URI.

The default value for the lang attribute is http://www.w3.org/TR/1999/REC-xpath-19991116, which indicates that the contents of the XmlExpression contains a string which is an XPath expression. If the expression contained in that string is not of XPath type boolean, then it is to be automatically converted to such as if the function boolean were applied. An element is said to match an XmlExpression pattern if the enclosed expression evaluates to true over that element.

All XrML2 processing systems which choose to support the use of any form of XrML2 patterns at all MUST support the use of the http://www.w3.org/TR/1999/REC-xpath-19991116 expression language in XmlExpression elements.

The 'match-exact' XPath function

All XrML2 processing systems that support the XPath expression language MUST include an additional match-exact function in the library that is used to evaluate XPath expressions. This function, used to match regular expressions, is modeled after work carried out in the XPath2 design effort.

The syntax of this function is

match-exact (string $srcval, string $regexp) ==> boolean

This function returns a boolean which is true if the regular expression that is the value of $regexp matches the entirety of the value of $srcval and is false otherwise. The regular expression in the value of $regexp uses the syntax of regular expressions specified in Appendix F of [XML Schema Part 2: Datatypes]. Comparisons of characters and character strings are performed in the context of the collation sequence specified by the Unicode Collation Algorithm, though it should be noted that not all regular expressions are semantically sensitive to this collation.

The XPath specification defines that the names of XPath library functions are namespace-qualified. To that end, the match-exact function is defined to reside in the XrML2 core namespace: http://www.xrml.org/schema/2002/05/xrml2core.

PrincipalPatternAbstract / RightPatternAbstract / ResourcePatternAbstract / ConditionPatternAbstract

As an alternative to using patterns written in externally-defined expression languages, it is often useful to define new XML types and elements that, in their intrinsic semantic, define some pattern matching algorithm. This can, of course, be done by simply deriving from XmlPatternAbstract; but, if appropriate to a given situation, deriving one of the four types here might be more useful.

Patterns which are of types which derive from PrincipalPatternAbstract, RightPatternAbstract, ResourcePatternAbstract, and ConditionPatternAbstract are always evaluated in a context of an entire XML document which (respectively) contains exactly just one Principal, Right, Resource, or Condition. Such known contextual setting may make it possible to more succinctly express and define the semantics of the intended pattern.

Everyone

Everyone is a type which is derived from PrincipalPatternAbstract.

As such, it matches documents which are elements of some subset of the universe of Principals. That subset is defined as those Principals who posses a certain property described within the Everyone element.

More precisely, let e be an instance of Everyone, and let P be the set of Principals denoted by e. If e/propertyAbstract does not exist, then P is defined to be the entire universe of Principals. Otherwise, P is defined to be the set of those Principals p for which the following PrerequisiteRight condition q can be shown to be fulfilled with respect to the same tuple of Authorization Algorithm inputs within which e is being processed:

1. q/principal is equal to p
2. q/right is equal to the possessProperty element
3. q/resource is equal to e/propertyAbstract
4. q/trustedIssuer is a copy of e/trustedIssuer (if such is present) or is absent (otherwise).

PatternFromLicensePart

PatternFromLicensePart is a semantically simple pattern. Each element of this type contains exactly one LicensePart. The pattern is defined to match exactly those elements which are equal to this contained part.

GrantPattern

A GrantPattern is a relatively complex pattern which matches XML elements of type Grant. Let G be a GrantPattern, and let g be a target Grant against which one wishes to attempt to match G.

The GrantPattern G can contain four separate pieces, each of which provide sub-patterns which are matched (respectively) in the context of the Principal, Right, Resource, and Condition of the target Grant g, along with an optional fifth piece which is matched in the context of g as a whole. The overall GrantPattern G is considered to successfully match against the target Grant g if and only if each of the five pieces which may be present in G successfully match against their respective context.

The first piece of a GrantPattern, which is optional, contains either a literal Principal, or several patterns for a Principal. If a literal Principal p is provided, then the target Grant g must contain as its principal an element that is equal to p. If patterns for a Principal are provided, then each such pattern, when evaluated in a target context of a new XML document containing only the Principal from the target Grant g, must successfully match.

The second piece of a GrantPattern, which for technical reasons is not optional, contains either a literal Right, or several patterns for a Right. If a literal Right r is provided, then the target Grant g must contain as its right an element that is equal to r. If patterns for a Right are provided, then each such pattern, when evaluated in a target context of a new XML document containing only the Right from the target Grant g, must successfully match. Note that although this second piece of a GrantPattern is required, a pattern of the form

<rightPattern/>

can be used to match any Right.

The third piece of a GrantPattern, which is optional, contains either a literal Resource R, or several patterns for a Resource. If a literal Resource is provided, then the target Grant g must contain as its resource an element that is equal to R. If patterns for a Resource are provided, then each such pattern, when evaluated in a target context of a new XML document containing only the Resource from the target Grant g, must successfully match.

The fourth piece of a GrantPattern, which is optional, contains either a literal Condition c, or several patterns for a Condition. If a literal Condition is provided, then the target Grant g must contain as its Condition an element which is equal to c. If patterns for a Condition are provided, then each such pattern, when evaluated in a target context of a new XML document containing only the Condition from the target Grant g, must successfully match.

The fifth piece of a GrantPattern is also optional. If present, then it is an XmlExpression that, when evaluated in a target context of a new XML document containing the whole target Grant g, must successfully match.

GrantGroupPattern

Much as GrantPatterns provide a structured way to match against Grants, GrantGroupPatterns provide a structured way to match against GrantGroups. Let G be a GrantGroupPattern, and let g be a target GrantGroup against which one wishes to attempt to match G. G consists of possibly several pieces. The overall GrantGroupPattern G is considered to successfully match against the target GrantGroup g only if each of the pieces which may be present in G successfully match against their respective context.

The first piece of a GrantGroupPattern, which is optional, contains either a literal Principal, or several patterns for a Principal. If a literal Principal p is provided, then the target GrantGroup g must contain as its principal an element that is equal to p. If patterns for a Principal are provided, then each such pattern, when evaluated in a target context of a new XML document containing only the Principal from the target GrantGroup g, must successfully match.

The second piece of a GrantGroupPattern, which is optional, contains either a literal Condition c, or several patterns for a Condition. If a literal Condition is provided, then the target GrantGroup g must contain as its condition an element that is equal to c. If patterns for a Condition are provided, then each such pattern, when evaluated in a target context of a new XML document containing only the Condition from the target GrantGroup g, must successfully match.

The third piece of a GrantGroupPattern consists of a sequence of sub-patterns, each of which is either a literal Grant or pattern for a Grant, or a literal GrantGroup or a pattern for a GrantGroup. Each literal or pattern in this sequence, when evaluated in the context of a new XML document containing only the corresponding Grant or GrantGroup from the sequence thereof at the end of the target GrantGroup g, must successfully match. In doing so, sub-patterns which are Grants or GrantGroups are, as one would by now expect, to match elements which are equal to themselves. Further, the sequence of Grants and GrantGroups at the end of g can be no longer than that sequence in G.

The fourth piece of a GrantGroupPattern is also optional. If present, then it is an XmlExpression that, when evaluated in a target context of a new XML document containing just the whole target GrantGroup g, must successfully match.

Variable Definition and Referencing

A particularly powerful and useful construct in Grants and GrantGroups is the definition and use of variables therein. With variables, a single Grant or GrantGroup can be written (and thus can be issued or otherwise authorized) that allows some carefully controlled variation and flexibility in the rights actually conveyed.

Variable Definition

Variables are defined using universal quantification as embodied in elements of type ForAll.

Let f be an element of type ForAll. The varName attribute of f indicates the name of the variable being defined. The elemental contents of f are zero or more patterns which determine what the variable f/@varName binds to.

If x is any XML element, let d(x) be a new XML document containing the element x as the root. Define m(x) to be the boolean function which is true if and only if all of the patterns in f, when evaluated in a context of d(x), successfully matches. Let B(f) be that subset of the universe X of XML elements such that m(b) is true for every b in B(f) and is false for every b' in X-B(f)(note that this implies that if f contains no patterns that B(f) is the entire universe X). The set of bindings of the variable f/@varName is then defined to be the set B(f).

The element f has a scope within which the variable it defines may be referenced. Colloquially, that scope is the rest of the parent element in which f is contained, less the scope of any other element of type ForAll therein which happens to (re)declare the same variable. More precisely, let N(y) be that set of XPath nodes selected by the XPath location path:

following-sibling::*/descendent-or-self::node()

when evaluated with y as the contextual XPath node. For an element z of type ForAll, let O(z) be that set of XPath nodes selected by location path:

following-sibling::*/descendent-or-self::r:forAll[@r:varName=$fVarName]

(where the XML Namespace prefix r is bound to the XrML2 core namespace) when evaluated with z as the contextual XPath node and $fVarName as the value of z/@varName.

Let P(f) be the union over all w in O(f) of N(w). Then the scope of f is defined to be N(f) less P(f).

The set S(f) of the eligible bindings of the variable f/@varName, then, is defined to be that subset of B(f) such that s in B(f) is in S(f) if and only if for all elements t in the scope of f where t/@varRef equals f/@varName all of the following hold:

1. Either the expanded element name of s must exactly match that of t or s must be substitutable for t using substitution groups (that is, t is the head of a substitution group in which s resides).
2. Either the type of s must exactly match that of t or the type of s must derive (through any number of levels) from the type of t using type derivation.
3. If t is removed from its document and replaced with a copy of s, that document is (still) valid.

Variable Referencing

Variables are referenced using the varRef attribute of LicenseParts. Let t be a LicensePart, and suppose t/@varRef exists. Then it is required that t must be an empty element: from a conceptual perspective, the contents of t are determined by the binding of the variable that it references, not from local elements.

Moreover, the value in t/@varRef MUST be the name of some variable v whose scope includes t.

Extending Variable Definition

Extensions to XrML2 SHOULD NOT create new types derived from the type ForAll nor create new elements of type ForAll. If extensions need to define variables within the types and elements they define, they can use the forAll element directly.

Conceptually Abstract

Certain elements and types in XrML2 are designated as conceptually abstract. Conceptually abstract elements and types are used solely for the substitution heads and type bases, respectively, in XML Schema and, as such, do not refer to any concrete concepts. Common examples of concrete concepts are found in XrML2 and include the keyHolder element and the KeyHolder type, though additional useful concrete concepts can be defined in extensions to XrML2. While a conceptually abstract element MAY appear with a concrete type and a concrete element MAY appear with a conceptually abstract type, a conceptually abstract element MUST NOT appear with a conceptually abstract type except in the form of a variable reference, as described in the preceding section.

Grant

A Grant is an XML structure that expresses an assertion that some Principal may exercise some Right against some Resource, subject, possibly, to some Condition. This structure is at the heart of the rights-management and authorization-policy semantics that XrML2 is designed to express.

Especially in situations such as content-management scenarios, it is likely to be common practice that one License contain several Grants to the same Principal pertaining to the same Resource, but differing in the specific Right being authorized. One grant might authorize a play right, while another might authorize a print right, for example. In other situations, such as those that might mirror the semantics of X.509 certificates, a set of Grants in a License might share a Principal and a Right (perhaps the PossessProperty right), but differ in the Resource identified. In all such scenarios, it is expected that the syntactic mechanism of license parts, perhaps together with the use of the inventory in the License, will be often used to reduce verbosity and to increase the readability of the collective set of Grants.

Grant/forAll

At the start of each Grant may reside an optional sequence of elements of type ForAll. Because of the pattern matching facility therein, this powerful mechanism allows one authorized Grant instance to in fact authorize what would otherwise have to be authorized as a set of Grants, a task which may be cumbersome or logistically impossible to actually carry out.

The effect of these ForAll elements on the semantics of a Grant is straightforward. Let g be a Grant that contains at least one ForAll child element, and let f be the first such child in g. Let S(f) be the set of eligible bindings of the variable f/@varName. For each s in S(f), let g'(s) be a Grant which is equal to a copy of g except

1. (the copy of) f is not present in g'(s), and
2. throughout the scope of f in g, all elements containing references to the variable f/@varName are replaced in g'(s) by s.

Then, to say that g is authorized means that for all such s, g'(s) is authorized.

Definition: a Grant which lacks any children of type ForAll (or any constructs that are equivalent thereto, such as an ExistsRight condition with a GrantPattern) is considered primitive.

Grant/principal

The element in an instance of a Grant that validates against the principal particle thereof identifies the Principal that, under the authority of the Issuer of the License, may exercise the Right identified in the Grant.

While the principal particle of Grant is optional within the schema (primarily for the utility this provides to GrantGroups), it is semantically very dangerous to in fact authorize a Grant which contains no Principal that validates against the principal particle. An authorized Grant which contains no Principal element is considered to be equivalent to an authorized Grant that contains an allPrincipals with zero children, which in turn authorizes the Grant to any entity that is authenticated as at least zero Principals -- in short, any entity.

Grant/right

The element in an instance of a Grant which validates against the right particle thereof identifies what the Issuer of the containing License authorizes the indicated Principal to actually do.

Grant/resource

Many (but not all) Rights that might be issued are intended to be directed at and authorized against some particular target or Resource. For example, a content-management-related Right which authorizes a Principal to print must somehow identify exactly what digital resource the Issuer of the License intends may be printed. In XrML2, this target can be identified using the resource of a Grant. This is accomplished by providing in the Grant instance an element which validates against the resource particle thereof.

Grant/condition

Issuers who authorize Grants often desire the ability to somehow limit or constrain the situations in which the Grant may actually be used. The condition particle within a Grant provides a means by which this may be accomplished. If omitted, then no conditions are imposed: the authorized Grant may be used unconditionally. If a Condition is present, then the semantic obligations associated with the semantics of that particular Condition must be satisfied with respect to the indicated Grant before it may be used as the basis of an authorization decision.

Grant/delegationControl

Whenever a Grant is issued, the Issuer may optionally indicate in addition that the Grant may be delegated to others. This is accomplished by including in the Grant an element of type DelegationControl; absent such a DelegationControl element, a Grant is not (formally) delegable.

To say that an authorized Grant g is delegable means that the Issuer of g also authorizes every Grant g' where:

1. g'/forAll, g'/delegationControl, and g'/condition are all absent,
2. g'/principal is equal to g/principal,
3. g'/right is equal to the issue element
4. g'/resource is equal to a Grant g'' where
   1. the (possibly empty) sequence of ForAll elements that begins g appear as a prefix of the sequence of ForAll elements that begins g''
   2. g''/delegationControl is compatible with g/delegationControl
   3. g''/principal is one of the allowable destination principals of g/delegationControl
   4. g''/right is equal to g/right
   5. g''/resource is equal to g/resource
   6. g''/condition is either equal to g/condition, or, if g/ delegationControl/additionalConditionsProhibited is absent, is equal to the equivalent of an allConditions element which contains at least g/condition (if present)

Additional policies which control the circumstances under which g is legally delegable are expressed by the semantics embodied in the DelegationControl element; these are explained in detail below. It is to be understood that g may be encrypted, and that in such situations the constraints listed here are to be adhered to by the clear-text form of g.

Grant/encryptedGrant

A mechanism is provided by which the contents of individual Grants may be encrypted and so hidden from view from inappropriate parties. This mechanism makes straightforward use of the XML Encryption Syntax and Processing standard.

Specifically, the XML content model of a Grant is a choice between a sequence containing the elements previously described in this section and an encryptedGrant element. encryptedGrant is of type EncryptedContent and represents the encryption of the contents of the Grant element.

GrantGroup

Within the XrML2 architecture, GrantGroups occupy much the same niche as do their more straightforward cousins, Grants. That is, wherever a Grant may legally appear, it is (usually) the case that a GrantGroup may appear instead, where a GrantPattern may appear, a GrantGroupPattern may take its place, and so on. Indeed, from a point of view of the set of rights actually authorized, the semantics of a GrantGroup can be (and indeed are) specified in terms of the set of rights authorized by a particular set of related Grants. However, from a point of view of pattern matching and inseparability under delegation, issuance, etc., GrantGroups provide additional expressive power not otherwise found in Grants.

GrantGroup/forAll

At the start of each GrantGroup may reside an optional sequence of elements of type ForAll. Because of the pattern matching facility therein, this powerful mechanism allows one authorized GrantGroup instance to in fact authorize what would otherwise have to be authorized as a set of GrantGroups, a task which may be cumbersome or logistically impossible to actually carry out.

The effect of these ForAll elements on the semantics of a GrantGroup is straightforward. Let g be a GrantGroup that contains at least one ForAll child element, and let f be the first such child in g. Let S(f) be the set of eligible bindings of the variable f/@varName. For each s in S(f), let g'(s) be a GrantGroup which is equal to a copy of g except

1. (the copy of) f is not present in g'(s), and
2. throughout the scope of f in g, all elements containing references to the variable f/@varName are replaced in g'(s) by s.

Then, to say that g is authorized means that for all such s, g'(s) is authorized.

GrantGroup/principal and GrantGroup/condition

Having indicated what it means to say that a GrantGroup containing a ForAll element has been authorized, it remains to be specified what it means to say that a GrantGroup which lacks any ForAll element has been authorized. Let g be such a GrantGroup lacking a ForAll element, and consider the structure of g, which, as is evident in the XrML2 core schema, can be thought of as a sequence containing:

1. an optional DelegationControl element d,
2. an optional Principal element p,
3. an optional Condition element c,
4. one or more contained Grant or GrantGroup elements g'.

To say that g has been authorized, then, means the following:

1. Consider each such g' in g where g' is a Grant. Let p' and c' be (respectively) the (possibly absent) principal and (possibly absent) condition contained in g'. Let g'' be a Grant which is equal to g' except that

   1. within g'', p' is replaced by an element equivalent to an allPrincipals element p'' which in turn contains
      1. p (if present)
      2. p' (if present)
   2. within g'', c' is replaced by an element equivalent to an allConditions elementc'' which in turn contains
      1. c (if present)
      2. c' (if present)

   Then to say that the GrantGroup g is authorized means that the Grant g' is authorized.

2. Similarly, consider each such g' in g where g' is a GrantGroup. Let p' and c' be (respectively) the (possibly absent) principal and (possibly absent) condition contained in g'. Let g'' be a GrantGroup which is equal to g' except that

   1. within g'', p' is replaced by an element equivalent to an allPrincipals element p'' which in turn contains
      1. p (if present)
      2. p' (if present)
   2. within g'', c' is replaced by an element equivalent to an allConditions elementc'' which in turn contains
      1. c (if present)
      2. c' (if present)

   Then to say that the GrantGroup g is authorized means that the GrantGroup g' is authorized.

The set of authorized Grants which is related to the authorized GrantGroup g by means of exhaustive recursive application of Rules (1) and (2) is known as the set of descendent Grants of g.

GrantGroup/delegationControl

Whenever a GrantGroup is issued, the Issuer may optionally indicate in addition that the GrantGroup may be delegated to others. This is accomplished by including in the GrantGroup an element of type DelegationControl; absent such a DelegationControl element, a GrantGroup is not (formally) delegable.

To say that an authorized GrantGroup g is delegable means that the Issuer of g also authorizes every Grant g' where:

1. g'/forAll, g'/delegationControl, and g'/condition are all absent,
2. g'/principal is equal to g/principal,
3. g'/right is equal to the issue element
4. g'/resource is equal to a GrantGroup g'' where
   1. the (possibly empty) sequence of ForAll elements that begins g appear as a prefix of the sequence of ForAll elements that begins g''
   2. g''/delegationControl is compatible with g/delegationControl,
   3. g''/principal is one of the allowable destination principals of g/delegationControl
   4. g''/condition is either equal to g/condition, or, if g/condition/additionalConditionsProhibited is absent, is equal to the equivalent of an allConditions element which contains at least g/condition (if present)
   5. the Grants and GrantGroups contained as immediate children of g'' are copies of those contained as immediate children of g.

Additional policies which control the circumstances under which g is legally delegable are expressed by the semantics embodied in the DelegationControl element; these are explained in detail below. It is to be understood that g may be encrypted, and that in such situations the constraints listed in this section are to be adhered to by the clear-text form of g.

GrantGroup/encryptedGrantGroup

A mechanism is provided by which the contents of a GrantGroup may be encrypted and so hidden from view from inappropriate parties. This mechanism makes straightforward use of the XML Encryption Syntax and Processing standard.

Specifically, the XML content model of a GrantGroup is a choice between a sequence containing the elements previously described in this section and an encryptedGrantGroup element. encryptedGrantGroup is of type EncryptedContent and represents the encryption of the contents of the GrantGroup element.

DelegationControl

The use of elements of type DelegationControl provides the means by which policies which control and otherwise constrain the delegation of Grants and GrantGroups can be expressed.

Some such policies, namely those regarding constraints on delegated-to Principals and whether additional Conditions may be present in delegated Grants and GrantGroups, were described previously herein. Other policies may be defined in types which are derived from the type DelegationControl.

Allowable Destination Principals

Part of the policy expressed by a DelegationControl element d is the set of allowable Principals to whom the Grant or GrantGroup to which d is applied may be delegated.

If d/to is absent, then the set of allowable destination principals of d is the universe of all Principals.

Otherwise, at least one d/to is present.

Let z be a DelegationControl that contains at least one child element of type ForAll, and let f be the first such child in z. Let S(f) be the set of eligible bindings of the variable f/@varName. Let D be the universe of DelegationControl elements. Let D(z) be that subset of D where z' in D is in D(z) if and only if there exists an s in S(f) so that z' is equal to a copy of z except

1. (the copy of) f is not present in z' and
2. throughout the scope of f in z, all elements containing references to the variable f/@varName are replaced in z' by s.

Now, consider a function P defined on the domain D. For any z in D, let P(z) be defined as follows:

1. If z has at least one ForAll child element, then P(z) is the union, over all elements z' of the set D(z), of P(z').
2. If z does not have at least one ForAll child element, then P(z) is that set whose members are the Principals found in the to elements that are found in z.

Then the set of allowable destination principals of d is that set P(d).

Compatibility of DelegationControl Elements

Let d and d' be DelegationControl elements. d' is said to be compatible with d if they are equal except for the following variations:

1. If d/infinite is present, then d'/maxDepth may be present (with any nonnegative value)
2. If d/maxDepth is present, then d'/maxDepth must be present, and must contain any nonnegative value which is less than the value contained in d/maxDepth.
3. If d/additionalConditionsProhibited is absent, then d'/additionalConditionsProhibited may be present.
4. If d/to is absent, then any number of d'/to may be present and identify any Principals.
5. If at least n d/to's are present where n>1, then any n-1 of them may be omitted in d'.
6. If at least one d/to is present, then d'/to may contain any Principal which is equivalent to an allPrincipals Principal containing d/to/principal and zero or more arbitrary other Principals.

Notice that "is compatible with" is an antisymmetric and transitive relationship.

EncryptedContent

EncryptedContent modifies the semantics of enc:EncryptedDataType, its base type, by simply restricting the use of the enc:Type attribute therein to be the value http://www.w3.org/2001/04/xmlenc#Content, which is the type associated with encrypting XML element content. Thus, once decrypted, the plaintext of an element of type EncryptedContent is intended to semantically replace the EncryptedContent and thus become the content of said element's parent. In doing so, it must of course conform to the schema of the parent as a whole.

Core Principals

Principal

Within XrML2, instances of the type Principal (or a derivation thereof) represent the unique identification of an entity involved in the granting or exercising of rights. In a conceptual sense, they represent the "subject" that is permitted to carry out the action involved in exercising the Right.

The actual element principal is conceptually abstract. Also, the actual type Principal is conceptually abstract. That is, it does not indicate how a particular principal is actually identified and authenticated. Rather, this is carried out in types which are derivations of Principal. Such derived types may be defined in extensions to XrML2 in order, for example, to provide a means by which Principals who are authenticated using some proprietary logon mechanism may be granted certain Rights using the XrML2 License mechanism. That said, two such derivations are important enough and central enough to be defined within the XrML2 core itself.

The AllPrincipals Principal

Structurally, an AllPrincipals Principal is a simple container of zero or more other Principals. Semantically, an AllPrincipals a represents the logical conjunct of the Principals represented by all of its children. That is, a represents the set of its children acting together as one holistic identified entity. For example, if a is identified in some Grant as that Principal which must sign a certain bank loan application, then, conceptually, it is being required that each of the children of a act together as co-signers of the loan application.

A corollary of this definition is that an AllPrincipals Principal which contains zero children requires no particular Principal to act together as part of the entity that is identified, and thus the entire universe of entities is identified by such an empty AllPrincipals Principal. Where permitted by the schema in which it is used, such an empty AllPrincipals Principal is equivalent to said Principal in fact being absent.

Note that there is no requirement that a normalization of an AllPrincipals Principal be carried out. That is, it is perfectly legal for an AllPrincipals Principal to contain other AllPrincipals Principals.

The KeyHolder Principal

Instances of a KeyHolder Principal represent entities which are identified by their possession of a certain cryptographic key. For example, using a KeyHolder, a Principal which uses public-key cryptography may be conceptually identified as "that Principal which possesses the private key that corresponds to this-here public key." (Indeed, identification of Principals in such a manner is expected to be very common).

This specification of XrML2 does not itself specify the means by which the key relevant to a KeyHolder is identified. Rather, the info element (which is of type dsig:KeyInfo) within the type KeyHolder is defined by XrML2 as the mechanism by which such information is conveyed, and the XML-Signature Syntax and Processing specification then specifies the means by which such conveyance is carried out.

Core Rights

Right

Within XrML2, instances of the type Right (or a derivation thereof) represent a "verb" that a Principal may be authorized to carry out under the authority conveyed by some authorized Grant. Typically, a Right specifies an action (or activity) that a Principal may perform on or using some associated target Resource. The semantic specification of each different particular kind of Right SHOULD indicate which kinds of Resource (if any) may be legally used in authorized Grants containing that Right.

The actual element right is conceptually abstract. Also, the actual type Right is conceptually abstract. That is, the type Right itself does not indicate any actual action or activity that may be carried out. Rather, such actions or activities are to be defined in types which are derivations of Right. Such derived types will commonly be defined in extensions to XrML2, particularly those rights which are germane to a particular application domain. However, several Rights exist which are related to the domain of XrML2 itself, and so are defined within the XrML2 core.

The Issue Right

When an Issue element is used as the right in an authorized Grant g, it is required that g/resource against which the Right is applied in fact be a Grant or GrantGroup g'. The Grant g then conveys the authorization for the Principal g/principal to Issue g'; that is, it conveys the authorization, under the authority of the Issuer of the License l within which g is authorized, for g/principal to Issue other Licenses l' within which g' is authorized.

Use of the Issue Right is one of the basic mechanisms (along with delegation and trust of a License by some externally specified means) by which the XrML2 Authorization Algorithm chains its processing from one License to another.

Those familiar with the X.509 certificate infrastructure will recognize that, in analogy, the Principal g/principal found in an authorized Grant g containing the Issue Right can conceptually be considered a "Certificate Authority."

At the instant a License is issued, the Issue Right must be held by the Issuer of the License with respect to all the Grants and GrantGroups directly authorized therein.

The Revoke Right

The authorized act of exercising the Revoke Right by a Principal p effects a retraction of a dsig:Signature that was previously issued (either by p or by some other Principal from which p received appropriate authorization to Revoke) and thus accomplishes a withdrawal of any authorization conveyed by that dsig:Signature.

There is, of course, commonly a latency, possibly a significant one, between the discovery of an issued dsig:Signature by some party wishing to rely on the authorization so conveyed and the subsequent discovery by that party of a later retraction thereof. In the interim, the relying party can and will consider the dsig:Signature as valid and binding.

Every Issuer of a License, by the act of affixing its dsig:Signature thereto, is implicitly and automatically authorized in a freely delegable manner to subsequently Revoke that dsig:Signature, should it choose to do so. By explicit use of the Revoke Right, an Issuer may convey that authorization to other Principals of its choosing.

Although the XrML2 core requires that when the Revoke Right is used that the associated Resource explicitly identify the to-be-revoked dsig:Signature in question, the core itself does not define a concrete XML data type by which this can be accomplished, instead choosing to leave such definitions to extensions of the core. The XrML2 Standard Extension, though, does define the Resource Revocable which is useful in this role.

At the instant at which a dsig:Signature is formally revoked, the Revoke Right must be held by the revoking Principal with respect to the dsig:Signature being revoked.

The PossessProperty Right

The use of the PossessProperty Right within authorized Grants allows the Issuers thereof to straightforwardly express the fact that they authorize the association of property-like characteristics with certain Principals. Put another way, the PossessProperty Right represents the Right for the associated Principal to claim ownership of a particular characteristic, which is listed as the Resource associated with this Right.

The PossessProperty Right imposes only two restrictions on the Resource with which it may be used within an authorized Grant:

• That that Resource is a PropertyAbstract and
• That that PropertyAbstract MUST NOT be omitted.

The XrML2 core does not itself define any PropertyAbstracts which are particularly useful for use with the PossessProperty Right. However, several such PropertyAbstracts are defined within the XrML2 Standard Extension; in particular, it defines several PropertyAbstracts which are useful for modeling the authorized binding of names to Principals as is done in the X.509 certificate infrastructure.

Use of the PossessProperty Right is also very convenient in modeling notions of "group membership" found (among other places) in security systems of traditional operating systems. In this paradigm, in an XrML2 extension one invents a PropertyAbstract t whose associated semantic is "is member of group". Then, straightforwardly, one issues Licenses with authorized Grants that contain the Right possessProperty and the PropertyAbstract t in order to indicate that the associated Principal is in fact a member of the group.

The Obtain Right

When an Obtain element is used as the Right in an authorized Grant g, the Resource contained in g MUST be present and MUST either be a Grant or a GrantGroup. Let g' be that Grant or GrantGroup. Then the semantics conveyed by the authorization of g is that the Issuer thereof promises that the Principal g/principal can in fact obtain an issued version of g', subject only to the limitation that g/principal must first satisfy the (possibly absent) Condition g/condition.

The means and manner by which such obtaining of g' is actually carried out is outside the scope of this specification, though exerciseMechanism provides a convenient way to bound this process. Additionally, it is instructive to note that, in practice, Principals issuing and reading Obtain Grants will likely want to use a fulfiller condition to indicate and determine the Principal who will Issue the resulting Grant.

The use of the Obtain Right can be conceptualized as an "offer" or "advertisement" for the "sale" of the contained Grant.

Core Resources

Resource

Continuing our grammatical analogy, an instance of type Resource (or a derivation thereof) represents the "direct object" against which the "subject" Principal of a Grant has the Right to perform some "verb." It should be noted that not all XrML2 Rights make use of such target Resources, just as not all verbs require direct objects.

The actual element resource is conceptually abstract. Also, the actual type Resource is conceptually abstract. That is, the type Resource itself does not indicate any actual object against which a Right may be carried out. Rather, such target objects are to be defined in types which are derivations of Resource. Such derived types will commonly be defined in extensions to XrML2, particularly those Resources which are germane to a particular application domain. However, several Resources exist which related to the domain of XrML2 itself and so are defined within the XrML2 core

DigitalResource

Use of a DigitalResource Resource in a Grant provides a means by which an arbitrary sequence of digital bits can be identified as being the target object of relevance within the Grant. Specifically, and importantly, such bits are not required to be character strings which conform to the XML specification, but may be arbitrary binary data.

Conceptually, an instance d of DigitalResource defines an algorithm by which a sequence of bits b in question is to be located. The means by which this is accomplished breaks down into several cases:

1. The bits b are to be physically present within d. There are two sub-cases:
   1. If b is a character string which is a sequence of zero or more XML elements, then b MAY be represented using the xml element within d, which is a simple container of arbitrary XML elements.
   2. Otherwise, b SHOULD be encoded in base64 and located within d by use of the binary element. Note that there is no requirement that a b which may be legally represented using the xml element in fact be represented as such; base64 encoding may equally well be used, even for XML elements.
2. The bits are to be physically located at some external location outside of d. Perhaps, for example, they are located somewhere else within the XML document within which d is found, or perhaps at a location on a Web site. There are again two sub-cases:
   1. Though the bits may be external, d may still wish to indicate the exact actual sequence of bits being referred to. This is accomplished with use of the secureIndirect element.
   2. Otherwise, d wishes only to indicate the algorithm used to locate the bits, but is comfortable with the fact that differing actual executions of the algorithm may yield different sequences of bits. This is indicated by the use of the nonSecureIndirect element.
3. The means by which the bits are located is something else which is defined in an extension to XrML2. This is indicated within d by the use of an element which validates against the xsd:any particle therein.

The secureIndirect element straightforwardly makes use of the cryptographically-secure referencing mechanism designed as part of the XML Signature Syntax and Processing standard, specifically the type dsig:ReferenceType defined therein. The documentation of the semantics and processing associated with that type are not described in the present specification but rather are found in the specification of that standard.

The nonSecureIndirect element makes use of an XrML2-defined type NonSecureReference. The structure and attendant semantics of the NonSecureReference type are identical in every way to that of the aforementioned dsig:ReferenceType except that

1. NonSecureReference structurally lacks the dsig:DigestMethod and dsig:DigestValue elements found in dsig:ReferenceType, and
2. The processing semantics within dsig:ReferenceType that are associated with these two elements (in order to verify that the bits retrieved during the processing of the reference were exactly those expected) are omitted.

Authorization of Located Bits

Let g be any authorized Grant containing a Resource d which is a DigitalResource. Let b be the sequence of bits which is the result of any execution of the location algorithm of d. Then the Grant g' which is identical to g except that d is replaced by a DigitalResource which contains a child binary element which contains a base64 encoding of b is also authorized.

PropertyAbstract

An instance of type PropertyAbstract (or a derivation thereof) represents some sort of property that can be possessed by Principals via PossessProperty.

The actual element propertyAbstract is conceptually abstract. Also, the actual type PropertyAbstract is conceptually abstract. That is, the type PropertyAbstract itself does not indicate any actual property that can be possessed. Rather, such target properties are to be defined in types which are derivations of PropertyAbstract. Such derived types will commonly be defined in extensions to XrML2.

Core Conditions

Condition

Within XrML2, instances of the type Condition (or a derivation thereof) represent a grammatical "terms & conditions" clause that a Principal must satisfy before it may take advantage of an authorization conveyed to it in a Grant containing the Condition instance. The semantic specification of each different particular kind of Condition MUST indicate the details of the terms, conditions, and obligations that use of the Condition actually imposes. When these requirements are fulfilled, the Condition is said to be satisfied.

When a particular Condition is used within an authorized Grant, XrML2 processing systems that process the Grant MUST honor the request implied thereby that the terms, conditions, and obligations indicated in the semantic specification of the Condition be satisfied by the Principal indicated in the Grant before the Grant may be used as the basis of an authorization decision. A corollary of this requirement is the observation that should an XrML2 processing system in the course of honoring such a request encounter a Condition d