The Digital Property Rights Language

Manual and Tutorial - XML Edition

 

Version 2.00 — November 13, 1998

 

 

 

 

 

 

 

 

 

Copyright © 1998-1999 Xerox Corporation. All Rights Reserved.

 

LIMITED DISTRIBUTION - REVIEW PURPOSES ONLY

The material contained in this document is provided for review purposes only. Receipt of this document does not constitute a license, actual or implied, to any intellectual property contained herein. All material contained in this document is the intellectual property of the Xerox Corporation.

 

1. INTRODUCTION *

1.1 Enabling Commerce in Digital Property *

1.2 Scope of this Document *

1.3 Basics of Digital Property Rights *

1.4 Interfaces to Digital Property Rights Specifications *

1.4.1 Rights Editor Interfaces *

1.4.2 Trusted System Interfaces *

1.5 Design Goals for the Digital Property Rights Language *

2. LANGUAGE SPECIFICATIONS *

2.1 Specifying a Work *

2.2 Digital Property Rights *

2.2.1 Transport Rights *

2.2.2 Render Rights *

2.2.3 Derivative Work Rights *

2.2.4 File Management Rights *

2.2.5 Configuration Rights *

2.3 Specifying Times *

2.3.1 Specifying Moments in Time *

2.3.2 Specifying Units of Time *

2.3.3 Specifying When Rights Can Be Exercised *

2.4 Specifying Fees and Incentives *

2.4.1 Currencies and Accounts *

2.4.2 Digital Tickets *

2.4.3 Per Use and Metered Fees *

2.4.4 Best-Price Fees *

2.4.5 Markup Fees *

2.5. Specifying Access Controls *

2.5.1 Digital Licenses (Certificates) *

2.5.2 Security Classes *

2.6 Specifying Watermark Information *

2.6.1 Watermark Strings, Tokens, and Objects *

2.6.2 Examples of Watermark Specifications *

2.7 Bundle Secifications *

2.7.1 Specifying Time Limits Inside Bundles *

2.7.2 Specifying Fees Inside Bundles *

2.7.3 Specifying Access Inside Bundles *

2.7.4 Specifying Watermark Information Inside Bundles *

APPENDIX A. LEXICAL CONVENTIONS *

Keywords *

Constants *

Identifiers *

Currency Codes *

APPENDIX B. GRAMMAR FOR THE DIGITAL PROPERTY LANGUAGE *

APPENDIX C. QUESTIONS AND ANSWERS *

General Questions About Digital Property Rights *

Questions About Work Specifications *

Questions About Transport Rights *

Questions About Render Rights *

Questions About Derivative Work Rights *

Questions About File Management Rights *

Questions About Time Specifications *

Questions About Fee Specifications *

Questions About Security and Authorization *

INDEX *

 

1. INTRODUCTION

The Digital Property Rights Language Manual is a work in progress specifying a language for describing rights, conditions, and fees for using digital works. The Digital Property Rights Language (DPRL) is intended to support commerce in digital works, that is, publishing and selling electronic books, digital movies, digital music, interactive games, computer software and other creations distributed in digital form. It is also intended to support specification of access and use controls for secure digital documents in cases where financial exchange is not part of the terms of use.

This manual is being circulated for review among publishers, platform vendors, authors, librarians, and others interested in the issues involving rights and fees for digital works. Our purpose in circulating the manual is to solicit feedback and suggestions that can guide us in developing the language and establishing appropriate standards. The use of a standard language for usage rights on digital property ensures that trusted systems can exchange digital works and interoperate. The trusted systems are for authoring, playing, and selling digital works. They include personal systems, on-line storefront systems, library systems, and others.

The digital property rights language describes distinct categories of uses for digital works in terms of "rights," including rights to copy a digital work, or to print it out, or to loan it, or to use portions of it in derivative works. DPRL also describes conditions and fees (if any) relevant to such uses.

Before describing the language itself, this introduction first discusses the commercial context for DPRL. It discusses the intended audience for this manual and how usage rights would actually appear to creators, publishers, and consumers of digital works. Finally, it describes our design goals and assumptions for the language.

For variety in expression, we use the words digital property rights, digital rights, and usage rights synonymously. Similarly, we use the words digital property rights language, digital property language, digital rights language, and rights language synonymously. We also use the terms digital publications, digital documents, and digital works synonymously.

1.1 Enabling Commerce in Digital Property

Digital technology has shifted the balance of practice in the social contract between those who create and distribute works and those who use them. For many kinds of digital works, it is very easy to use and duplicate a work without having authorization or providing compensation. With electronic networks, it is easy to distribute unauthorized copies of a digital work to points around the world, without knowledge of the publisher or author.

For some publishers, the issue of unauthorized distribution represents too great a business risk and they do not publish in digital form. For others the revenue losses are affordable, but they lead to billing and distribution schemes that are cumbersome. For example, distributors of digital works typically bill all users the same amount regardless of the use to which the consumers will put the work. Some digital publishers rely on the honesty of users not to replicate a work or use it in unauthorized ways after an initial purchase. Ironically, some publishers figure that some "leakage" of works that need periodic upgrading (such as computer software) helps to increase their installed base. However, even for computer software, it is often reported that there are more unauthorized copies in use than authorized ones.

Consumers of digital works are also poorly served. It requires much more time, effort and money to be honest than to slip beyond the legal rights for use of a digital work. Consumers sometimes view the creators of a work as opponents, and try to "get away with" unpaid use because they have paid so much for other works. Given the lack of safeguards and reliable billing services, few publishers have been willing to distribute their works digitally over computer networks. Consequently, consumers miss out on the convenience of 24-hour software shopping and on-line delivery. Since there are no reliable and general means for determining how much software is used, users must usually pay the same for software regardless of how much use they make of it.

Various approaches have been proposed to create a commercially viable means of distribution. These approaches are based on concepts such as trusted systems, semi-trusted systems, digital envelopes, and secure containers. The most general approaches are based on two simple ideas: that digital works can be bought and sold among trusted systems and that works have attached usage rights that specify what can be done with them and what it costs to exercise the rights.

Different publishing and distribution systems require different kinds of subsystems and capabilities. The digital property language is primarily concerned with those systems that are directly involved in buying, selling, and using digital works. These systems would generally be implemented as trusted systems.

A trusted system is a system that can hold digital works and which can be trusted to honor the rights, conditions, and fees specified for a work. Trusted systems can take different forms, such as "trusted players" that play digital works, or "trusted readers" for reading digital works or "trusted servers" that may provide access to digital works on a network. Recognizing that different applications require different kinds of trusted systems and different levels of security, we use the terms trusted system and repository interchangeably to refer generically to systems relied on to keep documents secure and to honor usage rights.

Different implementations of trusted systems have different requirements for security and different approaches. In the most secure approaches, all of the hardware and software on the platform is certified to honor digital rights. Other approaches focus on the use of so-called secure envelopes or containers, emphasizing transmission and storage of information. All such approaches have some elements that are assumed to be trusted and which can be circumscribed by boundaries of trust. These boundaries may be the boundaries of program code assumed not to be altered, data files assumed not to be acessible, language interpreters (such as Java) assumed to follow certain rules, or physical hardware assumed not to be compromised. The security of a trusted system depends in large measure on its vulnerability across these boundaries. For the purposes of this document, we use the term "trusted system" in a generic sense to refer to all systems for security and commerce in digital works, regardless of the techniques used to create a basis for trust.

We use the term "semi-trusted system" to refer to a class of repositories that have two levels of storage - regular storage and trusted storage. Regular storage is file space accessible to untrusted programs. Generally, this is used to hold encrypted works. Trusted storage is special storage not readily accessible to untrusted programs. Trusted storage is for encryption keys, billing data, some non-transferable digital certificates, and digital tickets.

Beyond trusted systems are several other kinds of systems, made up of hardware, software, and communications elements. For example, trusted systems would confirm credit and exchange billing data with financial clearing houses. In contrast to "authoring systems," we use the term "digital publishing systems" to refer to systems that can import digital works in native formats, interact with a publisher or distributor to add usage right information, and export the digital works in encrypted forms or in digital containers. We use the term "network sales server" to refer to systems that offer documents for sale on-line, such as on the World Wide Web.

1.2 Scope of this Document

This document explains the basic concepts for managing digital works in trusted systems, describes the language syntax and semantics, and provides examples of typical specifications of usage rights. It does not provide specifications for security in trusted systems, propose specific applications, or describe the details of the accounting systems required.

One of the goals of our work in usage rights is to develop an approach and language that can be used throughout the publishing industries and in other industries as well. This paper does not address the agreements, coordination or institutional challenges involved in achieving that goal. See (Stefik, 1995) for a sketch of some of the institutional challenges.

1.3 Basics of Digital Property Rights

Digital property rights (or "usage rights" for short) are rights associated with digital works and their parts that describe how the works can be used. Here are some basic concepts:

• Rights are associated with parts of a digital work (and with folders).

• Every class of usage right has a corresponding transaction.

• The transaction defines what a repository does when the right is exercised.

• Rights are described in sentences of a machine-interpreted language having a grammar.

• The transactions for a given work are parameterized by the information in the usage rights sentences for the work.

• The rights on a work can be changed later, if the change is authorized by the rights owner.

 

1.4 Interfaces to Digital Property Rights Specifications

Specifications in the digital property language are established by creators of digital works and also by publishers and distributors. Specifications are used by consumers as they select and use digital works. However, creators, publishers, distributors, or consumers would seldom (if ever) look directly at specifications written in the language.

Thus, specifications in the usage rights language are intended to be readable by machines rather than directly readable by people. They are used by systems that store, play, transport, copy, and sell digital works. These repositories potentially include a range of devices with embedded computers, including personal computers, set top boxes, personal document readers, personal entertainment devices, on-line servers, and trusted printers.

In many cases, the rights associated changing rights with a digital work are established at the time that the work is published and remain the same over time. There are, however, several ways that rights may be changed over time, and these involve different interfaces.

Republishing with new rights. In the simplest case, the publisher or rights holder may simply republish a work with new rights. At the time of publishing, the terms and conditions on new copies of the work are changed to be different from those on older copies of the work. One way to accomplish this is simply to reinvoke a rights editor on a copy of the work and then to begin distributing only the revised version. An important job of a rights editor is to check the credentials of the person seeking to change the rights, since only the rights owner is authorized to change the rights on a work.

Embedding a work and adding new terms and fees. In this case, a work may be embedded in a larger work. Embedding is controlled by the Embed right discussed later in this document. Generally, embedding is done by a distributor, who adds value by repackaging the work. Embedding typically adds extra fees for exercising rights. Although this operation typically includes combining a work with additional content, it includes the case where the content itself is not changed.

Upgrading rights. Some trusted systems will support the operation of changing the rights on a work already distributed. This process would be carried out on a trusted system which checks the authorization for the change during a transaction that changes the rights. The details of the transaction are beyond the scope of this document except to say that the operation is automatic and the transaction to change the keys must be digitally signed by the rights owner.

Programmers developing trusted applications that use the rights language would typically not work with the syntax directly. Instead, they would use the application programmer’s interface (API) to an object-oriented representation of the statements in the rights language. The application interface is described in other documents.

1.4.1 Rights Editor Interfaces

To specify rights a publisher of a digital work uses a graphical user interface (a "rights editor" program) in a digital authoring or publishing system. Such interfaces can take different forms. For example, one convenient form of a right editor interface is similar to a spreadsheet.

The interface enables a publisher to fill in information indicating what rights, fees, or licenses apply to the digital work at hand. For example, a publisher may simply select individual rights or a set of standard rights from a menu, modifying them slightly to indicate particular fees or distribution requirements. The publishing program then outputs a specification written in the digital property language and attaches that specification to the digital work.

1.4.2 Trusted System Interfaces

Trusted systems, such as trusted workstations, trusted music players, trusted video players, and other trusted devices need user interfaces appropriate to the device.

For example, to play a work of digital music or a video, a consumer would just press the play button of a trusted player in much the same way that one uses a play button on a conventional compact disk or video tape player. In many systems, pushing a button would automatically invoke all of the appropriate checking, authorization, and payment transactions that are required for playing the digital work. In some systems, a consumer could use a small display similar to a calculator display to select among different rights or billing options. Different devices would have different user interfaces, but interoperable devices would share a common digital property language — a lingua franca for systems dealing in permissions and fees.

In some cases, a digital work may be offered with hundreds of variations on the rights. For example, a publisher may offer variations on rights at different prices for different users. There may be regular consumer rates, corporate rates, special rates for academic institutions or libraries, special rates for members of the book of the month club, special rates for frequent fliers, special rates for recent purchasers of other works by the same publisher, and so on. There can be different rates for a permanent use, use over a ten year period, or use over a special two-day introductory period.

In many cases, an unmediated interface to so many variations will be overly complex for normal use. An alternative is for the system to present the set of credentials, memberships, and special offers available to the user via an interface agent that matches held certificates and tickets with the rights offers available on the digital work. Given a selection policy established by the user, the agent can filter the choices down to a small set or automatically select the lowest cost right meeting the user’s needs. For example, on a trusted music player, pressing the play button may be all that is required to select the least expensive alternative and play the work.

1.5 Design Goals for the Digital Property Rights Language

The design goals for DPRL are:

• To describe rights, fees, and conditions appropriate for the commerce models that are important to publishers and consumers in digital publishing.

• To provide standard terms for usage rights specifications that have useful, concise and easily understandable meanings.

• To provide operational definitions of specifications for vendors of trusted systems that distribute or render digital works, so that the compliance of systems can be tested and evaluated.

• To provide a basis of extensibility to new language features in a manner that does not unduly compromise the other goals.

Digital commerce in documents requires a wide range of specification abilities to handle the variety of publishing niches and payment schemes that will be desired. A digital property rights language should be expressive enough to handle a wide range of situations for commerce in documents. The rights specifications must be practical to interpret and enforce by computer systems. Furthermore, the meaning of rights expressed in the language must be clearly defined so that different systems will interpret the rights in the same way.

Broadly construed, DPRL is about "terms and conditions" of use. Terms and conditions ultimately refer to facts about the world and permissioned actions on digital works. Examples of facts are: the current date and time, whether the user is a member of the book of the month club, and the security class of the trusted system. DPRL requires well-defined and certified ways of determining such facts, such as trusted clocks and accessible, signed digital certificates attesting to various facts. Restated, the kinds of facts DPRL uses to determine whether a right can be exercised are always determinable in a reliable way by accessing digital certificates and controlled internal parameters of trusted systems.

Actions sanctioned by terms and conditions are always well-defined transactions corresponding to exercising specific digital rights. Thus, there are transactions defined for such actions as printing, copying, or making an encrypted backup copy. All of these actions are performed by trusted systems. There are no rights in DPRL for actions performed by people, such as "play for educational purposes," although this might alternatively be approximated as "play for a user possessing a specific, valid educator or student certificate."

Although the digital property rights language has already benefited from comments from publishers and other interested parties, the language is not frozen. Further changes will be made as we discover situations that we have not yet considered. Feedback and suggestions are solicited.

2. LANGUAGE SPECIFICATIONS

Usage rights specifications are represented using the element/attribute markup model of eXtensible MarkUp Language(XML) . Collectively, the markup tags indicate what rights are in effect on a digital work. Different parts of a work may have different rights specified. The rights specification is written in a Document Type Definition (DTD) file.

Terms in italics represent elements. An element may contain other elements, together with character data. Elements can also contain meta-data in the form of attribute list. A basic XML element declaration looks like this:

<!ELEMENT list (item)+>

This means that the element list contains one or more item elements. "+" denotes one or more. "*" denotes zero or more. A "?" indicates that a specification is optional. Vertical bars "|" are used to indicate alternative expressions. For example, the rule

<!ELEMENT b (a, (x| c)?)>

<!ELEMENT x (list))

<!ELEMENT a EMPTY>

<!ATTLIST a d CDATA #REQUIRED>

<!ELEMENT c (#PCDATA)>

means that a element b is expanded into an "a" followed by an optional "x" or "c". The element x is expanded to another element "list". The element a does not contain any data between its start and end tags but has a mandatory character data attribute "d" that has to be specified. The element c contains Parsed Character Data (PCDATA) . The "#"words are XML keywords and should be used as is (case senstive).

If an element (as in "a") is specified to be EMPTY, it means that there will not be anything between its start and end tags. The usage of such tags within a XML document can be in either of the following two ways:

<a d="something"/> or <a d="something"></a>

An element can also be defined as ANY, in which case, between the start and end tags of that element any other tag or data can be specified in the XML document.

Just as elements represent the document’s logical structure, entites represent its physical structure. A reference to a declared entity can be done in the DTD. For example

<!ENTITY % inline "#PCDATA | emphasis | link" >

<!ELEMENT para (%inline;)

is equivalent to <!ELEMENT para (#PCDATA | emphasis | link)>

White space in the language follows the XML specification. White space, such as spaces, tabs and blank lines, is used to set apart the markup for greater readability. However, "significant" white space within character data is preserved. In XML, all markup tags are case sensitive and the XML documents using this DTD should use the tags as defined. Thus a "Work" tag is different from "work" tag or "wORk" tag. The rights specification DTD defines all the tags by capitalizing the first letter for better readability.

The comments in a XML document begins with "<!--" and ends with "-->" characters.

Design goals for the specification written in XML include

Simple parsing. The XML is compatible with SGML and is easy to write programs which process XML documents.

Extensive defaulting. Many parameters are optional. The mandatory parameters are specified and optional parameters have well-defined defaults.

Extensibility. In the rights specification DTD, it is easy to add new features unambiguously without substantially modifying the language or rewriting old specifications.

The rights specified in an XML document should meet all the well-formedness and validity constraints specified in the DTD. An example of well-formed, valid XML is

<b>

<a d="data">

<c>"This element is a PCDATA"</c>

</a>

</b>

The order in which the elements are specifed within another element is position-sensitve. (i.e within the element "b", element "c" cannot be specified before "a".

 

2.1 Specifying a Work

The highest level grouping in the digital property language is a work specification.

The language design goal for a work specification is to provide a place for the information relevant to a digital work. A composite work would have a separate work specification for each part of the overall work.

<!ELEMENT Work (RightsVersion,

WorkId?,

Description?,

Owner?,

Parts?,

Contents?,

Copies?,

Comment?,

(RightsGroup | ReferencedRightsGroup)+

)>

<!ELEMENT RightsVersion EMPTY>

<!ATTLIST RightsVersion version-id CDATA #REQUIRED>

<!ELEMENT WorkId EMPTY >

<!ATTLIST WorkId work-id CDATA #REQUIRED>

<!ELEMENT Description (#PCDATA)>

<!ELEMENT Owner (Certificate)>

<!ELEMENT Parts (WorkId+)>

<!ELEMENT Contents EMPTY>

<!ATTLIST Contents from CDATA #REQUIRED

to CDATA #REQUIRED>

<!ELEMENT Copies EMPTY>

<!ATTLIST Copies copy-count CDATA #IMPLIED>

<!ELEMENT Comment (#PCDATA)>

A work specification includes the RightsVersion which is the version of the rights language used for the specification. This is intended to facilitate backward compatibility to works whose rights were written in an old version of the language.

A work specification also includes optional work identification (WorkId). This identifies a digital certificate signed by a well known registration authority and assigning a unique identification number to the digital work. Assumptions and methods for identifying and rating works are discussed elsewhere in this document.

The work-id is an identification tag which can be used to identify this work. It includes information for detecting locally if the work has been changed or tampered with. It also includes address information for locating a reference copy of the work.

A work specification also includes an optional text description of the work, which is intended to hold ISBN numbers for books, ISSN numbers (for periodicals), author addresses, and a variety of other information for identifying a work, but whose format is not necessarily fixed. The format and scope of the information in the text description is not specified, so that different organizations can put different information here. In general, the information in the text description is intended for human use. It is not used in the automatic rights processing of a repository.

The ability to change the rights on a work is not the same issue as adding further fees or restrictions when a work is included in a composite work. Rather, it is the right to change the terms and conditions within the work specification. A work specification includes an optional owner specification, which indicates who is authorized to change any part of the work-specification, including adding or deleting rights, changing conditions, or raising or lowering fees. The owner specification indicates what digital license is required to make the changes. If no owner specification is specified, then anyone can make changes to the rights on a digital work. This is the first example of a specification of a digital certificate. Digital certificates and their representation are described in more detail later in this manual.

For composite works, the optional parts specification specifies a list of works which are included as parts of this work. The right specifications given in the higher level work specification are for the work as a whole. (They do not override the rights on individual included works. See the appendix on transaction semantics.)

The contents specification gives the starting and stopping addresses to which the rights in the work specification apply. If no contents specification is given, the work is interpreted as covering the entire attached digital work. When works are nested, the addresses are taken as relative to the beginning (origin) of the larger containing work. The form of an address depends on the medium on which the work is stored.

An optional copies specification gives the number of copies of the digital work. This field is referenced in the operation of various rights. If no copies specification is given, the number of copies of the digital work is taken to be one. If there are two or more copies, then it is possible to transfer or loan a copy of the work while exercising other rights on remaining copies.

A work specification includes an optional comment. Comments in DPRL are intended for documentation, typically used by people creating and updating rights specifications. Comments are not interpreted for meaning by trusted systems. However, persistence of comments is important in order for comments to serve their purpose. Comments have fixed and specific locations in the syntax ("structured comments"). There can be atmost one comment in a work specification. Comments can also be used in other places in a specification, such as in rights groups, as described later.

 

Finally, a work specification includes a list of named groups of rights.

<?XML version="1.0" encoding="UTF-8"?>

<!DOCTYPE Work SYSTEM "work.dtd">

<Work>

<RightsVersion version-id="2.00"></RightsVersion>

<WorkId work-id="ISDN-1-55860-166-X; AAP-2348957tut"></WorkId>

<Description>"Title: 'Zuke-Zack, the Moby Dog Story' Author:'John Beagle' Copyright 1994 Jones Publishing" </Description>

<Owner>

<Certificate>

<Authority authority-id="Library of Congress"></Authority>

<PropertyPair name="ID" value="Murphy Publishers"/>

</Certificate>

</Owner>

<Parts>

<WorkId work-id="Photon-Celebshots-Dogs-23487gfj"></WorkId>

<WorkId work-id="Dog-Breeds-Chart-AKC"></WorkId>

</Parts>

<Contents from="1" to="16636"/>

<Comment>"Rights edited by Pete Jones, June 1996."</Comment>

<RightsGroup group-name="Regular">

<Comment>"This set of rights is used for standard retail editions."</Comment>

<Bundle>

<Time><Until yyyy="1998" mm="01" dd="01" sec="1"/></Time>

<Access>

<Security name="Protocol" value="5"/><Security name="Physical" value="6"/>

</Access>

<BundleFee><BundleMonetary><Account>

<AccountTo account-id="123456789"/>

<House clearing-house-id="Visa"/>

</Account></BundleMonetary></BundleFee>

</Bundle>

<RightsList>

<Play>

<Fee><Monetary><MeteredFee>

<Rate value=".05"/><Per hours="1"/><By seconds="1"/>

</MeteredFee></Monetary></Fee>

</Play>

<Print>

<Printer>

<Certificate>

<Authority authority-id="DPT"></Authority>

<PropertyPair name="Type" value="TrustedPrinter-6"/>

</Certificate>

</Printer>

<Watermark>

<Watermark-Str string="Title: 'Zeke Zack the Moby Dog' Copyright 1994 by Zeck Jones. All Rights Reserved."/>

<Watermark-Tokens all-rights="false" render-rights="true"/>

<Watermark-Str string="Title: 'Zeke Zack the Moby Dog' Copyright 1994 by Zeck Jones. All Rights Reserved."/>

</Watermark>

<Fee><Monetary><PerUse value="10"/></Monetary></Fee>

</Print>

<Transfer></Transfer>

<Copy>

<Fee><Monetary><PerUse value="10"/></Monetary></Fee>

</Copy>

<Copy>

<Access>

<User>

<Certificate>

<Authority authority-id="Murphy Publishers"></Authority>

<PropertyPair name="Type" value="Distributor"/>

</Certificate>

</User>

</Access>

</Copy>

<Delete></Delete>

<Backup></Backup>

<Restore>

<Fee><Monetary><PerUse value="5"/></Monetary></Fee>

</Restore>

</RightsList>

</RightsGroup>

</Work>

This example of a work specification in the digital property language has one rights group. The work specification expresses conditions and fees for several rights: play, print, transfer, copy, delete, backup, and restore. The syntax, meaning and defaults of these various right specifications are explained later. The work includes two other parts, a photograph and a chart of breeds incorporated from other sources.

Usage rights specifications are organized in groups of rights. Various rights specify what usage rights are passed along when a work is copied, transferred, loaned, or used in derivative works. It is convenient to refer to groups of rights by name. Within a work specification, each rights group must have a unique name.

<!ELEMENT RightsGroup (Comment?, Bundle?, RightsList)>

<!ATTLIST RightsGroup group-name CDATA #REQUIRED>

<!ELEMENT ReferencedRightsGroup (Comment?, Bundle?, RightsList)>

<!ATTLIST ReferencedRightsGroup group-name CDATA #REQUIRED>

There are two kinds of rights groups: regular rights groups and reference rights groups. A regular rights group contains a group of rights applied to the current work. A reference rights group contains a group of rights that can be referred to by name in transport rights and applied to subsequent copies of the work.

A rights group can include an optional comment before the list of rights.

A rights group can include an optional bundle specification, which specifies time specifications, fee specifications, or access specifications that apply to all of the rights in the group. The precise meanings of time specifications, fee specifications, access specifications, and watermark specifications as they appear in bundle specifications are explained in later sections. A bundle specification can include an optional comment.

The rights for a digital work are explicitly listed. Any right not in the list is not granted. The name of the right identifies the kind of right. Kinds of rights fall into various classes as explained later.

There can be more than one instance of a particular kind of right for a given work. For example, there can be more than one instance of a Copy right, which grants permission to make new copies of a digital work. One instance of the Copy right may have a special rate for "book of the month club" members. Another instance of the Copy right may allow copies to made without charge if the consumer has an appropriate digital ticket.

<!ELEMENT RightsList ((Copy | Transfer | Loan |

Play | Print | Export |

Edit | Extract | Embed |

Backup | Restore | Verify | Folder | Directory | Delete |

Install | Uninstall)+)>

Each right, identified by its name, has an optional comment, an optional time specification, an optional access specification, and an optional fee specification.

All the rights being granted for the work is specified in the list. The various kinds of rights covered by the usage rights system are described in the rest of this section. The time specification states the period of time over which the right is granted. The access specification states conditions on the exercise of a right, such as a requirement for various authorizations. The fee specification states fees associated with the exercise of a right. These specifications are described individually in the following sections of this manual.

The specifications for a given right are a combination of (1) the specifications explicitly within the right statement itself, and (2) specifications from an optional bundle specification in the rights group to which it belongs. If there is no time specification, then there is no time limit on the use of this right. If there is no access specification, then there is no access test (including security level) required. If there is no fee specification, then there is no fee required for use. A right specification can include an optional comment.

 

2.2 Digital Property Rights

Rights belong to one of several categories. The rights in DPRL describe uses that:

• Relate meaningfully to distinctions of use described in copyright law.

• Respect distinctions of use relevant to common licensing arrangements in commercial purposes of digital works.

• Are enforceable by practical trusted systems.

• Are exercised by carrying out a particular transaction on a repository.

Logically, rights can be categorized into Transport, Render, Deravative work, File management and rights for Configuration. Transport rights govern the movement of a work from one repository to another. Render rights govern the printing and display of a work, or more generally, the transmission of a work through a transducer to an external medium. (This includes the Export right, which can be used to make copies in the clear.) Derivative work rights govern the reuse of a work in creating new works. File management rights govern such things as making and restoring backup copies. Finally, configuration rights refer to the installation of software in repositories.

The next five sections pf this manual, describe each of the rights that fall under each catergory.

 

2.2.1 Transport Rights

Transport rights govern the creation and movement of persistent copies of a work under the control of trusted repositories. There are three distinct kinds of transport rights: copy, transfer, and loan. The interpretation of these rights are similar to familiar operations on physical works: copying an audio tape, transferring (or giving someone) a book, or loaning a compact disc.

The design goals of the transport rights are to provide for the following:

• To distinguish between rights for moving works among repositories and rights that increase the total number of copies of a digital work.

• To describe controlled loaning of works, both personal loans and also institutional or library loans.

• To support a range of distribution models, including both licensed distributor models and consumer-based distribution (also known as super distribution).

• To enable publishers to specify how the rights change on new copies of works.

• To control what rights move to the loaner copy when a copy of a work is loaned out and also what rights stay behind.

<!ELEMENT Copy (NextCopyRights?, Comment?, Time?, Access?, Fee?)>

<!ELEMENT Transfer (NextCopyRights?, Comment?, Time?, Access?, Fee?)>

<!ELEMENT Loan (RemainingRights?, NextCopyRights?, Comment?, Time?, Access?, Fee?)>

A Copy right is the right to make a new digital copy of a work. (Print rights, described later, govern the making of hard copies.) The Copy right is invoked whenever a new digital copy is made. Like all rights, the right to copy can be parameterized by time, access, fee, and control specifications. An optional next-copy-rights specification can be used to establish rights for the new copy that are distinct from the rights on the original.

A Transfer right is the right to transfer the digital work from one repository to another. A Transfer right does not increase the number of copies of a work because the transfer transaction between two trusted systems removes the digital work from the sending repository when the copy has been created and verified on the receiving repository.

A Loan right is the right to loan a copy of the work for a period of time. A Loan right creates a "loaner" copy of a work on a receiving repository. Typically, during the time that a work is loaned, the original copy of the work cannot be rendered. However, if there is more than one copy of the work on the original repository, then the original repository can still exercise all rights on copies that are not loaned out. As discussed below, exactly what rights are usable by either the loaning repository or at the loanee repository can be specified explicitly using the next-copy-rights and the remaining-rights specification.

Throughout the loan period, both repositories must keep track of the fact that the copy has been loaned and take this information into account in all relevant transactions. At the end of the loan period, the copy of the work on the receiving repository deactivates and the copy on the loaning repository reactivates.

<!ELEMENT NextCopyRights (RightsToAdd | RightsToDelete)>

<!ELEMENT RemainingRights EMPTY>

<!ATTLIST RemainingRights group-name CDATA #REQUIRED>

When a digital work is copied, transferred, or loaned, certain rights become available on the receiving repository. Exactly which rights are available is determined by an optional NextCopyRights specification. By default, the rights on the new repository are the same as the rights on the original repository. However, the list of rights can be modified by specifically adding or deleting groups of rights. The groups named can be either regular rights groups or reference rights groups.

The rights specification for the next copy can be described as a set of differences from the original specification. These differences may be rights to add to those of the original and rights to delete from those of the original. The set of rights provided in the RightsToAdd specification is added to those of the original work. The set of rights provided in the RightsToDelete specification is deleted from those of the original.

<!ELEMENT RightsToAdd EMPTY>

<!ATTLIST RightsToAdd group-name CDATA #REQUIRED>

<!ELEMENT RightsToDelete EMPTY>

<!ATTLIST RightsToDelete group-name CDATA #REQUIRED>

The optional remaining rights specification describes what rights to keep behind in the original loaned work. If this specification is not given, then no rights are retained when the last copy is loaned out.

Here is a simple example of a Loan usage right that specifies what rights to keep and which ones to give on the loaned copy. In this case, the loaner copy gets all of the rights except the book club rights, which are retained, by the original repository.

<Loan>

<NextCopyRights><RightsToDelete group-name="Book-Club-Rights"/></NextCopyRights>

<RemainingRights group-name="Book-Club-Rights"/>

<Access><Security></Security></Access>

<Access>

<Security name="Physical" value="4"/><Security name="Kernal" value="5"/>

</Access>

</Loan>

 

Here is another example of a work specification. This work specification has two rights groups, one called "Distributor" and one called "Consumer."

<?XML version="1.0" encoding="UTF-8"?>

<!DOCTYPE Work SYSTEM "work.dtd">

<Work>

<RightsVersion version-id="2.00"></RightsVersion>

<Description>"Title: 'Zuke-Zack, the Moby Dog Story' Author:'John Beagle' Copyright 1994 Jones Publishing"</Description>

<Owner>

<Certificate>

<Authority authority-id="Library of Congress"></Authority>

<PropertyPair name="ID" value="Murphy Publishers"/>

</Certificate>

</Owner>

<RightsGroup group-name="Distributor">

<Comment>"These rights limited to our licensed distributors."</Comment>

<Bundle>

<Access><Security name="Physical" value="4"/><Security name="Kernel" value="5"/>

<User><Certificate>

<Authority authority-id="Murphy Publishers"></Authority>

<PropertyPair name="Type" value="Distributor"/>

</Certificate></User>

</Access>

</Bundle>

<RightsList>

<Copy>

<Fee><Ticket>

<Authority authority-id="Murphy Publishers"/>

<Type ticket-id="Inventory-987"></Type>

</Ticket></Fee>

</Copy>

<Play></Play>

</RightsList>

</RightsGroup>

<RightsGroup group-name="Consumer">

<Comment>"These rights exercised by any owner of our works."</Comment>

<Bundle>

<Access>

<Security name="Physical" value="4"/><Security name="Kernel" value="5"/>

</Access>

<BundleFee>

<BundleMonetary><Account>

<AccountTo account-id="123456789"/>

<House clearing-house-id="Visa"/>

</Account></BundleMonetary>

</BundleFee>

</Bundle>

<RightsList>

<Copy><NextCopyRights><RightsToDelete group-name="Distributor"/></NextCopyRights>

<Fee><Monetary><PerUse value="10"/><Account>

<AccountTo account-id="Account-ID-678-qwerqeruyt"/>

</Account></Monetary></Fee>

</Copy>

<Play>

<Fee><Monetary><MeteredFee><Rate value=".05"/><Per hours="1"/>

</MeteredFee></Monetary></Fee>

</Play>

<Delete><Comment>"This right is without restrictions."</Comment></Delete>

<Transfer></Transfer>

<Loan>

<RemainingRights group-name="Distributor"/>

<NextCopyRights><RightsToDelete group-name="Distributor"/></NextCopyRights>

</Loan>

</RightsList>

</RightsGroup>

</Work>

The distributor rights include the right to copy a work without fee except that a particular digital ticket must be punched. The distributor rights also include a right to play the work without fee. Each of the rights in the "Distributor" rights group requires a Murphy’s distributor digital license to exercise.

There is also a "Consumer" rights group. This group includes rights to copy, play, delete, transfer, and loan. The copy right has a set fee to make a copy and the play right has a metered charge of five cents per hour. A loaner copy does not carry the distributor rights.

2.2.2 Render Rights

Render rights govern the creation of representations of a digital work outside of the control of trusted systems.

According to the dictionary, to render something is to represent it in a verbal form or in a drawing or a painting. In the context of usage rights, we use the word "render" to refer to processes that transform a digital copy of a work into a form where it can be seen or used outside of the repository. For example, a digital book or digital photograph may be displayed on a screen, a piece of music may be played through a loud speaker, a movie may be shown on a screen, or a page of a book may be printed on a printer.

When a digital work is rendered, information moves outside of the control of a trusted system. This presentation of the work as image or sound makes it possible for someone to see or hear the work. Necessarily, it also makes the work accessible for analog copying. Anything you can see you can photograph; anything you can hear you can record. Rendering does not imply permission to make other recordings of the work, such as with a film camera, video camera, or tape recorder, even though such copies will typically have lower quality than the digital original. The right to make such copies is governed by copyright law. Many techniques for rendering from digital originals also allow the inclusion of information in watermarks and fingerprints, making it possible to identify the work and also the person who played it. Although recordings of rendered works cannot be prevented, such non-digital copying of a work is governed by applicable copyright laws.

The design goals of the render rights are:

• To distinguish between rights for making ephemeral copies such as display images and rights for making long-lasting copies such as printouts.

• To provide a means of distinguishing different kinds of players and printers for digital works such as ones that add distinguishing codes. For example, a publisher may want to limit printing of a digital work to certain kinds of printers that are capable of embedding specific kinds of watermarks.

• To provide a controlled means for creating unencumbered digital copies outside of a trusted system.

• To provide a means for specifying information to be embedded in watermarks for works displayed or printed. Watermark data can be pre-specified by a publisher or distributor. It includes data that is not known until the time that a work is printed or displayed.

<!ELEMENT Play (Player?, Watermark?, Comment?, Time?, Access?, Fee?)>

<!ELEMENT Print (Printer?, Watermark?, Comment?, Time?, Access?, Fee?)>

<!ELEMENT Export (Repository?, Comment?, Time?, Access?, Fee?)>

There are three kinds of render rights: play, print, and export.

Play rights refer to ways of making a transient or ephemeral copy of a work available for use. For example, a page of a book may be displayed on a screen or music may be played out a speaker. The image on the screen or the sound coming out of the speaker is a transient copy. The Play right is also used to refer to invocation of a computer program, such as when someone plays a video game. The renderings produced when a Play right is exercised are ephemeral. Another way to understand a "Play" right is that playing requires active participation by a trusted player to render the work during the entire time that the work is perceivable.

Print rights refer to making more permanent rendered copies of a work outside of the control of a repository. In contrast to the Play right, once a work is printed, the printed copy can be viewed without requiring that the "printer" be used the entire time. The typical case is printing something on paper at a printer. The Print right also refers to making rendered copies on other external media, such as bitmap images on removable disks or audio on magnetic tapes. For example, a repository may provide rights to "print" encrypted backup copies of a digital work. Unauthorized use of such copies is inhibited because such copies of the work are generally encrypted.

An Export right makes a digital source copy outside of trusted system control. Typically, this would be a file in a format suitable for unencumbered viewing, printing, or editing. Thus, this right can be used to make a digital copy that is not encrypted or otherwise protected. An Export right might be exercised, for example, to release an older work after it has passed out of copyright.

Render rights can optionally specify the use of particular kinds of hardware for playing and printing. These specifications are intended to qualify the use of a work. Players and printers are parts of repositories, and are sometimes called trusted players and trusted printers. They are identified by non-transferable digital certificates. A given repository, such as a trusted printer, may have several different digital certificates corresponding to different output devices or kinds of printing services. For example, a digital movie player may specify a kind of player suitable for home use rather than theater use. The certificate for a particular player may be used to differentiate between high and low resolution renderings with appropriately different fees.

A printer specification may indicate a printer which marks the pages with a particular kind of identifying watermark. Specifications for embedding data in watermarks on trusted printers and trusted players are discussed in a later section.

Here is an example of a work specification. This specification is for a digital home movie. The work has two groups of rights called "theater" and "home-viewer". The theater rights allow playing the movie on a kind of public viewer by authorized distributors for a fee of $100. The home-viewer rights allow playing the movie on a home player for a rate of $5 per hour.

<?XML version="1.0" encoding="UTF-8"?>

<!DOCTYPE Work SYSTEM "work.dtd">

<Work>

<RightsVersion version-id="2.00"></RightsVersion>

<WorkId work-id="Classic-Movie-Registry-lkjdf98734"></WorkId>

<Description>"Title: 'Zuke-Zack, the Moby Dog - The Movie' Script:'John Beagle'

Director: 'Peter Hound Jones' Producer: 'Martha Jones'

No Cruelty to Animals in this flick.

Copyright 1994 Jones Home Movies"

</Description>

<Owner>

<Certificate>

<Authority authority-id="American Association of Publishers"></Authority>

<PropertyPair name="ID" value="Jones Publishing"/>

</Certificate>

</Owner>

<RightsGroup group-name="Theater">

<RightsList>

<Play>

<Player><Certificate>

<Authority authority-id="Motion Picture Association"></Authority>

<PropertyPair name="Type" value="Theater Projector"/>

</Certificate></Player>

<Access><User><Certificate>

<Authority authority-id="Jones Publishing"></Authority>

<PropertyPair name="Type" value="Distributor"/>

</Certificate></User></Access>

<Fee>

<Monetary><PerUse value="100"/><Account>

<AccountTo account-id="Account-ID-678-qwerqeruyt"/>

</Account></Monetary></Fee>

</Play>

</RightsList>

</RightsGroup>

<RightsGroup group-name="Home-Viewer">

<RightsList>

<Play>

<Player><Certificate>

<Authority authority-id="Motion Picture Association"></Authority>

<PropertyPair name="Type" value="Home-Veiwer"/>

</Certificate></Player>

<Fee>

<Monetary><MeteredFee><Rate value="5.00"/><Per hours="1"/></MeteredFee>

<Account><AccountTo account-id="Account-ID-678-qwerqeruyt"/></Account>

</Monetary>

</Fee>

</Play>

</RightsList>

</RightsGroup>

</Work>

 

The following example is of a digital book. The exemplar digital book has no fee for playing, but does have a five dollar fee for making a digital copy. It also has two Print rights, both requiring a trusted printer. The first Print right can be exercised if the user has a particular prepaid ticket. The second print right has a flat fee of ten dollars. The example assumes that the digital book can transmitted to a user’s computer by exercising the Copy right, and that the user can play or print the work at his or her convenience using the Play and Print rights. Fees are logged from the user’s workstation whenever a right is exercised.

<?XML version="1.0" encoding="UTF-8"?>

<!DOCTYPE Work SYSTEM "work.dtd">

<Work>

<RightsVersion version-id="2.00"></RightsVersion>

<WorkId work-id="Vanity-Press-Registry- lkjdf98734"></WorkId>

<Description>"Title: 'The Moby Dog Story' Copyright 1994 Zeke Jones"</Description>

<Owner><Certificate>

<Authority authority-id="American Association of Publishers"></Authority>

<PropertyPair name="ID" value="Jones Publishing"/>

</Certificate></Owner>

<RightsGroup group-name="Regular">

<Bundle>

<Access><Security name="Physical" value="4"/><Security name="Kernel" value="5"/>

</Access>

<BundleFee><BundleMonetary>

<Account><AccountTo account-id=" Account-Jones-Pub248afdoiu4398"/></Account>

</BundleMonetary></BundleFee>

</Bundle>

<RightsList>

<Copy><Fee><Monetary><PerUse value="5"/></Monetary></Fee></Copy>

<Transfer></Transfer>

<Delete></Delete>

<Play></Play>

<Print>

<Printer><Certificate>

<Authority authority-id="Digital Property Trust"></Authority>

<PropertyPair name="Class" value="Trusted Printer-6"/>

</Certificate></Printer>

<Fee><Ticket>

<Authority authority-id="Jones Publishers"></Authority>

<Type ticket-id="Prepaid-Print"></Type>

</Ticket></Fee>

</Print>

<Print>

<Printer><Certificate>

<Authority authority-id="Digital Property Trust"></Authority>

<PropertyPair name="Class" value="Trusted Printer-6"/>

</Certificate></Printer>

<Fee><Monetary><PerUse value="10"/></Monetary></Fee>

</Print>

</RightsList>

</RightsGroup>

</Work>

Here is a different version of rights for the "Moby Dog Story" digital book. In this version, the publisher does not want digital delivery to be made directly to a consumer workstation. A practical consideration supporting this choice may be that the publisher wants to minimize the risk of unauthorized copying and requires a higher level of security than is provided by trusted systems on available workstations. Instead, the publisher wants the book to be sent directly from an on-line bookstore to a trusted printer. Printing must be prepaid via digital tickets. To enable digital distribution to authorized distributors but not directly to consumers, the publisher requires that both parties in a Copy right be have an authorizing digital license. In this example, a consumer can not play the work at a workstation. Instead, the consumer must print the work.

<?XML version="1.0" encoding="UTF-8"?>

<!DOCTYPE Work SYSTEM "work.dtd">

<Work>

<RightsVersion version-id="2.00"></RightsVersion>

<WorkId work-id="Vanity-Press-Registry- lkjdf98734"></WorkId>

<Description>"Title: 'The Moby Dog Story' Copyright 1994 Zeke Jones"</Description>

<Owner><Certificate>

<Authority authority-id="European Publishers Association"></Authority>

<PropertyPair name="ID" value="Jones Publishing"/>

</Certificate></Owner>

<RightsGroup group-name="Distributor">

<Bundle>

<Access><Security name="Physical" value="4"/><Security name="Kernel" value="5"/>

</Access>

<BundleFee><BundleMonetary>

<Account><AccountTo account-id=" Account-Jones-Pub248afdoiu4398"/></Account>

</BundleMonetary></BundleFee>

</Bundle>

<RightsList>

<Copy>

<Access>

<Source><Certificate>

<Authority authority-id="Jones Publishers"></Authority>

<PropertyPair name="Type" value="Distributor"/>

</Certificate></Source>

<Destination><Certificate>

<Authority authority-id="Jones Publishers"></Authority>

<PropertyPair name="Type" value="Distributor"/>

</Certificate></Destination>

</Access>

<Fee><Monetary><PerUse value="5"/></Monetary></Fee>

</Copy>

<Delete></Delete>

<Print>

<Printer><Certificate>

<Authority authority-id="Digital Property Trust"></Authority>

<PropertyPair name="Class" value="Trusted Printer-6"/>

</Certificate></Printer>

<Fee><Ticket>

<Authority authority-id"Jones Publishers"></Authority>

<Type ticket-id="Prepaid-Print"></Type>

</Ticket></Fee>

</Print>

</RightsList>

</RightsGroup>

</Work>

2.2.3 Derivative Work Rights

Derivative work rights govern the reuse of a digital work, in whole or part, to create a new composite work. The design goal for derivative work rights is not to cover all possible forms of reuse. Many kinds of reuse involve substantial negotiation about issues that are outside the scope of what a practical trusted system can mediate or check. Rather, the derivative use rights are intended to automate the simple case where the rights owner can pre-determine fees and repository-testable conditions on a work prior to distributing it digitally.

The design goals for the derivative work rights are:

• To make it possible for the rights owner to pre-arrange fees and conditions governing subsequent use of the material in derivative works.

• To make it possible for the rights owner to pre-determine whether communication for notification or authorization is required before a derivative work right can be exercised.

• To ensure that all information about authorship, identity, contents, and rights is controlled or preserved in the derivative work.

• To arrange that the collection of fees for use of derivative works is automatic and can depend on the number of copies of the derivative work that are actually made.

• To enable a rights owner to determine whether derivative works can incorporate selected portions of a work, or whether the original work must be incorporated in total.

• To provide a framework that can eventually enable a rights owner to determine what kinds of changes are permitted in the derivative work, if any.

<!ELEMENT Edit (Editor?, NextCopyRights?, Comment?, Time?, Access?, Fee?)>

<!ELEMENT Extract (Editor?, NextCopyRights?, Comment?, Time?, Access?, Fee?)>

<!ELEMENT Embed (Editor?, NextCopyRights?, Comment?, Time?, Access?, Fee?)>

<!ELEMENT Editor (Certificate+)>

There are three kinds of derivative work rights: extract, edit, and embed.

The Extract right allows removing a portion of a digital work, creating a new work. A rights owner can divide a total digital work up into different sub-works, each with its own work specification. In this way, the rights owner can decide whether a work can be reused as a whole or in parts, and also can associate different rights and conditions with different parts of a digital work. Extract differs from Edit in that it does not grant the right to modify a work, except by removing parts of it.

The editor specification is intended to be used to test whether different editing systems qualify. From the perspective of DPRL, an editor is expected to be a trusted system with signed certificates attesting to its properties. A publisher can name the properties that an editing system must have before it can be used to edit the work. If the optional editor specification is not given, then any editor program can be used for the extraction process. Otherwise, an editing system with the specified certificates can be used.

Edit grants the right to modify a work. Edit is like Extract in that it creates a new work. It differs from Extract in that it is used to make changes to a work. A rights owner can control what kinds of changes can be made to a digital work by specifying a kind of editor. For example, a particular digital audio music editor may allow someone to change the pitch or key of a piece of music, but not add notes. If the optional editor specification is not given, then any editing program can be used. Otherwise, only the specified editing system can be used.

Embed grants the right to include a work as part of a composite work. Embed puts a copy of a digital work inside a composite work. If the optional editor specification is not given, then any editing system can be used. Otherwise, only the specified editor can be used.

By default, if the optional next copy rights are not specified, the fees and conditions for a work when it is reused are the same as the fees and conditions for the original work. A publisher can override this default by adding or deleting rights in an optional next-copy-rights specification.

<?XML version="1.0" encoding="UTF-8"?>

<!DOCTYPE Work SYSTEM "work.dtd">

<Work>

<RightsVersion version-id="2.00"></RightsVersion>

<Description>"Title: 'Moby Dog' Author: 'John Beagle' Copyright 1994 Jones Publishing"</Description>

<Owner><Certificate>

<Authority authority-id="United Publishers"></Authority>

<PropertyPair name="ID" value="Murphy Publishiers"/>

</Certificate></Owner>

<RightsGroup group-name="Derivative Rights">

<Comment>"These rights apply to deravative works."</Comment>

<RightsList>

<Copy>

<Access>

<Security name="Physical" value="4"/><Security name="Kernel" value="5"/>

</Access>

<Fee><Monetary>

<PerUse value="5"/>

<Account>

<AccountTo account-id="123456789"/>

<House clearing-house-id="Visa"/>

</Account>

</Monetary></Fee>

</Copy>

</RightsList>

</RightsGroup>

<RightsGroup group-name="Consumer">

<Bundle><Access>

<Security name="Physical" value="4"/><Security name="Kernel" value="5"/>

</Access></Bundle>

<RightsList>

<Copy>

<Fee><Monetary>

<PerUse value="10.0"/>

<Account>

<AccountTo account-id="123456789"/>

<House clearing-house-id="Visa"/>

</Account>

</Monetary></Fee>

</Copy>

<Extract>

<Editor>

<Certificate>

<Authority authority-id="DPT"></Authority>

<PropertyPair name="Type" value="Class 3"/>

</Certificate>

</Editor>

</Extract>

<Embed>

<Editor>

<Certificate>

<Authority authority-id="Adobe"></Authority>

<PropertyPair name="Type" value="Standard Embed"/>

</Certificate>

</Editor>

<NextCopyRights>

<RightsToAdd group-name="Deravative Rights"/>

</NextCopyRights>

</Embed>

<Play>

<Fee>

<Monetary>

<MeteredFee><Rate value=".05"></Rate><Per minutes="1"/></MeteredFee>

<Account>

<AccountTo account-id="123456789"/>

<House clearing-house-id="Visa"/>

</Account>

</Monetary>

</Fee>

</Play>

<Delete></Delete>

<Transfer></Transfer>

</RightsList>

</RightsGroup>

</Work>

Here is an example of how a work can be specified to provide for derivative use. In this example, the publisher has granted Extract and Embed rights requiring that a particular "editing" program be used. No changes can be made to the work. In addition to the original rights on the work, the embedded work has an additional copy right with a lower per use fee paid to a different account.

For some applications, it will be useful to have fairly elaborate controls on the changes that can be made to a derivative work. For example, a written work may require that certain sections always be extracted together. A musical work may allow changing the key and pitch but not the notes. The variety of possible kinds of controls is rich, not developed, and depends on the media and application. The digital property language is designed to allow application-specific kinds of restrictions as described in the following.

Each kind of editor can have its own terminology for kinds of change. For example, a digital music editor might have editing operations for pitch, key, instrumentation, and other things. Digital representations for works can be augmented to include annotations that point to regions of a work and specify in an application-specific way the kinds of changes that can be made. Such annotations would have no effect when a work is played, but would control editing operations when a derived work is edited.

In this way the rights specifications are divided between domain-independent considerations in the digital property language and the application-specific considerations in specific editors. The usage rights language allows a rights owner to specify general usage rights in the usual way, including the required use of a chosen editor (or family of editors) for editing the work. The rights owner then uses the specified editor to annotate the work to specify the kinds of changes that are allowed in domain specific terms. Later when a user wants to make a derived work by editing the work, he must use a compatible trusted editor which follows the domain-specific change annotations.

2.2.4 File Management Rights

File management rights govern access to directory and file information when two repositories are connected. File management rights control how directory information of one repository can be accessed from another. They also control the making and restoring of backup copies.

Some usage rights, such as Print or Copy, typically involve more than one repository. Other usage rights, such as Transfer and Loan, inherently involve more than one repository. To exercise rights that involve more than one repository, a user at one repository must be able to access digital works located on another.

The design goals for the file management rights are as follows:

• To provide a simple and consistent means to specify and control access to digital works across different repositories and different kinds of repositories.

• To provide a lightweight and convenient means for organizing collections of digital works on a repository.

• To integrate specifications for controlling how collections of works can be used with specifications about how individual works can be used.

• To provide facilities that manage the risk of system or media failure or distribution of rogue works.

<!ELEMENT Backup (BackupCopyRights, Comment?, Time?, Access?, Fee?)>

<!ELEMENT Restore (Comment?, Time?, Access?, Fee?)>

<!ELEMENT Verify (Verifier, Comment?, Time?, Access?, Fee?)>

<!ELEMENT Folder (Comment?, Time?, Access?, Fee?)>

<!ELEMENT Directory (Comment?, Time?, Access?, Fee?)>

<!ELEMENT Delete (Comment?, Time?, Access?, Fee?)>

<!ELEMENT BackupCopyRights EMPTY>

<!ATTLIST BackupCopyRights group-name CDATA #REQUIRED>

<!ELEMENT Verifier(Certificate+)>

There are six kinds of file management rights: Folder, Directory, Delete, Verify, Backup, and Restore.

When a repository has many digital works, it is often convenient to organize them into named hierarchical sets called folders. This approach is basic to many popular file systems, such as Windows™, MacOS™, and UNIX™. In repositories built on conventional computer file systems, these hierarchical sets generally correspond to file system folders and directories. For consistency across brands of repositories, the same digital property language that applies to digital works is also used for folders.

Folder rights govern the creation and naming of subfolders, and the right to reconfigure the folders by moving files and folders among folders. These rights are exercised by commands at a repository user interface. The right to exercise all of these operations is governed by the single "folder" right. (Restated, there are no separate rights for moving or renaming files and folders. All of these repository actions are governed under folder rights.) Directory rights govern the delivery of information about what works are contained within folders.

Here is an example of a rights group for a personal folder on a repository. The rights on a folder augment the rights of the works in a folder. For example, if a work is moved into a folder on which there are no print rights, no work in the folder can be printed. In this example, the rights group named "PersonalFolder" simply adds the requirement that a particular authorizing license ("Stefik’s license") be in force before any of a set of rights can be exercised. Moving a work into this "personal" folder would prevent anyone, who is logged into the repository but who does not have the license, from accessing or using any work in the folder.

<RightsGroup group-name="PersonalFolder">

<Bundle>

<Access><User><Certificate>

<Authority authority-id="Xerox"></Authority>

<PropertyPair name="ID" value="Mark Stefik"/>

</Certificate></User></Access>

</Bundle>

<RightsList>

<Play></Play>

<Copy></Copy>

<Loan></Loan>

<Delete></Delete>

<Folder></Folder>

<Directory></Directory>

<Transfer></Transfer>

</RightsList>

</RightsGroup>

A directory listing may be requested of any folder in a repository, allowing either the local or a remote repository to get information about the works, their parts, and other folders contained in it. The ability to get information about a folder, a work, or its parts may be withheld in such directory listings by simply requiring a license to exercise the right.

Delete rights govern the operation of deleting a copy of a digital work. The generally expected practice is to grant any copy owner the right to delete the work. The right to delete needs to be controlled in applications where many people can log into a repository and where deleting a file could be done accidentally or in malicious mischief. To prevent the unwanted and unauthorized deletion of digital works that are accessed remotely, it is typical for a Delete right to include various conditions, such as the requirement of a digital license to exercise the right.

An opposite problem from unauthorized deletion is the creation of "Trojan Horse" works which are copied for free but which require fees to delete them. To defend against such tricks, many repositories will generate warning and confirmation messages before accepting copies of works that lack delete rights or which assess charges or conditions to exercise this right.

Verify rights are used to authorize checking of the authenticity of a work. There are several different kinds of checking that can be performed. The simplest checks verify that the work is properly encrypted. Other checks involve the use of 1-way hash functions and other keys that can detect tampering with a work. Other checks can consider hot-lists of rogue works maintained by the trusted system. Reference copies of a work may be available on the network. Local copies can be carefully compared with reference copies to verify their authenticity.

 

Since a verifying system has access to the contents of a digital work, publishers can require that the system be certified. To protect against "rogue verifiers" that copy works under the guise of checking them or that damage works, publishers may specify that particular kinds of verifiers be used, such as certified verifiers on well known on-line servers.

<Verify><Verifier><Certificate>

<Authority authority-id="DPT"></Authority>

<PropertyPair name="Type" value="Class-2"/>

</Certificate></Verifier></Verify>

Backup grants the right to make copies of a work for the purpose of guarding against the loss of the original due to accident or catastrophic media or equipment failure. The backup operation creates an encrypted copy of a digital work, which is in a form where it cannot be rendered without first exercising a restore operation. The optional BackupCopyRights is used to specify the rights on the encrypted backup copy. Typically, Transfer and Restore rights would be given on a backup copy. If no backup copy rights are given, the default right is to restore the copy. Backup copy rights are not the same as the rights that will be available when the backup copy is restored. The rights on the restored copy are the same as the rights on the original before the backup was made.

A restore operation converts an encrypted backup copy into a usable copy in a controlled manner. Restore rights typically elaborate various fees and conditions that balance the interests of the copy owner with the interests of the publisher.

<ReferencedRightsGroup group-name="SafetyNet">

<RightsList>

<Transfer><Access>

<Security name="Physical" value="4"/><Security name="Kernel" value="5"/>

</Access></Transfer>

<Restore>

<Access><Security name="Security-Class" value="3"/></Access>

<Fee><Ticket>

<Authority authority-id="Jones-Publisher"></Authority>

<Type ticket-id="Restore"></Type>

</Ticket></Fee>

</Restore>

<Restore>

<Access><Security name="Security-Class" value="3"/></Access>

<Fee><Monetary>

<PerUse value="15"/>

<Account><AccountTo account-id="Account-ID-678-qwerqeruyt"/></Account>

</Monetary></Fee>

</Restore>

<Restore>

<Access><Security name="Security-Class" value="3"/>

<User><Certificate>

<Authority authority-id="Murphy Publishers"></Authority>

<PropertyPair name="Type" value="Distributor"/>

</Certificate></User>

</Access>

</Restore>

</RightsList>

</ReferencedRightsGroup>

<RightsGroup group-name="Regular">

<RightsList>

<Play><Access>

<Security name="Physical" value="4"/><Security name="Kernel" value="5"/>

</Access></Play>

<Delete></Delete>

<Transfer><Access>

<Security name="Physical" value="4"/><Security name="Kernel" value="5"/>

</Access></Transfer>

<Backup><BackupCopyRights group-name="Safety-Net"/></Backup>

</RightsList>

</RightsGroup>

Here is an example of Backup and Restore rights. The reference rights group named "Safety-Net" includes a transfer right and three restore rights with different fees and conditions. All of the restore rights require that the repository have security class 3. One of the restore rights requires no monetary fee but uses a particular digital ticket. This approach could be used by a publisher who grants a limited number of free restorations controlled by a set of digital tickets. The second restore right costs a flat fee of $15. The third restore right is free, but requires a particular distributor’s license.

The second rights group called "regular" elaborates rights for normal use, including play, delete, transfer, and backup. The backup copy rights are those in the "SafetyNet" rights group. The next example expresses the same rights groups somewhat more simply by using Bundle specifications.

<ReferencedRightsGroup group-name="SafetyNet">

<Bundle>

<Access><Security name="Security-Class" value="3"/></Access>

</Bundle>

<RightsList>

<Transfer><Access>

<Security name="Physical" value="4"/><Security name="Kernel" value="5"/>

</Access></Transfer>

<Restore>

<Fee><Ticket>

<Authority authority-id="Jones-Publisher"></Authority>

<Type ticket-id="Restore"></Type>

</Ticket></Fee>

</Restore>

<Restore>

<Fee><Monetary>

<PerUse value="15"/>

<Account><AccountTo account-id="Account-ID-678-qwerqeruyt"/></Account>

</Monetary></Fee>

</Restore>

<Restore>

<Access><User><Certificate>

<Authority authority-id="Murphy Publishers"></Authority>

<PropertyPair name="Type" value="Distributor"/>

</Certificate></User></Access>

</Restore>

</RightsList>

</ReferencedRightsGroup>

<RightsGroup group-name="Regular">

<Bundle><Access>

<Security name="Physical" value="4"/><Security name="Kernel" value="5"/>

</Access></Bundle>

<RightsList>

<Play></Play>

<Delete></Delete>

<Transfer></Transfer>

<Backup><BackupCopyRights group-name="Safety-Net"/></Backup>

</RightsList>

</RightsGroup>

 

2.2.5 Configuration Rights

Configuration rights govern the adding and removing of system software from highly secure repositories. These rights are not relevant on platforms where the loading of software is not controllable.

The design goals for configuration rights are as follows:

• To provide a means to load software that insures that it is certified, has not been tampered with, and is compatible with the repository.

• To arrange that a user installing and uninstalling repository software in the field has security on the same order as when software is installed in a secure facility.

Because general purpose computers have other means for loading and deleting software, configuration rights are most relevant to dedicated, high security repositories. Typically, the control offered by configuration rights on secure repositories is most useful when adding software for a new player or editor.

<!ELEMENT Install (Comment?, Time?, Access?, Fee?)>

<!ELEMENT Uninstall (Comment?, Time?, Access?, Fee?)>

There are two kinds of configuration rights: Install and Uninstall. As with all other rights, these rights also have an optional comment, time, access, fee specification. An Install operation makes software runnable on a repository. Just copying a program to a repository does not make it runnable. The installation operation checks that software is certified, that it has not been tampered with, and that it is compatible with the repository. If these conditions are satisfied, the install operation links the software into the secure software procedures of the repository.

The Uninstall operation removes software from the running system. Uninstall does not delete the file corresponding to the program. It merely disables it from running, restoring it to the state before it was installed.

 

2.3 Specifying Times

Usage rights are usually granted for a specified period of time. The time period over which a right is granted is indicated by a time specification. To honor time specifications, a trusted system must have accurate and tamper-proof clocks.

The language design goals of the time specifications are:

• To express time limits that govern when rights become available and when they cease to be available.

• To express the categories of time blocks that are useful for governing commercial use of digital works.

• To describe contiguous periods of time, periods of time that do not start until a work is first used, and accumulative amounts of time that need not be contiguous.

• To provide unambiguous specifications suitable for international commerce and commerce across time zones.

Time specifications use representations of moments in time and units of time. The next two sections describe representations for moments and time units. We then discuss time specifications for usage rights that use these representations to indicate when the rights are valid.

2.3.1 Specifying Moments in Time

Moment specifications indicate a particular moment in time. All specifications of a particular moment in time must specify the date and optionally the time. Any of the paramters are not filled then 00 is implied.

<!ENTITY % moment "yyyy CDATA #IMPLIED

mm CDATA #IMPLIED

dd CDATA #IMPLIED

hrs CDATA #IMPLIED

min CDATA #IMPLIED

sec CDATA #IMPLIED">

Time constants (hrs, min, sec) represent specific times-of-day on the 24-hour clock in Universal Time, or UT (equivalent to Greenwich Mean Time, or GMT). The "hrs" represents the hour and therefore must be between 0 and 23, inclusive. The "min" represents the minute and must be between 0 and 59, and the "sec" represents the second, and therefore must be between 0 and 59, inclusive. The time "24:00:00", in some contexts defined to be equivalent to the time "00:00:00", is not allowed.

Time of Day Meaning

hrs=17 min=30 sec=01 Five-thirty p.m. and one second. (GMT)

hrs=00 min=00 sec=00 Twelve o’clock Am. (GMT)

(midnight, the first second of the day)

hrs=12 min=00 sec=00 Twelve o’clock p.m. (noon, GMT)

Date constants (yyyy, mm, dd) represent a specific day on the calendar. "yyyy" represents the year and must be between 0 and 9999, inclusive. Note that one-, two-, and three-digit integers represent years through 999 AD. Specifically, two-digit integers do not, as in common usage, represent years in the current centennial. "mm" represents the month and therefore must be between 1 and 12, inclusive. "dd" represents the day and therefore must be between 1 and either 28, 29, 30, or 31, inclusive, according to the calendar. Here are some examples of date constants.

Date Constant Meaning

yyyy=1996 mm=5 dd=15 May 15, 1996

yyyy=0999 mm=12 dd=31 December 31, 999

yyyy=2000 mm=01 dd=03 January 3, 2000

Since repositories need to have synchronized clocks for their transactions, which may take place across time zones, it is convenient to use Universal Time as a standard. Conversion to local date and time is performed by the user interface of the trusted system.

 

2.3.2 Specifying Units of Time

Time specifications indicate a period of time by specifying a number of calendar units, a number of time units, or both. Calendar units are specified in calendar years, months, and days. Time units are specified in hours, minutes, and seconds.

Calendar units are idiosyncratic as units of measure because they do not have uniform sizes. Thus, years have different numbers of days in them depending on leap years. Similarly, different months have different numbers of days in the Julian calendar. Nonetheless, these "units" are convenient in specifications because so many people use calendars.

<!ENTITY % interval "years CDATA #IMPLIED

months CDATA #IMPLIED

days CDATA #IMPLIED

hours CDATA #IMPLIED

minutes CDATA #IMPLIED

seconds CDATA #IMPLIED">

Calendar units(years, months, days) have the same syntactic structure as date constants. The number of years can be between 0 and 9999, referring to a number of calendar years. The number of months can be between 0 and 9999, refering to a number of calendar months. The number of days can be between 0 and 9999. Here are some examples of calendar units.

Calendar Units Meaning

months=3 days=4 Three months and four days.

days=40 Fourty days.

days=7 Seven days

years=1 One calendar year.

In particular, a specification 00/03/00 for three months is not the same as 00/00/90 for ninety days, although they are close. The actual number of days in three calendar months depends on the months when the specification applies.

Time units(hours, minutes, seconds) have the same syntactic structure as time constants. The number of seconds can be an integer between 0 and 9999. The number of minutes can be an integer between 0 and 9999. The number of hours can be an integer between 0 and 9999.

Time Units Meaning

hours=2 minutes=30 Two hours and thirty minutes.

minutes=67 Sixty seven minutes.

minutes=5 seconds=30 Five and a half minutes.

 

2.3.3 Specifying When Rights Can Be Exercised

We are now ready to consider time specifications for rights. All time specifications refer to a time interval over which the rights are enabled. In addition, there is an optional expiration date, after which the right cannot be exercised even if the interval is not exhausted. If no time specification is given, the right is assumed to be always valid.

<!ELEMENT Time ((From | Interval | Metered)?, Until)>

<!ELEMENT From EMPTY>

<!ATTLIST From %moment;>

<!ELEMENT Interval EMPTY>

<!ATTLIST Interval %interval;>

<!ELEMENT Metered EMPTY>

<!ATTLIST Metered %interval;>

<!ELEMENT Until EMPTY>

<!ATTLIST Until %moment;>

There are three kinds of intervals in time specifications: fixed intervals, sliding intervals, and metered intervals.

In their most complete form, fixed intervals start at a fixed time and ends at a fixed time. In variations, a fixed interval specification can specify only a starting time or only an ending time. Here are some examples of fixed interval specifications.

• <Time><Until yyyy="1995"/></Time>

• <Time><Until yyyy="1994" mm="12" dd="31" hrs="23" min="59" sec="59"/></Time>

Can be used until midnight New Year’s Eve in 1994.

• <Time>

<From yyyy="1997" mm="02" dd="14"/>

<Until yyyy="1997" mm="02" dd="15"/>

</Time>

Can be used only on Valentine’s Day in 1997.

Sliding intervals specify a consecutive period of time. The period starts when the right is first exercised. To accurately account for sliding intervals, a trusted system must keep track of the time that use started. Here are some examples of sliding interval specifications.

• <Time><Interval hours="12"/><Until yyyy="1996"/></Time>

Can be used for any twelve consecutive hours any time up to January 1, 1996.

• <Time><Interval hours="2"/><Until yyyy="1996" mm="05" dd="01" hrs="8"/></Time>

Can be used for two consecutive hours any time up to 8:00 am May 1, 1996.

Metered intervals represent accumulative periods of time. A user can start and stop using exercising a right as often as he wants. The metering clock runs whenever the right is being exercised, and stops when the user stops using it. The right can be exercised as long as the total time has not been used. To accurately account for metered time, a repository must keep an incremental log of the amount of time used so far.

• <Time>

<Metered hours="2"/><Until yyyy="1996" mm="05" dd="01" hrs="8"/>

</Time>

Can be used for two hours of metered time spread out in any way up to 8:00 am on May 1, 1996. The work cannot be used after May 1, 1996 even if the metered time has not yet exhausted the two hours.

• <Time>

<Metered months="2"/><Until yyyy="1998" mm="09" dd="01" hrs="8"/>

</Time>

Can be used for two months spread out in any way until September 1, 1998.

Note that a metered time interval specification is not the same thing as a metered fee specification. A metered time interval indicates the time that a right is valid. It can be used even on rights for which there is no fee. A metered fee specification is a way of indicating how to charge to exercise a right in using a work. Metered fee specifications could be used even on works where the right to use the work does not expire at all.

2.4 Specifying Fees and Incentives

Usage rights can have associated fees which are paid to specific accounts. To honor these fees, trusted systems need to communicate regularly with financial clearing houses. They also need to have reliable and tamper-proof means of recording and reporting billing data. Different repositories have different approaches, depending on the application and the required levels of security and accountability. Some systems accumulate billing logs locally and report them to financial clearing houses on a scheduled basis. Less secure systems must connect with an on-line financial clearinghouse each time that a transaction is made, and before a transaction can be completed.

The language design goals for fee specifications are:

• To express the kinds of charges to exercise a right that are commercially useful for all kinds of digital works.

• To express variations on per-use fees and metered-use fees, including payments per time unit, minimum and maximum fees over a period, and fixed fees for unlimited use in a fixed time period.

• To accommodate approaches based on both credit accounts and debit accounts.

• To support transactions on trusted systems where the consumer is not on-line.

• To express fees in most national currencies and also in publisher-supplied non-currency units (digital tickets).

• To express payments from a consumer to a publisher as well as incentives from a publisher to a consumer.

• To express predetermined and scheduled changes in price.

• To express bundled prices for using combinations of rights.

A fee specification describes the financial transaction required to exercise a right. It can include a ticket specification or a monetary specification. If a ticket specification is given, then the transaction requires that a particular kind of digital ticket be processed ("punched") by a digital ticket agent accessible to the repository. The simplest digital tickets are used just once and are punched by a standard digital ticket agent when they are used. More complex tickets have more internal structure, representing expiration dates, numbers of times that they can be punched, and may require a specialized ticket agent. If a monetary specification is given, then the user will be billed.

<!ELEMENT Fee (Ticket | Monetary)>

<!ELEMENT Ticket (Authority, Type)>

Each right of a digital work can have different fee specifications. In the following example, the "Play Options" rights group gives three different fee schemes for playing the work. One has a ticket, one charges a dollar per play, and one is fifty cents an hour. Some usage rights in the "Regular" rights group, such as transfer, delete, and backup require no fees at all.

<?XML version="1.0" encoding="UTF-8"?>

<!DOCTYPE Work SYSTEM "work.dtd">

<Work>

<RightsVersion version-id="2.00"></RightsVersion>

<Description>

"Title: 'The Moby Dog Story' Author:'John Beagle'

Copyright 1994 Jones Publishing"

</Description>

<Owner>

<Certificate>

<Authority authority-id="United Publishers"></Authority>

<PropertyPair name="ID" value="Jones Publishers"/>

</Certificate>

</Owner>

<Contents from="1" to="16636"/>

<RightsGroup group-name="Play Options">

<RightsList>

<Play><Fee><Ticket>

<Authority authority-id="Jones Publishing"></Authority>

<Type ticket-id="Demo"></Type>

</Ticket></Fee></Play>

<Play>

<Time>

<From yyyy="1997" mm="02" dd="14"/><Until yyyy="1998" mm="02" dd="15"/>

</Time>

<Fee><Monetary>

<PerUse value="1.0"></PerUse>

<Account><AccountTo account-id="Account-ID-677-qp3498"/></Account>

</Monetary></Fee>

</Play>

<Play>

<Time><Until yyyy="2000"/></Time>

<Fee><Monetary>

<MeteredFee><Rate value=".50"></Rate></MeteredFee>

<Account><AccountTo account-id="Account-ID-678-qwerqeruyt"/></Account>

</Monetary></Fee>

</Play>

</RightsList>

</RightsGroup>

<RightsGroup group-name="Regular">

<RightsList>

<Transfer>

<Access>

<Security name="Physical" value="4"/><Security name="Kernel" value="5"/>

</Access>

</Transfer>

<Copy>

<Access><Security name="Security-Class" value="3"/></Access>

<Fee><Monetary>

<PerUse value="1.0"></PerUse>

<Account><AccountTo account-id="Account-ID-678-qwerqeruyt"/></Account>

</Monetary></Fee>

</Copy>

<Delete></Delete>

<Backup></Backup>

<Restore>

<Access>

<Security name="Physical" value="4"/><Security name="Kernel" value="5"/>

</Access>

<Fee><Monetary>

<PerUse value="5.0"/>

<Account><AccountTo account-id="Account-ID-678-qwerqeruyt"/></Account>

</Monetary></Fee>

</Restore>

</RightsList>

</RightsGroup>

</Work>

More details on ways to specify different kinds of fees are described in the following sections.

2.4.1 Currencies and Accounts

Charges may be expressed in any currency known to the repository. As with paper currency, digital bills are subject to the principles and dynamics of currency exchange when accounts are reconciled with financial clearing houses. Restated, the transactions are recorded in a particular currency. Subsequent fluctuations in the value of the currency may occur. If the currency is not explicitly specified, then "US dollar" is assumed. A table of ISO currency codes is given in Appendix A.

<!ELEMENT Currency EMPTY>

<!ATTLIST Currency iso-currency-code CDATA #REQUIRED>

<!ELEMENT Account ((AccountTo, House?) | (AccountFrom, House?))>

<!ELEMENT AccountTo EMPTY>

<!ATTLIST AccountTo account-id CDATA #REQUIRED>

<!ELEMENT AccountFrom EMPTY>

<!ATTLIST AccountFrom account-id CDATA #REQUIRED>

<!ELEMENT House EMPTY>

<!ATTLIST House clearing-house-id CDATA #REQUIRED>

Usage rights fees and incentives may be handled by a wide variety of financial systems and institutions including banks, credit institutions, and electronic commerce organizations.

The account specification typically indicates the account to be paid. Fees are paid by the user/copy-owner to the revenue-owner and indicated by the element AccountTo in the account specification. Incentives are paid by the revenue-owner to user/copy-owner and are indicated by the element AccountFrom in the account specification.

An account-id is an account number together with an institution code that identifies a specific account at a specific bank or other financial institution from which fees will be collected, or to which incentives will be paid.

The account specification takes an optional clearinghouse specification that names a financial clearing house. In closed systems where the financial clearing house is known by default, the specification is unnecessary. In open systems where multiple clearinghouses are possible and account numbers are not unique, the specification names the clearinghouse to be used.

 

In the following examples, exercising the first right causes the user to be billed fifty cents. Exercising the second one causes the user to be credited fifty cents. The right itself includes information known to the publisher. It does not, for example, name the user’s account. The user’s account information must be held elsewhere in the system.

<Play>

<Fee><Monetary>

<PerUse value=".50"></PerUse>

<Account><AccountTo account-id= "245lkj5987"/></Account>

</Monetary></Fee>

</Play>

<Play>

<Fee><Monetary>

<PerUse value=".50"></PerUse>

<Account><AccountFrom account-id= "245lkj5987"/></Account>

</Monetary></Fee>

</Play>

<Play>

<Fee><Monetary>

<PerUse value=".50"></PerUse>

<Account>

<AccountTo account-id= "245lkj5987"/>

<House clearing-house-id="Visa"/>

</Account>

</Monetary></Fee>

</Play>

2.4.2 Digital Tickets

Digital tickets are used for pre-paid uses. Loosely speaking, they are a kind of private currency. They are not legal tender, but they can often be purchased for money. They can be exchanged for particular services. Like movie tickets, digital tickets are punched when they are used. On a trusted system, a digital ticket is punched by a local digital ticket agent. A ticket is a digital certificate that is altered ("punched") after use making it unusable for any future transactions.

The design goals for digital tickets are:

• Digital tickets are special digital works issued by publishers.

• A ticket publisher can predetermine the conditions under which tickets can be created, transferred across repositories, or used in rights.

• Independent of the time specifications on rights that use them, tickets can expire even if they have not been used.

• Both unused and punched tickets are secure against forgery and tampering.

• Tickets are processed by a generic ticket agent that is part of a repository.

• Tickets can specify additional required processing by local or remote ticket agents.

• Metered tickets can be used to prepay usage over a period of time.

• Metered tickets can be shared across multiple rights, so that the rights share a single clock.

Digital tickets are implemented as encrypted computer files kept in trusted storage. Repositories treat digital tickets much like digital works, in that digital tickets have rights attached to them and these rights are used to govern copying, transferring, and other uses. A digital ticket is punched when a digital ticket agent "plays" the ticket. In the typical and simplest case, playing a digital ticket involves recording its use in the billing data and marking it as punched.

More sophisticated kind of digital tickets are possible. For example, some digital tickets can be "metered tickets" which keep track of the amount of time over which they are used. In this case, each time that the ticket is used, the digital ticket agent records on the ticket the time that passes when a right is being exercised. The ticket is exhausted when the time runs out. More than one right can be associated with a given metered ticket. In this case, the multiple rights share a clock. Metered tickets are also useful when the time that rights will be used is paid ahead of time, instead of being logged while the right is exercised. The internal state of tickets, including metering information, is part of the ticket creation process and not part of the language for describing rights that use such tickets. See the section on tickets and digital certificates.

If a ticket has Copy and Transfer rights, copies can be made (possibly for a fee) for another user. If a ticket has been used before it is copied, it must be refreshed before it is copied.

Digital tickets are accessible only to the certified accounting routines of the trusted system. Because they are tokens for payment, tickets must be kept in trusted storage on trusted and semi-trusted systems. For certain low-security repositories, tickets can be accessed from remote repositories of adequate security. Software-only trusted systems can still use digital tickets, but their security is necessarily less.

<Play>

<Time><Until yyyy="2050"/></Time>

<Fee><Ticket>

<Authority authority-id="Jones Publishers"></Authority>

<Type ticket-id="Introductory Offer"></Type>

</Ticket></Fee>

</Play>

<Play>

<Time><Until yyyy="2010"/></Time>

<Fee><Monetary>

<MeteredFee>

<Rate value="1.0"></Rate>

<Per hours="1"/>
</MeteredFee>

<Account>

<AccountTo account-id="Jones-Pub-poierlkj45"/>

<House clearing-house-id="CitiBank"/>

</Account>

</Monetary></Fee>

</Play>

In this example, there are two play rights. The first one just requires a ticket. The second example requires no ticket, but costs a dollar per hour.

 

2.4.3 Per Use and Metered Fees

Regular fee specifications are the basic forms of monetary arrangements. For each fee, specifications can include a fee type, optional minimum and maximum price specifications over the life of this copy of the work, and the account to be charged (or credited to the user as an incentive).

<!ELEMENT Monetary ((PerUse | MeteredFee | BestPriceUnder | CallForPrice | Markup),

Min?,

Max?,

Account)>

<!ELEMENT PerUse (Currency?)>

<!ATTLIST PerUse value CDATA #REQUIRED>

<!ELEMENT MeteredFee (Rate, Per, By?)>

<!ELEMENT Rate (Currency?)>

<!ATTLIST Rate value CDATA #REQUIRED>

<!ELEMENT Per EMPTY>

<!ATTLIST Per %interval;>

<!ELEMENT By EMPTY>

<!ATTLIST By %interval;>

<!ELEMENT BestPriceUnder (Currency?)>

<!ATTLIST BestPriceUnder value CDATA #REQUIRED>

<!ELEMENT CallForPrice EMPTY>

<!ATTLIST CallForPrice dealer-id CDATA #REQUIRED>

<!ELEMENT Min (Rate, Per)>

<!ELEMENT Max (Rate, Per)>

The optional minimum price specification indicates the minimum price to be paid per time unit if the right is exercised at all. The optional maximum price specification refers to the maximum price to be paid per time unit if the right is exercised at all. When both a maximum and minimum price specification are given, the maximum price specification dominates.

A Per-Use fee is a simple fee charged every time that a right is exercised. Here are some examples of per-use fees.

<Play>

<Fee><Monetary>

<PerUse value=".50"></PerUse>

<Account>

<AccountTo account-id= "Account Jones-Pub-245lkj5987"/>

<House clearing-house-id=" American Express"/>

</Account>

</Monetary></Fee>

</Play>

<Play>

<Fee><Monetary>

<PerUse value="15"></PerUse>

<Max><Rate value="15.00">"USD"</Rate><Per ></Per></Max>

<Account>

<AccountTo account-id= "Account-Jones-Pub248afdoiu4398"/>

<House clearing-house-id=" MasterCard"/>

</Account>

</Monetary></Fee>

</Play>

In this example, the user has three different per use options for playing the digital work. To exercise the first right, the cost is simply fifty cents per use. To exercise the second right, the user pays $15 the first time he plays the work and all subsequent plays are free. This is arranged in the language by specifying a $15.00 per use fee together with a lifetime maximum fee of $15. This kind of billing arrangement can be used with consumer-based distribution schemes based on pay-for-play rather than pay-for-copy.

MeteredFee specify a fee charged by the hour, or more generally, a fee charged per given units of time in use. Metered fees only make sense for uses whose value depends on time. Thus, the MeteredFee specification is only valid in conjunction with the Play right.

The Per portion of the specification indicates the units of time over which the rate is charged. The optional By field indicates the resolution at which billing is computed, that is, whether it is computed to the nearest day, minute, or second. If the By element is not given, it is assumed to be the same as the Per field.

For example, a per year charge is figured over a calendar year, starting at the time the work is used. For example, suppose that a user is using a work charged at $365 per year. He starts on December 31, 1996 and ends on January 1, 1997. Assume that the duration of use is approximately one day and that the By field is one day or less. With these assumptions, the fee for use would be about one dollar. If the By: field is set to a year, then the fee would be about $365, although the user would not be charged more for exercising the right further during 1997.

<Play>

<Time><Until yyyy="2050"/></Time>

<Fee><Monetary>

<MeteredFee><Rate value=".50"></Rate><Per hours="1"/></MeteredFee>

<Account><AccountTo account-id= "Account Jones-Pub-245lkj5987"/> </Account>

</Monetary></Fee>

</Play>

<Play>

<Time><Until yyyy="2050"/></Time>

<Fee><Monetary>

<MeteredFee>

<Rate value=".50"></Rate><Per hours="1"/><By seconds="1"/>

</MeteredFee>

<Account><AccountTo account-id= "Account Jones-Pub-245lkj5987"/> </Account>

</Monetary></Fee>

</Play>

Here are two examples of metering both with a rate of fifty cents per hour. Suppose that someone plays a work for 70 minutes. In the first example, the user is charged $1. The metering counts how many of the intervals ("two 1-hour ticks") are started. As soon as the user plays the work past the first hour, he is charged for two hours. In the second example, the By field is specified to be one second. In this case, the user is only charged for the portion of the second hour that he uses computed to the nearest second. Rounding up to the nearest second, he would be charged about $.59 for using the work for 70 minutes.

The following example combines a metered rate with a minimum fee. To exercise the right, the user is charged a dollar per hour with a minimum fee of $2 per day but a maximum of $15 per year.

<Play>

<Time><Until yyyy="2050"/></Time>

<Fee><Monetary>

<MeteredFee><Rate value="1.00"></Rate><Per minutes="1"/></MeteredFee>

<Min><Rate value="2.00"></Rate><Per minutes="1"/></Min>

<Max><Rate value="15.00"></Rate><Per hours="1"/></Max>

<Account>

<AccountTo account-id= "345678"/>

<House clearing-house-id="Great Western"/>

</Account>

</Monetary></Fee>

</Play>

Another useful billing variation is to have a fixed fee for unlimited use of a work over a fixed period of time. Restated, the user should be able to exercise the right as many times as desired during a fixed period for an overall fixed fee. This arrangement can be specified by a combination of time specifications and fee specifications. The example shows two ways to grant the right to play a work as often as desired during any contiguous month any time up to 2010. The Interval time specification says that the month starts when the work is first played. The MeteredFee specification and PerUse specifications establish the rate. In both examples, the Max specification assures that the user will not be charged more than $10 during the month for exercising the right.

<Play>

<Time><Interval months="1"/><Until yyyy="2010"/></Time>

<Fee><Monetary>

<MeteredFee><Rate value="10"></Rate><Per months="1"/></MeteredFee>

<Max><Rate value="10"></Rate><Per months="1"/></Max>

<Account><AccountTo account-id= "Account Jones-Pub-245lkj5987"/></Account>

</Monetary></Fee>

</Play>

<Play>

<Time><Interval months="1"/><Until yyyy="2010"/></Time>

<Fee><Monetary>

<PerUse value="10"></PerUse>

<Max><Rate value="10"></Rate><Per months="1"/></Max>

<Account><AccountTo account-id= "Account Jones-Pub-245lkj5987"/></Account>

</Monetary></Fee>

</Play>

2.4.4 Best-Price Fees

Best-Price is a fee that can be dynamic and is determined when the account is settled. It is used to accommodate special deals, rebates, and pricing that depends on information that is not available to the trusted repository at the time the usage right is exercised, but without communicating with a dealer before the purchase is authorized. A Best-Price specification limits the risk to the user by naming a maximum amount that the exercising of the right will cost. This is the amount that is tentatively charged to the account. However, when the transaction is ultimately reconciled, any excess amount charged will be returned to the user/copy-owner in a separate transaction. In the example, the is charged $5 to play the work, but will get a rebate if the price has gone down.

<Play>

<Time><Until yyyy="2050"/></Time>

<Fee><Monetary>

<BestPriceUnder value="5"/>

<Account><AccountTo account-id="Account Jones-Pub-245lkj5987"/></Account>

</Monetary></Fee>

</Play>

Call-For-Price is similar to Best-Price in that it is intended to accommodate cases where prices are dynamic. However, unlike Best-Price, communication with a dealer to determine the price is required before the purchase is authorized; the transaction cannot be completed if the trusted repository is unable to communicate with the dealer.

<Play>

<Fee><Monetary>

<CallForPrice dealer-id=" Jones-Network-Sales-lkjqerk8743h"/>

<Account><AccountTo account-id="Account Jones-Pub-245lkj5987"/></Account>

</Monetary></Fee>

</Play>

2.4.5 Markup Fees

Markup fees are fees that are computed as a percentage of other fees. For example, a distributor may want to add a flat ten percent overhead for selling copies of a digital work, or a government may want to tax sales of a digital works.

<!ELEMENT Markup EMPTY>

<!ATTLIST Markup percentage CDATA #REQUIRED>

Markup fees are specified in conjunction with composite works. In the following example, the Royal Tax Collector of Oz has created a work specification, which can be added to the specifications of all digital works sold in Oz. This specification adds a one percent tax every time a copy right is exercised in the embedded digital work. It does not tax the exercising of any other right.

<Work>

<RightsVersion version-id="2.00"></RightsVersion>

<Description>"Oz Export Control"</Description>

<Owner><Certificate>

<Authority authority-id=" United Nations"></Authority>

<PropertyPair name="ID" value=" The Royal Tax Collector of Oz "/>

</Certificate></Owner>

<RightsGroup group-name="Oz Taxes ">

<RightsList>

<Copy>

<Fee>

<Monetary><Markup percentage=".01"/></Monetary>

<Min><Rate value=".05"/><Per seconds="1"/></Min>

<Account>

<AccountTo account-id=" Royal-Treasury-of-Oz-193487fi43987"/>

</Account>

</Fee>

</Copy>

<Transfer></Transfer>

<Loan></Loan>

<Play></Play>

<Print></Print>

<Delete></Delete>

<Directory ></Directory>

<Folder></Folder>

<Backup></Backup>

<Restore></Restore>

</RightsList>

</RightsGroup>

</Work>

The minimum fee specification within the Markup specification assures that a minimum tax of five cents will be collected to make copies even if the work has no publisher-set fee for copying.

 

2.5. Specifying Access Controls

Although one of the main advantages of digital works is the potential for broad and inexpensive distribution, it is sometimes important to limit the distribution of particular digital works. For example, a company using digital documents to coordinate distributed work teams may want to limit distribution to certain employees in order to protect corporate or trade secrets. A publisher of an electronic journal may want to assure that copies of a work are only available to subscribers or subscribing institutions. A public school may want to limit access by students to documents that are age appropriate or which reflect certain community values. In these examples, limiting distribution is different from making sure that people have paid for works that they use. Access specifications for authorization enable non-monetary criteria to govern the exercise of usage rights.

In addition to the requirement to authorize distribution of works to particular sets of people, there is a requirement to limit distribution of works to particular repositories. Repositories will be created by different vendors for different purposes and will have different kinds of security arrangements. Creators of digital works need to be able to specify the required levels of security. When two repositories establish a communications link, part of the process is to mutually determine levels of security.

The approach for both authorization and security is the controlled distribution of digital certificates or digital licenses. A digital license is analogous to a driver’s license in that the right to drive a car is supposed to be governed by whether a person is qualified. The operational test that a person has passed a driver’s test is possession of a license. The operational test that a repository or owner is qualified is roughly possession of a license, where the license is held in secure storage. A preferred variation on simple "possession of the license" is to have a challenge/response protocol in which the user’s system proves that it is the bonafide holder of the license, based on the use of their private key. (The particulars of the protocol are outside the scope of this document.) Digital licenses are themselves digital works, have provisions for detecting tampering, and may be held in trusted storage on repositories.

The digital property language addresses security concerns by recognizing that different digital platforms can have different levels of security. When two repositories communicate, the first step of their registration process includes a challenge/response protocol during which they determine each other’s level of security. The level of security of a repository is established by a certification process, which assigns a repository a non-transferable digital certificate indicating its security level.

The design goals for authorization specifications in the digital property language are:

• It should be possible to specify different authorization requirements for different rights on a work.

• Digital licenses should be issuable potentially by any registered organization. It should be possible to determine the issuer from the license itself.

• Digital licenses for repository operators should be issuable to persons and should become visible to transactions when the authorized person logs onto the repository.

• Digital licenses for repositories should be issuable to repositories by certifying organizations. These licenses are accessible when anyone uses the repository.

• Digital licenses should have expiration dates.

• Distribution of digital licenses should be reliably controllable. A license issuer can predetermine the conditions under which licenses can be created or transferred across repositories.

• For transactions involving two repositories, it should be possible to specify different authorization requirements for each repository.

• It should be possible to specify authorizations which require communication or computation in order to complete a transaction.

In the digital property language, requirements for authorization are indicated by Access: specifications. The particular design goals for security class specifications are given later.

<!ELEMENT Access (Security*, User?, Source?, Destination?)>

<!ELEMENT User (Any | Certificate+)>

<!ELEMENT Any (Certificate+)>

<!ELEMENT Source (Any | Certificate+)>

<!ELEMENT Destination (Any | Certificate+)>

<!ELEMENT Certificate (Authority, PropertyPair*)>

<!ELEMENT PropertyPair EMPTY>

<!ATTLIST PropertyPair name CDATA #REQUIRED

value CDATA #REQUIRED>

Access specifications include security class specifications, user authorization specifications, source authorization specifications, and destination authorization specifications.

 

2.5.1 Digital Licenses (Certificates)

We use the terms authorizations, certificates, and digital licenses interchangably to refer to digital objects, signed by a known digital authority, that attest that certain persons or repositories have certain properties. For example, an identity certificate issued to a person might contain certain identifying address, employment, age, club membership, or citizenship information, as well as a public key issued to the person. A certificate issued to a repository might contain information about its serial number, its country of registration, it security classification, its registered owner.

User authorization specifications refer to authorizations associated with a person requesting a transaction on a repository. A repository must be able access separate sets of authorizations associated with each person who uses it. In some systems, this separation of authorizations would be accomplished by having the authorizations kept on a repository card that a user plugs into the file repository in order to use it. In other implementations, the certificates for different people may be kept on the repository but require that the user be logged in before they be activated. In general, authorizations become available when the associated person logs in and satisfies a proof of identity protocol, presuming that they have not expired.

Source specifications list certificates that must be on the same repository as the digital work. These certificates become accessible whenever anyone logs onto the repository. Destination specifications list certificates on the other repository in a transaction, such as the repository intended to receive a digital work.

When a digital license is used, it is "played" by the generic digital license server which is part of the software of a repository. The digital license server is a certified program, whose validity can be assured by various means. A license itself may specify that a special purpose license server may be needed, either on the repository or accessed remotely.

<Play>

<Fee><Monetary>

<PerUse value="15.00"/>

<Account><AccountTo account-id="Account-Jones-Pub248afdoiu4398"/></Account>

</Monetary></Fee>

</Play>

<Play>

<Access><User><Certificate>

<Authority authority-id="Jones Publishers"></Authority>

<PropertyPair name="Type" value="Movie Distributor"/>

</Certificate></User></Access>

</Play>

<Play>

<Access><Source><Certificate>

<Authority authority-id="Jones Publishers"></Authority>

<PropertyPair name="Type" value="Site License"/>

</Certificate></Source></Access>

</Play>

In the example, the digital work has three Play rights. To exercise the first Play right requires no particular authorization, but has a per use fee of fifteen dollars. To exercise the second Play right requires no fee, but requires the user to have a license issued by Jones Publishers as a movie distributor. To exercise the third right requires no fee but requires a site license on the repository.

The next three examples show source and destination specifications. Destination specifications are relevant in transaction involving two repositories, such as a Transfer transaction that moves a digital work from a source repository to a destination repository. A destination specification describes certificates that must be displayed by the destination repository. A source specification describes certificates that must be displayed by the source repository.

<Print>

<Access><Destination><Certificate>

<Authority authority-id="Digital Property Trust"></Authority>

<PropertyPair name="Protocol" value="Workgroup-33"/>

<PropertyPair name="Resolution" value="Low"/>

</Certificate></Destination></Access>

</Print>

<Copy>

<Access>

<Source><Certificate>

<Authority authority-id="Jones Publishers"></Authority>

<PropertyPair name="Type" value="Distributor"/>

</Certificate></Source>

<Destination><Certificate>

<Authority authority-id="Jones Publishers"></Authority>

<PropertyPair name="Type" value="Customer-Class-1"/>

</Certificate></Destination>

</Access>

</Copy>

An authorization specification can include more than one certificate. The Copy right in this example can be exercised by a user that has either a distributor license or a customer-class-1 license issued by Jones publishers.

<Copy>

<Access><User><Any>

<Certificate>

<Authority authority-id="Jones Publishers"></Authority>

<PropertyPair name="Type" value="Distributor"/>

</Certificate>

<Certificate>

<Authority authority-id="Jones Publishers"></Authority>

<PropertyPair name="Type" value="Customer-Class-1"/>

</Certificate>

</Any></User></Access>

</Copy>

2.5.2 Security Classes

By using certificates to indicate specific system properties, it is possible to be arbitrarily precise in characterizing requirements on a transaction for a trusted system. Any particular fact to be tested can be represented in terms of a valid digital certificate that must be presented by a system.

A disadvantage of specifications that can only test for the presence or absence of particular digital certificates is that there is no easy way to specify that a publisher wants a system that is "at least this secure". From a practical perspective, there may be many ways to make a system secure enough for a publisher, and the number of ways to achieve security changes over time. New kinds of systems suitable for holding a work can appear after a digital work is published. This creates a need for a way to specify security such that given two specifications, A and B, it is possible to ask and answer the question "Does specification A describe a requirement that is at least as secure as specification B?" Facilitating such statements and comparisons is the purpose of the security classes part of the digital property rights language.

The design goals for security class specifications in the digital property language are:

• It should be possible to specify different security class requirements for different rights.

• Given two security class specifications, it should be possible to determine their ranking in a partial ordering. Restated, it should be possible to determine whether specificaton A is at least as secure as specification B.

• The criteria for describing security provisions should admit the use of multiple dimensions, such as phycal security, communications security, defenses against viruses, method for identity testing, and so on.

• It should be possible to add new dimensions for security over time, that is, the language of dimensions should be extensible.

• Claims that a system has particular features used in determining security should be backed by digital certificates.

The basic idea of security class specifications is a kiwiet diagram. In this diagram, there is a central point and multiple axes, each of which is a numeric scale representing some dimension. A security specification is esssentially a vector, giving a numeric value for a subset of the axes. Preferably, it gives a numeric value for all of the axes, but in the case that some axis is not mentioned, a value of zero for that axis is assumed. The higher the number on an axis, the greater the security claimed. The accompanying diagram gives an example with four different specifications overlayed on the figure, each portrayed in a different color. One specification A, is strictly greater than another B, if the position specified on each axis for A is greater than the specification on the corresponding axis for B. Graphically, one specification exceeds or meets another if it entirely encloses it in the diagram, that is, specification A exceeds specification B if the polygon for A creates an outer boundary that completely contains the polygon for B.

In the accompanying figure, the three polygons A, B, and C correspond to three specifications. Specification A is greater than specification B because it exceeds it on all axes. Specification A is not greater than specification C, because C is greater than A on the biometrics axis. Similarly, C is not greater than A, because A is greater than C on the physical security axis.

<!ELEMENT Security EMPTY>

<!ATTLIST Security name CDATA #REQUIRED

value CDATA #REQUIRED>

Here is an example of a security class specification. It gives the required levels for four security dimensions. Values required for other dimensions default to zero.

<Play><Access>

<Security name="TrustedStorage" value="4"/>

<Security name="VirusChecker" value="5"/>

<Security name="KernelSoftware" value="5"/>

<Security name="ProtocolLevel" value="6"/>

</Access></Play>

 

2.6 Specifying Watermark Information

The term watermark historically refers to a translucent design impressed on paper during manufacture which is visible when the paper is held to the light. Because watermarks are impressed using combinations of water, heat, and pressure, they are not easy to add or alter outside of the paper factory. Watermarks are used in making letterheads and are intended to show that a document is official.

The term watermark is now used to cover a wide range of technologies for marking rendered works, including text, digital pictures, and digital audio. Some watermarks are noticeable to people and some are hidden. In some kinds of watermarks, the embedded information is human readable, but in other kinds the information can only be read by computers.

The term fingerprint is sometimes used in contrast with watermarks, to refer to marks that carry information about the end user or rendering event rather than the document or publisher. These marks are called "fingerprints" because they can be used to trace the source of a copy back to a person or computer that rendered the original. In contrast, the term watermark is often used to refer to marks that carry information to identify the work or publisher.

The same technologies and kinds of marks, e.g. glyph boxes, can be used to carry both kinds of information. In practice, it is not only possible but often desirable and convenient to combine both kinds of information — for watermarks and fingerprints — in a single mark. For simplicity in this document, we use the term watermark generally to refer to any marking technique for embedding information, whether it is about the digital work itself or the rendering event.

Different kinds of watermarks have different capacities for embedding data. For example, glyph boxes can be added to a printout of a document. They are capable of robustly encoding about 300 bytes per square inch on 300 dpi laser printers. With data compression, more information can be encoded in the same space.

Different kinds of watermarks are suitable for different kinds of works and media. For example, different techniques are used for watermarking music, movies, books, and high resolution photographs. For example, watermarks for music can embed data in the digital signal that are inaudible to the human ear when the music is played. The digital representations for different kinds of work -- e.g. for music, video, and text -- are varied and constantly evolving.

The following are design goals for watermark capabilities in DPRL:

• Publishers can specify that watermarks embed information known when a work is published (e.g. title and author) as well as information known only when a work is rendered (e.g. user name or printer name).

• The specification of what information is to be embedded in a watermark is specified in DPRL statements.

• Media-dependent specifications of a watermark, such as the shape and location of a glyph box or the parameters of an acoustic watermark, are not expressed in DPRL. These are expressed within the digital contents of a work or are implied by the type of rendering device. (This separation of responsibility for representation is intended to allow digital content representations and DPRL to evolve independently.)

• The specification of what information is to be embedded in a watermark is separate from the specification of the type of watermark.

• The type of watermark used is implied by the type of the printer or player.

Using DPRL, a publisher requests what information is to be expressed in a watermark. Since watermarks may have a limited capacity to embed information, it is possible for a publisher to request more information to be included in a watermark than can fit. The standard policy for rendering devices is to truncate the information expressed in the watermark when the capacity limit is reached. This means that the publisher can choose to express the most important information first. To the extent possible, one function of a Rights Editor is to inform a publisher of cases where information will be truncated.

In the case where more than one watermark appears in a work (or on a page in the case of trusted printing), then the information expressed in each watermark begins at the beginning. In a multimedia work the same information may be encoded by completely different techniques in pictures, music, and linked text as the work is played or printed. In this example, DPRL expresses the information to be encoded and the players and printers embed it in different digital representations and renderings.

2.6.1 Watermark Strings, Tokens, and Objects

The following table gives the syntax for watermark specification in DPRL.

<!ELEMENT Watermark ((Watermark-Str |Watermark-Tokens | Watermark-Object)*)>

<!ELEMENT Watermark-Str EMPTY>

<!ATTLIST Watermark-Str string CDATA #REQUIRED>

<!ELEMENT Watermark-Tokens EMPTY>

<!ATTLIST Watermark-Tokens all-rights (true|false) "false"

render-rights (true|false) "false"

user-name (true|false) "false"

user-id (true|false) "false"

user-location (true|false) "false"

institution-name (true|false) "false"

institution-id (true|false) "false"

institution-location (true|false) "false"

render-name (true|false) "false"

render-id (true|false) "false"

render-location (true|false) "false"

render-time (true|false) "false"

copy-number (true|false) "false">

<!ELEMENT Watermark-Object (WorkId)>

Thus, a watermark specification is a list of sources of information. The elements of the list can be strings of text known at the time the work is published (Watermark-Str), they can be lists of tokens signifying "fingerprint" informtion known at the time a work is rendered (Watermark-Token), or they can be digital objects whose bits are to be encoded (Watermark-Object). The objects are assumed to present in the contents of the digital work being rendered, specified by WorkIds in the DPRL specification.

 

The watermark tokens when specified will take a value "true". The meanings for the various watermark tokens ("fingerprint information")are given in the following:

all-rights Listing of all rights associated with the work, expressed in DPRL.

render-rights Listing of all render rights associated with the work, expressed in DPRL.

user-name The user’s name.

user-id The user’s id, associated with his identity certificate.

user-location The user’s location, associated with his identity certificate.

institution-name The institution’s name that owns the rendering service or rendering device.

institution-id The institutions’s id, associated with its identity certificate.

institution-location The institution’s location, associated with its identity certificate.

render-name The name of the rendering device (e.g. the printer name) that rendered the copy.

render-id The rendering device’s id, associated with its identity certificate.

render-location The rendering device’s location, associated with its identity certificate.

render-time The time and date that the work was rendered.

copy-number The number of copies of the work.

 

2.6.2 Examples of Watermark Specifications

In the first example, there are two rendering rights on the work, a Play right and a Print right. Only the Print right specifies watermarking. The print right specifies a particular kind of trusted printer, so the type of watermarking is determined by the type of trusted printer.

The information to be saved in the watermark includes an initial string in which the title, author, and a copyright notice are given. The next part of the information for the watermark includes the user’s id, the location of his institution, the name and location of the printer, and the time that the work was printed.

<Work>

<RightsVersion version-id="2.00"></RightsVersion>

<Description>"Title: 'Zeke Zack - The Moby Dog Story' Copyright 1994 Zeke Jones"</Description>

<WorkId work-id="Vanity-Press-Registry-lkjdf98734"></WorkId>

<Owner><Certificate>

<Authority authority-id="United Publishers"></Authority>

<PropertyPair name="ID" value="Jones Publishers"/>

</Certificate></Owner>

<RightsGroup group-name="Regular">

<Bundle>

<BundleFee>

<Account>

<AccountTo account-id="123456789"/><House clearing-house-id="Visa"/>

</Account>

</BundleFee>

<Access>

<Security name="Physical" value="4"/><Security name="Kernel" value="5"/>

</Access>

</Bundle>

<RightsList>

<Copy><Fee><Monetary><PerUse value="5"/></Monetary></Fee></Copy>

<Transfer></Transfer>

<Delete></Delete>

<Play></Play>

<Print>

<Printer><Certificate>

<Authority authority-id="DTP"></Authority>

<PropertyPair name="Type" value="TrustedPrinter-6"/>

</Certificate></Printer>

<Watermark>

<Watermark-Str string="Title: 'Zeke Zack - The Moby Dog Story'

Copyright 1994 Zeke Jones All Rights Reserved"/>

<Watermark-Tokens user-id="true" institution-location="true"

render-name="true" render-location="true"

render-time="true"/>

</Watermark>

<Fee><Monetary><PerUse value="10"/></Monetary></Fee>

</Print>

</RightsList>

</RightsGroup>

</Work>

 

The following is a second example of a watermark specification. For simplicity, it shows only the Print right. In this example, there are two strings and one set of tokens containing watermark information.

<Print>

<Printer><Certificate>

<Authority authority-id="DTP"></Authority>

<PropertyPair name="Type" value="TrustedPrinter-6"/>

</Certificate></Printer>

<Watermark>

<Watermark-Str string="Title: 'Zeke Zack - The Moby Dog Story'

Copyright 1994 Zeke Jones All Rights Reserved"/>

<Watermark-Tokens user-id="true" institution-location="true"

render-name="true" render-location="true"

render-time="true"/>

<Watermark-Str string="Support Independent Authors!

Do not Photocopy this document!"/>

</Watermark>

<Fee><Monetary><PerUse value="10"/></Monetary></Fee>

</Print>

The next example is for a Play right. In this case, an acoustic watermark is used. This example differs from the previous one in that the watermark tokens include the DPRL text for the render rights. Furthermore, a watermark-object is included which means that the bits of that object representation are sent to the watermarking system. One possible effect of this on an acoustic watermark, depending on the technology, is to make the "Moby Dog Jingle" play at a very low volume at some point in the music.

<Play>

<Player><Certificate>

<Authority authority-id="ASCAP"></Authority>

<PropertyPair name="Type" value="TrustedPrinter-14"/>

</Certificate></Player>

<Watermark>

<Watermark-Str string="Title: Moby Dog Howling Song

Copyright 1994 Zeke Jones All Rights Reserved"/>

<Watermark-Tokens user-id="true" institution-location="true" render-rights="true"/>

<Watermark-Object>

<WorkId work-id="Moby-Dog-Jingle-09834jvb9874"/>

</Watermark-Object>

</Watermark>

<Fee><Monetary><PerUse value="10"/></Monetary></Fee>

</Play>

 

 

2.7 Bundle Secifications

In DPRL, each right can fully and separately specify the time limits, fees, access conditions, and watermark information particular for that right. This provides flexibility, but it also can lead to redundancy in the specification for those cases where many rights share the same sub-specifications. To simplify the expression of rights for those cases where rights share common terms and conditions, DPRL provides bundle specifications. There can be at most one bundle specification in a rights group. For clarity, it is preferred that bundle specifications precede individual right specifications in a rights group. Programs that generate DPRL should follow this convention. The syntax for a bundle specification is as follows:

<!ELEMENT Bundle (Comment?, Time?, Access?, BundleFee?, Watermark?)>

<!ELEMENT BundleFee (Ticket | BundleMonetary)>

<!ELEMENT BundleMonetary ((PerUse | MeteredFee | BestPriceUnder | CallForPrice | Markup)?,

Min?,

Max?,

Account)>

2.7.1 Specifying Time Limits Inside Bundles

DPRL makes it possible to give separate and distinct time specifications for every right associated with a work. However, in many cases, the time specifications are the same for all of the rights in a rights group. To avoid repeating the specification for every right, a time specification can be expressed once within a bundle specification. In this case, the meaning of the time specification is the same as it were repeated for every right in the right group.

The following example is perhaps typical of the way that time limits can be expressed within bundle specifications. It enables the bearer to exercise any of the rights for two hours any time up to May 1, 1998, assuming that the trusted system has a high enough security class.

<RightsGroup group-name="Demo Rights">

<Comment> "Trial rights. Anyone can use the work for two hours"</Comment>

<Bundle>

<Time>

<Interval hours="2"/><Until yyyy="1998" mm="05" dd="01" hrs="8"/>

</Time>

<Access>

<Security name="Physical" value="4"/><Security name="Kernel" value="5"/>

</Access>

</Bundle>

<RightsList>

<Loan></Loan>

<Transfer></Transfer>

<Play></Play>

</RightsList>

</RightsGroup>

 

When a time specification is given in a bundle and a further time specification is given for some right in the rights group, the specification given for the individual right dominates. In that case, the time-specification given in the bundle is specialized by the time-specification in the right.

The next example shows how a time specification can be given in a bundle, and specialized in a right. In this case, an expiration period is given in the bundle causing all rights to expire in 1998. Furthermore, the Play right specializes this specification by indicating that the work can be played for up to two hours in this period.

<RightsGroup group-name="Demo Rights">

<Comment>" Expires 1998."</Comment>

<Bundle>

<Time><Interval hours="2"/> <Until yyyy="1998" mm="05" dd="01" hrs="8"/></Time>

<Access>

<Security name="Physical" value="4"/>

<Security name="Kernal" value="5"/>

</Access>

</Bundle>

<RightsList>

<Loan></Loan>

<Transfer> </Transfer>

<Play>

<Time><Metered days="2"/><Until yyyy="2050"/></Time>

</Play>

</RightsList>

</RightsGroup>

2.7.2 Specifying Fees Inside Bundles

DPRL makes it possible to specify a separate fee for each individual right associated with a digital work. Sometimes it is convenient to express fee information for an entire set of rights bundle specification. In the most typical usage, fee specifications inside bundles are used to indicate parts of a fee specification that are common to all of the rights in the rights group. In the following example, the account number for all payments is given in the bundle-spec.

<RightsGroup group-name="Print & Play">

<Comment>"All Royalties go to Jones"</Comment>

<Bundle><BundleFee><BundleMonetary>

<Account>

<AccountTo account-id="123456789"/><House clearing-house-id="Visa"/>

</Account>

</BundleMonetary></BundleFee></Bundle>

<RightsList>

<Print><Fee><Monetary>

<PerUse value="5"/>

</Monetary></Fee></Print>

<Play><Fee><Monetary>

<PerUse value="1"/>

</Monetary></Fee></Play>

</RightsList>

</RightsGroup>

 

In the next example, a metered ticket is used to give a two hour maximum usage across all kinds of players.

<RightsGroup group-name="Demo 1999">

<Bundle>

<Time><Until yyyy="2000"/></Time>

<BundleFee><Ticket>

<Authority authority-id="Jones Publishers"></Authority>

<Type ticket-id="Two-Hour-Prepaid"></Type>

</Ticket></BundleFee>

</Bundle>

<RightsList>

<Play><Player><Certificate>

<Authority authority-id="Consumer Products Associationn"></Authority>

<PropertyPair name="Type" value="Big Screen 91"/>

</Certificate></Player></Play>

<Play><Player><Certificate>

<Authority authority-id="Consumer Products Associationn"></Authority>

<PropertyPair name="Type" value="Small Screen 44"/>

</Certificate></Player></Play>

</RightsList>

</RightsGroup>

Tickets can be used across different kinds of rights. Suppose for example that a publisher has an every day price with separate fees to print or to view a document. In every day prices, it costs four dollars to print a document and ten cents an hour to view it. However, they want to offer a special rate for prepaid customers where the four dollars gives the right to print it once and also the right to view it for several hours for free.

This combination is accomplished by having two rights groups. The first rights group ("Every Day Prices") establishes the pay as you go regular rates, and the second rights group ("PrintNView Deal") ties printing and playing to the use of a prepaid digital ticket delivered with the digital work which costs four dollars and which authorizes printing once and unlimited viewing.

<RightsGroup group-name="Every Day Prices">

<Bundle>

<Time><Until yyyy="2000"/></Time>

<Access>

<Security name="Physical" value="4"/><Security name="Kernal" value="5"/>

</Access>

<BundleFee><BundleMonetary><Account>

<AccountTo account-id="Account-Jones-23475"/>

</Account></BundleMonetary></BundleFee>

</Bundle>

<RightsList>

<Play>

<Fee><Monetary><MeteredFee>

<Rate value=".10"></Rate><Per minutes="1"/>

</MeteredFee></Monetary></Fee>

</Play>

<Print>

<Printer><Certificate>

<Authority authority-id="DPT"></Authority>

<PropertyPair name="Type" value="TrustedPrinter-5"/>

</Certificate></Printer>

<Fee><Monetary><PerUse value="4"/></Monetary></Fee>

</Print>

</RightsList>

</RightsGroup>

<RightsGroup group-name="PrintNView Deal">

<Bundle>

<Time><Until yyyy="2000"/></Time>

<Access>

<Security name="Physical" value="4"/><Security name="Kernal" value="5"/>

</Access>

<BundleFee><Ticket>

<Authority authority-id="Jones Publishers"></Authority>

<Type ticket-id="PrintNView"></Type>

</Ticket></BundleFee>

</Bundle>

<RightsList>

<Play></Play>

<Print><Printer><Certificate>

<Authority authority-id="DPT"></Authority>

<PropertyPair name="Type" value="TrustedPrinter-5"/>

</Certificate></Printer></Print>

</RightsList>

</RightsGroup>

2.7.3 Specifying Access Inside Bundles

DPRL makes it possible to give separate and distinct access specifications for every right associated with a work. In many cases, the access specifications are the same for all rights in a rights group, or they may have many elements in common. To simplify specifications for these common cases, an access specification can be included within a bundle specification. In this case, the meaning is the same as if the same time specification were repeated for every right in the right group.

When an access specification is given in a bundle specification and also another access specification is given for some right in the rights group, the specification given for the individual right dominates.

In that case, the time-specification given in the bundle is ignored for that right in the interpretation process. In the following example, all of the rights require security class 3 or greater.

<RightsGroup group-name="Standard Set">

<Bundle><Access>

<Security name="Physical" value="4"/><Security name="Kernal" value="5"/>

</Access></Bundle>

<RightsList>

<Loan></Loan>

<Transfer></Transfer>

<Play></Play>

</RightsList>

</RightsGroup>

2.7.4 Specifying Watermark Information Inside Bundles

DPRL makes it possible to give separate and distinct specifications for watermark information for every Print or Play right in a digital work. In many cases, the watermark information is the same for all Print and Play rights in a group. To simplify specifications for these common cases, a watermark specification can be included within a bundle specification. In this case, the meaning is the same as if the same watermark specification were repeated for every Print and Play right in the right group.

<Work>

<RightsVersion version-id="2.00"></RightsVersion>

<WorkId work-id="Vanity-Press-Registry-lkjdf98734"></WorkId>

<Description>"Title: 'The Moby Dog Story' Copyright 1994 Zeke Jones"</Description>

<Owner><Certificate>

<Authority authority-id="AAP"></Authority>

<PropertyPair name="ID" value="Jones Publishing"/>

</Certificate></Owner>

<RightsGroup group-name="Regular">

<Bundle>

<Access>

<Security name="Physical" value="4"/><Security name="Kernal" value="5"/>

</Access>

<BundleFee><BundleMonetary><Account>

<AccountTo account-id="123456789"/>

<House clearing-house-id="MasterCard"/>

</Account></BundleMonetary></BundleFee>

<Watermark>

<Watermark-Str string="Title: 'Moby Dog' Copyright 1994 by Zeck Jones.

All Rights Reserved."/>

<Watermark-Tokens user-id="true" institution-location="true"

render-name="true" render-location="true"

render-time="true"/>

</Watermark>

</Bundle>

<RightsList>

<Copy>

<Fee><Monetary><PerUse value="5"/></Monetary></Fee>

</Copy>

<Transfer></Transfer>

<Delete></Delete>

<Play></Play>

<Print>

<Printer><Certificate>

<Authority authority-id="DPT"></Authority>

<PropertyPair name="Type" value="TrustedPrinter-6"/>

</Certificate></Printer>

<Fee><Ticket>

<Authority authority-id="Jones Publishers"></Authority>

<Type ticket-id="Prepaid-Print"></Type>>

</Ticket></Fee>

</Print>

<Print>

<Printer><Certificate>

<Authority authority-id="DPT"></Authority>

<PropertyPair name="Type" value="TrustedPrinter-6"/>

</Certificate></Printer>

<Fee><Monetary><PerUse value = "10"/></Monetary></Fee>

</Print>

</RightsList>

</RightsGroup>

</Work>

In this example, the rights group contains a bundle with fee, access, and watermark specifications. Watermark specifications apply to all render right statements in the rights group. In the example, they apply to the Play right and to both Print rights.

When a watermark specification is given for a printer or player that does not support watermarks, it is ignored. In this example, if the player does not embed watermarks, the specification will be effective only for the two rights involving trusted printers.

 

APPENDIX A. LEXICAL CONVENTIONS

This section explains conventions for describing elements of the digital property language.

Blanks, horizontal and vertical tabs, new lines, form feeds, and comments are referred to as "white space" and serve to separate tokens. White space or punctuation is required to separate adjacent identifiers, keywords and constants. The following characters are used as punctuation:

< > " "

No distinction is made between left and right double quotes. There are three kinds of tokens: keywords, constants and identifiers.

Keywords

The following are keywords in the digital property language. This list does not include the names of foreign currencies or watermark tokens, which are listed separately. It also does not include property names that may become standardized for certain classes of digital certificates. The XML keywords are also not mentioned in this

Access

Account

AccountFrom

AccountTo

Any

Authority

Backup

BackupCopyRights

BestPriceUnder

Bundle

BundleFee

BundleMonetary

By

CallForPrice

Certificate

Comment

Contents

Copies

Copy

Currency

Delete

Description

Destination

Directory

Edit

Editor

Embed

Export

Extract

Fee

Folder

From

House

Install

Interval

Loan

Markup

Max

Metered

MeteredFee

Min

Monetary

NextCopyRights

Owner

Parts

Per

PerUse

Play

Player

Print

Printer

PropertyPair

Rate

ReferencedRightsGroup

RemainingRights

Repository

Restore

RightsGroup

RightsList

RightsToAdd

RightsToDelete

RightsVersion

Security

Source

Ticket

Time

Transfer

Type

Uninstall

Until

User

Verifier

Verify

Watermark

Watermark-Object

Watermark-Str

Watermark-Tokens

Work

WorkId

Constants

In XML literal, string, integer, floating constants are all considered to be character data(CDATA). It is upto the parser to check for the validity of the data.

Character data is any string of characters which does not contain the start delimiter "<" enclosed within double quotes("). A character is an atomic unit of text as specified by ISO/IEC10646. Legal characters are tab, carriage return, line feed, and the leagal graphic characters of Unicode and ISO/IEC 10646.

Identifiers

Identifiers are the attributes values in elements. All characters are significant, and upper- and lower-case characters are distinct. The following are the name of identifiers in the digital property language.

account-id

all-rights

authority-id

clearing-house-id

copy-count

copy-number

days

dd

dealer-id

from

group-name

hours

hrs

institution-id

institution-location

institution-name

interval

iso-currency-code

min

minutes

mm

moment

months

name

percentage

render-id

render-location

render-name

render-rights

render-time

sec

seconds

string

ticket-id

to

user-id

user-location

user-name

value

work-id

years

yyyy

Explained below is the meaning of some of the key identifiers of DPRL.

An account-id is an identifier for a specific account at a specific bank or other financial institution from which fees will be collected, or to which incentives will be paid.

An authority-id is an identifier for an organization that issues digital certificates.

A clearing-house-id is an identifier for a financial clearing house, such as a bank or credit card consortium.

A ticket-id is an identifier of a digital certificate that is used to grant permission for a one-time transaction on a particular work.

A work-id is an identifier of a digital work.

These identifiers are always contained in digital certificates, signed by an issuer. Conventions and procedures for establishing meaning for these id’s is beyond the scope of this manual.

 

Currency Codes

For compatibility with other standards, DPRL uses the ISO 4217 three-character currency code. In most cases, the ISO 4217 currency code is composed of the country’s two-character ISO 3166 country code plus a one-character currency designator. More details are given on the ISO On-line home page.

ADP Andorran Peseta KRW (South) Korean Won

AED United Arab Emirates Dirham KWD Kuwaiti Dinar

AFA Afghanistan Afghani KYD Cayman Islands Dollar

ALL Albanian Lek LAK Lao Kip

ANG Netherlands Antillian Guilder LBP Lebanese Pound

AOK Angolan Kwanza LKR Sri Lanka Rupee

ARA Argentinian Austral LRD Liberian Dollar

ATS Austrian Schilling LSL Lesotho Loti

AUD Australian Dollar LUF Luxembourg Franc

AWG Aruban Florin LYD Libyan Dinar

BBD Barbados Dollar MAD Moroccan Dirham

BDT Bangladeshi Taka MGF Malagasy Franc

BEF Belgian Franc MNT Mongolian Tugrik

BGL Bulgarian Lev MOP Macau Pataca

BHD Bahraini Dinar MRO Mauritanian Ouguiya

BIF Burundi Franc MTL Maltese Lira

BMD Bermudian Dollar MUR Mauritius Rupee

BND Brunei Dollar MVR Maldive Rufiyaa

BOB Bolivian Boliviano MWK Malawi Kwacha

BRC Brazilian Cruzeiro MXP Mexican Peso

BSD Bahamian Dollar MYR Malaysian Ringgit

BTN Bhutan Ngultrum MZM Mozambique Metical

BUK Burma Kyat NGN Nigerian Naira

BWP Botswanian Pula NIC Nicaraguan Cordoba

BZD Belize Dollar NLG Dutch Guilder

CAD Canadian Dollar NOK Norwegian Kroner

CHF Swiss Franc NPR Nepalese Rupee

CLF Chilean Unidades de Fomento NZD New Zealand Dollar

CLP Chilean Peso OMR Omani Rial

CNY Yuan (Chinese) Renminbi PAB Panamanian Balboa

COP Colombian Peso PEI Peruvian Inti

CRC Costa Rican Colon PGK Papua New Guinea Kina

CSK Czech Koruna PHP Philippine Peso

CUP Cuban Peso PKR Pakistan Rupee

CVE Cape Verde Escudo PLZ Polish Zloty

CYP Cyprus Pound PTE Portuguese Escudo

DDM East German Mark (DDR) PYG Paraguay Guarani

DEM Deutsche Mark QAR Qatari Rial

DJF Djibouti Franc ROL Romanian Leu

DKK Danish Krone RWF Rwanda Franc

DOP Dominican Peso SAR Saudi Arabian Riyal

Algerian Dinar SBD Solomon Islands Dollar

ECS Ecuador Sucre SCR Seychelles Rupee

EGP Egyptian Pound SDP Sudanese Pound

ESP Spanish Peseta SEK Swedish Krona

ETB Ethiopian Birr SGD Singapore Dollar

FIM Finnish Markka SHP St. Helena Pound

FJD Fiji Dollar SLL Sierra Leone Leone

FKP Falkland Islands Pound SOS Somali Schilling

FRF French Franc SRG Suriname Guilder

GBP British Pound STD Sao Tome and Principe Dobra

GHC Ghanaian Cedi SUR USSR Rouble

GIP Gibraltar Pound SVC El Salvador Colon

GMD Gambian Dalasi SYP Syrian Potmd

GNF Guinea Franc SZL Swaziland Lilangeni

GRD Greek Drachma THB Thai Bhat

GTQ Guatemalan Quetzal TND Tunisian Dinar

GWP Guinea-Bissau Peso TOP Tongan Pa'anga

GYD Guyanan Dollar TPE East Timor Escudo

HKD Hong Kong Dollar TRL Turkish Lira

HNL Honduran Lempira TTD Trinidad and Tobago Dollar

HTG Haitian Gourde TWD Taiwan Dollar

HUF Hungarian Forint TZS Tanzanian Schilling

IDR Indonesian Rupiah UGS Uganda Shilling

IEP Irish Punt USD US Dollar

ILS Israeli Shekel UYP Uruguayan Peso

INR Indian Rupee VEB Venezualan Bolivar

IQD Iraqi Dinar VND Vietnamese Dong

IRR Iranian Rial VUV Vanuatu Vatu

ISK Iceland Krona WST Samoan Tala

ITL Italian Lira YDD Democratic Yemeni Dinar

JMD Jamaican Dollar YER Yemeni Rial

JOD Jordanian Dinar YUD New Yugoslavia Dinar

JPY Japanese Yen ZAR South African Rand

KES Kenyan Schilling ZMK Zambian Kwacha

KHR Kampuchean (Cambodian) Riel ZRZ Zaire Zaire

KMF Comoros Franc ZWD Zimbabwe Dollar

KPW North Korean Won

 

 

APPENDIX B. GRAMMAR FOR THE DIGITAL PROPERTY LANGUAGE

This section collects together the complete DTD for the digital property language.

<!-- The work specification DTD -->

<?XML version="1.0" encoding="UTF-8"?>

<!ELEMENT Work (RightsVersion,

WorkId?,

Description?,

Owner?,

Parts?,

Contents?,

Copies?,

Comment?,

(RightsGroup | ReferencedRightsGroup)+

)>

<!ELEMENT RightsVersion EMPTY>

<!ATTLIST RightsVersion version-id CDATA #REQUIRED>

<!ELEMENT WorkId EMPTY>

<!ATTLIST WorkId work-id CDATA #REQUIRED>

<!ELEMENT Description (#PCDATA)>

<!ELEMENT Owner (Certificate)>

<!ELEMENT Parts (WorkId+)>

<!ELEMENT Contents EMPTY>

<!ATTLIST Contents from CDATA #REQUIRED

to CDATA #REQUIRED>

<!-- If copy count is not specified, then "unlimited" is assumed. -->

<!ELEMENT Copies EMPTY>

<!ATTLIST Copies copy-count CDATA #IMPLIED>

<!ELEMENT Comment (#PCDATA)>

<!-- ********* Rights Group List Started ************* -->

<!ELEMENT RightsGroup (Comment?, Bundle?, RightsList)>

<!ATTLIST RightsGroup group-name CDATA #REQUIRED>

<!ELEMENT ReferencedRightsGroup (Comment?, Bundle?, RightsList)>

<!ATTLIST ReferencedRightsGroup group-name CDATA #REQUIRED>

<!ELEMENT Bundle (Comment?, Time?, Access?, BundleFee?, Watermark?)>

<!-- ********* Rights List Started ************* -->

<!ELEMENT RightsList ( (Copy | Transfer | Loan |

Play | Print | Export |

Edit | Extract | Embed |

Backup | Restore | Verify | Folder | Directory | Delete |

Install | Uninstall)+

)>

<!ELEMENT Copy (NextCopyRights?, Comment?, Time?, Access?, Fee?)>

<!ELEMENT Transfer (NextCopyRights?, Comment?, Time?, Access?, Fee?)>

<!ELEMENT Loan (RemainingRights?, NextCopyRights?, Comment?, Time?, Access?, Fee?)>

<!ELEMENT Play (Player?, Watermark?, Comment?, Time?, Access?, Fee?)>

<!ELEMENT Print (Printer?, Watermark?, Comment?, Time?, Access?, Fee?)>

<!ELEMENT Export (Repository?, Comment?, Time?, Access?, Fee?)>

<!ELEMENT Edit (Editor?, NextCopyRights?, Comment?, Time?, Access?, Fee?)>

<!ELEMENT Extract (Editor?, NextCopyRights?, Comment?, Time?, Access?, Fee?)>

<!ELEMENT Embed (Editor?, NextCopyRights?, Comment?, Time?, Access?, Fee?)>

<!ELEMENT Backup (BackupCopyRights, Comment?, Time?, Access?, Fee?)>

<!ELEMENT Restore (Comment?, Time?, Access?, Fee?)>

<!ELEMENT Verify (Verifier, Comment?, Time?, Access?, Fee?)>

<!ELEMENT Folder (Comment?, Time?, Access?, Fee?)>

<!ELEMENT Directory (Comment?, Time?, Access?, Fee?)>

<!ELEMENT Delete (Comment?, Time?, Access?, Fee?)>

<!ELEMENT Install (Comment?, Time?, Access?, Fee?)>

<!ELEMENT Uninstall (Comment?, Time?, Access?, Fee?)>

<!ELEMENT NextCopyRights (RightsToAdd | RightsToDelete)>

<!ELEMENT RemainingRights EMPTY>

<!ATTLIST RemainingRights group-name CDATA #REQUIRED>

<!ELEMENT RightsToAdd EMPTY>

<!ATTLIST RightsToAdd group-name CDATA #REQUIRED>

<!ELEMENT RightsToDelete EMPTY>

<!ATTLIST RightsToDelete group-name CDATA #REQUIRED>

<!ELEMENT BackupCopyRights EMPTY>

<!ATTLIST BackupCopyRights group-name CDATA #REQUIRED>

<!ELEMENT Player (Certificate+)>

<!ELEMENT Printer (Certificate+)>

<!ELEMENT Repository (Certificate+)>

<!ELEMENT Editor(Certificate+)>

<!ELEMENT Verifier(Certificate+)>

<!-- ********* Rights List Ended ************* -->

<!-- ********* Rights Group List Ended ************* -->

<!-- ********* Time Started ************* -->

<!ENTITY % moment "yyyy CDATA #IMPLIED

mm CDATA #IMPLIED

dd CDATA #IMPLIED

hrs CDATA #IMPLIED

min CDATA #IMPLIED

sec CDATA #IMPLIED">

<!ENTITY % interval "years CDATA #IMPLIED

months CDATA #IMPLIED

days CDATA #IMPLIED

hours CDATA #IMPLIED

minutes CDATA #IMPLIED

seconds CDATA #IMPLIED">

<!ELEMENT Time ((From | Interval | Metered)?, Until)>

<!ELEMENT From EMPTY>

<!ATTLIST From %moment;>

<!ELEMENT Interval EMPTY>

<!ATTLIST Interval %interval;>

<!ELEMENT Metered EMPTY>

<!ATTLIST Metered %interval;>

<!ELEMENT Until EMPTY>

<!ATTLIST Until %moment;>

<!-- ********* Time Ended ************* -->

<!-- ********* Fee Started ************* -->

<!ELEMENT Fee (Ticket | Monetary)>

<!ELEMENT Monetary ((PerUse | MeteredFee | BestPriceUnder | CallForPrice | Markup),

Min?,

Max?,

Account

)>

<!ELEMENT Ticket (Authority, Type)>

<!-- The only difference from Fee is that Monetary type is also optional here-->

<!ELEMENT BundleFee (Ticket | BundleMonetary)>

<!ELEMENT BundleMonetary ((PerUse | MeteredFee | BestPriceUnder | CallForPrice | Markup)?,

Min?,

Max?,

Account

)>

<!ELEMENT Authority EMPTY>

<!ATTLIST Authority authority-id CDATA #REQUIRED>

<!ELEMENT Type EMPTY>

<!ATTLIST Type ticket-id CDATA #REQUIRED>

<!ELEMENT PerUse (Currency?)>

<!ATTLIST PerUse value CDATA #REQUIRED>

<!ELEMENT Currency EMPTY>

<!ATTLIST Currency iso-currency-code CDATA #REQUIRED>

<!ELEMENT MeteredFee (Rate, Per, By?)>

<!ELEMENT Rate (Currency?)>

<!ATTLIST Rate value CDATA #REQUIRED>

<!ELEMENT Per EMPTY>

<!ATTLIST Per %interval;>

<!ELEMENT By EMPTY>

<!ATTLIST By %interval;>

<!ELEMENT BestPriceUnder (Currency?)>

<!ATTLIST BestPriceUnder value CDATA #REQUIRED>

<!ELEMENT CallForPrice EMPTY>

<!ATTLIST CallForPrice dealer-id CDATA #REQUIRED>

<!ELEMENT Markup EMPTY>

<!ATTLIST Markup percentage CDATA #REQUIRED>

<!ELEMENT Min (Rate, Per)>

<!ELEMENT Max (Rate, Per)>

<!ELEMENT Account ((AccountTo, House?) | (AccountFrom, House?))>

<!ELEMENT AccountTo EMPTY>

<!ATTLIST AccountTo account-id CDATA #REQUIRED>

<!ELEMENT AccountFrom EMPTY>

<!ATTLIST AccountFrom account-id CDATA #REQUIRED>

<!ELEMENT House EMPTY>

<!ATTLIST House clearing-house-id CDATA #REQUIRED>

<!-- ********* Fee Ended ************* -->

<!-- ********* Access Started ************* -->

<!ELEMENT Access (Security*, User?, Source?, Destination?)>

<!ELEMENT Security EMPTY>

<!ATTLIST Security name CDATA #REQUIRED

value CDATA #REQUIRED>

<!ELEMENT User (Any | Certificate+)>

<!ELEMENT Any (Certificate+)>

<!ELEMENT Source (Any | Certificate+)>

<!ELEMENT Destination (Any | Certificate+)>

<!ELEMENT Certificate (Authority, PropertyPair*)>

<!ELEMENT PropertyPair EMPTY>

<!ATTLIST PropertyPair name CDATA #REQUIRED

value CDATA #REQUIRED>

<!-- ********* Access Ended ************* -->

<!-- ********* Watermark Started ************* -->

<!ELEMENT Watermark ((Watermark-Str |Watermark-Tokens | Watermark-Object)*)>

<!ELEMENT Watermark-Str EMPTY>

<!ATTLIST Watermark-Str string CDATA #REQUIRED>

<!ELEMENT Watermark-Tokens EMPTY>

<!ATTLIST Watermark-Tokens all-rights (true|false) "false"

render-rights (true|false) "false"

user-name (true|false) "false"

user-id (true|false) "false"

user-location (true|false) "false"

institution-name (true|false) "false"

institution-id (true|false) "false"

institution-location (true|false) "false"

render-name (true|false) "false"

render-id (true|false) "false"

render-location (true|false) "false"

render-time (true|false) "false"

copy-number (true|false) "false"

>

<!ELEMENT Watermark-Object (WorkId)>

<!-- ********* Watermark Ended ************* -->

<!-- ********* Work Ended ************* -->

 

 

 

APPENDIX C. QUESTIONS AND ANSWERS

This section answers basic questions about usage rights specifications.

General Questions About Digital Property Rights

What kinds of computers can use digital works with digital property rights?

In principle, any computer can be made into a trusted system suitable to manage usage rights, at least for minimal levels of security. Different vendors will sell trusted systems with different levels of security. Most personal computers will be able to be trusted systems; other specialized devices (such as set-top boxes, personal audio equipment, and personal document readers) will eventually also be available as trusted systems.

Do publishers need to learn the digital property language in order sell or distribute digital works?

No. Publishers need not learn the digital property language any more than they need to learn Postscript. Publishers do need to know the different kinds of rights, conditions, and billing approaches that are appropriate for their The usage rights language is chiefly intended to be machine readable. Publishers would use "publishing systems" to import digital works into a trusted system and to assign rights using a graphical user interface. Typically, the interface would provide standard digital "boiler-plate" or defaults reflecting their typical sales approaches.

What’s to keep somebody from just copying a digital file once they get it?

On a trusted system with a high security class, any attempt to copy a file without authorization will be prevented by the system software. Even on systems with low levels of security, where some protection mechanisms can be circumvented by non-trusted software, there are barriers to use of files (such as their encryption) that make them hard to use outside the control of a trusted system.

What’s to keep people from just deleting the accounting information from their computers?

Accounting information is never kept in non-secure storage. On systems with low-level security, all transactions must be done when the computer is on-line - and all transactions are recorded at secure financial clearing house. Some trusted systems have secure storage, possibly in the form of removable security cards.

Even if computers have secure storage, what ensures that people will pay their bills?

Different people have different credit ratings and people do not like to damage their credit ratings. Some people will have repositories that work like credit cards, and others will have repositories that are prepaid debit cards. As with conventional credit cards, people who don’t pay their bills will have trouble obtaining further credit.

Won’t there be a lot of resistance by consumers to controlling use of digital works? (Look what happened to earlier "copy protection" schemes for software.)

Copy protection schemes have had two major flaws from a consumer point of view: (1) They do not offer any advantages to the consumer and (2) They get in the way of unconventional but fair uses of the material. The goal of copy protection schemes is mainly to thwart unauthorized copying of digital works, without offering any advantages to consumers. The goal of usage rights is to promote a lively commerce in digital works. There are many possible advantages to consumers for digital publication. One advantage is the convenience of being able to order and accept immediate delivery of works any time of the day by phone, network, or even from a friend using consumer-based distribution. Another advantage is that it will often be possible and easy to arrange for inexpensive trial use of works for limited time periods. Finally, the cost of individual works to the consumer may often be lower if they choose to pay by the hour for works.

Will digital property rights create obstacles for consumers to use the works?

The goal in designing hardware and software for using digital works is to keep it simple. For example, on a trusted personal player, playing a digital work should be pretty much the way that playing is now -- you push the play button. When a user plays something the first time, he may need to insert his personal ID card or interact with an interface to choose whether his paying for the copy, paying by the use, or paying by the hour. For users of personal computers, the extra interactions with user interfaces will be minimal and use familiar styles.

 

What happens if somebody has an accident and loses a digital work. (For example, the repository may break or be lost? )

Different publishers may have different policies for handling these situations., depending on the price of the work and whether the work’s ownership is known to the publisher. The usage rights approach has built-in provisions for governing such loss through the Backup and Restore rights.

What happens if a repository is compromised? (Who is responsible for the publisher’s losses if a rogue copy gains wide circulation?)

Repository software and policies will be designed to manage the risks in the relationships among multiple platform vendors, financial clearing houses, publishers, and consumers. One approach is to have a certain low-level surcharge per transaction be used to cover insurance. The amount of risk can be reduced by a variety of other measures, including hot lists of compromised repositories and rogue works, digital certificates that expire, and access to relevant accounting data by law enforcement agencies.

What will it cost to update my Compaq 486 laptop computer to a good security level repository in September 1998?

Some questions are beyond the scope of this manual. Certainly the goal of this effort is to develop a market for affordable and secure enough solutions.

What happens when there is a conflict between usage rights specifications on a digital work and copyright law? For example, suppose that copyrights are supposed to expire after some period of time, but a digital work on a repository still insists on fees and conditions to use the work after that date?

This issue goes beyond the scope of this document. A casual analysis suggests that the precedence of copyright law and contract law (implied by usage rights) may be argued. The issue here is social and legal, not technological.

 

Questions About Work Specifications

Do all digital works have Work specifications?

Yes. A work specification is the top level specification for any digital work with usage rights.

How do I decide how to divide a work up into sections with separate work specifications?

Any part of a work that has distinct rights needs a separate work specification. Any part of a work that needs distinct permissions or distinct accounting of usage fees needs a separate work specification. When derivative works are made as a composition of separately created works, it is typical to have a separate work specification from each. If the works are made using the Extract and Embed rights, the work specifications would be made automatically.

Who assigns a work-id to a work?

The publisher assigns a work an identification using a publishing system. This is part of the process of importing a digital work into a repository. For the ID to be useful, the publisher would also want to make a reference copy available in a standard place, such as a public repository that they keep on-line or with an institution like the Library of Congress. The institutional arrangements for establishing reference copies have not been determined yet.

Who is the owner in a work specification?

The owner is the rights owner. Typically, this would be either the author or the publisher. The copy owner is the purchaser of a particular copy of a work.

How does a publisher get an authorization id?

An authorization id is something that comes with a digital certificate identifying the publisher. The usage rights approach assumes that there will be a small number of well-known authorities that issue certificates of identity. The public keys of the well known authorities would be known to essentially all trusted systems. We will refer to one such institution as the "Digital Property Trust" without being exact yet about its institutional nature.

Can someone publish a digital work without obtaining an ISBN or ISSN?

Yes.

What kinds of records do trusted systems keep about billing and usage?

Trusted systems keep track of all of the billable transactions on a work so as to carry out their accounting function.

Who would have access to usage data on trusted systems?

A basic principle is that these records should only be available to appropriate authorized institutions, and that institutions that access the information have certain obligations to protect privacy. Furthermore, authorized institutions need to have established and published policies about how they use the data.

 

Questions About Transport Rights

What is the difference between the Copy right and the Transfer right?

The Copy right and the Transfer right are both transport rights, in that they govern the flow of digital content between repositories. When the Copy right is exercised, a new copy is created on a second repository. After a Copy right has been exercised, the number of digital copies has been increased. Exercising a transfer right moves a copy from one repository to another. At the end of a transfer transaction, the original copy on the sending repository is deleted.

If someone has a work with a Copy right, does that mean that they can make digital copies and also print a document?

No. Before someone can exercise a Copy right, they must satisfy the fees and conditions associated with the right, which may include having particular authorization certificates (licenses) and paying certain fees. For example, the right might require that the receiving party have a certificate that they belong to a licensed organization or even that they old enough. Furthermore, the Copy right does not govern printing. It only governs the making of digital copies. The Print right governs the making of copies on external media, such as on printers or magnetic storage devices.

If I want to loan a digital work to a friend, can’t I just exercise a Transfer right?

You could use a Transfer right, but you probably don’t want to. Exercising a Transfer right removes the copy of the work from your repository. If your friend does not return the digital work, then the situation is much the same as when you loan somebody a paper book and never get it back. In contrast, the Loan right allows you to specify a loan period at the time of the loan. At the end of that period, the copy on your friend’s repository deactivates and the copy on your repository reactivates, effecting an "automatic return."

If I borrow a copy of a digital work from a friend, can I make a copy of it?

This depends on the rights that are active on the loaner copy. A publisher uses the next-copy-rights specification to indicate what rights are active. It is often in the publisher’s interest to put Copy rights on loaner copies, because that enables more consumer-based sales. The right to make a copy of a loaned work is governed by the rights on the loaner copy. If there is a Copy right, then you can exercise that right. The Copy right specifies the fees and conditions that apply for making the copy.

If I loan a copy to a friend, can I still use it when it is loaned out?

Generally not. The usual arrangement is that only one person at a time can use a copy of a digital work. There are exceptions to this. For example, a user may have more than one copy of a work and can still use it as long as some copies are not yet loaned out. Also, a publisher can specify what rights remain behind during the period when a work is loaned out.

If no rights can be exercised when a digital work is loaned out, does that mean that the copy owner cannot even pay to get another copy?

Not necessarily. A publisher can use the remaining-rights specification to indicate that certain rights can still be exercised when a work is loaned out. In particular, it is generally in the publisher’s interest to have Copy rights remain on the work.

 

Questions About Render Rights

I can’t find a Display right. What right would I use to read a copy of a work?

The Play right. The Play right is used generically to refer to ways for a user to experience a work. This includes displaying a work on a screen, playing a work over a speaker, playing a video game, and running a computer program.

I can play a digital movie on a screen, or digital music out a speaker. What is to keep someone from using a video camera or tape recorder to make a copy on magnetic tape?

Anything you can see or hear can probably be copied at some level of resolution on a video camera. Although unfair copying is generally prohibited by copyright law, usage rights and trusted systems can not block such copying. However, there are some deterrents. One deterrent is that generally the transition to and from analog signals introduces noise and degrades the quality of the copy. Also, it is possible to embed digital watermarks (or hidden signatures) in the work so as to make the copy traceable to the source. These could show up as almost unnoticeable marks on a page, sounds in music, or image alterations in video that could be used later for tracing the source.

If you can print out a work, what’s to keep somebody from just making photocopies?

Copyright law governs the making of copies, but there is nothing in the technology for current generation copiers that stops a person from making photocopies of a paper document. Publishers can address this risk in several ways. First, they can limit who has the right to print a document. For example, they may limit this to people who are certified subscribers to the Copyright Clearance Center. Furthermore, they may require that printing take place on trusted printers that use watermarks. Watermarks make it possible to trace the user and repository from which the paper copy was printed.

 

 

Questions About Derivative Work Rights

How does a publisher know that fees and conditions will be honored when a published digital work is incorporated in somebody else’s derivative work?

Derivative works are constructed by trusted systems whose function includes keeping the specifications for fees and conditions attached to the digital work. When derivative works are constructed in this way, the collection of fees and honoring of conditions is automatic and enforced by all of the repositories that are involved.

Would I need to obtain written permission to reuse a portion of a published digital work a new derivative work?

The reuse of a portion of a digital work is governed by the derivative work rights - Edit, Extract, and Embed. If a publisher has anticipated such uses and specified the rights and conditions, and you are agreeable to the rights and conditions, then you can just go ahead and reuse the work. The trusted systems will take care of billing and use restrictions automatically. This feature is intended to encourage the commercial reuse of works, providing a low overhead way for publishers to get compensation for such uses.

How could I say that a portion of a work can only be used for "professional" purposes. For example, I may not want certain digital pictures in a particular work to be used for entertainment publications,

Usage rights can only specify conditions that can be understood and enforced by trusted systems. One way to do this would be to require possession of a "professional" license from someone to exercise the Embed right. Another measure would be to require a "professional" license for someone to exercise a "Play" right.

 

Questions About File Management Rights

What’s to keep me from making a backup copy, selling the original, and then exercising a Restore right?

Restore rights can have various conditions. For example, they may require tickets, fees, or communicating with the publisher’s system. It is up to the publisher to choose conditions that adequately meet their security needs.

If I make a backup copy, where do I actually store it?

Backup copies of a file are actually encrypted files, with usage rights typically for restoring them, printing them, and transferring them. You could transfer the backup copy to another repository. You could also "print" them to external storage, such as an external disk for safe keeping. You also need to keep the file with the key for decrypting the backup file in secure storage on some trusted system.

Suppose that my friends and I commonly exchange digital works. How do I keep my friends from accessing my private files when we connect our repositories?

One way to do this is to organize your repositories into folders with different usage rights on different folders. Most repositories will come with a "private rights group" that requires your personal identity before rights can be exercised. By putting this rights group on your private folders, you can exclude others from using or even seeing what’s in those folders.

If I have a digital work that I suspect is damaged or not genuine, how can I check it out?

Illegitimate copies of digital works will sometimes be circulated. These works might be created when someone manages to compromise a repository. They may also be created entirely from scratch, where someone copies a digital work manually and then offers it up for sale. Verifiers are systems that check the authenticity of a work. Some verifiers will be available on most repositories. These low-level verifiers can check encryption codes, hot-lists of rogue works, and so on. Other verifiers may compare a work to a reference copy. Such verifiers may be available on the network, where they have local access to the reference copy.

Do all works have Verify rights?

No, although almost all legitimate works will probably come with Verify rights with no associated fees or conditions.

Can I verify a work even if it does not have Verify rights?

Yes. In effect, an explicit Verify right makes it possible to transmit a copy of a work to a "verification server" without paying the required fees often associated with exercising a Copy right, and without losing a local copy of a work as in exercising a Transfer right. However, a work can always be transferred and subsequently returned. Some "players" and other programs can also perform verification functions.

If I delete a digital work, do I get my money back?

Probably not. Although it is possible for a publisher to give a credit when you delete a work, the more likely case is that deleting a work is like throwing away a book when you are done with it..

Questions About Time Specifications

Do all starting and expiration times on digital works need to be given in Greenwich Mean Time?

Yes and no. The times written in the language are always in terms of GMT. However, times are translated to and from the user’s own time zone automatically by the user interface of the trusted system, so the user never actually sees the GMT times.

Do rights on works need to have expiration dates?

No. Expiration dates are optional. If no expiration date is given, then rights never expire.

What’s the difference between a fixed interval and a sliding interval?

In a fixed interval, a right is valid from a fixed starting time to a fixed stopping time. In a sliding interval, the duration of the interval is fixed, but the interval starts the first time that the right is exercised.

What happens when there is a conflict between a metered interval and an expiration date? For example, suppose I have the right to use a work for a month, but the expiration date expires tomorrow.

In this example, the right expires tomorrow, even though there is potentially time left on the meter. If the publisher wanted to offer a month of use independent of an expiration date, he could specify that the rights never expire.

How will expiration dates effect libraries? Shouldn’t libraries, or indeed anyone, be able to buy works without the rights expiring?

This is a good issue and reflects the social role of archiving of works. Authors and publishers that want to encourage archiving of their works should specify that the rights never expire.

Suppose that the right to use a digital work has not expired, but that the ticket a user has to exercise the work has expired. What should the user do?

Get a new ticket. Expiration dates on rights, certificates, and tickets are independent of each other. Everything that a user uses in a transaction must be valid at the time of the transaction.

On a personal computer, a user can sometimes fool the system by setting any time he wants. Why can’t he do this on a repository?

Except for repositories of the lowest security classes, one of the requirements is that the clock be tamperproof. Furthermore, repositories check and compare their clocks at predetermined times in their protocols. For example, when repositories exchange works or register with financial clearing houses, clocks are compared.

Suppose that the batteries run down on a repository. How do you reset the clock?

Part of the function of a repository is to detect that a clock has stopped. Before any time-sensitive transactions can be carried out, the repository must obtain the time from another certified repository of adequate security level. Part of the communications protocol is to check and reset the clock under these conditions.

Suppose I buy a copy of a repository and then discover that all of the rights have expired?

Creating a work whose Copy rights expire long after other rights is a questionable publishing practice. Repository software can be made to check for such situations before money is exchanged to copy a work.

Questions About Fee Specifications

How do I get an account?

From an on-line bank. This could be a credit account or a debit account. The goal of this approach is to work within the initiatives already being developed for electronic commerce.

How does a publisher make digital tickets, and refer to them in rights?

Publishing systems have basic commands for making tickets and for including them in rights specifications. In this process, the publisher assigns expiration dates, usage rights on the tickets, identifiers, and so on. Digital tickets are digital works are distributed like other digital works and their use and transport is governed by usage rights.

Suppose that I pay to use a work by the hour, and then later decide to buy unlimited use of the work. Can I apply my metered fees towards the purchase?

The answer to this depends on the publisher. A repository treats these as two separate transactions. In principle, publishers can offer all sorts of rebates, specials, loyalty programs, and other incentives In some cases, a publisher would aggregate transactions according to the offer and then send credits to your billing account or grant you digital tickets that can be used with the publisher’s products.

What is a "per-use" payment, that is, how do you define a single use of a work? What happens if a user starts using a work, is interrupted, and then starts again. Is that two uses? Alternatively, if a user plays a piece of music for two days, is that a single use?

In general, a per-use fee is charged every time that a right is exercised. For example, a per-use fee for a piece of music might be assessed every time the Play button is pressed. In the example given, where a user is interrupted and restarts the music, two uses would be counted. Similarly, if the music is played continuously for 2 days (using pause and reset or something), that would be a single play.

However, both of these examples can be modified by including a min-price-spec and a max-price-spec in the fee language. For example, the following right assesses a fee of fifty cents per use, but also caps the fee at fifty cents per day and requires a minimum fee of fifty cents per day. With this specification, the user can exercise the Play right as often as desired in a single day without paying more than fifty cents. Furthermore, if the user extends the Play for more than one day, he will pay an additional fifty cents.

<Play><Fee><Monetary>

<PerUse value=".50"/>

<Max><Rate value=".50"></Rate><Per days="1"/>

<Min><Rate value="50"></Rate><Per days="1"/>

<Account>

<AccountTo="Account-Jones-Pub248afdoiu4398"/>

</Account>

</Monetary></Fee></Play>

In a Metered fee specification, is there a difference between a fee of sixty cents per hour and a fee of a penny per minute?

These rates can be the same or different, depending on other parts of the fee specification. The key issue is how the user is charged for partial use of a time period.

<Play><Fee><Monetary>

<Metered><Rate value=".60"> </Rate><Per hours="1"/><By minutes="1"/>

<Account><AccountTo="Account Jones-Pub-245lkj5987"/> </Account>

</Monetary></Fee></Play>

<Play><Fee><Monetary>

<Metered><Rate value=".60"> </Rate><Per minutes="1"/>

<Account><AccountTo="Account Jones-Pub-245lkj5987"/> </Account>

</Monetary></Fee></Play>

In the two play examples given here, both fees are computed the same way —to the nearest minute. The first example specifies the rate by the hour, but the "By" specification says that it is computed proportionately to the nearest minute of use. The second example gives the rate by the minute. Since it does not have a By specification, it is computed to the nearest minute by default. In this way the digital property language gives a publisher the flexibility to specify a rate in the most understandable terms.

In a Metered fee specification, is there a way to limit the maximum amount that a user needs to pay to exercise a right in a day?

Yes. This is another application of the maximum price specification. For example, the following specification charges sixty cents per hour accounted to the nearest minute but sets a maximum fee of two dollars per day.

<Play><Fee><Monetary>

<Metered><Rate value=".60"> </Rate><Per hours="1"/><By minutes="1"/>

<Max><Rate value="2.00"></Rate><Per days="1"/>

<Account><AccountTo="Account Jones-Pub-245lkj5987"/> </Account>

</Monetary></Fee></Play>

What are digital tickets good for?

Digital tickets can be thought of as publisher-specific coupons. Publishers can distribute them to favored customers, or even bundle them with digital works. In general, they are used in loyalty programs to encourage consumers to go to a given publisher.

 

How can a publisher use digital tickets to give discounts on exercising a right?

Here are two examples of how digital tickets can be used in flexible pricing. In the first example, exercising the Play right costs a flat dollar per use.

<Play>

<Fee><Monetary>

<PerUse value="1.00"/>

</Monetary></Fee>

</Play>

<Play>

<Fee><Ticket>

<Authority authority-id="Jones Publishers"/>

<Type ticket-id=" Introductory Offer"/>

</Ticket></Fee>

</Play>

In the second example, the Play right can be exercised at no fee by presenting a ticket. The ticket could be purchased ahead of time by the consumer. Its pricing and distribution is separate from the work and pricing may vary with time. The ticket could also be free, distributed as part of a sales promotion.

 

How does a best price specification work, since an off-line repository cannot know the best price at the time of the transaction?

A best-price specification indicates a maximum fee to be paid. This is the amount that is charged to the user at the time of the transaction. Later, after transactions are cleared at a financial clearing house, the publisher can give a rebate if a better price was in effect, crediting the user’s account with the rebate amount. If a repository is on-line with the publisher at the time of the transaction, the actual price can be known and used in the transaction.

What happens if the publisher’s price has gone up, above the best price maximum set in the usage right?

In this case, the user gets the lower price, since the publisher has already agreed to that rate. If a publisher expects a price to go up or has uncertainty about this, then the offer can be limited to a period of time by the time specification for the right.

 

How can a user exercise a call-for-price option if he is off-line?

He can’t. The call-for-price specification requires a communication between the user and the rights owner at the time of the transaction.

What is a markup fee used for?

Markup fees are used to tack an additional percentage-based fee s for using a work. This could be used by distributors as a way of recovering costs. It could also be used as an automatic way to collect sales taxes.

Suppose that one publisher sells a digital work to a second publisher. Who gets the income stream from the usage of copies made and distributed by the first publisher?

When a digital work is sold, the contracts between the publishers could specify any way of dividing funds that makes sense. In this example, the works in the field would already have accounting information associated with the work. The accounting for dividing the continuing funds would need to be done by an accounting service trusted by both parties. For example, a financial clearing house could disburse the funds according to transactions. One way to anticipate this scenario would be for a publisher to obtain a unique account number for each digital work that it publishes. Funds accruing to such accounts could then be routed as desired.

 

 

Questions About Security and Authorization

What is the difference between a source authorization, a destination authorization, and a user authorization? .

All authorizations are digital certificates. A source authorization is an authorization kept on the same machine as the digital work. It is usable in transactions by anyone accessing the work. A user authorization is associated with a particular individual. It is accessible to that individual when he is logged on to the repository. A destination authorization is an authorization that must be on a machine other than the one where the work resides.

Of what use is a destination authorization? .

Destination authorizations are authorizations that must be on a repository other than the repository with the digital work during a transaction. They would appear in a right like the following:

<Transfer><Access>

<Destination><Certificate>

<Authority authority-id="Jones Publishers"></Authority>

<PropertyPair name="License" value=" ABC-Site-poiuqer98743"/>

</Certificate></Destination>

</Access></Transfer>

In this example, a digital work cannot be transferred to another repository unless that repository has a particular license on it., no matter who is requesting the transfer.

How does a site license work in this approach?

A site license is a license for all people in a given organization to use a work. There are important variations on site licenses. What the approaches have in common is that a work has a right requiring a license to exercise it.

<Play><Access>

<User><Certificate>

<Authority authority-id="Jones Publishers"></Authority>

<PropertyPair name="Type" value="Site-License"/>

</Certificate></User>

</Access></Play>

<Play><Access>

<Source><Certificate>

<Authority authority-id="Jones Publishers"></Authority>

<PropertyPair name="Type" value="Site-License"/>

</Certificate></Source>

</Access></Play>

Here are two examples of how the authorization might be specified in a right. In the first example, the authorization is a user authorization. Such authorizations would typically be carried on a personal card. When a person uses a computer, he inserts the card and the system can access the license there. In the second example, the authorization is a "source" authorization, meaning that the license is on the computer itself. Anyone using the computer could exercise the right. The first version controls who the person is, and the second version controls which machine has the license.

Sometimes the license itself would require a separate and remote license server. For example, a site license may limit the number of simultaneous users of a work. In this case, the license on each machine would ask its local license server to contact a centralized license server which counts the number of simultaneous users and admits new uses as long as the total count is less than some authorized number.

How would membership to a digitally-distributed journal work using this approach?

There are many different ways that on-line journals can be organized, so there is no single answer to this question.

A publisher could bundle printed distribution with on-line distribution, or could offer these as separately-priced options. A subscriber would get a subscription license, and potentially a number of subscription tickets useful for various things. For example, there could be on-line search services or print rights associated with digital tickets. Publishers could offer on-line bulletin boards and e-mail forums, open to subscribers. Some institutions could have site licenses.

How can a publisher prevent a digital work from being moved to a repository with low security?

A publisher can control the transport of a work by specifying security classes and other conditions on all transport rights. The security level of a platform is known to any platform that engages in a transaction with it. By specifying a high enough security class on all Copy, Loan, and Transfer rights, a publisher can preclude transport of the work to low security platforms. Furthermore, requirements for other digital licenses associated either with the person or physically secured repositories can also be specified.

What precludes authorizations from being forged or copied?

Authorizations are all digital certificates. To create an authorization requires knowing the private key of the authorizing agency. This makes them difficult to forge. The testing process checks one-way hash functions on the content. This makes it possible to detect tampering with the content. The transport of the certificates, like all digital works, is controlled by usage rights. Thus, these certificates are always kept in storage having high enough security. Even on semi-trusted systems, the certificates are kept in trusted storage. This makes certificates difficult to steal.

 

INDEX