A Formal Foundation for ODRL

What’s ODRL?

An XML-based language for writing software licenses.

Language specification includes: syntax; English interpretation of the syntax.

Language is freely available. (No copyright or patent restrictions!)

Language has been endorsed by nearly 20 organizations including: Nokia, a multi-industry conglomerate focused on mobile communications; DAFNE, a research project funded by the Italian government to develop a prototype of the national infrastructure for electronic publishing; and RoMEO, a research project investigating the rights management of ‘self-archived’ research in UK academic community.

Bottom Line: ODRL has a significant widespread impact on rights management.

Problem: No formal semantics = Language is ambiguous

ODRL is ambiguous.

In ODRL, we can write ‘if Alice is not permitted to download file A, then she may download file B’. Suppose Alice is neither explicitly permitted nor explicitly forbidden from downloading file A, may she download file B?

In ODRL, we can write ‘Alice may download file A, if she does actions a_1 and a_2 in order and does actions a_3 and a_4 in any order’. Suppose Alice does the action sequence a_2, a_1, a_3, a_4, a_2. May Alice download file A?

In ODRL, we can write that Alice may download file C, if neither of the above policies hold. What does this mean?

The ODRL document says that the language supports revocation, but doesn’t say who may revoke what.

Bottom Line: ODRL is underspecified. As a result, implementations won’t all agree and the benefits of having a standard are lost.

Our Approach: Translate ODRL licenses into formulas in a logic (that has formal semantics).

Using First-order Logic to Reason about Policies

Background: Policies say what is and what is not permitted. Sample policies include: ‘All information on this site may be copied.’ ‘The tickets may not be refunded.’

Goals: To create a logic that
1. can easily capture the policies that many people want to discuss
2. can efficiently determine what is allowed and what is forbidden
3. is accessible to non-logicians

Why bother?: We want to promote the dissemination of ideas, while still respecting intellectual property rights. To do this, we must be able to state what should be shared (i.e. what’s permitted) and what constitutes a violation of a person’s rights (i.e. what’s not permitted).

Our Approach: A policy says what is (or what is not) permitted. A policy has the form:

x_1,…, x_m (f ( ) Permitted(t_ag, t_ac))

where f is a conjunction of literals; t_ag is an agent, t_ac is an action, both are terms; Permitted(t_ag, t_ac) means t_ag may do t_ac.

Encoding Policies

The environment (env) gives basic facts about the world. An environment is a conjunction of ground literals, e.g. Student(Alice), and universal formulas, e.g. x (Man(x) Woman(x)).

Encoding the Environment

Assume an environment E and a policy set P = {p_1,…, p_n}, is c_1 allowed/forbidden to do c_2? Is E p_1 … p_n ( ) Permitted(c_1, c_2) a valid formula?

Encoding Queries

2 literals l and l’ are unifiable if . l = l’ . A literal l is bipolar in a formula f (in CNF) if l is in f and there is a literal l’ in f such that l and l’ are unifiable (assume no shared variables).

Key Idea: Bipolarity

Complexity

If the env. E has only ground literals, for the policy set P = {p_1,…, p_n} there are no bipolars in p_1 … p_n, and no variable is only on a policy’s lhs, then our queries take |P||E| time to ans. If the variable restriction isn’t met, then problems are NP in the number of variables in any one policy.

Under reasonable assumptions, answering queries takes quadratic time, even if the env. has universal formulas.

Relaxing Restrictions

From Spring 2003… Since then: Paper appears in the Proceedings of the 16th IEEE Computer Security Foundations Workshop, 2003.

Research by: Riccardo Pucella and Vicky Weissman, work presented at WITS ’04.

Which Logic?

ODRL statements are of the form ‘if , then ’ is a conjunction of constraints (facts that are outside the user’s influence), conditions (constraints that must not hold), and requirements (facts that the user controls). E.g., ‘If Alice is over 21 years old, she has paid the cover charge, and the policy ‘Alice may not enter the bar’ does not hold, then Alice may enter the bar’. These statements are readily captured in first-order logic.

Bottom Line: We translate ODRL licenses to formulas in first-order logic.

Benefits of using first-order logic

Can compare ODRL with license languages in the formal methods community (which are often fragments of first-order logic).

Can compare ODRL with XrML, since we have translated both to fol.

Complexity is an open problem, but we are hopeful that applying well-known results for first-order logic will yield (at least) an upper bound. We intend to apply our results from last spring to extend ODRL and, if needed, find tractable fragments.
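
An added example, not part of the poster or the authors' work: a brute-force check of the permission query for ground policies, applied to the "download file B" ambiguity raised above. It assumes a classical reading in which a query succeeds only if Permitted (or its negation) holds in every model of the environment and policies; the names permitted, query, RULE_B and FORBID_A are hypothetical, and the exhaustive search is not the efficient procedure the complexity results refer to.

```python
from itertools import product

def permitted(agent, action, positive=True):
    """Ground literal (atom, polarity) for Permitted(agent, action)."""
    return (f"Permitted({agent},{action})", positive)

def holds(lit, world):
    atom, positive = lit
    return world[atom] == positive

def models(env, policies, extra_atom):
    """Yield each truth assignment satisfying the env and every policy."""
    atoms = {extra_atom} | {a for a, _ in env}
    for body, head in policies:
        atoms |= {a for a, _ in body + [head]}
    atoms = sorted(atoms)
    for values in product([False, True], repeat=len(atoms)):
        world = dict(zip(atoms, values))
        env_ok = all(holds(l, world) for l in env)
        # A policy "body implies head" fails only if body holds and head does not.
        pol_ok = all(holds(head, world) or
                     not all(holds(l, world) for l in body)
                     for body, head in policies)
        if env_ok and pol_ok:
            yield world

def query(env, policies, agent, action):
    """Which of Permitted / not Permitted follows from env and policies?"""
    atom, _ = permitted(agent, action)
    seen = {w[atom] for w in models(env, policies, atom)}
    if not seen:
        return "inconsistent"      # no model: env and policies contradict
    if seen == {True}:
        return "permitted"         # Permitted holds in every model
    if seen == {False}:
        return "forbidden"         # not Permitted holds in every model
    return "undetermined"          # neither is entailed

# Constructed policies based on the poster's Alice example.
# RULE_B: if Alice is not permitted to download A, she may download B.
RULE_B = ([permitted("Alice", "downloadA", False)],
          permitted("Alice", "downloadB"))
# FORBID_A: an explicit, unconditional prohibition (assumed for contrast).
FORBID_A = ([], permitted("Alice", "downloadA", False))

if __name__ == "__main__":
    print(query([], [RULE_B], "Alice", "downloadB"))
    print(query([], [RULE_B, FORBID_A], "Alice", "downloadB"))
    print(query([], [RULE_B, FORBID_A], "Alice", "downloadA"))
```

Under this reading, silence about file A leaves the download of file B undetermined; only an explicit prohibition on A makes B permitted.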