1. Flexible and Extensible Digital Object and Repository Architecture (FEDORA) Sandra Payette Cornell University payette@cs.cornell.edu CS 502 Computing Methods for Digital Libraries April 18, 2001

2. Repository Services Component-Ware Digital Libraries Collection Services Index Services Handles Name Service Digital Objects User Gateway Service

3. FEDORA: Goals Distribution - of digital content and services Interface Stability - for digital objects Interoperability - for digital objects and repositories Extensibility - naturally evolving type system Flexibility - community-driven type development Security - rights management and access control Preservation - longevity of digital objects

4. FEDORA Digital Object  container for aggregating any digital material  disseminations of complex types  global extensibility mechanisms Repository  Service layer for “contained” DigitalObjects  Object lifecycle management  Secure environment for running mobile code

5. FEDORA History Digital Object vision (Kahn/Wilensky) Warwick Framework (container model) Distributed Active Relationships (Lagoze) Cornell FEDORA (Payette, Lagoze) CNRI Repository (Arms, Blanchi, Overly) CNRI/FEDORA Interoperability Project UVA/FEDORA (Staples, Weyland) - Complex disseminators, XML/XSL, web integration Project Prism (DLI2) – Security, preservation Lecture Browser (Mukhopadhyay, Newman)

6. Fedora DigitalObjects can be... Simple, familiar entities Complex, compound, dynamic objects

7. Fedora Digital Object Model Disseminations Generic interface Data Stream Data Stream Data Stream Extensible Mechanism Encapsulated service request Primitive Disseminator Typed Disseminator Internal stream

8. Disseminator Type A set of behaviors that formally describes the functionality of any global or community-specific notion of content.

9. Extensible Behaviors - “Lecture” Content Disseminations Lecture Mechanism Dublin Core GetVideo(quality) GetSlide(seqNum) GetSyncData GetDCRecord GetDCField(name) Lecture Data Archive Video-H Applet slide-2 (gif) slide-1 (gif) metadata (xml)

10. Digital Object Methods Content Disseminations Lecture Dublin Core Video-H Applet (java) slide-2 (gif) slide-1 (gif) metadata (xml) Lecture, DublinCore GetDissemination (Lecture.GetSlide(1)) GetSlide(n), GetVideo(res),GetApplet() GetMethods(Lecture) The Slide GetDissemTypes()

11. DigitalObject Extensibility: Adding New Types MechanismStructure Interface Book The same underlying data... can be operated on in novel ways… Photo Collection to create new disseminations not originally conceived of for the particular digital object. Book Photo Album PDF page metadata (xml) page

12. Registration and Proliferation of Disseminator Types Disseminator Types registered in the Handle System  visible when URN of a Signature is registered  usable when URN of a Servlet is registered Other DigitalObjects can use Disseminator Types by referencing these URNs. Handle System Fedora Repository

13. Big Picture: Cooperation among non-cooperating sources Lesson 1 module GetDissemination( GetLesson(1)) Library Catalog Museum Image Database Video Archive Course page

14. Repository Big Picture: Interoperable Repositories Handles Name Service Cornell CS Lectures Client NCSTRL Repository Library Collections

15. University of Virginia (UVA) Implementation Relational schema for Fedora Fedora as mediation technology Integration and normalization of many “born-digital” resources Multiple disseminations of same content to meet different scholarly needs 500,000+ digital objects High performance

16. UVA – Digital Objects

17. UVA Salisbury Cathedral

18. UVA Fedora Utility Interface

19. FEDORA: Security Distribution - of digital content and services Interface Stability - for digital objects Interoperability - for digital objects and repositories Extensibility - naturally evolving type system Flexibility - community-driven type development Security - rights management and access control Preservation - longevity of digital objects

20. Limitations of traditional access control mechanisms Limited expressiveness for policies Fixed set of abstractions  objects are files, directories, etc.  actions are read, write, execute, etc. Not easily extended for complex or fine- grained policies

21. Digital Libraries: context-specific policies Distance Education (“Lecture object”):  “guests may view course syllabus and slides 1-10 of Lecture 1, but may not view the Lecture 1 video or other slides.”  “students may not view Lecture 2 video unless they submit assignment for Lecture 1.” Library digitization (“Book object”):  “before copyright expiration on 1/1/2002 CU students can access chapters 1-6 and CU alumni can access pages 1-20 of chapter 2; after expiration, all users can access all pages of all chapters.” Business Strategy (“Technology portfolio object”):  “managers may view product specification only after product safety report has been certified by head of R&D.”  “only the executive team may run the market share simulation”

22. Building on existing work Fedora - digital object and repository architecture (Payette and Lagoze, 1998, 2000) Security Automata (Schneider, 1999) PoET - Policy Enforcement Toolkit (Erlingsson and Schneider, 1999, 2000)

23. Extensible Behaviors - “Lecture” Content Disseminations Lecture Mechanism Dublin Core GetVideo(quality) GetSlide(seqNum) GetSyncData GetDCRecord GetDCField(name) Lecture Data Archive Video-H Policy-L (PSlang) Video-L Policy-D (PSlang) slide-2 (gif) slide-1 (gif) metadata (xml)

24. Security Automata Theoretical basis for specifying policies that are enforceable, flexible, and fine-grained Policies are modeled as state transitions Execution Monitoring (EM)  Class of enforcement mechanisms that enforce policies by simulating a security automaton  Monitors executions upon a target (system, application, object) and prevents executions that violate policy  “Reference Monitors” are EM Source: Schneider, 1999

25. In-Line Reference Monitoring (IRM) Security automata simulations are merged into program object code (checks inserted before each execution) The application program, itself, becomes the reference monitor, ensuring that policy is not violated when it runs. Source: Erlingsson and Schneider, 1999, 2000 Traditional (kernel as Reference Monitor) kernel program executable OS RM Language-based security (IRM) In-lined program

26. Policy Enforcement Toolkit (PoET) Trusted program rewriter - modifies Java bytecode Secure class loader Event-oriented policy language (PSLang) Source: Erlingsson and Schneider, 1999, 2000 Policy in PSlang Policy in PSlang Program rewriter Secure Class loader Modified Bytecode (target with policy embedded) JVM Java Bytecode (class file) Program runs (obeys policy) PoET

27. FEDORA and PoET IRM Policy Enforcement Content Disseminations Video-H Lecture Mechanism Video-L Dublin Core Java bytecode in-lined with policies at runtime slide-2 (gif) slide-1 (gif) metadata (xml) access request Policy-L (PSlang) Policy-D (PSlang)

28. Object structure view via client Digital Object Policy

29. End-User View … policies enforced transparently

30. Future Work Policy enforcement of more complex policies, more object types. Dynamic policy binding based on object characteristics. UVA Production Fedora Open Archives Initiative compliance Preservation: dissemination of metadata to facilitate preservation Mobile computing - trust schemes to support policy enforcement as objects move

31. References: Fedora Payette, Sandra and Carl Lagoze, “Flexible and Extensible Digital Object and Repository Architecture,” ECDL98, Heraklion, Crete, September 21-23, 1998, Springer, 1998, (Lecture notes in computer science; Vol. 1513). http://www.cs.cornell.edu/payette/papers/ecdl98/fedora.html Payette, Sandra, Christophe Blanchi, Carl Lagoze, and Edward Overly, “Interoperability for Digital Objects and Repositories: The Cornell/CNRI Experiments,” D-Lib Magazine, May 1999. http://www.dlib.org/dlib/may99/payette/05payette.html Payette, Sandra and Carl Lagoze, Policy-Carrying, Policy-Enforcing Digital Objects, accepted by Fourth European Conference on Research andAdvanced Technology for Digital Libraries, Portugal, Springer, 2000, (Lecture notes in computer science), draft available at http://www.cs.cornell.edu/payette/papers/ecdl2000/pcpe-draft.ps Payette, Sandra and Carl Lagoze, Value Added Surrogates for Distributed Content: Establishing a Virtual Control Zone, D-Lib Magazine, June 2000, http://www.dlib.org/dlib/june00/payette/06payette.html

32. Contributors: Staples, Thornton, and Ross Wayland, "Virginia Dons Fedora: A prototype for a digital object repository," D-LIb Magazine, July 2000, http://www.dlib.org/dlib/july00/staples/07staples.html Schneider, Fred B., “Enforceable Security Policies,” Computer Science Technical Report #TR98-1664, Department of Computer Science, Cornell University, July 24, 1999, http://cs-tr.cs.cornell.edu:80/Dienst/UI/1.0/Display/ncstrl.cornell/TR98-1664 Erlingsson, Ulfar and Fred B. Schneider, “SASI Enforcement of Security Policies: A Retrospective,” Computer Science Technical Report #TR99-1758, Department of Computer Science, Cornell University, July 19, 1999, http://cs-tr.cs.cornell.edu:80/Dienst/UI/1.0/Display/ncstrl.cornell/TR99-1758 Erlingsson, Ulfar and Fred B. Schneider, “IRM Enforcement of Java Stack Inspection,” Computer Science Technical Report #TR2000-1786, Department of Computer Science, Cornell University, February 19, 2000, http://cs-tr.cs.cornell.edu:80/Dienst/UI/1.0/Display/ncstrl.cornell/TR2000-1786