HomeSecurity Page 7 - Trust, Access Control, and Rights for Web Services, Part 2
eXtensible Rights Markup Language (XrML) Management Specification - Security
Web services themselves provide a powerful new approach to PKI that prevents each Web service requestor and provider from having to build their own PKI: accessing a trusted PKI as a service. XKMS aims to do just that. This is part 2 of chapter 9 from Securing Web Services with WS-Security, by Rosenberg and Remy (ISBN 0672326515, SAMS, 2004).
The eXtensible Rights Markup Language specifies rights to control access to digital content and services. XrML is part of the effort to create an infrastructure to manage digital rights on copyright and for-fee content that is moved across the public networks.
XrML is a rights language that supports a wide variety of business models from free content that still must control who accesses it (for example, real estate home listings) to valuable content that must be purchased by the end user (for example, digital music). It can specify simple and complex rights. It is designed to handle any type of digital content or service. It gives precise meaning to all components of the system. A couple of its critical early design goals were that it be interoperable with other standards and specifications and that it be platform neutral.
The XrML Data Model
The data model for XrML consists of four entities and the relationship between those entities. The most important relationship is the XrML assertion Grant. A Grant is structured as follows:
The Principal to whom the Grant is issued
The Right that the Grant specifies
The Resource that is the direct object of the "rights" verb
The Condition that must be met for the right to be exercised
A Principal is an individual who must present identification credentials such as an X.509 certificate or a digital signature. If the authentication of this individual is successful, that person may be granted some Rights to the digital content. The Right is a verb that a Principal can be granted to exercise agaist some content. For example, the Right might be to read, view, print, forward, or even grant rights to others. The Resource is the object to which a Principal can be granted a Right. It might be an e-book, an audio or video file, or an image. It can also be a service such as email or a Web service. A Condition specifies the terms, conditions, and obligations under which the Rights can be exercised. This might be a time interval, or it might require that someone else has also granted some Rights first, such as a trusted third party. The relationships of the four key XrML constructs are shown in Figure 9.10.
Figure 9.10 Core XrML constructs and their interrelationships.
This chapter is from Securing Web Services Security with WS-Security, by Jothy Rosenberg and David Remy (Sams, 2004, ISBN: 0672326515). Check it out at your favorite bookstore today.