ContentGuard Holdings, Inc. v. Amazon.com Inc. et al
Filing
1
COMPLAINT FOR PATENT INFRINGEMENT against Amazon.com Inc., Apple, Inc., BlackBerry Corporation (f/k/a Research In Motion Corporation), Huawei Device USA, Inc., Motorola Mobility LLC ( Filing fee $ 400 receipt number 0540-4447766.), filed by ContentGuard Holdings, Inc.. (Attachments: # 1 Exhibit A, # 2 Exhibit B, # 3 Exhibit C, # 4 Exhibit D, # 5 Exhibit E, # 6 Exhibit F, # 7 Exhibit G, # 8 Exhibit H, # 9 Exhibit I, # 10 Exhibit J, # 11 Exhibit K, # 12 Civil Cover Sheet)(Baxter, Samuel)
Exhibit C
US006963859B2

(12) United States Patent
Stefik et al.

(10) Patent No.: US 6,963,859 B2
(45) Date of Patent: Nov. 8, 2005

(54) CONTENT RENDERING REPOSITORY

(75) Inventors: Mark J. Stefik, Portola Valley, CA (US); Peter L. Pirolli, San Francisco, CA (US)

(73) Assignee: ContentGuard Holdings, Inc., Wilmington, DE (US)

(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 78 days.

(21) Appl. No.: 10/345,390

(22) Filed: Jan. 16, 2003

(65) Prior Publication Data: US 2003/0225699 A1, Dec. 4, 2003

Related U.S. Application Data

(63) Continuation of application No. 09/778,006, filed on Feb. 7, 2001, now Pat. No. 6,714,921, which is a division of application No. 08/967,084, filed on Nov. 10, 1997, now Pat. No. 6,236,971, which is a continuation of application No. 08/344,760, filed on Nov. 23, 1994, now abandoned.

(51) Int. Cl.7: G06F 17/60

(52) U.S. Cl.: 705/51; 705/52; 705/53; 705/54; 705/55; 705/56; 705/57; 705/58; 705/59; 705/50; 380/201; 707/9; 707/104.1; 713/182; 713/183; 713/184; 713/185; 713/186

(58) Field of Search: 705/50-59; 380/201, 380/30; 707/9, 104.1; 713/182-186, 156; 235/449; 379/93

(56) References Cited

U.S. PATENT DOCUMENTS

3,263,158 A 7/1966 Bargen et al.
3,609,697 A 9/1971 Blevins et al.
3,790,700 A 2/1974 Callais et al.
3,798,605 A 3/1974 Feistel
4,159,468 A 6/1979 Barnes et al.
4,220,991 A 9/1980 Hamano et al.

(Continued)

FOREIGN PATENT DOCUMENTS

EP 0 084 441 7/1983
EP 0 180 460 5/1986
EP 0 332 707 9/1989
EP 0 651 554 5/1995
EP 0 668 695 8/1995

(Continued)

OTHER PUBLICATIONS

Weber, Robert. Digital Rights Management Technologies. Oct. 1995. Retrieved from IDS.*

"National Semiconductor and EPR Partner for Information Metering/Data Security Cards", Mar. 4, 1994, Press Release from Electronic Publishing Resources, Inc.

(Continued)

Primary Examiner: James A. Reagan

(74) Attorney, Agent, or Firm: Marc S. Kaufman; Nixon Peabody, LLP

(57) ABSTRACT

A rendering system adapted for use in a system for managing use of content and operative to render content in accordance with usage rights associated with the content. The system includes a rendering device configured to render the content and a repository coupled to the rendering device and operative to enforce usage rights associated with the content and permit the rendering device to render the content in accordance with a manner of use specified by the usage rights.

84 Claims, 13 Drawing Sheets
U.S. PATENT DOCUMENTS (continued)

4,278,837 A 7/1981 Best
4,323,921 A 4/1982 Guillou
4,442,486 A 4/1984 Mayer
4,529,870 A 7/1985 Chaum
4,558,176 A 12/1985 Arnold et al.
4,593,376 A 6/1986 Volk
4,614,861 A 9/1986 Pavlov et al.
4,644,493 A 2/1987 Chandra et al.
4,658,093 A 4/1987 Hellman
4,713,753 A 12/1987 Boebert et al.
4,796,220 A 1/1989 Wolfe
4,817,140 A 3/1989 Chandra et al.
4,827,508 A 5/1989 Shear
4,868,376 A 9/1989 Lessin et al.
4,891,838 A 1/1990 Faber
4,924,378 A 5/1990 Hershey et al.
4,932,054 A 6/1990 Chou et al.
4,937,863 A 6/1990 Robert et al.
4,949,187 A 8/1990 Cohen
4,953,209 A 8/1990 Ryder, Sr. et al.
4,961,142 A 10/1990 Elliott et al.
4,975,647 A 12/1990 Downer et al.
4,977,594 A 12/1990 Shear
4,999,806 A 3/1991 Chernow et al.
5,010,571 A 4/1991 Katznelson
5,014,234 A 5/1991 Edwards, Jr.
5,023,907 A 6/1991 Johnson et al.
5,047,928 A 9/1991 Wiedemer
5,050,213 A 9/1991 Shear
5,052,040 A 9/1991 Preston et al.
5,058,164 A 10/1991 Elmer et al.
5,103,476 A 4/1992 Waite et al.
5,113,519 A 5/1992 Johnson et al.
5,136,643 A 8/1992 Fischer
5,138,712 A * 8/1992 Corbin ............ 713/200
5,146,499 A 9/1992 Geffrotin
5,148,481 A 9/1992 Abraham et al.
5,159,182 A 10/1992 Eisele
5,183,404 A 2/1993 Aldous et al.
5,191,193 A 3/1993 LeRoux
5,204,897 A 4/1993 Wyman
5,222,134 A 6/1993 Waite et al.
5,235,642 A 8/1993 Wobber et al.
5,247,575 A 9/1993 Sprague et al.
5,255,106 A 10/1993 Castro
5,260,999 A * 11/1993 Wyman ............ 705/59
5,263,157 A 11/1993 Janis
5,263,158 A 11/1993 Janis
5,276,444 A 1/1994 McNair
5,276,735 A 1/1994 Boebert et al.
5,291,596 A 3/1994 Mita
5,295,266 A * 3/1994 Hinsley et al. ............ 718/101
5,301,231 A 4/1994 Abraham et al.
5,311,591 A 5/1994 Fischer
5,319,705 A 6/1994 Halter et al.
5,335,346 A * 8/1994 Fabbio ............ 711/163
5,337,357 A 8/1994 Chou et al.
5,339,091 A 8/1994 Yamazaki et al.
5,339,392 A * 8/1994 Risberg et al. ............ 345/762
5,341,429 A 8/1994 Stringer et al.
5,347,579 A 9/1994 Blandford
5,381,526 A 1/1995 Ellson
5,394,469 A 2/1995 Nagel et al.
5,410,598 A 4/1995 Shear
5,412,717 A 5/1995 Fischer
5,428,606 A 6/1995 Moskowitz
5,432,849 A 7/1995 Johnson et al.
5,438,508 A 8/1995 Wyman
5,444,779 A 8/1995 Daniele
5,453,601 A 9/1995 Rosen
5,455,953 A 10/1995 Russell
5,457,746 A 10/1995 Dolphin
5,473,687 A 12/1995 Lipscomb et al.
5,473,692 A 12/1995 Davis
5,499,298 A 3/1996 Narasimhalu et al.
5,502,766 A 3/1996 Boebert et al.
5,504,814 A 4/1996 Miyahara
5,504,818 A 4/1996 Okano
5,504,837 A 4/1996 Griffeth et al.
5,509,070 A 4/1996 Schull
5,530,235 A 6/1996 Stefik et al.
5,532,920 A 7/1996 Hartrick et al.
5,534,975 A 7/1996 Stefik et al.
5,539,735 A 7/1996 Moskowitz
5,563,946 A 10/1996 Cooper et al.
5,568,552 A 10/1996 Davis
5,621,797 A 4/1997 Rosen
5,629,980 A 5/1997 Stefik et al.
5,633,932 A 5/1997 Davis et al.
5,634,012 A 5/1997 Stefik et al.
5,638,443 A 6/1997 Stefik et al.
5,649,013 A 7/1997 Stuckey et al.
5,655,077 A 8/1997 Jones et al.
5,708,717 A 1/1998 Alasia
5,734,823 A 3/1998 Saigh et al.
5,734,891 A 3/1998 Saigh
5,737,413 A 4/1998 Akiyama et al.
5,737,416 A 4/1998 Cooper et al.
5,745,569 A 4/1998 Moskowitz et al.
5,748,783 A 5/1998 Rhoads
5,757,907 A 5/1998 Cooper et al.
5,761,686 A 6/1998 Bloomberg
5,765,152 A 6/1998 Erickson
5,768,426 A 6/1998 Rhoads
5,825,892 A 10/1998 Braudaway et al.
5,892,900 A 4/1999 Ginter et al.
5,910,987 A 6/1999 Ginter et al.
5,915,019 A 6/1999 Ginter et al.
5,917,912 A 6/1999 Ginter et al.
5,920,861 A 7/1999 Hall et al.
5,940,504 A 8/1999 Griswold
5,943,422 A 8/1999 Van Wie et al.
5,949,876 A 9/1999 Ginter et al.
5,982,891 A 11/1999 Ginter et al.
5,999,949 A 12/1999 Crandall
6,047,067 A 4/2000 Rosen
6,112,181 A 8/2000 Shear et al.
6,115,471 A 9/2000 Oki et al.
6,138,119 A 10/2000 Hall et al.
6,157,721 A 12/2000 Shear et al.
6,185,683 B1 2/2001 Ginter et al.
6,226,618 B1 5/2001 Downs et al.
6,233,684 B1 5/2001 Stefik et al.
6,237,786 B1 5/2001 Ginter et al.
6,240,185 B1 5/2001 Van Wie et al.
6,253,193 B1 6/2001 Ginter et al.
6,266,618 B1 7/2001 Ye et al.
6,292,569 B1 9/2001 Shear et al.
6,301,660 B1 10/2001 Benson
6,327,652 B1 12/2001 England et al.
6,330,670 B1 12/2001 England et al.
6,345,256 B1 2/2002 Milsted et al.
6,363,488 B1 3/2002 Ginter et al.
6,389,402 B1 5/2002 Ginter et al.

FOREIGN PATENT DOCUMENTS (continued)

EP 0 725 376 8/1996
GB 2 136 175 9/1984
GB 2 236 604 4/1991
JP 62-241061 10/1987
JP 64-068835 3/1989
JP H03-282733 * 12/1991 ............ G06F/9/06
JP 04-369068 12/1992
JP 05-268415 10/1993
JP 06-175794 6/1994
JP 06-215010 8/1994
JP 07-084852 3/1995
JP 07-200317 8/1995
JP 07-244639 9/1995
JP 0 715 241 6/1996
WO WO 92/20022 11/1992
WO WO 93/01550 1/1993
WO WO 94/01821 1/1994
WO WO 96/24092 8/1996
WO WO 97/48203 12/1997
WO WO 98/11690 3/1998
WO WO 98/42098 9/1998
WO WO 99/49615 9/1999
WO WO 01/63528 8/2001

OTHER PUBLICATIONS (continued)

Weber, R., "Digital Rights Management Technology", Oct. 1995.

Flasche, U. et al., "Decentralized Processing of Documents", pp. 119-131, 1986, Comput. & Graphics, vol. 10, No. 2.

Mori, R. et al., "Superdistribution: The Concept and the Architecture", pp. 1133-1146, 1990, The Transactions of the IEICE, vol. E 73, No. 7, Tokyo, JP.

Weber, R., "Metering Technologies for Digital Intellectual Property", pp. 1-29, Oct. 1994, A Report to the International Federation of Reproduction Rights Organizations.

Clark, P.C. et al., "Bits: A Smartcard protected Operating System", pp. 66-70 and 94, Nov. 1994, Communications of the ACM, vol. 37, No. 11.

Ross, P.E., "Data Guard", p. 101, Jun. 6, 1994, Forbes.

Saigh, W.K., "Knowledge is Sacred", 1992, Video Pocket/Page Reader Systems, Ltd.

Kahn, R.E., "Deposit, Registration and Recordation in an Electronic Copyright Management System", pp. 1-19, Aug. 1992, Corporation for National Research Initiatives, Virginia.

Hilts, P. et al., "Books While U Wait", pp. 48-50, Jan. 3, 1994, Publishers Weekly.

Strattner, A., "Cash Register on a Chip may Revolutionize Software Pricing and Distribution; Wave Systems Corp.", pp. 1-3, Apr. 1994, Computer Shopper, vol. 14, No. 4, ISSN 0886-0556.

O'Conner, M., "New Distribution Option for Electronic Publishers; iOpener Data Encryption and Metering System for CD-ROM use; Column", pp. 1-6, Mar. 1994, CD-ROM Professional, vol. 7, No. 2, ISSN: 1409-0833.

Willett, S., "Metered PCs: Is Your System Watching You? Wave System beta tests new technology", p. 84, May 2, 1994, InfoWorld.

Linn, R., "Copyright and Information Services in the Context of the National Research and Education Network", pp. 9-20, Jan. 1994, IMA Intellectual Property Project Proceedings, vol. 1, Issue 1.

Perrit, Jr., H., "Permission Headers and Contract Law", pp. 27-48, Jan. 1994, IMA Intellectual Property Project Proceedings, vol. 1, Issue 1.

Upthegrove, L., "Intellectual Property Header Descriptors: A Dynamic Approach", pp. 63-66, Jan. 1994, IMA Intellectual Property Proceedings, vol. 1, Issue 1.

Sirbu, M., "Internet Billing Service Design and prototype Implementation", pp. 67-80, Jan. 1994, IMA Intellectual Property Project Proceedings, vol. 1, Issue 1.

Simmell, S. et al., "Metering and Licensing of Resources: Kala's General Purpose Approach", pp. 81-110, Jan. 1994, IMA Intellectual Property Project Proceedings, vol. 1, Issue 1.

Kahn, R., "Deposit Registration and Recordation in an Electronic Copyright Management System", pp. 111-120, Jan. 1994, IMA Intellectual Property Project Proceedings, vol. 1, Issue 1.

Tygar, J. et al., "Dyad: A System for Using Physically Secure Coprocessors", pp. 121-152, Jan. 1994, IMA Intellectual Property Project Proceedings, vol. 1, Issue 1.

Griswold, G., "A Method for Protecting Copyright on Networks", pp. 169-178, Jan. 1994, IMA Intellectual Property Project Proceedings, vol. 1, Issue 1.

Nelson, T., "A Publishing and Royalty Model for Networked Documents", pp. 257-259, Jan. 1994, IMA Intellectual Property Project Proceedings, vol. 1, Issue 1.

Robinson, E., "Redefining Mobile Computing", pp. 238-240, 247-248 and 252, Jul. 1993, PC Computing.

Abadi, M. et al., "Authentication and Delegation with Smart-cards", pp. 1-24, 1990, Research Report, DEC Systems Research Center.

Mark Stefik, "Letting Loose the Light: Igniting Commerce in Electronic Publication", pp. 219-253, 1996, Internet Dreams: Archetypes, Myths, and Metaphors, ISBN 0-262-19373-6.

Mark Stefik, "Letting Loose the Light: Igniting Commerce in Electronic Publication", pp. 2-35, Feb. 8, 1995, Internet Dreams: Archetypes, Myths and Metaphors.

Henry H. Perritt, Jr., "Technological Strategies for Protecting Intellectual Property in the Networked Multimedia Environment", Apr. 2-3, 1993, Knowbots, Permissions Headers & Contract Law.

* cited by examiner
U.S. Patent, Nov. 8, 2005, Sheet 1 of 13, US 6,963,859 B2

Figure 1 (flowchart):
101 Creator creates a digital work
102 Usage rights attached to digital work and deposited in Repository 1
103 Repository 2 initiates a session with Repository 1
104 Repository 2 requests access to digital work for a stated purpose
105 Repository 1 checks usage rights of digital work to determine if access may be granted
106 Access denied: Repository 1 terminates session with error
107 Access granted: Repository 1 transmits digital work to Repository 2
108 Repository 1 and 2 each generate billing information and transmit to credit server
Sheet 2 of 13

Figure 2 (block diagram): Repository 201, Rendering Repository 203, Authorization Repository and Master Repository, connected by repository transactions (reference numerals 202, 204, 205).

Figure 3 (block diagram): Repository 201 coupled to Credit Server 301 by billing transactions 302; Credit Server 301 coupled to Clearinghouse 303 by clearinghouse protocol 304.
Sheet 3 of 13

Figure 4a (rendering system): Printer System 401 containing Printer Repository 402 and Print Device 403, coupled to external Repository 404.

Figure 4b (rendering system): Multi-Function System 410 containing Display/Execution Repository 411, Display Engine 412, Execution Engine 413 and Credit Server 414, coupled to external Repository 415.
Sheet 4 of 13

Figure 5 (contents file layout, addresses 0 to 90,000 in steps of 10,000): Story A 510, Ad 511, Story B 512, Story C 513.

Figure 6 (contents file layout of an individual digital work, address marks at 0, 1,500, 10,000, 25,000 and 30,000): Text 614, Photo 615, Graphics 616, Sidebar 617.
Sheet 5 of 13

Figure 7 (descriptor block, d-block 700): Identifier 701, Starting Address 702, Length 703, Rights Portion 704, Parent Pointer 705, Child Pointers 706 (one per child).

Figure 8 (description tree): top d-block 820 with child d-blocks 821 (Story A), 822 (Ad), 823 (Story B), 824 (Story C).

Figure 9 (portion of a description tree): d-block 821 (Story A) with child d-blocks for Text, Graphics and Sidebar (reference numerals 925, 927, 928 visible).
Sheet 6 of 13

Figure 10 (rights portion layout): Right Code 1050, Status Information 1052.

Figure 14 (components of a usage right 1450): Transactional Component 1451, Specification Component 1452, Fees/Incentives 1454.
Sheet 7 of 13

Figure 11 (description tree with PRINT rights, used to illustrate "strict" and "lenient" conflict rules):
root d-block 1101: Identifier (Magazine), Starting Address (0), Length (100,000), Rights Portion (PRINT, VIEW), Parent Pointer, Child Pointers
d-block 1102: Starting Address (0), Length (25,000), Rights Portion (PRINT, VIEW), Parent Pointer, Child Pointers
d-block 1103: Identifier (Article 2), Starting Address (25,001), Length (25,000), Rights Portion (PRINT, VIEW), Parent Pointer, Child Pointers
d-block 1104: Identifier (Article 3), Starting Address (50,001), Length (25,000), Rights Portion (VIEW), Parent Pointer, Child Pointers
d-block: Starting Address (75,001), Length (25,000), Rights Portion (PRINT (Fee)), Parent Pointer, Child Pointers
Sheet 8 of 13

Figure 12 (hardware components of a repository 1200): Processing Means with Processor and Processing Element Memory (1201, 1202), Descriptor Storage and Content Storage (1203, 1204), Clock 1205, External Interface 1206 (1207).

Figure 13 (functional components of a repository): User Interface 1305; Repository Specific Software Functions/Services 1304; Usage Transaction Handlers 1303; Core Repository Services/Transaction Handling 1302; Operating System 1301; Identification Certificates 1306.

Sheet 9 of 13
Fig. 15 (usage rights grammar):

1501 Digital-Work-Rights := (Rights*)
1502 Right := (Right-Code {Copy-Count} {Control-Spec} {Time-Spec} {Access-Spec} {Fee-Spec})
1503 Right-Code := Render-Code | Transport-Code | File-Management-Code | Derivative-Works-Code | Configuration-Code
1504 Render-Code := [Play: {Player: Player-ID} | Print: {Printer: Printer-ID}]
1505 Transport-Code := [Copy | Transfer | Loan {Remaining-Rights: Next-Set-of-Rights}] {(Next-Copy-Rights: Next-Set-of-Rights)}
1506 File-Management-Code := Backup {Back-Up-Copy-Rights: Next-Set-of-Rights} | Restore | Delete | Folder | Directory {Name: Hide-Local | Hide-Remote} {Parts: Hide-Local | Hide-Remote}
1507 Derivative-Works-Code := [Extract | Embed | Edit {Process: Process-ID}] {Next-Copy-Rights: Next-Set-of-Rights}
1508 Configuration-Code := Install | Uninstall
1509 Next-Set-of-Rights := {(Add: Set-Of-Rights)} {(Delete: Set-Of-Rights)} {(Replace: Set-Of-Rights)} {(Keep: Set-Of-Rights)}
1510 Copy-Count := (Copies: positive-integer | 0 | Unlimited)
1511 Control-Spec := (Control: {Restrictable | Unrestrictable} {Unchargeable | Chargeable})
1512 Time-Spec := ({Fixed-Interval | Sliding-Interval | Meter-Time} Until: Expiration-Date)
1513 Fixed-Interval := From: Start-Time
1514 Sliding-Interval := Interval: Use-Duration
1515 Meter-Time := Time-Remaining: Remaining-Use
1516 Access-Spec := ({SC: Security-Class} {Authorization: Authorization-ID*} {Other-Authorization: Authorization-ID*} {Ticket: Ticket-ID})
1517 Fee-Spec := {Scheduled-Discount} Regular-Fee-Spec | Scheduled-Fee-Spec | Markup-Spec
1518 Scheduled-Discount := Scheduled-Discount: (Scheduled-Discount: (Time-Spec Percentage)*)
1519 Regular-Fee-Spec := ({Fee: | Incentive:} [Per-Use-Spec | Metered-Rate-Spec | Best-Price-Spec | Call-For-Price-Spec] {Min: Money-Unit Per: Time-Spec} {Max: Money-Unit Per: Time-Spec} To: Account-ID)
1520 Per-Use-Spec := Per-Use: Money-unit
1521 Metered-Rate-Spec := Metered: Money-Unit Per: Time-Spec
1522 Best-Price-Spec := Best-Price: Money-unit Max: Money-unit
1523 Call-For-Price-Spec := Call-For-Price
1524 Scheduled-Fee-Spec := (Schedule: (Time-Spec Regular-Fee-Spec)*)
1525 Markup-Spec := Markup: percentage To: Account-ID
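The grammar above is only useful once a repository actually enforces it. The following Python program is an added example, not code from the patent or from ContentGuard: it attaches a small subset of the Fig. 15 grammar (Right-Code, Copy-Count, the Until and Time-Remaining forms of Time-Spec, and a Per-Use Fee-Spec) to the d-block structure of Fig. 7, builds the Fig. 11 magazine tree, and walks the Fig. 1 request flow (step 105 check, grant or deny, step 108 billing record) with the Fig. 18 closing steps (release copies in use, subtract elapsed metered time, produce the end charge). The flat textual rights encoding, the "Article 1" and "Article 4" labels (Fig. 11 names only Article 2 and Article 3), the fee amounts and the timestamps are all constructed for the demo.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Added example (not the patent's code). Identifiers, rights strings, fees
# and timestamps below are constructed for the demonstration.


@dataclass
class Right:
    """One usage right: Right-Code plus optional Copy-Count, Time-Spec, Fee-Spec."""
    code: str
    copies: Optional[int] = None      # Copy-Count; None means Unlimited
    until: Optional[int] = None       # Time-Spec "Until: Expiration-Date" (epoch seconds)
    remaining: Optional[int] = None   # Meter-Time "Time-Remaining" in seconds
    per_use: int = 0                  # Fee-Spec "Per-Use: Money-Unit"
    in_use: int = 0                   # copies reserved by open transactions (Fig. 18)


@dataclass
class DBlock:
    """Description block (Fig. 7): identifier, start, length, rights portion,
    parent pointer and child pointers."""
    identifier: str
    start: int
    length: int
    rights: Dict[str, Right] = field(default_factory=dict)
    parent: Optional["DBlock"] = None
    children: List["DBlock"] = field(default_factory=list)

    def add_child(self, child: "DBlock") -> "DBlock":
        child.parent = self
        self.children.append(child)
        return child


# "Key: value" pairs inside the {...} components, e.g. "{Copies: 3}"
COMPONENT = re.compile(r"([A-Za-z][\w-]*):\s*([\w-]+)")


def parse_rights(spec: str) -> Dict[str, Right]:
    """Parse the assumed flat encoding of Fig. 15 rights, e.g.
    'Print {Copies: 2} {Per-Use: 150} | View {Copies: Unlimited}'."""
    rights: Dict[str, Right] = {}
    for clause in spec.split("|"):
        clause = clause.strip()
        if not clause:
            continue
        code, _, rest = clause.partition(" ")
        right = Right(code=code.upper())
        for key, val in COMPONENT.findall(rest.replace("{", " ").replace("}", " ")):
            key = key.lower()
            if key == "copies":
                right.copies = None if val.lower() == "unlimited" else int(val)
            elif key == "until":
                right.until = int(val)
            elif key == "time-remaining":
                right.remaining = int(val)
            elif key == "per-use":
                right.per_use = int(val)
            else:  # an unknown component is rejected rather than silently ignored
                raise ValueError(f"unsupported grammar component: {key}")
        rights[right.code] = right
    return rights


def open_usage(block: DBlock, code: str, copies: int = 1, now: int = 0) -> Tuple[bool, str]:
    """Fig. 1 step 105: check the rights portion of the requested d-block and
    grant or deny the stated purpose; a grant reserves copies until close."""
    right = block.rights.get(code.upper())
    if right is None:
        return False, "right not present in rights portion"
    if right.until is not None and now > right.until:
        return False, "right has expired"
    if right.remaining is not None and right.remaining <= 0:
        return False, "metered use time exhausted"
    if right.copies is not None and right.in_use + copies > right.copies:
        return False, "copy count exhausted"
    right.in_use += copies
    return True, "access granted"


def close_usage(block: DBlock, code: str, copies: int = 1, elapsed: int = 0) -> Dict[str, object]:
    """Fig. 18 closing steps 1817-1819: release copies in use, subtract elapsed
    metered time, and return the billing record sent to the credit server."""
    right = block.rights[code.upper()]
    right.in_use = max(0, right.in_use - copies)
    if right.remaining is not None:
        right.remaining = max(0, right.remaining - elapsed)
    return {"work": block.identifier, "right": right.code,
            "copies": copies, "charge": right.per_use * copies}


def build_magazine() -> DBlock:
    """The Fig. 11 tree: a 100,000-unit magazine with four 25,000-unit articles."""
    root = DBlock("Magazine", 0, 100_000, parse_rights("Print | View"))
    root.add_child(DBlock("Article 1", 0, 25_000, parse_rights("Print | View")))
    root.add_child(DBlock("Article 2", 25_001, 25_000, parse_rights("Print | View")))
    root.add_child(DBlock("Article 3", 50_001, 25_000, parse_rights("View")))
    root.add_child(DBlock("Article 4", 75_001, 25_000,
                          parse_rights("Print {Copies: 2} {Per-Use: 150}")))
    return root


def demo() -> Tuple[bool, bool, bool, int]:
    mag = build_magazine()
    art3, art4 = mag.children[2], mag.children[3]
    denied_print = open_usage(art3, "Print")[0]              # Article 3 is VIEW only
    granted = open_usage(art4, "Print", copies=2)[0]         # both copies reserved
    over_limit = open_usage(art4, "Print")[0]                # third copy refused
    charge = close_usage(art4, "Print", copies=2)["charge"]  # 2 x 150
    return denied_print, granted, over_limit, charge


if __name__ == "__main__":
    print(demo())
```

The check lives entirely on the serving side: the requesting repository states a purpose and never sees the rights portion, and a grant changes state (copies in use, remaining metered time) that the closing step must reconcile, which is why both halves of the transaction produce billing information in Fig. 1 step 108.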
Sheet 10 of 13

Fig. 16 (registration transaction between Repository-1 and Repository-2, steps 1601-1616): generate registration identifier; transmit registration message; extract Repository-1 identifier; transmit nonce; transmit performance message; decrypt performance message; on failure, Repository-1 terminates transaction / Repository-2 terminates transaction (1616).
Sheet 11 of 13

Fig. 17 (session information exchange and clock synchronization between Repository-1 and Repository-2, steps 1703-1708): encrypt second key using public key of Repository-2; transmit encrypted second key to Repository-2; generate timestamp exchange message; transmit timestamp exchange message to Repository-1; generate timestamp message; transmit timestamp message to Repository-2; compare current time with time from Repository-1; compute adjusted time delta.
Sheet 12 of 13

Figure 18 (usage transaction between SERVER and REQUESTER): 1803 server generates transaction identifier; decrement copy count for right; 1813 determine set of remaining rights; 1817 decrement copies in use for right by number in request; 1818 for metered use, subtract elapsed time from remaining use time for right; 1819 initiate end-charge financial transaction to confirm billing.
Sheet 13 of 13

Figure 19 (state diagram of SERVER and CLIENT repositories for the transport protocol): Line 1901; Send New Transaction 1902; Start 1903; Wait For Transaction 1904; Wait For Data 1905; Data Received; Send Next Data; Wait For Ack 1908; More Data 1909; Acknowledge 1910; No More Data; Cancel/Fail 1912 and 1913; Commit Report To Credit Server 1914 (server) and 1915 (client); Report Error To Credit Server 1918; Done 1919.
Continuation of prior application Ser. No. 09/778,006 filed Feb. 7, 2001, now U.S. Pat. No. 6,714,921; which is a Division of U.S. Ser. No. 08/967,084 filed Nov. 10, 1997, now U.S. Pat. No. 6,236,971 and which is a Continuation of U.S. Ser. No. 08/344,760 filed Nov. 23, 1994, now abandoned.

FIELD OF THE INVENTION

The present invention relates to the field of distribution and usage rights enforcement for digitally encoded works.

BACKGROUND OF THE INVENTION

A fundamental issue facing the publishing and information industries as they consider electronic publishing is how to prevent the unauthorized and unaccounted distribution or usage of electronically published materials. Electronically published materials are typically distributed in a digital form and recreated on a computer based system having the capability to recreate the materials. Audio and video recordings, software, books and multimedia works are all being electronically published. Companies in these industries receive royalties for each accounted-for delivery of the materials, e.g. the sale of an audio CD at a retail outlet. Any unaccounted distribution of a work results in an unpaid royalty (e.g. copying the audio recording CD to another digital medium).

The ease with which electronically published works can be "perfectly" reproduced and distributed is a major concern. The transmission of digital works over networks is commonplace. One such widely used network is the Internet. The Internet is a widespread network facility by which computer users in many universities, corporations and government entities communicate and trade ideas and information. Computer bulletin boards found on the Internet and commercial networks such as CompuServ and Prodigy allow for the posting and retrieving of digital information. Information services such as Dialog and LEXIS/NEXIS provide databases of current information on a wide variety of topics. Another factor which will exacerbate the situation is the development and expansion of the National Information Infrastructure (the NII). It is anticipated that, as the NII grows, the transmission of digital works over networks will increase many times over. It would be desirable to utilize the NII for distribution of digital works without the fear of widespread unauthorized copying.

The most straightforward way to curb unaccounted distribution is to prevent unauthorized copying and transmission. For existing materials that are distributed in digital form, various safeguards are used. In the case of software, copy protection schemes which limit the number of copies that can be made or which corrupt the output when copying is detected have been employed. Another scheme causes software to become disabled after a predetermined period of time has lapsed. A technique used for workstation based software is to require that a special hardware device must be present on the workstation in order for the software to run, e.g., see U.S. Pat. No. 4,932,054 entitled "Method and Apparatus for Protecting Computer Software Utilizing Coded Filter Network in Conjunction with an Active Coded Hardware Device." Such devices are provided with the software and are commonly referred to as dongles.

Yet another scheme is to distribute software, but which requires a "key" to enable its use. This is employed in distribution schemes where "demos" of the software are provided on a medium along with the entire product. The demos can be freely used, but in order to use the actual product, the key must be purchased. These schemes do not hinder copying of the software once the key is initially purchased.

A system for ensuring that licenses are in place for using licensed products is described in PCT Publication WO 93/01550 to Griswold entitled "License Management System and Method." The licensed product may be any electronically published work but is most effective for use with works that are used for extended periods of time such as software programs. Griswold requires that the licensed product contain software to invoke a license check monitor at predetermined time intervals. The license check monitor generates request datagrams which identify the licensee. The request datagrams are sent to a license control system over an appropriate communication facility. The license control system then checks the datagram to determine if the datagram is from a valid licensee. The license control system then sends a reply datagram to the license check monitor indicating denial or approval of usage. The license control system will deny usage in the event that request datagrams go unanswered after a predetermined period of time (which may indicate an unauthorized attempt to use the licensed product). In this system, usage is managed at a central location by the response datagrams. So for example if license fees have not been paid, access to the licensed product is terminated.

It is argued by Griswold that the described system is advantageous because it can be implemented entirely in software. However, the system described by Griswold has limitations. An important limitation is that during the use of the licensed product, the user must always be coupled to an appropriate communication facility in order to send and receive datagrams. This creates a dependency on the communication facility. So if the communication facility is not available, the licensed product cannot be used. Moreover, some party must absorb the cost of communicating with the license server.

A system for controlling the distribution of digitally encoded books is embodied in a system available from VPR Systems, LTD. of St. Louis, Mo. The VPR system is self-contained and is comprised of: (1) point of sale kiosks for storing and downloading of books, (2) personal storage mediums (cartridges) to which the books are downloaded, and (3) readers for viewing the book. In a purchase transaction, a purchaser will purchase a voucher card representing the desired book. The voucher will contain sufficient information to identify the book purchased and perhaps some demographic information relating to the sales transaction. To download the book, the voucher and the cartridge are inserted into the kiosk.

The VPR system may also be used as a library. In such an embodiment, the kiosk manages the number of "copies" that may be checked out at one time. Further, the copy of the book is erased from the user's cartridge after a certain check-out time has expired. However, individuals cannot loan books because the cartridges may only be used with the owner's reader.

The foregoing distribution and protection schemes operate in part by preventing subsequent distribution of the work. While this certainly prevents unauthorized distributions, it does so by sacrificing the potential for subsequent revenue bearing uses. For example, it may be desirable to allow the lending of a purchased work to permit exposure of the work to potential buyers. Another example would be to permit the
creation of a derivative work for a fee. Yet another example would be to permit copying the work for a fee (essentially purchasing it). Thus, it would be desirable to provide flexibility in how the owner of a digital work may allow it to be distributed.

While flexibility in distribution is a concern, the owners of a work want to make sure they are paid for such distributions. In U.S. Pat. No. 4,977,594 to Shear, entitled "Database Usage Metering and Protection System and Method," a system for metering and billing for usage of information distributed on a CD-ROM is described. The system requires the addition of a billing module to the computer system. The billing module may operate in a number of different ways. First, it may periodically communicate billing data to a central billing facility, whereupon the user may be billed. Second, billing may occur by disconnecting the billing module and the user sending it to a central billing facility where the data is read and a user bill generated.

U.S. Pat. No. 5,247,575, Sprague et al., entitled "Information Distribution System", describes an information distribution system which provides and charges only for user selected information. A plurality of encrypted information packages (IPs) are provided at the user site, via high and/or low density storage media and/or by broadcast transmission. Some of the IPs may be of no interest to the user. The IPs of interest are selected by the user and are decrypted and stored locally. The IPs may be printed, displayed or even copied to other storage media. The charges for the selected IPs are accumulated within a user apparatus and periodically reported by telephone to a central accounting facility. The central accounting facility also issues keys to decrypt the IPs. The keys are changed periodically. If the central accounting facility has not issued a new key for a particular user station, the station is unable to retrieve information from the system when the key is changed.

A system available from Wave Systems Corp. of Princeton, N.Y., provides for metering of software usage on a personal computer. The system is installed onto a computer and collects information on what software is in use, encrypts it and then transmits the information to a transaction center. From the transaction center, a bill is generated and sent to the user. The transaction center also maintains customer accounts so that licensing fees may be forwarded directly to the software providers. Software operating under this system must be modified so that usage can be accounted.

Known techniques for billing do not provide for billing of copies made of the work. For example, if data is copied from the CD-ROM described in Shear, any subsequent use of the copy of the information cannot be metered or billed. In other words, the means for billing runs with the media rather than the underlying work. It would be desirable to have a distribution system where the means for billing is always transported with the work.

SUMMARY OF THE INVENTION

An aspect of the invention is a rendering system adapted for use in a system for managing use of content and operative to render content in accordance with usage rights associated with the content. The system includes a rendering device configured to render the content and a repository coupled to the rendering device and operative to enforce usage rights associated with the content and permit the rendering device to render the content in accordance with a manner of use specified by the usage rights.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a flowchart illustrating a simple instantiation of the operation of the currently preferred embodiment of the present invention.

FIG. 2 is a block diagram illustrating the various repository types and the repository transaction flow between them in the currently preferred embodiment of the present invention.

FIG. 3 is a block diagram of a repository coupled with a credit server in the currently preferred embodiment of the present invention.

FIGS. 4a and 4b are examples of rendering systems as may be utilized in the currently preferred embodiment of the present invention.

FIG. 5 illustrates a contents file layout for a digital work as may be utilized in the currently preferred embodiment of the present invention.

FIG. 6 illustrates a contents file layout for an individual digital work of the digital work of FIG. 5 as may be utilized in the currently preferred embodiment of the present invention.

FIG. 7 illustrates the components of a description block of the currently preferred embodiment of the present invention.

FIG. 8 illustrates a description tree for the contents file layout of the digital work illustrated in FIG. 5.

FIG. 9 illustrates a portion of a description tree corresponding to the individual digital work illustrated in FIG. 6.

FIG. 10 illustrates a layout for the rights portion of a description block as may be utilized in the currently preferred embodiment of the present invention.

FIG. 11 is a description tree wherein certain d-blocks have PRINT usage rights and is used to illustrate "strict" and "lenient" rules for resolving usage rights conflicts.

FIG. 12 is a block diagram of the hardware components of a repository as are utilized in the currently preferred embodiment of the present invention.

FIG. 13 is a block diagram of the functional (logical) components of a repository as are utilized in the currently preferred embodiment of the present invention.

FIG. 14 is a diagram illustrating the basic components of a usage right in the currently preferred embodiment of the present invention.

FIG. 15 lists the usage rights grammar of the currently preferred embodiment of the present invention.

FIG. 16 is a flowchart illustrating the steps of certificate delivery, hotlist checking and performance testing as performed in a registration transaction as may be performed in the currently preferred embodiment of the present invention.

FIG. 17 is a flowchart illustrating the steps of session information exchange and clock synchronization as may be performed in the currently preferred embodiment of the present invention, after each repository in the registration transaction has successfully completed the steps described in FIG. 16.

FIG. 18 is a flowchart illustrating the basic flow for a usage transaction, including the common opening and closing steps, as may be performed in the currently preferred embodiment of the present invention.

FIG. 19 is a state diagram of server and client repositories in accordance with a transport protocol followed when moving a digital work from the server to the client repositories, as may be performed in the currently preferred embodiment of the present invention.
US 6,963,859 B2

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT
TABLE OF CONTENTS

OVERVIEW
RENDERING SYSTEMS
ATTACHING USAGE RIGHTS TO A DIGITAL WORK
  Resolving Conflicting Rights
REPOSITORIES
  Repository Security Classes
  Repository User Interface
CREDIT SERVICES
USAGE RIGHTS LANGUAGE
  Copy Count Specification
  Control Specification
  Time Specification
  Security Class and Authorization Specification
  Usage Fees and Incentives Specification
  Examples of Sets of Usage Rights
REPOSITORY TRANSACTIONS
  Message Transmission
  Session Initiation Transactions
  Billing Transactions
  Transmission Protocol
  The Copy Transaction
  The Transfer Transaction
  The Loan Transaction
  The Play Transaction
  The Print Transaction
  The Backup Transaction
  The Restore Transaction
  The Delete Transaction
  The Directory Transaction
  The Folder Transaction
  The Extract Transaction
  The Embed Transaction
  The Edit Transaction
  The Authorization Transaction
  The Install Transaction
  The Uninstall Transaction
DISTRIBUTION AND USE SCENARIOS
APPENDIX A GLOSSARY

Overview

A system for controlling use and distribution of digital works is disclosed. The present invention is directed to supporting commercial transactions involving digital works.

The transition to digital works profoundly and fundamentally changes how creativity and commerce can work. It changes the cost of transporting or storing works because digital property is almost "massless." Digital property can be transported at electronic speeds and requires almost no warehousing. Keeping an unlimited supply of virtual copies on hand requires essentially no more space than keeping one copy on hand. The digital medium also lowers the costs of alteration, reuse and billing.

There is a market for digital works because creators are strongly motivated to reuse portions of digital works from others rather than creating their own completely. This is because it is usually so much easier to use an existing stock photo or music clip than to create a new one from scratch.

Herein the terms "digital work", "work" and "content" refer to any work that has been reduced to a digital representation. This would include any audio, video, text, or multimedia work and any accompanying interpreter (e.g. software) that may be required for recreating the work. The term composite work refers to a digital work comprised of a collection of other digital works. The term "usage rights" or "rights" refers to rights granted to a recipient of a digital work. Generally, these rights define how a digital work can be used and if it can be further distributed. Each usage right may have one or more specified conditions which must be satisfied before the right may be exercised. Appendix A provides a Glossary of the terms used herein.

A key feature of the present invention is that usage rights are permanently "attached" to the digital work. Copies made of a digital work will also have usage rights attached. Thus, the usage rights and any associated fees assigned by a creator and subsequent distributor will always remain with a digital work.

The enforcement elements of the present invention are embodied in repositories. Among other things, repositories are used to store digital works, control access to digital works, bill for access to digital works and maintain the security and integrity of the system.

The combination of attached usage rights and repositories enables distinct advantages over prior systems. As noted in the prior art, payment of fees is primarily for the initial access. In such approaches, once a work has been read, computational control over that copy is gone. Metaphorically, "the content genie is out of the bottle and no more fees can be billed." In contrast, the present invention never separates the fee descriptions from the work. Thus, the digital work genie only moves from one trusted bottle (repository) to another, and all uses of copies are potentially controlled and billable.

FIG. 1 is a high level flowchart omitting various details but which demonstrates the basic operation of the present invention. Referring to FIG. 1, a creator creates a digital work, step 101. The creator will then determine appropriate usage rights and fees, attach them to the digital work, and store them in Repository 1, step 102. The determination of appropriate usage rights and fees will depend on various economic factors. The digital work remains securely in Repository 1 until a request for access is received. The request for access begins with a session initiation by another repository. Here a Repository 2 initiates a session with Repository 1, step 103. As will be described in greater detail below, this session initiation includes steps which help to insure that the respective repositories are trustworthy. Assuming that a session can be established, Repository 2 may then request access to the digital work for a stated purpose, step 104. The purpose may be, for example, to print the digital work or to obtain a copy of the digital work. The purpose will correspond to a specific usage right. In any event, Repository 1 checks the usage rights associated with the digital work to determine if the access to the digital work may be granted, step 105. The check of the usage rights essentially involves a determination of whether a right associated with the access request has been attached to the digital work and if all conditions associated with the right are satisfied. If the access is denied, Repository 1 terminates the session with an error message, step 106. If access is granted, Repository 1 transmits the digital work to Repository 2, step 107. Once the digital work has been transmitted to Repository 2, Repositories 1 and 2 each generate billing information for the access which is transmitted to a credit server, step 108. Such double billing reporting is done to insure against attempts to circumvent the billing process.

FIG. 2 illustrates the basic interactions between repository types in the present invention. As will become apparent from
FIG. 2, the various repository types will serve different functions. It is fundamental that repositories will share a core set of functionality which will enable secure and trusted communications. Referring to FIG. 2, a repository 201 represents the general instance of a repository. The repository 201 has two modes of operation: a server mode and a requester mode. When in the server mode, the repository will be receiving and processing access requests to digital works. When in the requester mode, the repository will be initiating requests to access digital works. Repository 201 is general in the sense that its primary purpose is as an exchange medium for digital works. During the course of operation, the repository 201 may communicate with a plurality of other repositories, namely authorization repository 202, rendering repository 203 and master repository 204. Communication between repositories occurs utilizing a repository transaction protocol 205.

Communication with an authorization repository 202 may occur when a digital work being accessed has a condition requiring an authorization. Conceptually, an authorization is a digital certificate such that possession of the certificate is required to gain access to the digital work. An authorization is itself a digital work that can be moved between repositories and subjected to fees and usage rights conditions. An authorization may be required by both repositories involved in an access to a digital work.

Communication with a rendering repository 203 occurs in connection with the rendering of a digital work. As will be described in greater detail below, a rendering repository is coupled with a rendering device (e.g. a printer device) to comprise a rendering system.

Communication with a master repository 204 occurs in connection with obtaining an identification certificate. Identification certificates are the means by which a repository is identified as "trustworthy". The use of identification certificates is described below with respect to the registration transaction.

FIG. 3 illustrates the repository 201 coupled to a credit server 301. The credit server 301 is a device which accumulates billing information for the repository 201. The credit server 301 communicates with repository 201 via billing transactions 302 to record billing transactions. Billing transactions are reported to a billing clearinghouse 303 by the credit server 301 on a periodic basis. The credit server 301 communicates to the billing clearinghouse 303 via clearinghouse transactions 304. The clearinghouse transactions 304 enable a secure and encrypted transmission of information to the billing clearinghouse 303.

Rendering Systems

A rendering system is generally defined as a system comprising a repository and a rendering device which can render a digital work into its desired form. Examples of a rendering system may be a computer system, a digital audio system, or a printer. A rendering system has the same security features as a repository. The coupling of a rendering repository with the rendering device may occur in a manner suitable for the type of rendering device.

FIG. 4a illustrates a printer as an example of a rendering system. Referring to FIG. 4a, printer system 401 has contained therein a printer repository 402 and a print device 403. It should be noted that the dashed line defining printer system 401 defines a secure system boundary. Communications within the boundary are assumed to be secure. Depending on the security level, the boundary also represents a barrier intended to provide physical integrity. The printer repository 402 is an instantiation of the rendering repository 203 of FIG. 2. The printer repository 402 will in some instances contain an ephemeral copy of a digital work which remains until it is printed out by the print engine 403. In other instances, the printer repository 402 may contain digital works such as fonts, which will remain and can be billed based on use. This design assures that all communication lines between printers and printing devices are encrypted, unless they are within a physically secure boundary. This design feature eliminates a potential "fault" point through which the digital work could be improperly obtained. The printer device 403 represents the printer components used to create the printed output.

Also illustrated in FIG. 4a is the repository 404. The repository 404 is coupled to the printer repository 402. The repository 404 represents an external repository which contains digital works.

FIG. 4b is an example of a computer system as a rendering system. A computer system may constitute a "multi-function" device since it may execute digital works (e.g. software programs) and display digital works (e.g. a digitized photograph). Logically, each rendering device can be viewed as having its own repository, although only one physical repository is needed. Referring to FIG. 4b, a computer system 410 has contained therein a display/execution repository 411. The display/execution repository 411 is coupled to display device 412 and execution device 413. The dashed box surrounding the computer system 410 represents a security boundary within which communications are assumed to be secure. The display/execution repository 411 is further coupled to a credit server 414 to report any fees to be billed for access to a digital work and a repository 415 for accessing digital works stored therein.

Structure of Digital Works

Usage rights are attached directly to digital works. Thus, it is important to understand the structure of a digital work. The structure of a digital work, in particular composite digital works, may be naturally organized into an acyclic structure such as a hierarchy. For example, a magazine has various articles and photographs which may have been created and are owned by different persons. Each of the articles and photographs may represent a node in a hierarchical structure. Consequently, controls, i.e. usage rights, may be placed on each node by the creator. By enabling control and fee billing to be associated with each node, a creator of a work can be assured that the rights and fees are not circumvented.

In the currently preferred embodiment, the file information for a digital work is divided into two files: a "contents" file and a "description tree" file. From the perspective of a repository, the "contents" file is a stream of addressable bytes whose format depends completely on the interpreter used to play, display or print the digital work. The description tree file makes it possible to examine the rights and fees for a work without reference to the content of the digital work. It should be noted that the term description tree as used herein refers to any type of acyclic structure used to represent the relationship between the various components of a digital work.

FIG. 5 illustrates the layout of a contents file. Referring to FIG. 5, a digital work 509 is comprised of story A 510, advertisement 511, story B 512 and story C 513. It is assumed that the digital work is stored starting at a relative address of 0. Each of the parts of the digital work is stored linearly so that story A 510 is stored at approximately addresses 0-30,000, advertisement 511 at addresses 30,001-40,000, story B 512 at addresses 40,001-60,000 and story C 513 at addresses 60,001-85K. The detail of story A 510 is illustrated in FIG. 6. Referring to FIG. 6, the story A
510 is further broken down to show text 614 stored at addresses 0-1,500, soldier photo 615 at addresses 1,501-10,000, graphics 616 stored at addresses 10,001-25,000 and sidebar 617 stored at addresses 25,001-30,000. Note that the data in the contents file may be compressed (for saving storage) or encrypted (for security).

From FIGS. 5 and 6 it is readily observed that a digital work can be represented by its component parts as a hierarchy. The description tree for a digital work is comprised of a set of related descriptor blocks (d-blocks). The contents of each d-block are described with respect to FIG. 7. Referring to FIG. 7, a d-block 700 includes an identifier 701 which is a unique identifier for the work in the repository, a starting address 702 providing the start address of the first byte of the work, a length 703 giving the number of bytes in the work, a rights portion 704 wherein the granted usage rights and their status data are maintained, a parent pointer 705 for pointing to a parent d-block and child pointers 706 for pointing to the child d-blocks. In the currently preferred embodiment, the identifier 701 has two parts. The first part is a unique number assigned to the repository upon manufacture. The second part is a unique number assigned to the work upon creation. The rights portion 704 will contain a data structure, such as a look-up table, wherein the various information associated with a right is maintained. The information required by the respective usage rights is described in more detail below. D-blocks form a strict hierarchy. The top d-block of a work has no parent; all other d-blocks have one parent. The relationship of usage rights between parent and child d-blocks and how conflicts are resolved is described below.

A special type of d-block is a "shell" d-block. A shell d-block adds no new content beyond the content of its parts. A shell d-block is used to add rights and fee information, typically by distributors of digital works.

FIG. 8 illustrates a description tree for the digital work of FIG. 5. Referring to FIG. 8, a top d-block 820 for the digital work points to the various stories and advertisements contained therein. Here, the top d-block 820 points to d-block 821 (representing story A 510), d-block 822 (representing the advertisement 511), d-block 823 (representing story B 512) and d-block 824 (representing story C 513).

The portion of the description tree for story A 510 is illustrated in FIG. 9. D-block 925 represents text 614, d-block 926 represents photo 615, d-block 927 represents graphics 616 and d-block 928 represents sidebar 617.

The rights portion 704 of a descriptor block is further illustrated in FIG. 10. FIG. 10 illustrates a structure which is repeated in the rights portion 704 for each right. Referring to FIG. 10, each right will have a right code field 1001 and a status information field 1002. The right code field 1001 will contain a unique code assigned to a right. The status information field 1002 will contain information relating to the state of a right and the digital work. Such information is indicated below in Table 1. The rights as stored in the rights portion 704 may typically be in numerical order based on the right code.

TABLE 1. DIGITAL WORK STATE INFORMATION

Property | Value | Use
Copies-in-Use | Number | A counter of the number of copies of a work that are in use. Incremented when another copy is used; decremented when use is completed.
Loan-Period | Time-Units | Indicator of the maximum number of time-units that a document can be loaned out.
Loaner-Copy | Boolean | Indicator that the current work is a loaned out copy of an authorized digital work.
Remaining-Time | Time-Units | Indicator of the remaining time of use on a metered document right.
Document-Descr | String | A string containing various identifying information about a document. The exact format of this is not specified, but it can include information such as a publisher name, author name, ISBN number, and so on.
Revenue-Owner | RO-Descr | A handle identifying a revenue owner for a digital work. This is used for reporting usage fees.
Publication-Date | Date-Descr | The date that the digital work was published.
History-list | History-Rec | A list of events recording the repositories and dates for operations that copy, transfer, backup, or restore a digital work.

The approach for representing digital works by separating description data from content assumes that parts of a file are contiguous but takes no position on the actual representation of content. In particular, it is neutral to the question of whether content representation may take an object oriented approach. It would be natural to represent content as objects. In principle, it may be convenient to have content objects that include the billing structure and rights information that is represented in the d-blocks. Such variations in the design of the representation are possible and are viable alternatives but may introduce processing overhead, e.g. the interpretation of the objects.

Digital works are stored in a repository as part of a hierarchical file system. Folders (also termed directories and sub-directories) contain the digital works as well as other folders. Digital works and folders in a folder are ordered in alphabetical order. The digital works are typed to reflect how the files are used. Usage rights can be attached to folders so that the folder itself is treated as a digital work. Access to the folder would then be handled in the same fashion as any other digital work. As will be described in more detail below, the contents of the folder are subject to their own rights. Moreover, file management rights may be attached to the folder which define how folder contents can be managed.

Attaching Usage Rights to a Digital Work

It is fundamental to the present invention that the usage rights are treated as part of the digital work. As the digital work is distributed, the scope of the granted usage rights will remain the same or may be narrowed. For example, when a digital work is transferred from a document server to a repository, the usage rights may include the right to loan a copy for a predetermined period of time (called the original rights). When the repository loans out a copy of the digital work, the usage rights in the loaner copy (called the next set of rights) could be set to prohibit any further rights to loan out the copy. The basic idea is that one cannot grant more rights than one has.

The attachment of usage rights to a digital work may occur in a variety of ways. If the usage rights will be the same for an entire digital work, they could be attached when the digital work is processed for deposit in the digital work server. In the case of a digital work having different usage rights for the various components, this can be done as the digital work is being created. An authoring tool or digital work assembling tool could be utilized which provides for an automated process of attaching the usage rights.

As will be described below, when a digital work is copied, transferred or loaned, a "next set of rights" can be specified.
The "next set of rights" will be attached to the digital work
as it is transported.
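The access flow of FIG. 1 (steps 104 through 108) together with the rule that a transmitted copy may carry no more rights than the work itself holds, as an added example in Go; this is not code from the patent or from ContentGuard. The three purpose names, a fee as the only kind of condition, a session identifier that both repositories attach to the same access, and the reportsBilling switch that models a requester which withholds its report to the credit server are all assumptions made for the example; session initiation (step 103) is not modelled.

```go
package main

import "fmt"

// Purpose is the stated purpose of an access request (step 104 of FIG. 1) and
// names the usage right it corresponds to; the three values are assumed.
type Purpose string

const PRINT, COPY, LOAN Purpose = "PRINT", "COPY", "LOAN"

// Work: Rights maps each attached right to its condition, here a usage fee
// (0 if free); NextRights is the "next set of rights" a transmitted copy carries.
type Work struct{ Rights, NextRights map[Purpose]int }

// BillingRecord is one repository's report to the credit server (step 108); Session is an assumed shared identifier.
type BillingRecord struct {
	Session  int
	WorkID   string
	Purpose  Purpose
	Fee      int
	Reporter string
}

type CreditServer struct{ records []BillingRecord }

func (cs *CreditServer) Report(r BillingRecord) { cs.records = append(cs.records, r) }

// Reconcile returns, per session, whether two distinct repositories reported
// the same work, purpose and fee; a lone or disagreeing report yields false.
func (cs *CreditServer) Reconcile() map[int]bool {
	bySession := map[int][]BillingRecord{}
	for _, r := range cs.records {
		bySession[r.Session] = append(bySession[r.Session], r)
	}
	verdict := map[int]bool{}
	for s, rs := range bySession {
		verdict[s] = len(rs) == 2 && rs[0].Reporter != rs[1].Reporter && rs[0].WorkID == rs[1].WorkID &&
			rs[0].Purpose == rs[1].Purpose && rs[0].Fee == rs[1].Fee
	}
	return verdict
}

// Repository holds works and reports to a credit server; reportsBilling=false is a constructed knob for a tampered requester.
type Repository struct {
	Name           string
	Works          map[string]*Work
	Credit         *CreditServer
	reportsBilling bool
}

// Request asks server for workID for purpose p, offering a fee: step 105 checks the right and its
// condition, step 106 refuses, step 107 transmits a copy with the next set of rights, step 108 bills twice.
func (req *Repository) Request(server *Repository, session int, workID string, p Purpose, feeOffered int) (*Work, error) {
	w, held := server.Works[workID]
	if !held {
		return nil, fmt.Errorf("%s does not hold %s", server.Name, workID)
	}
	fee, ok := w.Rights[p]
	if !ok {
		return nil, fmt.Errorf("right %s is not attached to %s", p, workID)
	}
	if feeOffered < fee {
		return nil, fmt.Errorf("%s requires a fee of %d, %d offered", p, fee, feeOffered)
	}
	for np := range w.NextRights { // "one cannot grant more rights than they have"
		if _, has := w.Rights[np]; !has {
			return nil, fmt.Errorf("next set of rights grants %s, which the work does not hold", np)
		}
	}
	dup := &Work{Rights: w.NextRights, NextRights: w.NextRights}
	req.Works[workID] = dup
	rec := BillingRecord{Session: session, WorkID: workID, Purpose: p, Fee: fee, Reporter: server.Name}
	server.Credit.Report(rec)
	if req.reportsBilling {
		rec.Reporter = req.Name
		req.Credit.Report(rec)
	}
	return dup, nil
}

// Scenario runs the flow on constructed data: repo-1 holds a magazine whose copies may only be
// printed; repo-2 reports honestly, repo-3 withholds its report and then tries to borrow repo-2's copy.
func Scenario() (verdict map[int]bool, loanErr error) {
	credit := &CreditServer{}
	magazine := &Work{Rights: map[Purpose]int{PRINT: 5, COPY: 10, LOAN: 0}, NextRights: map[Purpose]int{PRINT: 5}}
	repo1 := &Repository{Name: "repo-1", Credit: credit, Works: map[string]*Work{"magazine-7": magazine}}
	repo2 := &Repository{Name: "repo-2", Credit: credit, Works: map[string]*Work{}, reportsBilling: true}
	repo3 := &Repository{Name: "repo-3", Credit: credit, Works: map[string]*Work{}}
	for i, r := range []*Repository{repo2, repo3} {
		if _, err := r.Request(repo1, i+1, "magazine-7", COPY, 10); err != nil {
			panic(err)
		}
	}
	_, loanErr = repo3.Request(repo2, 3, "magazine-7", LOAN, 0) // the copy holds no LOAN right
	return credit.Reconcile(), loanErr
}

func main() { fmt.Println(Scenario()) }
```

Reconcile marks session 1 consistent and session 2 suspect, because only repo-1 reported it; that asymmetry is exactly what the double report lets the credit server see. The loan request is refused at step 106 without any billing, since the copy that repo-2 received carries only the PRINT right from the next set.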
Resolving Conflicting Rights

Because each part of a digital work may have its own usage rights, there will be instances where the rights of a "contained part" are different from its parent or container part. As a result, conflict rules must be established to dictate when and how a right may be exercised. The hierarchical structure of a digital work facilitates the enforcement of such rules. A "strict" rule would be as follows: a right for a part in a digital work is sanctioned if and only if it is sanctioned for the part, for ancestor d-blocks containing the part and for all descendent d-blocks. By sanctioned, it is meant that (1) each of the respective parts must have the right, and (2) any conditions for exercising the right are satisfied.

It is also possible to implement the present invention using a more lenient rule. In the more lenient rule, access to the part may be enabled to the descendent parts which have the right, but access is denied to the descendents which do not.

An example of applying both the strict rule and the lenient rule is illustrated with reference to FIG. 11. Referring to FIG. 11, a root d-block 1101 has child d-blocks 1102-1105. In this case, root d-block 1101 represents a magazine, and each of the child d-blocks 1102-1105 represents an article in the magazine. Suppose that a request is made to PRINT the digital work represented by root d-block 1101 wherein the strict rule is followed. The rights for the root d-block 1101 and child d-blocks 1102-1105 are then examined. Root d-block 1101 and child d-blocks 1102 and 1105 have been granted PRINT rights. Child d-block 1103 has not been granted PRINT rights and child d-block 1104 has PRINT rights conditioned on payment of a usage fee.

Under the strict rule the PRINT right cannot be exercised because child d-block 1103 does not have the PRINT right (and, unless the usage fee has been paid, because the condition on child d-block 1104 is not satisfied). Under the lenient rule, the result would be different. The digital works represented by child d-blocks 1102 and 1105 could be printed and the digital work represented by d-block 1104 could be printed so long as the usage fee is paid. Only the digital work represented by d-block 1103 could not be printed. This same result would be accomplished under the strict rule if the requests were directed to each of the individual digital works.

The present invention supports various combinations of allowing and disallowing access. Moreover, as will be described below, the usage rights grammar permits the owner of a digital work to specify if constraints may be imposed on the work by a container part. The manner in which digital works may be sanctioned because of usage rights conflicts would be implementation specific and would depend on the nature of the digital works.
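The d-block structure of FIG. 7 and the strict and lenient rules applied to the magazine of FIG. 11, as an added example in Go; this is not code from the patent or from ContentGuard. It borrows the byte layout of FIG. 5 for the four articles so that AddChild can check that a child's bytes lie inside its parent's range. The numeric right code, the single-number identifier (the text splits identifier 701 into a repository number and a work number), the fee-paid flag standing in for the usage-fee condition, and the rights portion held as a map from right code to condition are assumptions made for the example.

```go
package main

import "fmt"

type RightCode int
const PRINT RightCode = 1 // right code field 1001; the number is assumed

// DBlock mirrors the descriptor block of FIG. 7: identifier 701, start address 702,
// length 703, rights portion 704, parent pointer 705 and child pointers 706.
// Rights maps a right code to its condition: true when a usage fee is required.
type DBlock struct {
	ID            uint32
	Start, Length int
	Rights        map[RightCode]bool
	Parent        *DBlock
	Children      []*DBlock
}

// AddChild links c under d: one parent per d-block, and c's bytes inside d's range.
func (d *DBlock) AddChild(c *DBlock) error {
	if c.Parent != nil {
		return fmt.Errorf("d-block %d already has a parent", c.ID)
	}
	if c.Start < d.Start || c.Start+c.Length > d.Start+d.Length {
		return fmt.Errorf("d-block %d lies outside its parent's byte range", c.ID)
	}
	c.Parent = d
	d.Children = append(d.Children, c)
	return nil
}

// sanctioned: d holds the right and its condition (fee paid, if required) is met.
func (d *DBlock) sanctioned(code RightCode, feePaid bool) bool {
	feeRequired, held := d.Rights[code]
	return held && (!feeRequired || feePaid)
}

// ResolveStrict applies the strict rule: the right on d is exercisable only if d,
// every ancestor and every descendant sanction it. The error names the blocker.
func ResolveStrict(d *DBlock, code RightCode, feePaid bool) error {
	for a := d.Parent; a != nil; a = a.Parent {
		if !a.sanctioned(code, feePaid) {
			return fmt.Errorf("ancestor d-block %d does not sanction the right", a.ID)
		}
	}
	var walk func(*DBlock) error
	walk = func(b *DBlock) error {
		if !b.sanctioned(code, feePaid) {
			return fmt.Errorf("d-block %d does not sanction the right", b.ID)
		}
		for _, c := range b.Children {
			if err := walk(c); err != nil {
				return err
			}
		}
		return nil
	}
	return walk(d)
}

// ResolveLenient applies the lenient rule: from d downward, a part that sanctions the
// right is allowed and its children examined; one that does not is denied with its subtree.
func ResolveLenient(d *DBlock, code RightCode, feePaid bool) (allowed, denied []uint32) {
	var walk func(*DBlock)
	walk = func(b *DBlock) {
		if !b.sanctioned(code, feePaid) {
			denied = append(denied, b.ID)
			return
		}
		allowed = append(allowed, b.ID)
		for _, c := range b.Children {
			walk(c)
		}
	}
	walk(d)
	return allowed, denied
}

// BuildMagazine builds the tree of FIG. 11 (root 1101, articles 1102-1105) with the byte
// layout of FIG. 5; as in the text, 1103 lacks PRINT and 1104's PRINT needs a usage fee.
func BuildMagazine() *DBlock {
	free := map[RightCode]bool{PRINT: false}
	root := &DBlock{ID: 1101, Start: 0, Length: 85000, Rights: free}
	for _, p := range []*DBlock{
		{ID: 1102, Start: 0, Length: 30000, Rights: free},
		{ID: 1103, Start: 30000, Length: 10000},
		{ID: 1104, Start: 40000, Length: 20000, Rights: map[RightCode]bool{PRINT: true}},
		{ID: 1105, Start: 60000, Length: 25000, Rights: free},
	} {
		if err := root.AddChild(p); err != nil {
			panic(err)
		}
	}
	return root
}

func main() {
	root := BuildMagazine()
	fmt.Println("strict PRINT on the magazine:", ResolveStrict(root, PRINT, true))
	fmt.Println(ResolveLenient(root, PRINT, false))
}
```

Under the strict rule the request on 1101 fails on 1103 even with the fee paid; directed at 1102 alone it succeeds, and at 1104 alone only once the fee is paid. The lenient walk returns the same partition the text describes, and stops descending at the first d-block that does not sanction the right.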
Repositories

Many of the powerful functions of repositories, such as their ability to "loan" digital works or automatically handle the commercial reuse of digital works, are possible because they are trusted systems. The systems are trusted because they are able to take responsibility for fairly and reliably carrying out the commercial transactions. That the systems can be responsible ("able to respond") is fundamentally an issue of integrity. The integrity of repositories has three parts: physical integrity, communications integrity, and behavioral integrity.

Physical integrity refers to the integrity of the physical devices themselves. Physical integrity applies both to the repositories and to the protected digital works. Thus, the higher security classes of repositories themselves may have sensors that detect when tampering is attempted on their secure cases. In addition to protection of the repository itself, the repository design protects access to the content of digital works. In contrast with the design of conventional magnetic and optical devices, such as floppy disks, CD-ROMs, and videotapes, repositories never allow non-trusted systems to access the works directly. A maker of generic computer systems cannot guarantee that their platform will not be used to make unauthorized copies. The manufacturer provides generic capabilities for reading and writing information, and the general nature of the functionality of the general computing device depends on it. Thus, a copy program can copy arbitrary data. This copying issue is not limited to general purpose computers. It also arises for the unauthorized duplication of entertainment "software" such as video and audio recordings by magnetic recorders. Again, the functionality of the recorders depends on their ability to copy and they have no means to check whether a copy is authorized. In contrast, repositories prevent access to the raw data by general devices and can test explicit rights and conditions before copying or otherwise granting access. Information is only accessed by protocol between trusted repositories.

Communications integrity refers to the integrity of the communications channels between repositories. Roughly speaking, communications integrity means that repositories cannot be easily fooled by "telling them lies." Integrity in this case refers to the property that repositories will only communicate with other devices that are able to present proof that they are certified repositories, and furthermore, that the repositories monitor the communications to detect "impostors" and malicious or accidental interference. Thus the security measures involving encryption, exchange of digital certificates, and nonces described below are all security measures aimed at reliable communication in a world known to contain active adversaries.

Behavioral integrity refers to the integrity in what repositories do. What repositories do is determined by the software that they execute. The integrity of the software is generally assured only by knowledge of its source. Restated, a user will trust software purchased at a reputable computer store but not trust software obtained off a random (insecure) server on a network. Behavioral integrity is maintained by requiring that repository software be certified and be distributed with proof of such certification, i.e. a digital certificate. The purpose of the certificate is to authenticate that the software has been tested by an authorized organization, which attests that the software does what it is supposed to do and that it does not compromise the behavioral integrity of a repository. If the digital certificate cannot be found in the digital work or the master repository which generated the certificate is not known to the repository receiving the software, then the software cannot be installed.

In the description of FIG. 2, it was indicated that repositories come in various forms. All repositories provide a core set of services for the transmission of digital works. The manner in which digital works are exchanged is the basis for all transactions between repositories. The various repository types differ in the ultimate functions that they perform. Repositories may be devices themselves, or they may be incorporated into other systems. An example is the rendering repository 203 of FIG. 2.

A repository will have associated with it a repository identifier. Typically, the repository identifier would be a unique number assigned to the repository at the time of manufacture. Each repository will also be classified as being in a particular security class. Certain communications and transactions may be conditioned on a repository being in a particular security class. The various security classes are described in greater detail below.
As a prerequisite to operation, a repository will require possession of an identification certificate. Identification certificates are encrypted to prevent forgery and are issued by a master repository. A master repository plays the role of an authorization agent to enable repositories to receive digital works. Identification certificates must be updated on a periodic basis. Identification certificates are described in greater detail below with respect to the registration transaction.
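Certificates issued by a master repository, serving both the identification certificates described here and the behavioral-integrity rule under Repositories (software is installed only if its certificate is present and the master repository that generated it is known to the receiving repository), as an added example in Go; this is not code from the patent or from ContentGuard. The wire format, the expiry field standing in for the periodic renewal the text requires, the receiving repository's injected clock, and the use of an Ed25519 signature in place of the encryption the text mentions as the anti-forgery measure are all assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// Certificate is an assumed wire form for what a master repository issues: the subject it
// vouches for (a repository identifier or the hash of a software image), the issuing master,
// an expiry that forces periodic renewal, and the master's signature over those fields.
type Certificate struct {
	Subject   [32]byte
	MasterID  uint32
	NotAfter  int64 // Unix seconds
	Signature []byte
}

func (c Certificate) signedBytes() []byte {
	return []byte(fmt.Sprintf("%x|%d|%d", c.Subject, c.MasterID, c.NotAfter))
}

// MasterRepository holds the signing key. The text says certificates are
// "encrypted to prevent forgery"; an Ed25519 signature is substituted here.
type MasterRepository struct {
	ID   uint32
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewMaster(id uint32) *MasterRepository {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &MasterRepository{ID: id, Pub: pub, priv: priv}
}

func (m *MasterRepository) Issue(subject [32]byte, notAfter time.Time) *Certificate {
	c := &Certificate{Subject: subject, MasterID: m.ID, NotAfter: notAfter.Unix()}
	c.Signature = ed25519.Sign(m.priv, c.signedBytes())
	return c
}

// Repository is the receiving side: the masters it knows, plus its own clock
// (clock 1205 of FIG. 12), injected so that a test can fix the time.
type Repository struct {
	KnownMasters map[uint32]ed25519.PublicKey
	Now          func() time.Time
}

func NewRepository(now func() time.Time, masters ...*MasterRepository) *Repository {
	r := &Repository{KnownMasters: map[uint32]ed25519.PublicKey{}, Now: now}
	for _, m := range masters {
		r.KnownMasters[m.ID] = m.Pub
	}
	return r
}

var (
	ErrNoCertificate = errors.New("no certificate attached")
	ErrUnknownMaster = errors.New("issuing master repository is not known here")
	ErrBadSignature  = errors.New("certificate signature does not verify")
	ErrExpired       = errors.New("certificate has expired and must be renewed")
	ErrWrongSubject  = errors.New("certificate does not cover this subject")
)

// Verify applies the rule from the text: no certificate, or one from an unknown master, means
// refusal; the certificate must also verify, be unexpired by this clock and name the subject presented.
func (r *Repository) Verify(c *Certificate, subject [32]byte) error {
	if c == nil {
		return ErrNoCertificate
	}
	pub, known := r.KnownMasters[c.MasterID]
	if !known {
		return ErrUnknownMaster
	}
	if !ed25519.Verify(pub, c.signedBytes(), c.Signature) {
		return ErrBadSignature
	}
	if r.Now().Unix() > c.NotAfter {
		return ErrExpired
	}
	if c.Subject != subject {
		return ErrWrongSubject
	}
	return nil
}

func SoftwareSubject(image []byte) [32]byte { return sha256.Sum256(image) }

func main() {
	master := NewMaster(1)
	repo := NewRepository(time.Now, master)
	image := SoftwareSubject([]byte("repository software image (constructed)"))
	fmt.Println("install:", repo.Verify(master.Issue(image, time.Now().Add(24*time.Hour)), image))
}
```

The order of the checks matters: the issuer lookup comes first so that an attacker cannot make the repository spend signature verifications on certificates from masters it would never trust, and the signature is checked before the expiry so that a tampered NotAfter is reported as a forgery rather than as an expired certificate.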
A repository has both a hardware and a functional embodiment. The functional embodiment is typically software executing on the hardware embodiment. Alternatively, the functional embodiment may be embedded in the hardware embodiment such as an Application Specific Integrated Circuit (ASIC) chip.

The hardware embodiment of a repository will be enclosed in a secure housing which, if compromised, may cause the repository to be disabled. The basic components of the hardware embodiment of a repository are described with reference to FIG. 12. Referring to FIG. 12, a repository is comprised of a processing means 1200, storage system 1207, clock 1205 and external interface 1206. The processing means 1200 is comprised of a processor element 1201 and processor memory 1202. The processing means 1200 provides controller, repository transaction, and usage rights transaction functions for the repository. Various functions in the operation of the repository such as decryption and/or decompression of digital works and transaction messages are also performed by the processing means 1200. The processor element 1201 may be a microprocessor or other suitable computing component. The processor memory 1202 would typically be further comprised of Read Only Memories (ROM) and Random Access Memories (RAM). Such memories would contain the software instructions utilized by the processor element 1201 in performing the functions of the repository.

The storage system 1207 is further comprised of descriptor storage 1203 and content storage 1204. The descriptor (description tree) storage 1203 will store the description tree for the digital work and the content storage 1204 will store the associated content. The description tree storage 1203 and content storage 1204 need not be of the same type of storage medium, nor are they necessarily on the same physical device. So for example, the descriptor storage 1203 may be stored on a solid state storage (for rapid retrieval of the description tree information), while the content storage 1204 may be on a high capacity storage such as an optical disk.

The clock 1205 is used to time-stamp various time based conditions for usage rights or for metering usage fees which may be associated with the digital works. The clock 1205 will have an uninterruptable power supply, e.g. a battery, in order to maintain the integrity of the time-stamps. The external interface means 1206 provides for the signal connection to other repositories and to a credit server. The external interface means 1206 provides for the exchange of signals via such standard interfaces as RS-232 or Personal Computer Memory Card International Association (PCMCIA) standards, or FDDI. The external interface means 1206 may also provide network connectivity.

The functional embodiment of a repository is described with reference to FIG. 13. Referring to FIG. 13, the functional embodiment is comprised of an operating system 1301, core repository services 1302, usage transaction handlers 1303, repository specific functions 1304 and a user interface 1305. The operating system 1301 is specific to the repository and would typically depend on the type of processor being used. The operating system 1301 would also provide the basic services for controlling and interfacing between the basic components of the repository.
The core repository services 1302 comprise a set of
functions required by each and every repository. The core
repository services 1302 include the session initiation transactions which are defined in greater detail below. This set of
services also includes a generic ticket agent which is used to
"punch" a digital ticket and a generic authorization server
for processing authorization specifications. Digital tickets
and authorizations are specific mechanisms for controlling
the distribution and use of digital works and are described
and more detail below. Note that coupled to the core
repository services are a plurality of identification certificates 1306. The identification certificates 1306 are required
to enable the use of the repository.
The usage transactions handler 1303 comprise functionality for processing access requests to digital works and for
billing fees based on access. The usage transactions supported will be different for each repository type. For
example, it may not be necessary for some repositories to
handle access requests for digital works.
The repository specific functionality 1304 comprises
functionality that is unique to a repository. For example, the
master repository has special functionality for issuing digital
certificates and maintaining encryption keys. The repository
specific functionality 1304 would include the user interface
implementation for the repository.
Repository Security Classes
For some digital works the losses caused by any individual instance of unauthorized copying are insignificant and the chief economic concern lies in assuring the convenience of access and low-overhead billing. In such cases, simple and inexpensive handheld repositories and network-based workstations may be suitable repositories, even though the measures and guarantees of security are modest.

At the other extreme, some digital works such as a digital copy of a first run movie or a bearer bond or stock certificate would be of very high value, so that it is prudent to employ caution and fairly elaborate security measures to ensure that they are not copied or forged. A repository suitable for holding such a digital work could have elaborate measures for ensuring physical integrity and for verifying authorization before use.

By arranging a universal protocol, all kinds of repositories can communicate with each other in principle. However, creators of some works will want to specify that their works will only be transferred to repositories whose level of security is high enough. For this reason, document repositories have a ranking system for classes and levels of security. The security classes in the currently preferred embodiment are described in Table 2.
TABLE 2
REPOSITORY SECURITY LEVELS
Level  Description of Security
0  Open system. Document transmission is unencrypted. No digital certificate is required for identification. The security of the system depends mostly on user honesty, since only modest knowledge may be needed to circumvent the security measures. The repository has no provisions for preventing unauthorized programs from running and accessing or copying files. The system does not prevent the use of removable storage and does not encrypt stored files.
1  Minimal security. Like the previous class except that stored files are minimally encrypted, including ones on removable storage.
2  Basic security. Like the previous class except that special tools and knowledge are required to compromise the programming, the contents of the repository, or the state of the clock. All digital communications are encrypted. A digital certificate is provided as identification. Medium level encryption is used. Repository identification number is unforgeable.
3  General security. Like the previous class plus the requirement that special tools are needed to compromise the physical integrity of the repository and that modest encryption is used on all transmissions. Password protection is required to use the local user interface. The digital clock system cannot be reset without authorization. No works would be stored on removable storage. When executing works as programs, it runs them in their own address space and does not give them direct access to any file storage or other memory containing system code or works. They can access works only through the transmission transaction protocol.
4  Like the previous class except that high level encryption is used on all communications. Sensors are used to record attempts at physical and electronic tampering. After such tampering, the repository will not perform other transactions until it has reported such tampering to a designated server.
5  Like the previous class except that if the physical or digital attempts at tampering exceed some preset thresholds that threaten the physical integrity of the repository or the integrity of digital and cryptographic barriers, then the repository will save only document description records of history but will erase or destroy any digital identifiers that could be misused if released to an unscrupulous party. It also modifies any certificates of authenticity to indicate that the physical system has been compromised. It also erases the contents of designated documents.
6  Like the previous class except that the repository will attempt wireless communication to report tampering and will employ noisy alarms.
10  This would correspond to a very high level of security. This server would maintain constant communications to remote security systems reporting transactions, sensor readings, and attempts to circumvent security.

The characterization of security levels described in Table 2 is not intended to be fixed. More important is the idea of having different security levels for different repositories. It is anticipated that new security classes and requirements will evolve according to social situations and changes in technology.

Repository User Interface
A user interface is broadly defined as the mechanism by which a user interacts with a repository in order to invoke transactions to gain access to a digital work, or exercise usage rights. As described above, a repository may be embodied in various forms. The user interface for a repository will differ depending on the particular embodiment. The user interface may be a graphical user interface having icons representing the digital works and the various transactions that may be performed. The user interface may be a generated dialog in which a user is prompted for information.

The user interface itself need not be part of the repository. As a repository may be embedded in some other device, the user interface may merely be a part of the device in which the repository is embedded. For example, the repository could be embedded in a "card" that is inserted into an available slot in a computer system. The user interface may be a combination of a display, keyboard, cursor control device and software executing on the computer system.

At a minimum, the user interface must permit a user to input information such as access requests and alphanumeric data and provide feedback as to transaction status. The user interface will then cause the repository to initiate the suitable transactions to service the request. Other facets of a particular user interface will depend on the functionality that a repository will provide.

Credit Servers
In the present invention, fees may be associated with the exercise of a right. The requirement for payment of fees is described with each version of a usage right in the usage rights language. The recording and reporting of such fees is performed by the credit server. One of the capabilities enabled by associating fees with rights is the possibility of supporting a wide range of charging models. The simplest model, used by conventional software, is that there is a single fee at the time of purchase, after which the purchaser obtains unlimited rights to use the work as often and for as long as he or she wants. Alternative models include metered use and variable fees. A single work can have different fees for different uses. For example, viewing a photograph on a display could have different fees than making a hardcopy or including it in a newly created work. A key to these alternative charging models is to have a low overhead means of establishing fees and accounting for credit on these transactions.

A credit server is a computational system that reliably authorizes and records these transactions so that fees are billed and paid. The credit server reports fees to a billing clearinghouse. The billing clearinghouse manages the financial transactions as they occur. As a result, bills may be generated and accounts reconciled. Preferably, the credit server would store the fee transactions and periodically communicate via a network with the billing clearinghouse for reconciliation. In such an embodiment, communications with the billing clearinghouse would be encrypted for integrity and security reasons. In another embodiment, the credit server acts as a "debit card" where transactions occur in "real-time" against a user account.

A credit server is comprised of memory, a processing means, a clock, and interface means for coupling to a repository and a financial institution (e.g. a modem). The credit server will also need to have security and authentication functionality. These elements are essentially the same elements as those of a repository. Thus, a single device can be both a repository and a credit server, provided that it has the appropriate processing elements for carrying out the corresponding functions and protocols. Typically, however, a credit server would be a card-sized system in the possession of the owner of the credit. The credit server is coupled to a repository and would interact via financial transactions as described below. Interactions with a financial institution may occur via protocols established by the financial institutions themselves.

In the currently preferred embodiment, credit servers associated with both the server and the repository report the financial transaction to the billing clearinghouse. For example, when a digital work is copied by one repository to another for a fee, credit servers coupled to each of the repositories will report the transaction to the billing clearinghouse. This is desirable in that it ensures that a transaction will be accounted for in the event of some break in the communication between a credit server and the billing clearinghouse. However, some implementations may embody only a single credit server reporting the transaction to minimize transaction processing at the risk of losing some transactions.

Usage Rights Language
The present invention uses statements in a high level "usage rights language" to define rights associated with digital works and their parts. Usage rights statements are interpreted by repositories and are used to determine what
transactions can be successfully carried out for a digital work and also to determine parameters for those transactions. For example, sentences in the language determine whether a given digital work can be copied, when and how it can be used, and what fees (if any) are to be charged for that use. Once the usage rights statements are generated, they are encoded in a suitable form for accessing during the processing of transactions.

Defining usage rights in terms of a language in combination with the hierarchical representation of a digital work enables the support of a wide variety of distribution and fee schemes. An example is the ability to attach multiple versions of a right to a work. So a creator may attach a PRINT right to make 5 copies for $10.00 and a PRINT right to make unlimited copies for $100.00. A purchaser may then choose which option best fits his needs. Another example is that rights and fees are additive. So in the case of a composite work, the rights and fees of each of the component works are used in determining the rights and fees for the work as a whole. Other features and benefits of the usage rights language will become apparent in the description of distribution and use scenarios provided below.

The basic contents of a right are illustrated in FIG. 14. Referring to FIG. 14, a right 1450 has a transactional component 1451 and a specifications component 1452. A right 1450 has a label (e.g. COPY or PRINT) which indicates the use or distribution privileges that are embodied by the right. The transactional component 1451 corresponds to a particular way in which a digital work may be used or distributed. The transactional component 1451 is typically embodied in software instructions in a repository which implement the use or distribution privileges for the right. The specifications components 1452 are used to specify conditions which must be satisfied prior to the right being exercised or to designate various transaction related parameters. In the currently preferred embodiment, these specifications include copy count 1453, Fees and Incentives 1454, Time 1455, Access and Security 1456 and Control 1457. Each of these specifications will be described in greater detail below with respect to the language grammar elements.

The usage rights language is based on the grammar described below. A grammar is a convenient means for defining valid sequences of symbols for a language. In describing the grammar the notation "[a|b|c]" is used to indicate distinct choices among alternatives. In this example, a sentence can have either an "a", "b" or "c". It must include exactly one of them. The braces { } are used to indicate optional items. Note that brackets, bars and braces are used to describe the language of usage rights sentences but do not appear in actual sentences in the language.

In contrast, parentheses are part of the usage rights language. Parentheses are used to group items together in lists. The notation (x*) is used to indicate a variable length list, that is, a list containing one or more items of type x. The notation (x)* is used to indicate a variable number of lists containing x.

Keywords in the grammar are words followed by colons. Keywords are a common and very special case in the language. They are often used to indicate a single value, typically an identifier. In many cases, the keyword and the parameter are entirely optional. When a keyword is given, it often takes a single identifier as its value. In some cases, the keyword takes a list of identifiers.

In the usage rights language, time is specified in an hours:minutes:seconds (or hh:mm:ss) representation. Time zone indicators, e.g. PDT for Pacific Daylight Time, may also be specified. Dates are represented as year/month/day (or YYYY/MMM/DD). Note that these time and date representations may specify moments in time or units of time. Money units are specified in terms of dollars.

Finally, in the usage rights language, various "things" will need to interact with each other. For example, an instance of a usage right may specify a bank account, a digital ticket, etc. Such things need to be identified and are specified herein using the suffix "-ID."

The Usage Rights Grammar is listed in its entirety in FIG. 15 and is described below.

Grammar element 1501 "Digital Work Rights:=(Rights*)" defines the digital work rights as a set of rights. The set of rights attached to a digital work define how that digital work may be transferred, used, performed or played. A set of rights will attach to the entire digital work and, in the case of compound digital works, each of the components of the digital work. The usage rights of components of a digital work may be different.

Grammar element 1502 "Right:=(Right-Code {Copy-Count} {Control-Spec} {Time-Spec} {Access-Spec} {Fee-Spec})" enumerates the content of a right. Each usage right must specify a right code. Each right may also optionally specify conditions which must be satisfied before the right can be exercised. These conditions are copy count, control, time, access and fee conditions. In the currently preferred embodiment, for the optional elements, the following defaults apply: copy count equals 1, no time limit on the use of the right, no access tests or a security level required to use the right and no fee is required. These conditions will each be described in greater detail below.

It is important to note that a digital work may have multiple versions of a right, each having the same right code. The multiple versions would provide alternative conditions and fees for accessing the digital work.

Grammar element 1503 "Right-Code:=Render-Code|Transport-Code|File-Management-Code|Derivative-Works-Code|Configuration-Code" distinguishes each of the specific rights into a particular right type (although each right is identified by distinct right codes). In this way, the grammar provides a catalog of possible rights that can be associated with parts of digital works. In the following, rights are divided into categories for convenience in describing them.

Grammar element 1504 "Render-Code:=[Play:{Player:Player-ID}|Print:{Printer:Printer-ID}]" lists a category of rights all involving the making of ephemeral, transitory, or non-digital copies of the digital work. After use the copies are erased.

Play: A process of rendering or performing a digital work on some processor. This includes such things as playing digital movies, playing digital music, playing a video game, running a computer program, or displaying a document on a display.
Print: To render the work in a medium that is not further protected by usage rights, such as printing on paper.

Grammar element 1505 "Transport-Code:=[(Copy|Transfer|Loan {Remaining-Rights:Next-Set-of-Rights}] {(Next-Copy-Rights:Next-Set-of-Rights)}" lists a category of rights involving the making of persistent, usable copies of the digital work on other repositories. The optional Next-Copy-Rights determine the rights on the work after it is transported. If this is not specified, then the rights on the transported copy are the same as on the original. The optional Remaining-Rights specify the rights that remain with a digital work when it is loaned out. If this is not specified, then the default is that no rights can be exercised when it is loaned out.
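The Next-Copy-Rights and Remaining-Rights options above both take a Next-Set-of-Rights, whose Add:, Delete:, Replace: and Keep: operations are defined by grammar element 1509 below. The following is an added example, not code from the patent, of computing the rights of a transported copy from those operations; representing a right version as a (right-code, version) pair is an assumption of the example.

```python
"""Computing a Next-Set-of-Rights for a transported or remaining copy.

Added example, not code from the patent: it applies the Add:, Delete:,
Replace: and Keep: operations of grammar element 1509 to the current
set of right versions. Modelling a right as a (right-code, version)
pair is an assumption of this example.
"""
from typing import Iterable, List, Optional, Tuple, Union

Right = Tuple[str, str]          # (right code, version), e.g. ("Print", "5 copies for $10.00")
DeleteItem = Union[str, Right]   # a bare right code deletes every version with that code


def next_set_of_rights(current: Iterable[Right],
                       add: Iterable[Right] = (),
                       delete: Iterable[DeleteItem] = (),
                       replace: Iterable[Right] = (),
                       keep: Optional[Iterable[str]] = None) -> List[Right]:
    """Return the rights of the next (or remaining) copy.

    Interpretation assumed here: the set starts as the current rights, or,
    when Keep: is given (Remaining-Rights), as all versions of the listed
    codes only. Keep: is applied first so that subsequent Delete: and
    Replace: specifications can override it, as the text requires.
    """
    rights = list(current)
    if keep is not None:
        kept = set(keep)
        rights = [r for r in rights if r[0] in kept]
    rights.extend(add)                               # Add: versions join the set
    for item in delete:                              # Delete: a version or a whole code
        if isinstance(item, tuple):
            rights = [r for r in rights if r != item]
        else:
            rights = [r for r in rights if r[0] != item]
    replace = list(replace)
    replaced = {code for code, _ in replace}
    rights = [r for r in rights if r[0] not in replaced]   # Replace: subsumes same-code versions
    rights.extend(replace)
    return rights


def loan_example() -> Tuple[List[Right], List[Right]]:
    """Constructed sample: a work with Play, two Print versions and Loan.
    The Loan right carries Remaining-Rights (Keep: Play) for the original
    and Next-Copy-Rights (Delete: Loan) for the loaned copy, so the
    borrower cannot loan the work onward."""
    current = [("Play", "default"),
               ("Print", "5 copies for $10.00"),
               ("Print", "unlimited copies for $100.00"),
               ("Loan", "7 days")]
    remaining = next_set_of_rights(current, keep=["Play"])
    loaned_copy = next_set_of_rights(current, delete=["Loan"])
    return remaining, loaned_copy
```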
Copy: Make a new copy of a work.
Transfer: Moving a work from one repository to another.
Loan: Temporarily loaning a copy to another repository for a specified period of time.

Grammar element 1506 "File-Management-Code:=Backup {Back-Up-Copy-Rights:Next-Set-of-Rights}|Restore|Delete|Folder|Directory {Name:Hide-Local|Hide-Remote} {Parts:Hide-Local|Hide-Remote}" lists a category of rights involving operations for file management, such as the making of backup copies to protect the copy owner against catastrophic equipment failure.

Many software licenses and also copyright law give a copy owner the right to make backup copies to protect against catastrophic failure of equipment. However, the making of uncontrolled backup copies is inherently at odds with the ability to control usage, since an uncontrolled backup copy can be kept and then restored even after the authorized copy was sold.

The file management rights enable the making and restoring of backup copies in a way that respects usage rights, honoring the requirements of both the copy owner and the rights grantor and revenue owner. Backup copies of work descriptions (including usage rights and fee data) can be sent under appropriate protocol and usage rights control to other document repositories of sufficiently high security. Further rights permit organization of digital works into folders which themselves are treated as digital works and whose contents may be "hidden" from a party seeking to determine the contents of a repository.

Backup: To make a backup copy of a digital work as protection against media failure.
Restore: To restore a backup copy of a digital work.
Delete: To delete or erase a copy of a digital work.
Folder: To create and name folders, and to move files and folders between folders.
Directory: To hide a folder or its contents.

Grammar element 1507 "Derivative-Works-Code:=[Extract|Embed|Edit {Process:Process-ID}] {Next-Copy-Rights:Next-Set-of-Rights}" lists a category of rights involving the use of a digital work to create new works.

Extract: To remove a portion of a work, for the purposes of creating a new work.
Embed: To include a work in an existing work.
Edit: To alter a digital work by copying, selecting and modifying portions of an existing digital work.

Grammar element 1508 "Configuration-Code:=Install|Uninstall" lists a category of rights for installing and uninstalling software on a repository (typically a rendering repository). This would typically occur for the installation of a new type of player within the rendering repository.

Install: To install new software on a repository.
Uninstall: To remove existing software from a repository.

Grammar element 1509 "Next-Set-of-Rights:={(Add:Set-Of-Rights)} {(Delete:Set-Of-Rights)} {(Replace:Set-Of-Rights)} {(Keep:Set-Of-Rights)}" defines how rights are carried forward for a copy of a digital work. If the Next-Copy-Rights is not specified, the rights for the next copy are the same as those of the current copy. Otherwise, the set of rights for the next copy can be specified. Versions of rights after Add: are added to the current set of rights. Rights after Delete: are deleted from the current set of rights. If only right codes are listed after Delete:, then all versions of rights with those codes are deleted. Versions of rights after Replace: subsume all versions of rights of the same type in the current set of rights.

If Remaining-Rights is not specified, then there are no rights for the original after all Loan copies are loaned out. If Remaining-Rights is specified, then the Keep: token can be used to simplify the expression of what rights to keep behind. A list of right codes following Keep: means that all of the versions of those listed rights are kept in the remaining copy. This specification can be overridden by subsequent Delete: or Replace: specifications.

Copy Count Specification
For various transactions, it may be desirable to provide some limit as to the number of "copies" of the work which may be exercised simultaneously for the right. For example, it may be desirable to limit the number of copies of a digital work that may be loaned out at a time or viewed at a time.

Grammar element 1510 "Copy-Count:=(Copies:positive-integer|0|unlimited)" provides a condition which defines the number of "copies" of a work subject to the right. A copy count can be 0, a fixed number, or unlimited. The copy-count is associated with each right, as opposed to there being just a single copy-count for the digital work. The Copy-Count for a right is decremented each time that a right is exercised. When the Copy-Count equals zero, the right can no longer be exercised. If the Copy-Count is not specified, the default is one.

Control Specification
Rights and fees depend in general on rights granted by the creator as well as further restrictions imposed by later distributors. Control specifications deal with interactions between the creators and their distributors governing the imposition of further restrictions and fees. For example, a distributor of a digital work may not want an end consumer of a digital work to add fees or otherwise profit by commercially exploiting the purchased digital work.

Grammar element 1511 "Control-Spec:=(Control: {Restrictable|Unrestrictable} {Unchargeable|Chargeable})" provides a condition to specify the effect of usage rights and fees of parents on the exercise of the right. A digital work is restrictable if higher level d-blocks can impose further restrictions (time specifications and access specifications) on the right. It is unrestrictable if no further restrictions can be imposed. The default setting is restrictable. A right is unchargeable if no more fees can be imposed on the use of the right. It is chargeable if more fees can be imposed. The default is chargeable.

Time Specification
It is often desirable to assign a start date or specify some duration as to when a right may be exercised. Grammar element 1512 "Time-Spec:=({Fixed-Interval|Sliding-Interval|Meter-Time} Until:Expiration-Date)" provides for specification of time conditions on the exercise of a right. Rights may be granted for a specified time. Different kinds of time specifications are appropriate for different kinds of rights. Some rights may be exercised during a fixed and predetermined duration. Some rights may be exercised for an interval that starts the first time that the right is invoked by some transaction. Some rights may be exercised or are charged according to some kind of metered time, which may be split into separate intervals. For example, a right to view a picture for an hour might be split into six ten-minute viewings or four fifteen-minute viewings or twenty three-minute viewings.

The terms "time" and "date" are used synonymously to refer to a moment in time. There are several kinds of time specifications. Each specification represents some limitation on the times over which the usage right applies. The Expiration-Date specifies the moment at which the usage right ends. For example, if the Expiration-Date is "Jan. 1,
1995," then the right ends at the first moment of 1995. If the Expiration-Date is specified as *forever*, then the rights are interpreted as continuing without end. If only an expiration date is given, then the right can be exercised as often as desired until the expiration date.

Grammar element 1513 "Fixed-Interval:=From:Start-Time" is used to define a predetermined interval that runs from the start time to the expiration date.

Grammar element 1514 "Sliding-Interval:=Interval:Use-Duration" is used to define an indeterminate (or "open") start time. It sets limits on a continuous period of time over which the contents are accessible. The period starts on the first access and ends after the duration has passed or the expiration date is reached, whichever comes first. For example, if the right gives 10 hours of continuous access, the use-duration would begin when the first access was made and end 10 hours later.

Grammar element 1515 "Meter-Time:=Time-Remaining:Remaining-Use" is used to define a "meter time," that is, a measure of the time that the right is actually exercised. It differs from the Sliding-Interval specification in that the time that the digital work is in use need not be continuous. For example, if the rights guarantee three days of access, those days could be spread out over a month. With this specification, the rights can be exercised until the meter time is exhausted or the expiration date is reached, whichever comes first.

Remaining-Use:=Time-Unit
Start-Time:=Time-Unit
Use-Duration:=Time-Unit

All of the time specifications include time-unit specifications in their ultimate instantiation.

Security Class and Authorization Specification
The present invention provides for various security mechanisms to be introduced into a distribution or use scheme. Grammar element 1516 "Access-Spec:=({SC:Security-Class} {Authorization:Authorization-ID*} {Other-Authorization:Authorization-ID*} {Ticket:Ticket-ID})" provides a means for restricting access and transmission. Access specifications can specify a required security class for a repository to exercise a right or a required authorization test that must be satisfied.

The keyword "SC:" is used to specify a minimum security level for the repositories involved in the access. If "SC:" is not specified, the lowest security level is acceptable.

The optional "Authorization:" keyword is used to specify required authorizations on the same repository as the work. The optional "Other-Authorization:" keyword is used to specify required authorizations on the other repository in the transaction.

The optional "Ticket:" keyword specifies the identity of a ticket required for the transaction. A transaction involving digital tickets must locate an appropriate digital ticket agent who can "punch" or otherwise validate the ticket before the transaction can proceed. Tickets are described in greater detail below.

In a transaction involving a repository and a document server, some usage rights may require that the repository have a particular authorization, that the server have some authorization, or that both repositories have (possibly

In some cases, an authorization may be required from a source other than the document server and repository. An authorization object referenced by an Authorization-ID can contain digital address information to be used to set up a communications link between a repository and the authorization source. These are analogous to phone numbers. For such access tests, the communication would need to be established and authorization obtained before the right could be exercised.

For one-time usage rights, a variant on this scheme is to have a digital ticket. A ticket is presented to a digital ticket agent, whose type is specified on the ticket. In the simplest case, a certified generic ticket agent, available on all repositories, is available to "punch" the ticket. In other cases, the ticket may contain addressing information for locating a "special" ticket agent. Once a ticket has been punched, it cannot be used again for the same kind of transaction (unless it is unpunched or refreshed in the manner described below). Punching includes marking the ticket with a timestamp of the date and time it was used. Tickets are digital works and can be copied or transferred between repositories according to their usage rights.

In the currently preferred embodiment, a "punched" ticket becomes "unpunched" or "refreshed" when it is copied or extracted. The Copy and Extract operations save the date and time as a property of the digital ticket. When a ticket agent is given a ticket, it can simply check whether the digital copy was made after the last time that it was punched. Of course, the digital ticket must have the copy or extract usage rights attached thereto.

The capability to unpunch a ticket is important in the following cases:
A digital work is circulated at low cost with a limitation that it can be used only once.
A digital work is circulated with a ticket that can be used once to give discounts on purchases of other works.
A digital work is circulated with a ticket (included in the purchase price and possibly embedded in the work) that can be used for a future upgrade.

In each of these cases, if a paid copy is made of the digital work (including the ticket) the new owner would expect to get a fresh (unpunched) ticket, whether the copy seller has used the work or not. In contrast, loaning a work or simply transferring it to another repository should not revitalize the ticket.

Usage Fees and Incentives Specification
The billing for use of a digital work is fundamental to a commercial distribution system. Grammar Element 1517 "Fee-Spec:={Scheduled-Discount} Regular-Fee-Spec|Scheduled-Fee-Spec|Markup-Spec" provides a range of options for billing for the use of digital works.

A key feature of this approach is the development of low-overhead billing for transactions in potentially small amounts. Thus, it becomes feasible to collect fees of only a few cents each for thousands of transactions.

The grammar differentiates between uses where the charge is per use from those where it is metered by the time unit. Transactions can support fees that the user pays for using a digital work as well as incentives paid by the right grantor to users to induce them to use or distribute the digital work.
The optional scheduled discount refers to the rest of the
different) authorizations. Authorizations themselves are
fee specification--discounting it by a percentage over time.
If it is not specified, then there is no scheduled discount.
digital works (hereinafter referred to as an authorization
object) that can be moved between repositories in the same
Regular fee specifications are constant over time. Scheduled
manner as other digital works. Their copying and transferfee specifications give a schedule of dates over which the fee
ring is subject to the same rights and fees as other digital 65 specifications change. Markup specifications are used in
works. A repository is said to have an authorization if that
d-blocks for adding a percentage to the fees already being
authorization object is contained within the repository.
charged.
US 6,963,859 B2
23
24
Grammar Element 1518 "Scheduled-Discount:= (Scheduled-Discount:(Time-Spec Percentage)*)" A Scheduled-Discount is essentially a scheduled modifier of any other fee specification for this version of the right of the digital work. (It does not refer to children or parent digital works or to other versions of rights.) It is a list of pairs of times and percentages. The most recent time in the list that has not yet passed at the time of the transaction is the one in effect. The percentage gives the discount percentage. For example, the number 10 refers to a 10% discount.

Grammar Element 1519 "Regular-Fee-Spec:= ({Fee:|Incentive:}[Per-Use-Spec|Metered-Rate-Spec|Best-Price-Spec|Call-For-Price-Spec] {Min: Money-Unit Per: Time-Spec} {Max: Money-Unit Per: Time-Spec} To:Account-ID)" provides for several kinds of fee specifications.

Fees are paid by the copy-owner/user to the revenue-owner if Fee: is specified. Incentives are paid by the revenue-owner to the user if Incentive: is specified. If the Min: specification is given, then there is a minimum fee to be charged per time-spec unit for its use. If the Max: specification is given, then there is a maximum fee to be charged per time-spec for its use. When Fee: is specified, Account-ID identifies the account to which the fee is to be paid. When Incentive: is specified, Account-ID identifies the account from which the fee is to be paid.

Grammar element 1520 "Per-Use-Spec:=Per-Use:Money-unit" defines a simple fee to be paid every time the right is exercised, regardless of how much time the transaction takes.

Grammar element 1521 "Metered-Rate-Spec:= Metered:Money-Unit Per:Time-Spec" defines a metered-rate fee paid according to how long the right is exercised. Thus, the time it takes to complete the transaction determines the fee.

Grammar element 1522 "Best-Price-Spec:=Best-Price:Money-unit Max:Money-unit" is used to specify a best-price that is determined when the account is settled. This specification is to accommodate special deals, rebates, and pricing that depends on information that is not available to the repository. All fee specifications can be combined with tickets or authorizations that could indicate that the consumer is a wholesaler or that he is a preferred customer, or that the seller be authorized in some way. The amount of money in the Max: field is the maximum amount that the use will cost. This is the amount that is tentatively debited from the credit server. However, when the transaction is ultimately reconciled, any excess amount will be returned to the consumer in a separate transaction.

Grammar element 1523 "Call-For-Price-Spec:=Call-For-Price" is similar to a "Best-Price-Spec" in that it is intended to accommodate cases where prices are dynamic. A Call-For-Price-Spec requires a communication with a dealer to determine the price. This option cannot be exercised if the repository cannot communicate with a dealer at the time that the right is exercised. It is based on a secure transaction whereby the dealer names a price to exercise the right and passes along a deal certificate which is referenced or included in the billing process.

Grammar element 1524 "Scheduled-Fee-Spec:= (Schedule:(Time-Spec Regular-Fee-Spec)*)" is used to provide a schedule of dates over which the fee specifications change. The fee specification with the most recent date not in the future is the one that is in effect. This is similar to but more general than the scheduled discount. It is more general, because it provides a means to vary the fee agreement for each time period.

Grammar element 1525 "Markup-Spec:= Markup:percentage To:Account-ID" is provided for adding a percentage to the fees already being charged. For example, a 5% markup means that a fee of 5% of the cumulative fee so far will be allocated to the distributor. A markup specification can be applied to all of the other kinds of fee specifications. It is typically used in a shell provided by a distributor. It refers to fees associated with d-blocks that are parts of the current d-block. This might be a convenient specification for use in taxes, or in distributor overhead.

Examples of Sets of Usage Rights

((Play) (Transfer (SC: 3)) (Delete))

This work can be played without requirements for fee or authorization on any rendering system. It can be transferred to any other repository of security level 3 or greater. It can be deleted.

((Play) (Transfer (SC: 3)) (Delete) (Backup) (Restore (Fee: Per-Use: $5 To: Account-ID-678)))

Same as the previous example plus rights for backup and restore. The work can be backed up without fee. It can be restored for a $5 fee payable to the account described by Account-ID-678.

((Play) (Transfer (SC: 3)) (Copy (SC:3)(Fee: Per-Use: $5 To: Account-ID-678)) (Delete (Incentive: Per-Use: $2.50 To: Account-ID-678)))

This work can be played, transferred, copied, or deleted. Copy or transfer operations can take place only with repositories of security level three or greater. The fee to make a copy is $5 payable to Account-ID-678. If a copy is deleted, then an incentive of $2.50 is paid to the former copy owner.

((Play) (Transfer (SC: 3)) (Copy (SC: 3) (Fee: Per-Use: $10 To: Account-ID-678)) (Delete) (Backup) (Restore (SC: 3) (Fee: Per-Use: $5 To: Account-ID-678)))

Same as the previous example plus fees for copying. The work can be copied digitally for a fee of $10 payable to Account-ID-678. The repository on which the work is copied or restored must be at security level 3 or greater.

((Play) (Transfer (SC: 3)) (Copy Authorization: License-123-ID (SC: 3)))

The digital work can be played, transferred, or copied. Copies or transfers must be on repositories of security level 3 or greater. Copying requires the license License-123-ID issued to the copying repository. None of the rights require fees.

((Play) (Print Printer: Printer-567-ID (Fee: Per-Use: $1 To: Account-ID-678)))

This work can be played for free. It can be printed on any printer with the identifier Printer-567-ID for a fee of $1 payable to the account described by Account-ID-678.

((Play Player: Player-876-ID) (From: 94/02/14 Until: 95/02/15) (Fee: Metered: $0.01 Per: 0:1:0 Min: $0.25 Per: 0/1/0 To: Account-ID-567))

This work can be played on any player holding the ID Player-876-ID. The time of this right is from Feb. 14, 1994 until Feb. 15, 1995. The fee for use is one cent per minute with a minimum of 25 cents in any day that it is used, payable to the account described by Account-ID-567.

((Play) (Transfer) (Delete) (Loan 2 (Delete: Transfer Loan)))

This work can be played, transferred, deleted, or loaned. Up to two copies can be loaned out at a time. The loaned copy has the same rights except that it cannot be transferred. When both copies are loaned out, no rights can be exercised on the original on the repository.
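The rights sets above can be parsed and their fee specifications evaluated mechanically. The following added example (not code from the patent) tokenises the parenthesised rights grammar, extracts the SC: and Fee:/Incentive: sub-specifications of Grammar Elements 1516-1525, and computes Per-Use and Metered fees with the Min:/Max: clamps and a Markup-Spec share; Time-Spec units are treated as opaque counts rather than interpreted as dates, and the two sample rights sets are taken from the examples above.

```python
"""Parser for the usage-rights S-expressions listed above, plus a fee
calculator for the Regular-Fee-Spec and Markup-Spec elements.  Added
example, not code from the patent; money is kept in integer cents."""
import re

# Tokens: parentheses, keywords ending in ':' (SC:, Fee:, ...), anything else.
TOKEN = re.compile(r"\(|\)|[A-Za-z-]+:|[^\s()]+")

# Two of the rights sets listed above, taken from the page.
COPY_EXAMPLE = ("((Play) (Transfer (SC: 3)) "
                "(Copy (SC:3)(Fee: Per-Use: $5 To: Account-ID-678)) "
                "(Delete (Incentive: Per-Use: $2.50 To: Account-ID-678)))")
METERED_EXAMPLE = ("((Play Player: Player-876-ID) (From: 94/02/14 Until: "
                   "95/02/15) (Fee: Metered: $0.01 Per: 0:1:0 Min: $0.25 "
                   "Per: 0/1/0 To: Account-ID-567))")


def parse_rights(text):
    """Turn '((Play) (Copy (SC: 3) ...))' into nested Python lists."""
    stack = [[]]
    for tok in TOKEN.findall(text):
        if tok == "(":
            stack.append([])
        elif tok == ")":
            if len(stack) == 1:
                raise ValueError("unbalanced ')'")
            done = stack.pop()
            stack[-1].append(done)
        else:
            stack[-1].append(tok)
    if len(stack) != 1 or len(stack[0]) != 1:
        raise ValueError("expected exactly one balanced rights list")
    return stack[0][0]


def key(tok):
    # the page writes both 'Per-Use:' and 'Per-Use'; compare without the colon
    return tok.rstrip(":") if isinstance(tok, str) else None


def find_right(rights, name):
    """First version of the named right in a parsed rights list, or None."""
    return next((r for r in rights if isinstance(r, list) and r[:1] == [name]), None)


def security_class(right):
    """Minimum repository security class from (SC: n); 0 (lowest) if absent."""
    for item in right[1:]:
        if isinstance(item, list) and len(item) == 2 and key(item[0]) == "SC":
            return int(item[1])
    return 0


def money_to_cents(token):
    """'$5' -> 500, '$2.50' -> 250, '$0.01' -> 1."""
    if not token.startswith("$"):
        raise ValueError(f"not a Money-Unit: {token}")
    whole, _, frac = token[1:].partition(".")
    return int(whole or 0) * 100 + int((frac + "00")[:2])


def fee_spec(items):
    """Extract the (Fee: ...) or (Incentive: ...) sub-list as a dict."""
    for item in items:
        if isinstance(item, list) and item and key(item[0]) in ("Fee", "Incentive"):
            spec = {"direction": key(item[0]), "Per": []}
            for k, v in zip(item[1::2], item[2::2]):
                k = key(k)
                if k in ("Per-Use", "Metered", "Min", "Max"):
                    spec[k] = money_to_cents(v)
                elif k == "Per":
                    spec["Per"].append(v)    # Time-Spec units, kept verbatim
                elif k == "To":
                    spec["To"] = v           # account paid to (Fee) / from (Incentive)
                else:
                    raise ValueError(f"unknown fee keyword {k}")
            return spec
    return None


def compute_fee(spec, uses=1, metered_units=0, periods=1):
    """Cents owed: `uses` exercises of a Per-Use right, or `metered_units`
    metering units of a Metered right, clamped by Min:/Max: over `periods`."""
    if "Per-Use" in spec:
        fee = spec["Per-Use"] * uses
    elif "Metered" in spec:
        fee = spec["Metered"] * metered_units
    else:   # Best-Price / Call-For-Price are only settled with a dealer later
        raise ValueError("fee not computable locally")
    if "Min" in spec:
        fee = max(fee, spec["Min"] * periods)
    if "Max" in spec:
        fee = min(fee, spec["Max"] * periods)
    return fee


def markup(cumulative_fee, percentage):
    """Markup-Spec: distributor's share of the fee so far, rounded to a cent."""
    return (cumulative_fee * percentage + 50) // 100
```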
((Play) (Transfer) (Delete) (Backup) (Restore (SC:3)) (Loan 2 Remaining-Copy-Rights: (Delete: Play Transfer) Next-Set-of-Rights: (Delete: Transfer Loan)))

Similar to the previous example. Rights to Backup and Restore the work are added, where restoration requires a repository of at least security level three. When all copies of the work are loaned out, the remaining copy cannot be played or transferred.

((Play) (Transfer) (Copy) (Print) (Backup) (Restore (SC:3)) (Loan 1 Remaining-Copy-Rights: (Add: Play Print Backup) Next-Set-of-Rights: (Delete: Transfer Loan) (Fee: Metered: $10 Per: 1:0:0 To: Account-ID-567)) (Loan 1 Remaining-Copy-Rights: Add: ((Play Player: Player-876-ID) 2 (From: 94/02/14 Until: 95/02/15) (Fee: Metered: $0.01 Per: 0:1:0 Min: $0.25 Per: 0/1/0 To: Account-ID-567))))

The original work has rights to Play, Transfer, Copy, Print, Backup, Restore, and Loan. There are two versions of the Loan right. The first version of the loan right costs $10 per day but allows the original copy owner to exercise free use of the Play, Print and Backup rights. The second version of the Loan right is free. None of the original rights are applicable. However, a right to Play the work at the specified metered rate is added.

((Play Player: Player-Small-Screen-123-ID) (Embed (Fee: Per-Use $0.01 To: Account-678-ID)) (Copy (Fee: Per-Use $1.00 To: Account-678-ID)))

The digital work can be played on any player with the identifier Player-Small-Screen-123-ID. It can be embedded in a larger work. The embedding requires a modest one cent registration fee to Account-678-ID. Digital copies can be made for $1.00.

Repository Transactions

When a user requests access to a digital work, the repository will initiate various transactions. The combination of transactions invoked will depend on the specifications assigned for a usage right. There are three basic types of transactions: Session Initiation Transactions, Financial Transactions and Usage Transactions. Generally, session initiation transactions are initiated first to establish a valid session. When a valid session is established, transactions corresponding to the various usage rights are invoked. Finally, request-specific transactions are performed.

Transactions occur between two repositories (one acting as a server), between a repository and a document playback platform (e.g. for executing or viewing), between a repository and a credit server or between a repository and an authorization server. When transactions occur between more than one repository, it is assumed that there is a reliable communication channel between the repositories. For example, this could be a TCP/IP channel or any other commercially available channel that has built-in capabilities for detecting and correcting transmission errors. However, it is not assumed that the communication channel is secure. Provisions for security and privacy are part of the requirements for specifying and implementing repositories and thus form the need for various transactions.

Message Transmission

Transactions require that there be some communication between repositories. Communication between repositories occurs in units termed messages. Because the communication line is assumed to be unsecure, all communications with repositories that are above the lowest security class are encrypted utilizing a public key encryption technique. Public key encryption is a well known technique in the encryption arts. The term key refers to a numeric code that is used with encryption and decryption algorithms. Keys come in pairs, where "writing keys" are used to encrypt data and "checking keys" are used to decrypt data. Both writing and checking keys may be public or private. Public keys are those that are distributed to others. Private keys are maintained in confidence.

Key management and security is instrumental in the success of a public key encryption system. In the currently preferred embodiment, one or more master repositories maintain the keys and create the identification certificates used by the repositories.

When a sending repository transmits a message to a receiving repository, the sending repository encrypts all of its data using the public writing key of the receiving repository. The sending repository includes its name, the name of the receiving repository, a session identifier such as a nonce (described below), and a message counter in each message. In this way, the communication can only be read (to a high probability) by the receiving repository, which holds the private checking key for decryption. The auxiliary data is used to guard against various replay attacks on security. If messages ever arrive with the wrong counter or an old nonce, the repositories can assume that someone is interfering with communication and the transaction is terminated. The respective public keys for the repositories to be used for encryption are obtained in the registration transaction described below.

Session Initiation Transactions

A usage transaction is carried out in a session between repositories. For usage transactions involving more than one repository, or for financial transactions between a repository and a credit server, a registration transaction is performed. A second transaction, termed a login transaction, may also be needed to initiate the session. The goal of the registration transaction is to establish a secure channel between two repositories who know each other's identities. As it is assumed that the communication channel between the repositories is reliable but not secure, there is a risk that a non-repository may mimic the protocol in order to gain illegitimate access to a repository.

The registration transaction between two repositories is described with respect to FIGS. 16 and 17. The steps described are from the perspective of a "repository-1" registering its identity with a "repository-2". The registration must be symmetrical, so the same set of steps will be repeated for repository-2 registering its identity with repository-1. Referring to FIG. 16, repository-1 first generates an encrypted registration identifier, step 1601, and then generates a registration message, step 1602. A registration message is comprised of an identifier of a master repository, the identification certificate for repository-1 and an encrypted random registration identifier. The identification certificate is encrypted by the master repository in its private key and attests to the fact that the repository (here repository-1) is a bona fide repository. The identification certificate also contains a public key for the repository, the repository security level and a timestamp (indicating a time after which the certificate is no longer valid). The registration identifier is a number generated by the repository for this registration. The registration identifier is unique to the session and is encrypted in repository-1's private key. The registration identifier is used to improve security of authentication by detecting certain kinds of communications-based attacks. Repository-1 then transmits the registration message to repository-2, step 1603.
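The registration exchange of FIG. 16 as a two-party protocol, written as an added example that is not code from the patent: this passage gives steps 1601-1603, and the hotlist check and performance test (steps 1604-1618) that the next passage describes are modelled on the repository-2 side. The KeyPair, Envelope and Certificate records, the 60-second time tolerance and the sample repositories are assumptions; the envelope only models which key can open a message and provides no real confidentiality.

```python
"""Registration of repository-1 with repository-2 (FIG. 16, steps 1601-1618)
as a two-party exchange.  Added example, not code from the patent.  Envelope
is a toy stand-in for public-key encryption: it records which public key
sealed a message and lets only the matching private key open it."""
from dataclasses import dataclass
import secrets

TIME_TOLERANCE = 60   # seconds the challenge's time may differ (assumed value)


@dataclass(frozen=True)
class KeyPair:
    public: str       # "writing" key others use to encrypt to this repository
    private: str      # "checking" key kept in confidence


@dataclass(frozen=True)
class Envelope:
    sealed_for: str   # public key the sender encrypted with
    payload: dict

    def open(self, keys):
        if keys.public != self.sealed_for:
            raise PermissionError("sealed for another repository's key")
        return dict(self.payload)


@dataclass(frozen=True)
class Certificate:
    """Identification certificate issued by a master repository."""
    repository: str
    public_key: str
    security_level: int
    expires: int      # time after which the certificate is no longer valid
    master: str       # master repository whose public key validates it


class Repository:
    def __init__(self, name, keys, cert, master_keys, hotlist=()):
        self.name, self.keys, self.cert = name, keys, cert
        self.master_keys = set(master_keys)   # master public keys it holds
        self.hotlist = set(hotlist)           # compromised repositories
        self.reg_id = self.nonce = None

    # repository-1, steps 1601-1603: fresh registration identifier + message
    # (the patent additionally encrypts reg_id under repository-1's private key)
    def registration_message(self):
        self.reg_id = secrets.token_hex(8)
        return {"master": self.cert.master, "cert": self.cert,
                "reg_id": self.reg_id}

    # repository-2, steps 1604-1610: validate certificate and hotlist, then
    # challenge with a nonce the other side has never seen
    def performance_message(self, msg, now):
        cert = msg["cert"]
        if msg["master"] not in self.master_keys or cert.master != msg["master"]:
            raise ValueError("step 1618: no key for that master repository")
        if cert.expires < now:
            raise ValueError("step 1618: identification certificate expired")
        if cert.repository in self.hotlist:
            raise ValueError("step 1618: repository is on the hotlist")
        self.nonce = secrets.token_hex(16)
        return Envelope(cert.public_key, {
            "nonce": self.nonce, "from": self.name, "to": cert.repository,
            "time": now, "reg_id": msg["reg_id"]})

    # repository-1, steps 1611-1615: decrypt, check names/time/reg_id, echo nonce
    def answer_performance(self, env, now, peer):
        plain = env.open(self.keys)           # only the private-key holder can
        if plain["to"] != self.name or plain["from"] != peer:
            raise ValueError("step 1616: repository names are wrong")
        if abs(plain["time"] - now) > TIME_TOLERANCE:
            raise ValueError("step 1616: time is not accurate")
        if plain["reg_id"] != self.reg_id:
            raise ValueError("step 1616: registration identifier mismatch")
        return plain["nonce"]                 # sent back in the clear

    # repository-2, step 1617: the echoed nonce must match the original
    def verify_nonce(self, nonce):
        if not secrets.compare_digest(nonce, self.nonce):
            raise ValueError("step 1618: nonce mismatch")
        return True


def register(repo1, repo2, now):
    """Run repository-1's registration with repository-2; True on success."""
    msg = repo1.registration_message()
    challenge = repo2.performance_message(msg, now)
    nonce = repo1.answer_performance(challenge, now, repo2.name)
    return repo2.verify_nonce(nonce)


def sample_pair(hotlist=(), expires=2_000_000):
    """Constructed repositories with fake keys and certificates, both
    certified by the same (fictitious) master repository 'master-A'."""
    k1, k2 = KeyPair("pub-1", "priv-1"), KeyPair("pub-2", "priv-2")
    c1 = Certificate("repository-1", "pub-1", 3, expires, "master-A")
    c2 = Certificate("repository-2", "pub-2", 3, expires, "master-A")
    return (Repository("repository-1", k1, c1, ["master-A"], hotlist),
            Repository("repository-2", k2, c2, ["master-A"], hotlist))
```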
Upon receiving the registration message, repository-2 determines if it has the needed public key for the master repository, step 1604. If repository-2 does not have the needed public key to decrypt the identification certificate, the registration transaction terminates in an error, step 1618. Assuming that repository-2 has the proper public key, the identification certificate is decrypted, step 1605. Repository-2 saves the encrypted registration identifier, step 1606, and extracts the repository identifier, step 1607. The extracted repository identifier is checked against a "hotlist" of compromised document repositories, step 1608. In the currently preferred embodiment, each repository will contain "hotlists" of compromised repositories. If the repository is on the "hotlist", the registration transaction terminates in an error per step 1618. Repositories can be removed from the hotlist when their certificates expire, so that the list does not need to grow without bound. Also, by keeping a short list of hotlist certificates that it has previously received, a repository can avoid the work of actually going through the list. These lists would be encrypted by a master repository. A minor variation on the approach to improve efficiency would have the repositories first exchange lists of names of hotlist certificates, ultimately exchanging only those lists that they had not previously received. The "hotlists" are maintained and distributed by Master repositories.

Note that rather than terminating in error, the transaction could request that another registration message be sent based on an identification certificate created by another master repository. This may be repeated until a satisfactory identification certificate is found, or it is determined that trust cannot be established.

Assuming that the repository is not on the hotlist, the repository identification needs to be verified. In other words, repository-2 needs to validate that the repository on the other end is really repository-1. This is termed performance testing and is performed in order to avoid invalid access to the repository via a counterfeit repository replaying a recording of a prior session initiation between repository-1 and repository-2. Performance testing is initiated by repository-2 generating a performance message, step 1609. The performance message consists of a nonce, the names of the respective repositories, the time and the registration identifier received from repository-1. A nonce is a generated message based on some random and variable information (e.g. the time or the temperature). The nonce is used to check whether repository-1 can actually exhibit correct encrypting of a message using the private keys it claims to have, on a message that it has never seen before. The performance message is encrypted using the public key specified in the registration message of repository-1. The performance message is transmitted to repository-1, step 1610, where it is decrypted by repository-1 using its private key, step 1611. Repository-1 then checks to make sure that the names of the two repositories are correct, step 1612, that the time is accurate, step 1613, and that the registration identifier corresponds to the one it sent, step 1614. If any of these tests fails, the transaction is terminated per step 1616. Assuming that the tests are passed, repository-1 transmits the nonce to repository-2 in the clear, step 1615. Repository-2 then compares the received nonce to the original nonce, step 1617. If they are not identical, the registration transaction terminates in an error per step 1618. If they are the same, the registration transaction has successfully completed.

At this point, assuming that the transaction has not terminated, the repositories exchange messages containing session keys to be used in all communications during the session and synchronize their clocks. FIG. 17 illustrates the session information exchange and clock synchronization steps (again from the perspective of repository-1). Referring to FIG. 17, repository-1 creates a session key pair, step 1701. A first key is kept private and is used by repository-1 to encrypt messages. The second key is a public key used by repository-2 to decrypt messages. The second key is encrypted using the public key of repository-2, step 1702, and is sent to repository-2, step 1703. Upon receipt, repository-2 decrypts the second key, step 1704. The second key is used to decrypt messages in subsequent communications. When each repository has completed this step, they are both convinced that the other repository is bona fide and that they are communicating with the original. Each repository has given the other a key to be used in decrypting further communications during the session. Since that key is itself transmitted in the public key of the receiving repository, only it will be able to decrypt the key which is used to decrypt subsequent messages.

After the session information is exchanged, the repositories must synchronize their clocks. Clock synchronization is used by the repositories to establish an agreed upon time base for the financial records of their mutual transactions. Referring back to FIG. 17, repository-2 initiates clock synchronization by generating a time stamp exchange message, step 1705, and transmits it to repository-1, step 1706. Upon receipt, repository-1 generates its own time stamp message, step 1707, and transmits it back to repository-2, step 1708. Repository-2 notes the current time, step 1709, and stores the time received from repository-1, step 1710. The current time is compared to the time received from repository-1, step 1711. The difference is then checked to see if it exceeds a predetermined tolerance (e.g. one minute), step 1712. If it does, repository-2 terminates the transaction as this may indicate tampering with the repository, step 1713. If not, repository-2 computes an adjusted time delta, step 1714. The adjusted time delta is the difference between the clock time of repository-2 and the average of the times from repository-1 and repository-2.

To achieve greater accuracy, repository-2 can request the time again up to a fixed number of times (e.g. five times), repeat the clock synchronization steps, and average the results.

A second session initiation transaction is a Login transaction. The Login transaction is used to check the authenticity of a user requesting a transaction. A Login transaction is particularly prudent for the authorization of financial transactions that will be charged to a credit server. The Login transaction involves an interaction between the user at a user interface and the credit server associated with a repository. The information exchanged here is a login string supplied by the repository/credit server to identify itself to the user, and a Personal Identification Number (PIN) provided by the user to identify himself to the credit server. In the event that the user is accessing a credit server on a repository different from the one on which the user interface resides, exchange of the information would be encrypted using the public and private keys of the respective repositories.

Billing Transactions

Billing Transactions are concerned with monetary transactions with a credit server. Billing Transactions are carried out when all other conditions are satisfied and a usage fee is required for granting the request. For the most part, billing transactions are well understood in the state of the art. These transactions are between a repository and a credit server, or between a credit server and a billing clearinghouse. Briefly, the required transactions include the following:

Registration and LOGIN transactions by which the repository and user establish their bona-fides to a credit
server. These transactions would be entirely internal in cases where the repository and credit server are implemented as a single system.

Registration and LOGIN transactions, by which a credit server establishes its bona fides to a billing clearinghouse.

An Assign-fee transaction to assign a charge. The information in this transaction would include a transaction identifier, the identities of the repositories in the transaction, and a list of charges from the parts of the digital work. If there has been any unusual event in the transaction such as an interruption of communications, that information is included as well.

A Begin-charges transaction to assign a charge. This transaction is much the same as an assign-fee transaction except that it is used for metered use. It includes the same information as the assign-fee transaction as well as the usage fee information. The credit server is then responsible for running a clock.

An End-charges transaction to end a charge for metered use. (In a variation on this approach, the repositories would exchange periodic charge information for each block of time.)

A Report-charges transaction between a personal credit server and a billing clearinghouse. This transaction is invoked at least once per billing period. It is used to pass along information about charges. On debit and credit cards, this transaction would also be used to update balance information and credit limits as needed.

All billing transactions are given a transaction ID and are reported to the credit servers by both the server and the client. This reduces possible loss of billing information if one of the parties to a transaction loses a banking card and provides a check against tampering with the system.

Usage Transactions

After the session initiation transactions have been completed, the usage request may then be processed. To simplify the description of the steps carried out in processing a usage request, the term requester is used to refer to a repository in the requester mode which is initiating a request, and the term server is used to refer to a repository in the server mode and which contains the desired digital work. In many cases, such as requests to print or view a work, the requester and server may be the same device and the transactions described in the following would be entirely internal. In such instances, certain transaction steps, such as the registration transaction, need not be performed.

There are some common steps that are part of the semantics of all of the usage rights transactions. These steps are referred to as the common transaction steps. There are two sets: the "opening" steps and the "closing" steps. For simplicity, these are listed here rather than repeating them in the descriptions of all of the usage rights transactions.

Transactions can refer to a part of a digital work, a complete digital work, or a digital work containing other digital works. Although not described in detail herein, a transaction may even refer to a folder comprised of a plurality of digital works. The term "work" is used to refer to whatever portion or set of digital works is being accessed.

Many of the steps here involve determining if certain conditions are satisfied. Recall that each usage right may have one or more conditions which must be satisfied before the right can be exercised. Digital works have parts and parts have parts. Different parts can have different rights and fees. Thus, it is necessary to verify that the requirements are met for ALL of the parts that are involved in a transaction. For brevity, when reference is made to checking whether the rights exist and conditions for exercising are satisfied, it is meant that all such checking takes place for each of the relevant parts of the work.

FIG. 18 illustrates the initial common opening and closing steps for a transaction. At this point it is assumed that registration has occurred and that a "trusted" session is in place. General tests are tests on usage rights associated with the folder containing the work or some containing folder higher in the file system hierarchy. These tests correspond to requirements imposed on the work as a consequence of its being on the particular repository, as opposed to being attached to the work itself. Referring to FIG. 18, prior to initiating a usage transaction, the requester performs any general tests that are required before the right associated with the transaction can be exercised, step 1801. For example, install, uninstall and delete rights may be implemented to require that a requester have an authorization certificate before the right can be exercised. Another example is the requirement that a digital ticket be present and punched before a digital work may be copied to a requester. If any of the general tests fail, the transaction is not initiated, step 1802. Assuming that such required tests are passed, upon receiving the usage request, the server generates a transaction identifier that is used in records or reports of the transaction, step 1803. The server then checks whether the digital work has been granted the right corresponding to the requested transaction, step 1804. If the digital work has not been granted the right corresponding to the request, the transaction terminates, step 1805. If the digital work has been granted the requested right, the server then determines if the various conditions for exercising the right are satisfied. Time based conditions are examined, step 1806. These conditions are checked by examining the time specification for the version of the right. If any of the conditions are not satisfied, the transaction terminates per step 1805.

Assuming that the time based conditions are satisfied, the server checks security and access conditions, step 1807. Such security and access conditions are satisfied if: 1) the requester is at the specified security class, or a higher security class, 2) the server satisfies any specified authorization test and 3) the requester satisfies any specified authorization tests and has any required digital tickets. If any of the conditions are not satisfied, the transaction terminates per step 1805.

Assuming that the security and access conditions are all satisfied, the server checks the copy count condition, step 1808. If the copy count equals zero, then the transaction cannot be completed and the transaction terminates per step 1805.

Assuming that the copy count does not equal zero, the server checks if the copies in use for the requested right are greater than or equal to any copy count for the requested right (or relevant parts), step 1809. If the copies in use are greater than or equal to the copy count, this indicates that usage rights for the version of the transaction have been exhausted. Accordingly, the server terminates the transaction, step 1805. If the copy count is less than the copies in use for the transaction the transaction can continue, and the copies in use would be incremented by the number of digital works requested in the transaction, step 1810.

The server then checks if the digital work has a "Loan" access right, step 1811. The "Loan" access right is a special case since remaining rights may be present even though all copies are loaned out. If the digital work has the "Loan" access right, a check is made to see if all copies have been
US 6,963,859 B2
31
32
loaned out, step 1812. The number of copies that could be loaned is the sum of the Copy-Counts for all of the versions of the loan right of the digital work. For a composite work, the relevant figure is the minimal such sum of each of the components of the composite work. If all copies have been loaned out, the remaining rights are determined, step 1813. The remaining rights are determined from the Remaining-Rights specifications of the versions of the Loan right. If there is only one version of the Loan right, then the determination is simple. The remaining rights are the ones specified in that version of the Loan right, or none if Remaining-Rights: is not specified. If there are multiple versions of the Loan right and all copies of all of the versions are loaned out, then the remaining rights are taken as the minimum set (intersection) of remaining rights across all of the versions of the loan right. The server then determines if the requested right is in the set of remaining rights, step 1814. If the requested right is not in the set of remaining rights, the server terminates the transaction, step 1805.

If Loan is not a usage right for the digital work, or if not all copies have been loaned out, or if the requested right is in the set of remaining rights, fee conditions for the right are then checked, step 1815. This will initiate various financial transactions between the repository and its associated credit server. Further, any metering of usage of a digital work will commence. If any financial transaction fails, the transaction terminates per step 1805.

FIG. 19 is a state diagram showing steps in the process of transmitting information during a transaction. Each box represents a state of a repository in either the server mode (above the central dotted line 1901) or in the requester mode (below the dotted line 1901). Solid arrows stand for transitions between states. Dashed arrows stand for message communications between the repositories. A dashed message arrow pointing to a solid transition arrow is interpreted as meaning that the transition takes place when the message is received. Unlabeled transition arrows take place unconditionally. Other labels on state transition arrows describe conditions that trigger the transition.

Referring now to FIG. 19, the server is initially in a state 1902 where a new transaction is initiated via start message 1903. This message includes transaction information including a transaction identifier and a count of the blocks of data to be transferred. The requester, initially in a wait state 1904, then enters a data wait state 1905.

The server enters a data transmit state 1906 and transmits a block of data 1907 and then enters a wait for acknowledgement state 1908. As the data is received, the requester enters a data receive state 1909 and when the data block is completely received it enters an acknowledgement state 1910 and transmits an Acknowledgement message 1911 to the server.
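The opening checks of steps 1809 to 1815 described above (copies in use against the Copy-Count, the Loan special case with its Remaining-Rights intersection across versions, membership of the requested right, and the fee check), together with the copies-in-use decrement of closing step 1817, as an added example in Python. This is not code from the patent; the rights-store layout, the function names and the callback standing in for the credit server are assumptions of the example, and it counts the copies being requested in the step-1809 comparison, which the page does not.

```python
"""Common opening checks (steps 1809-1815) and the closing decrement (step 1817)
for a usage-rights transaction. Added example, not part of the patent text;
the rights-store layout and the function names are assumptions of this example.
"""
from dataclasses import dataclass, field
from typing import Optional


class TransactionTerminated(Exception):
    """A check failed: the transaction terminates (step 1805)."""


@dataclass
class RightVersion:
    copy_count: int                                  # Copy-Count of this version
    remaining_rights: Optional[frozenset] = None     # Remaining-Rights: (Loan only); None = unspecified


@dataclass
class Work:
    rights: dict                                     # right name -> list[RightVersion]
    copies_in_use: dict = field(default_factory=dict)   # right name -> copies in use


def total_copy_count(work: Work, right: str) -> int:
    """Sum of Copy-Counts over the versions of a right (the page states the sum
    for Loan; this example applies it to every right, an assumption)."""
    return sum(v.copy_count for v in work.rights.get(right, []))


def all_copies_loaned_out(work: Work) -> bool:
    """Step 1812: true once copies in use under Loan reach the loanable total."""
    loanable = total_copy_count(work, "Loan")
    return loanable > 0 and work.copies_in_use.get("Loan", 0) >= loanable


def remaining_rights(work: Work) -> frozenset:
    """Step 1813: one Loan version gives its Remaining-Rights (none if the field
    is unspecified); several versions give the intersection across all of them."""
    sets = [v.remaining_rights or frozenset() for v in work.rights.get("Loan", [])]
    if not sets:
        return frozenset()
    result = sets[0]
    for s in sets[1:]:
        result &= s
    return result


def open_transaction(work: Work, right: str, n_copies: int, fee_ok=lambda right: True) -> int:
    """Steps 1809-1815; returns the new copies-in-use count for the right.
    The checks run before the step-1810 increment (the page says their order
    is not fixed), so a failed check leaves nothing to undo."""
    if right not in work.rights:
        raise TransactionTerminated(f"work has no {right!r} right")
    in_use = work.copies_in_use.get(right, 0)
    # Step 1809. The page compares copies in use with the Copy-Count; counting
    # the copies requested as well keeps a multi-copy request from oversubscribing.
    if in_use + n_copies > total_copy_count(work, right):
        raise TransactionTerminated(f"{right!r} exhausted: {in_use} in use")
    # Steps 1811-1814: with every copy loaned out, only the remaining rights survive.
    if "Loan" in work.rights and all_copies_loaned_out(work) and right not in remaining_rights(work):
        raise TransactionTerminated(f"{right!r} not among remaining rights")
    if not fee_ok(right):                            # step 1815: credit server declined
        raise TransactionTerminated("financial transaction failed")
    work.copies_in_use[right] = in_use + n_copies    # step 1810
    return work.copies_in_use[right]


def close_transaction(work: Work, right: str, n_copies: int) -> int:
    """Step 1817: release the copies reserved at step 1810."""
    work.copies_in_use[right] = work.copies_in_use.get(right, 0) - n_copies
    return work.copies_in_use[right]


def sample_work() -> Work:
    """Constructed sample: two Loan versions whose Remaining-Rights differ,
    plus Play and Print rights."""
    return Work(rights={
        "Loan": [RightVersion(1, frozenset({"Play", "Print"})),
                 RightVersion(1, frozenset({"Play"}))],
        "Play": [RightVersion(3)],
        "Print": [RightVersion(1)],
    })


def demo() -> list:
    """Run a few requests against the sample work and report how each ended."""
    work, log = sample_work(), []
    open_transaction(work, "Loan", 2)                # both loanable copies go out
    log.append(("Loan", "ok"))
    for right in ("Play", "Print"):                  # Play is in the intersection, Print is not
        try:
            open_transaction(work, right, 1)
            log.append((right, "ok"))
        except TransactionTerminated as err:
            log.append((right, str(err)))
    try:                                             # credit server declines the fee
        open_transaction(work, "Play", 1, fee_ok=lambda r: False)
        log.append(("Play-fee", "ok"))
    except TransactionTerminated as err:
        log.append(("Play-fee", str(err)))
    close_transaction(work, "Play", 1)               # closing step for the Play that succeeded
    return log
```

`demo()` shows Print being refused once both loanable copies are out, because only Play survives the intersection of the two Loan versions' Remaining-Rights, and shows a declined fee terminating the transaction without touching the copies-in-use count.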
It should be noted that the order in which the conditions are checked need not follow the order of steps 1806-1815.

At this point, right specific steps are now performed and are represented here as step 1816. The right specific steps are described in greater detail below.

The common closing transaction steps are now performed. Each of the closing transaction steps is performed by the server after a successful completion of a transaction. Referring back to FIG. 18, the copies in use value for the requested right is decremented by the number of copies involved in the transaction, step 1817. Next, if the right had a metered usage fee specification, the server subtracts the elapsed time from the Remaining-Use-Time associated with the right for every part involved in the transaction, step 1818. Finally, if there are fee specifications associated with the right, the server initiates an End-Charge financial transaction to confirm billing, step 1819.

Transmission Protocol

An important area to consider is the transmission of the digital work from the server to the requester. The transmission protocol described herein refers to events occurring after a valid session has been created. The transmission protocol must handle the case of disruption in the communications between the repositories. It is assumed that interference such as injecting noise on the communication channel can be detected by the integrity checks (e.g., parity, checksum, etc.) that are built into the transport protocol and are not discussed in detail herein.

The underlying goal in the transmission protocol is to preclude certain failure modes, such as malicious or accidental interference on the communications channel. Suppose, for example, that a user pulls a card with the credit server at a specific time near the end of a transaction. There should not be a vulnerable time at which "pulling the card" causes the repositories to fail to correctly account for the number of copies of the work that have been created. Restated, there should be no time at which a party can break a connection as a means to avoid payment after using a digital work.

If a transaction is interrupted (and fails), both repositories restore the digital works and accounts to their state prior to the failure, modulo records of the failure itself.

If there are more blocks to send, the server waits until receiving an Acknowledgement message from the requester. When an Acknowledgement message is received it sends the next block to the requester and again waits for acknowledgement. The requester also repeats the same cycle of states.

If the server detects a communications failure before sending the last block, it enters a cancellation state 1912 wherein the transaction is cancelled. Similarly, if the requester detects a communications failure before receiving the last block it enters a cancellation state 1913.

If there are no more blocks to send, the server commits to the transaction and waits for the final Acknowledgement in state 1914. If there is a communications failure before the server receives the final Acknowledgement message, it still commits to the transaction but includes a report about the event to its credit server in state 1915. This report serves two purposes. It will help legitimize any claims by a user of having been billed for receiving digital works that were not completely received. Also it helps to identify repositories and communications lines that have suspicious patterns of use and interruption. The server then enters its completion state 1916.

On the requester side, when there are no more blocks to receive, the requester commits to the transaction in state 1917. If the requester detects a communications failure at this state, it reports the failure to its credit server in state 1918, but still commits to the transaction. When it has committed, it sends an acknowledgement message to the server. The server then enters its completion state 1919.

The key property is that both the server and the requester cancel a transaction if it is interrupted before all of the data blocks are delivered, and commit to it if all of the data blocks have been delivered.

There is a possibility that the server will have sent all of the data blocks (and committed) but the requester will not have received all of them and will cancel the transaction. In this case, both repositories will presumably detect a communications failure and report it to their credit server. This case will probably be rare since it depends on very precise timing of the communications failure. The only consequence will be that the user at the requester repository may want to
request a refund from the credit services, and the case for that refund will be documented by reports by both repositories.

To prevent loss of data, the server should not delete any transferred digital work until receiving the final acknowledgement from the requester. But it also should not use the file. A well known way to deal with this situation is called "two-phase commit" or 2PC.

Two-phase commit works as follows. The first phase works the same as the method described above. The server sends all of the data to the requester. Both repositories mark the transaction (and appropriate files) as uncommitted. The server sends a ready-to-commit message to the requester. The requester sends back an acknowledgement. The server then commits and sends the requester a commit message. When the requester receives the commit message, it commits the file.

If there is a communication failure or other crash, the requester must check back with the server to determine the status of the transaction. The server has the last word on this. The requester may have received all of the data, but if it did not get the final message, it has not committed. The server can go ahead and delete files (except for transaction records) once it commits, since the files are known to have been fully transmitted before starting the 2PC cycle.

There are variations known in the art which can be used to achieve the same effect. For example, the server could use an additional level of encryption when transmitting a work to a client. Only after the client sends a message acknowledging receipt does it send the key. The client then agrees to pay for the digital work. The point of this variation is that it provides a clear audit trail that the client received the work. For trusted systems, however, this variation adds a level of encryption for no real gain in accountability.

The transactions for specific usage rights are now discussed.

The Transfer Transaction

A Transfer transaction is a request to move copies of the work with the same or lesser usage rights to another repository. In contrast with a copy transaction, this results in removing the work copies from the server.

The requester sends the server a message to initiate the Transfer Transaction. This message indicates the work to be transferred, the version of the transfer right to be used in the transaction, the destination address information for placing the work, the file data for the work, and the number of copies involved.

The repositories perform the common opening transaction steps.

The server transmits the requested contents and data to the requester according to the transmission protocol. If a Next-Set-Of-Rights has been provided, those rights are transmitted as the rights for the work. Otherwise, the rights of the original are transmitted. In either case, the Copy-Count field for the transmitted rights is set to the number-of-copies requested.

The requester records the work contents, data, and usage rights and stores the work.

The server decrements its copy count by the number of copies involved in the transaction.

The repositories perform the common closing transaction steps.

If the number of copies remaining in the server is now zero, it erases the digital work from its memory.

The Loan Transaction

A loan transaction is a mechanism for loaning copies of a digital work. The maximum duration of the loan is determined by an internal parameter of the digital work. Works are automatically returned after a predetermined time period.
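The transmission protocol of FIG. 19 with the two-phase commit ending, both described above under Transmission Protocol, as an added example in Python that simulates both repositories over one in-memory link and breaks the link after any chosen number of messages. This is not code from the patent; the message names, the Link class, the state labels attached to each side and the transfer-style deletion of the server's copy on commit are assumptions of the example.

```python
"""FIG. 19 block transfer followed by two-phase commit, with failure injection.

Added example, not part of the patent. Message names, the Link class and the
choice to delete the server's copy on commit are this example's assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional


class LinkFailure(Exception):
    """The communications channel dropped (for instance, the user pulled the card)."""


@dataclass
class Link:
    """In-memory channel. The (fail_after+1)-th message raises LinkFailure;
    fail_after=None means the link never fails."""
    fail_after: Optional[int] = None
    delivered: int = 0

    def send(self, msg):
        if self.fail_after is not None and self.delivered >= self.fail_after:
            raise LinkFailure(f"link down after {self.delivered} messages")
        self.delivered += 1
        return msg


@dataclass
class Repository:
    """State shared by the server and requester roles of FIG. 19."""
    committed: Optional[bool] = None          # None = transaction still open
    state: str = ""                           # FIG. 19 state label
    reports: list = field(default_factory=list)   # reports sent to the credit server


@dataclass
class Server(Repository):
    blocks: list = field(default_factory=list)
    work_deleted: bool = False                # transfer semantics: delete only after commit


@dataclass
class Requester(Repository):
    received: list = field(default_factory=list)

    def check_back(self, server: "Server") -> None:
        """After a failure in phase two, the server has the last word."""
        if server.committed:
            self.committed, self.state = True, "1917"
        else:
            self.cancel()

    def cancel(self) -> None:
        self.received.clear()                 # restore state prior to the failure
        self.committed, self.state = False, "1913"


def run_transaction(blocks: list, fail_after: Optional[int]) -> tuple:
    """One transaction (at least one block) over a link that dies after
    fail_after messages. Returns (server, requester) after both have settled."""
    link, srv, req = Link(fail_after), Server(blocks=list(blocks)), Requester()
    srv.state, req.state = "1902", "1904"
    n = len(blocks)
    try:
        link.send(("start", "tx-1", n))                       # 1903
        req.state = "1905"
        for blk in srv.blocks:                                # phase one: data/ack cycle
            srv.state = "1906"
            req.received.append(link.send(("data", blk))[1])   # 1907 received in 1909
            srv.state, req.state = "1908", "1910"
            link.send(("ack",))                               # 1911
        # phase two: both sides are still uncommitted until the 2PC messages land
        link.send(("ready-to-commit",))
        link.send(("ack",))
        srv.committed, srv.work_deleted, srv.state = True, True, "1914"
        link.send(("commit",))
        req.committed, req.state = True, "1917"
        srv.state = "1919"
    except LinkFailure as err:
        if len(req.received) < n:
            # interrupted before the last block: both sides cancel (1912 / 1913)
            srv.committed, srv.state = False, "1912"
            req.cancel()
        else:
            # all blocks delivered: both report the event (1915 / 1918) and the
            # requester asks the server which way the transaction went
            srv.reports.append(str(err))
            req.reports.append(str(err))
            if srv.committed is None:
                srv.committed, srv.state = False, "1912"
            req.check_back(srv)
    return srv, req


def accounting_consistent(blocks: list) -> bool:
    """Break the link at every possible point. The two sides must finish with
    the same commit decision, the requester must hold the blocks exactly when
    it committed, and the server's copy must survive until it commits."""
    total_messages = 1 + 2 * len(blocks) + 3
    for k in list(range(total_messages)) + [None]:
        srv, req = run_transaction(blocks, k)
        if srv.committed != req.committed:
            return False
        if bool(req.received) != req.committed:
            return False
        if srv.work_deleted != srv.committed:
            return False
    return True
```

`accounting_consistent` is the "pulling the card" property in executable form: a break before the last block cancels both sides, a break between the last block and the server's commit leaves the work with the server, and a break that only loses the commit message is repaired when the requester checks back and learns that the server had already committed.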
The Copy Transaction

A Copy transaction is a request to make one or more independent copies of the work with the same or lesser usage rights. Copy differs from the extraction right discussed later in that it refers to entire digital works or entire folders containing digital works. A copy operation cannot be used to remove a portion of a digital work.

The requester sends the server a message to initiate the Copy Transaction. This message indicates the work to be copied, the version of the copy right to be used for the transaction, the destination address information (location in a folder) for placing the work, the file data for the work (including its size), and the number of copies requested.

The repositories perform the common opening transaction steps.

The server transmits the requested contents and data to the client according to the transmission protocol. If a Next-Set-Of-Rights has been provided in the version of the right, those rights are transmitted as the rights for the work. Otherwise, the rights of the original are transmitted. In any event, the Copy-Count field for the right of the copy of the digital work being sent is set to the number-of-copies requested.

The requester records the work contents, data, and usage rights and stores the work. It records the date and time that the copy was made in the properties of the digital work.

The repositories perform the common closing transaction steps.

The requester sends the server a message to initiate the Loan Transaction. This message indicates the work to be loaned, the version of the loan right to be used in the transaction, the destination address information for placing the work, the number of copies involved, the file data for the work, and the period of the loan.

The server checks the validity of the requested loan period, and ends with an error if the period is not valid. Loans for a loaned copy cannot extend beyond the period of the original loan to the server.

The repositories perform the common opening transaction steps.

The server transmits the requested contents and data to the requester. If a Next-Set-Of-Rights has been provided, those rights are transmitted as the rights for the work. Otherwise, the rights of the original are transmitted, as modified to reflect the loan period.

The requester records the digital work contents, data, usage rights, and loan period and stores the work.

The server updates the usage rights information in the digital work to reflect the number of copies loaned out.

The repositories perform the common closing transaction steps.

The server updates the usage rights data for the digital work. This may preclude use of the work until it is returned from the loan. The user on the requester platform can now use the transferred copies of the digital work. A user accessing the original repository cannot use the digital work, unless there are copies remaining. What happens next depends on the order of events in time.
Case 1. If the time of the loan period is not yet exhausted and the requester sends the repository a Return message.

The return message includes the requester identification, and the transaction ID.

The server decrements the copies-in-use field by the number of copies that were returned. (If the number of digital works returned is greater than the number actually borrowed, this is treated as an error.) This step may now make the work available at the server for other users.

The requester deactivates its copies and removes the contents from its memory.

Case 2. If the time of the loan period is exhausted and the requester has not yet sent a Return message.

The server decrements the copies-in-use field by the number of digital works that were borrowed.

The requester automatically deactivates its copies of the digital work. It terminates all current uses and erases the digital work copies from memory. One question is why a requester would ever return a work earlier than the period of the loan, since it would be returned automatically anyway. One reason for early return is that there may be a metered fee which determines the cost of the loan. Returning early may reduce that fee.

The Play Transaction

A play transaction is a request to use the contents of a work. Typically, to "play" a work is to send the digital work through some kind of transducer, such as a speaker or a display device. The request implies the intention that the contents will not be communicated digitally to any other system. For example, they will not be sent to a printer, recorded on any digital medium, retained after the transaction or sent to another repository.

This term "play" is natural for examples like playing music, playing a movie, or playing a video game. The general form of play means that a "player" is used to use the digital work. However, the term play covers all media and kinds of recordings. Thus one would "play" a digital work, meaning to render it for reading, or play a computer program, meaning to execute it. For a digital ticket the player would be a digital ticket agent.

The requester sends the server a message to initiate the play transaction. This message indicates the work to be played, the version of the play right to be used in the transaction, the identity of the player being used, and the file data for the work.

The server checks the validity of the player identification and the compatibility of the player identification with the player specification in the right. It ends with an error if these are not satisfactory.

The repositories perform the common opening transaction steps.

The server and requester read and write the blocks of data as requested by the player according to the transmission protocol. The requester plays the work contents, using the player.

When the player is finished, the player and the requester remove the contents from their memory.

The repositories perform the common closing transaction steps.

The Print Transaction

A Print transaction is a request to obtain the contents of a work for the purpose of rendering them on a "printer." We use the term "printer" to include the common case of writing with ink on paper. However, the key aspect of "printing" in our use of the term is that it makes a copy of the digital work in a place outside of the protection of usage rights. As with all rights, this may require particular authorization certificates.

Once a digital work is printed, the publisher and user are bound by whatever copyright laws are in effect. However, printing moves the contents outside the control of repositories. For example, absent any other enforcement mechanisms, once a digital work is printed on paper, it can be copied on ordinary photocopying machines without intervention by a repository to collect usage fees. If the printer to a digital disk is permitted, then that digital copy is outside of the control of usage rights. Both the creator and the user know this, although the creator does not necessarily give tacit consent to such copying, which may violate copyright laws.

The requester sends the server a message to initiate a Print transaction. This message indicates the work to be printed, the identity of the printer being used, the file data for the work, and the number of copies in the request.

The server checks the validity of the printer identification and the compatibility of the printer identification with the printer specification in the right. It ends with an error if these are not satisfactory.

The repositories perform the common opening transaction steps.

The server transmits blocks of data according to the transmission protocol.

The requester prints the work contents, using the printer.

When the printer is finished, the printer and the requester remove the contents from their memory.

The repositories perform the common closing transaction steps.

The Backup Transaction

A Backup transaction is a request to make a backup copy of a digital work, as a protection against media failure. In the context of repositories, secure backup copies differ from other copies in three ways: (1) they are made under the control of a Backup transaction rather than a Copy transaction, (2) they do not count as regular copies, and (3) they are not usable as regular copies. Generally, backup copies are encrypted.

Although backup copies may be transferred or copied, depending on their assigned rights, the only way to make them useful for playing, printing or embedding is to restore them.

The output of a Backup operation is both an encrypted data file that contains the contents and description of a work, and a restoration file with an encryption key for restoring the encrypted contents. In many cases, the encrypted data file would have rights for "printing" it to a disk outside of the protection system, relying just on its encryption for security. Such files could be stored anywhere that was physically safe and convenient. The restoration file would be held in the repository. This file is necessary for the restoration of a backup copy. It may have rights for transfer between repositories.

The requester sends the server a message to initiate a backup transaction. This message indicates the work to be backed up, the version of the backup right to be used in the transaction, the destination address information for placing the backup copy, and the file data for the work.

The repositories perform the common opening transaction steps.
The server transmits the requested contents and data to the requester. If a Next-Set-Of-Rights has been provided, those rights are transmitted as the rights for the work. Otherwise, a set of default rights for backup files of the original are transmitted by the server.

The requester records the work contents, data, and usage rights. It then creates a one-time key and encrypts the contents file. It saves the key information in a restoration file.

The repositories perform the common closing transaction steps.

In some cases, it is convenient to be able to archive the large, encrypted contents file to secure offline storage, such as a magneto-optical storage system or magnetic tape. This creation of a non-repository archive file is as secure as the encryption process. Such non-repository archive storage is considered a form of "printing" and is controlled by a print right with a specified "archive-printer." An archive-printer device is programmed to save the encrypted contents file (but not the description file) offline in such a way that it can be retrieved.

The Restore Transaction

A Restore transaction is a request to convert an encrypted backup copy of a digital work into a usable copy. A restore operation is intended to be used to compensate for catastrophic media failure. Like all usage rights, restoration rights can include fees and access tests including authorization checks.

The requester sends the server a message to initiate a Restore transaction. This message indicates the work to be restored, the version of the restore right for the transaction, the destination address information for placing the work, and the file data for the work.

The server verifies that the contents file is available (i.e. a digital work corresponding to the request has been backed up). If it is not, it ends the transaction with an error.

The repositories perform the common opening transaction steps.

The server retrieves the key from the restoration file. It decrypts the work contents, data, and usage rights.

The server transmits the requested contents and data to the requester according to the transmission protocol. If a Next-Set-Of-Rights has been provided, those rights are transmitted as the rights for the work. Otherwise, a set of default rights for backup files of the original are transmitted by the server.

The requester stores the digital work.

The repositories perform the common closing transaction steps.

The Delete Transaction

A Delete transaction deletes a digital work or a number of copies of a digital work from a repository. Practically all digital works would have delete rights.

The requester sends the server a message to initiate a delete transaction. This message indicates the work to be deleted and the version of the delete right for the transaction.

The repositories perform the common opening transaction steps.

The server deletes the file, erasing it from the file system.

The repositories perform the common closing transaction steps.

The Directory Transaction

A Directory transaction is a request for information about folders, digital works, and their parts. This amounts to roughly the same idea as protection codes in a conventional file system like TENEX, except that it is generalized to the full power of the access specifications of the usage rights language.

The Directory transaction has the important role of passing along descriptions of the rights and fees associated with a digital work. When a user wants to exercise a right, the user interface of his repository implicitly makes a directory request to determine the versions of the right that are available. Typically these are presented to the user with different choices of billing for exercising a right. Thus, many directory transactions are invisible to the user and are exercised as part of the normal process of exercising all rights.

The requester sends the server a message to initiate a Directory transaction. This message indicates the file or folder that is the root of the directory request and the version of the directory right used for the transaction.

The server verifies that the information is accessible to the requester. In particular, it does not return the names of any files that have a HIDE-NAME status in their directory specifications, and it does not return the parts of any folders or files that have HIDE-PARTS in their specification. If the information is not accessible, the server ends the transaction with an error.

The repositories perform the common opening transaction steps.

The server sends the requested data to the requester according to the transmission protocol.

The requester records the data.

The repositories perform the common closing transaction steps.

The Folder Transaction

A Folder transaction is a request to create or rename a folder, or to move a work between folders. Together with Directory rights, Folder rights control the degree to which the organization of a repository can be accessed or modified from another repository.

The requester sends the server a message to initiate a Folder transaction. This message indicates the folder that is the root of the folder request, the version of the folder right for the transaction, an operation, and data. The operation can be one of create, rename, and move file. The data are the specifications required for the operation, such as a specification of a folder or digital work and a name.

The repositories perform the common opening transaction steps.

The server performs the requested operation: creating a folder, renaming a folder, or moving a work between folders.

The repositories perform the common closing transaction steps.

The Extract Transaction

An extract transaction is a request to copy a part of a digital work and to create a new work containing it. The extraction operation differs from copying in that it can be used to separate a part of a digital work from d-blocks or shells that place additional restrictions or fees on it. The extraction operation differs from the edit operation in that it does not change the contents of a work, only its embedding in d-blocks. Extraction creates a new digital work.

The requester sends the server a message to initiate an Extract transaction. This message indicates the part of
the work to be extracted, the version of the extract right to be used in the transaction, the destination address information for placing the part as a new work, the file data for the work, and the number of copies involved.

The repositories perform the common opening transaction steps.

The server transmits the requested contents and data to the requester according to the transmission protocol. If a Next-Set-Of-Rights has been provided, those rights are transmitted as the rights for the new work. Otherwise, the rights of the original are transmitted. The Copy-Count field for this right is set to the number-of-copies requested.

The requester records the contents, data, and usage rights and stores the work. It records the date and time that the new work was made in the properties of the work.

The repositories perform the common closing transaction steps.

The Embed Transaction

An embed transaction is a request to make a digital work become a part of another digital work or to add a shell d-block to enable the adding of fees by a distributor of the work.

The requester sends the server a message to initiate an Embed transaction. This message indicates the work to be embedded, the version of the embed right to be used in the transaction, the destination address information for placing the part as a work, the file data for the work, and the number of copies involved.

The server checks the control specifications for all of the rights in the part and the destination. If they are incompatible, the server ends the transaction with an error.

The repositories perform the common opening transaction steps.

The server transmits the requested contents and data to the requester according to the transmission protocol. If a Next-Set-Of-Rights has been provided, those rights are transmitted as the rights for the new work. Otherwise, the rights of the original are transmitted. The Copy-Count field for this right is set to the number-of-copies requested.

The requester records the contents, data, and usage rights and embeds the work in the destination file.

The repositories perform the common closing transaction steps.

The Edit Transaction

An Edit transaction is a request to make a new digital work by copying, selecting and modifying portions of an existing digital work. This operation can actually change the contents of a digital work. The kinds of changes that are permitted depend on the process being used. Like the extraction operation, edit operates on portions of a digital work. In contrast with the extract operation, edit does not affect the rights or location of the work. It only changes the contents. The kinds of changes permitted are determined by the type specification of the processor specified in the rights. In the currently preferred embodiment, an edit transaction changes the work itself and does not make a new work. However, it would be a reasonable variation to cause a new copy of the work to be made.

The requester sends the server a message to initiate an Edit transaction. This message indicates the work to be edited, the version of the edit right to be used in the transaction, the file data for the work (including its size), the process-ID for the process, and the number of copies involved.

The server checks the compatibility of the process-ID to be used by the requester against any process-ID specification in the right. If they are incompatible, it ends the transaction with an error.

The repositories perform the common opening transaction steps.

The requester uses the process to change the contents of the digital work as desired. (For example, it can select and duplicate parts of it; combine it with other information; or compute functions based on the information. This can amount to editing text, music, or pictures or taking whatever other steps are useful in creating a derivative work.)

The repositories perform the common closing transaction steps.

The edit transaction is used to cover a wide range of kinds of works. The category describes a process that takes as its input any portion of a digital work and then modifies the input in some way. For example, for text, a process for editing the text would require edit rights. A process for "summarizing" or counting words in the text would also be considered editing. For a music file, processing could involve changing the pitch or tempo, or adding reverberations, or any other audio effect. For digital video works, anything which alters the image would require edit rights. Examples would be colorizing, scaling, extracting still photos, selecting and combining frames into story boards, sharpening with signal processing, and so on.

Some creators may want to protect the authenticity of their works by limiting the kinds of processes that can be performed on them. If there are no edit rights, then no processing is allowed at all. A processor identifier can be included to specify what kind of process is allowed. If no process identifier is specified, then arbitrary processors can be used. For an example of a specific process, a photographer may want to allow use of his photograph but may not want it to be colorized. A musician may want to allow extraction of portions of his work but not changing of the tonality.

Authorization Transactions

There are many ways that authorization transactions can be defined. In the following, our preferred way is to simply define them in terms of other transactions that we already need for repositories. Thus, it is convenient sometimes to speak of "authorization transactions," but they are actually made up of other transactions that repositories already have.

A usage right can specify an authorization-ID, which identifies an authorization object (a digital work in a file of a standard format) that the repository must have and which it must process. The authorization is given to the generic authorization (or ticket) server of the repository which begins to interpret the authorization.

As described earlier, the authorization contains a server identifier, which may just be the generic authorization server or it may be another server. When a remote authorization server is required, it must contain a digital address. It may also contain a digital certificate.

If a remote authorization server is required, then the authorization process first performs the following steps:

The generic authorization server attempts to set up the communications channel. (If the channel cannot be set up, then authorization fails with an error.)

When the channel is set up, it performs a registration process with the remote repository. (If registration fails, then the authorization fails with an error.)
US 6,963,859 B2, columns 41-42
When registration is complete, the generic authorization server invokes a "Play" transaction with the remote repository, supplying the authorization document as the digital work to be played, and the remote authorization server (a program) as the "player." (If the player cannot be found or has some other error, then the authorization fails with an error.)

The authorization server then "plays" the authorization. This involves decrypting it using either the public key of the master repository that issued the certificate or the session key from the repository that transmitted it. The authorization server then performs various tests. These tests vary according to the authorization server. They include such steps as checking issue and validity dates of the authorization and checking any hot-lists of known invalid authorizations. The authorization server may require carrying out any other transactions on the repository as well, such as checking directories, getting some person to supply a password, or playing some other digital work. It may also invoke some special process for checking information about locations or recent events. The "script" for such steps is contained within the authorization server.

If all of the required steps are completed satisfactorily, the authorization server completes the transaction normally, signaling that authorization is granted.

The Install Transaction

An Install transaction is a request to install a digital work as runnable software on a repository. In a typical case, the requester repository is a rendering repository and the software would be a new kind or new version of a player. Also in a typical case, the software would be copied to the file system of the requester repository before it is installed.

The requester sends the server an Install message. This message indicates the work to be installed, the version of the Install right being invoked, and the file data for the work (including its size).

The repositories perform the common opening transaction steps.

The requester extracts a copy of the digital certificate for the software. If the certificate cannot be found or the master repository for the certificate is not known to the requester, the transaction ends with an error.

The requester decrypts the digital certificate using the public key of the master repository, recording the identity of the supplier and creator, a key for decrypting the software, the compatibility information, and a tamper-checking code. (This step certifies the software.)

The requester decrypts the software using the key from the certificate and computes a check code on it using a 1-way hash function. If the check-code does not match the tamper-checking code from the certificate, the installation transaction ends with an error. (This step assures that the contents of the software, including the various scripts, have not been tampered with.)

The requester retrieves the instructions in the compatibility-checking script and follows them. If the software is not compatible with the repository, the installation transaction ends with an error. (This step checks platform compatibility.)

The requester retrieves the instructions in the installation script and follows them. If there is an error in this process (such as insufficient resources), then the transaction ends with an error. Note that the installation process puts the runnable software in a place in the repository where it is no longer accessible as a work for exercising any usage rights other than the execution of the software as part of repository operations in carrying out other transactions.

The repositories perform the common closing transaction steps.

The Uninstall Transaction

An Uninstall transaction is a request to remove software from a repository. Since uncontrolled or incorrect removal of software from a repository could compromise its behavioral integrity, this step is controlled.

The requester sends the server an Uninstall message. This message indicates the work to be uninstalled, the version of the Uninstall right being invoked, and the file data for the work (including its size).

The repositories perform the common opening transaction steps.

The requester extracts a copy of the digital certificate for the software. If the certificate cannot be found or the master repository for the certificate is not known to the requester, the transaction ends with an error.

The requester checks whether the software is installed. If the software is not installed, the transaction ends with an error.

The requester decrypts the digital certificate using the public key of the master repository, recording the identity of the supplier and creator, a key for decrypting the software, the compatibility information, and a tamper-checking code. (This step authenticates the certification of the software, including the script for uninstalling it.)

The requester decrypts the software using the key from the certificate and computes a check code on it using a 1-way hash function. If the check-code does not match the tamper-checking code from the certificate, the installation transaction ends with an error. (This step assures that the contents of the software, including the various scripts, have not been tampered with.)

The requester retrieves the instructions in the uninstallation script and follows them. If there is an error in this process (such as insufficient resources), then the transaction ends with an error.

The repositories perform the common closing transaction steps.

Distribution and Use Scenarios

To appreciate the robustness and flexibility of the present invention, various distribution and use scenarios for digital works are illustrated below. These scenarios are meant to be exemplary rather than exhaustive.

Consumers as Unpaid Distributors

In this scenario, a creator distributes copies of his works to various consumers. Each consumer is a potential distributor of the work. If the consumer copies the digital work (usually for a third party), a fee is collected and automatically paid to the creator.

This scenario is a new twist for digital works. It depends on the idea that "manufacturing" is just copying and is essentially free. It also assumes that the consumers as distributors do not require a fee for their time and effort in distributing the work.

This scenario is performed as follows:

A creator creates a digital work. He grants a Copy right with fees paid back to himself. If he does not grant an Embed right, then consumers cannot use the mechanism to act as distributors to cause fees to be paid to themselves on future copies. Of course, they could negotiate side deals or trades to transfer money on their own, outside of the system.
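The certificate handling shared by the Authorization and Install transactions above, as an added example in Go (not the patent's own code): a master repository issues a certificate carrying the fields the Install transaction reads, and the requester refuses to install unless the certificate verifies under a known master's key, is within its dates, is not hot-listed, and the decrypted software hashes to the tamper-checking code. The field names, Ed25519 standing in for the page's "encryption with the private key", AES-CTR for the software and a hot-list keyed by certificate hash are all assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"time"
)

// Certificate is the body the page lists (field names assumed): supplier and creator,
// key for decrypting the software, compatibility info, tamper-checking code and dates.
type Certificate struct {
	Master            string // master repository that issued the certificate
	Supplier, Creator string
	SoftwareKey       []byte // AES-256 key for decrypting the software
	Compatibility     string // platform the software is built for
	TamperCode        []byte // SHA-256 of the plaintext software
	Issued, Expires   time.Time
}

// SignedCertificate is the JSON body plus the master repository's signature; the page
// describes this as "encrypting in the private key", modelled here as Ed25519.
type SignedCertificate struct{ Body, Sig []byte }

// Requester is the repository performing the transaction: the master public keys it
// trusts, a hot-list of revoked certificates (keyed by body hash) and its platform.
type Requester struct {
	Masters  map[string]ed25519.PublicKey
	HotList  map[[32]byte]bool
	Platform string
}

// IssueCertificate is the master repository's side: encode and sign the body.
func IssueCertificate(priv ed25519.PrivateKey, c Certificate) (SignedCertificate, error) {
	body, err := json.Marshal(c)
	if err != nil {
		return SignedCertificate{}, err
	}
	return SignedCertificate{Body: body, Sig: ed25519.Sign(priv, body)}, nil
}

// Authorize runs the page's tests before a certificate is trusted: known master
// repository, valid signature under its public key, valid dates, not on the hot-list.
func (r *Requester) Authorize(sc SignedCertificate, now time.Time) (*Certificate, error) {
	var c Certificate
	if err := json.Unmarshal(sc.Body, &c); err != nil {
		return nil, errors.New("certificate cannot be decoded")
	}
	if pub, known := r.Masters[c.Master]; !known || !ed25519.Verify(pub, sc.Body, sc.Sig) {
		return nil, errors.New("master repository unknown or certificate does not verify")
	}
	if now.Before(c.Issued) || now.After(c.Expires) {
		return nil, errors.New("authorization outside its validity dates")
	}
	if r.HotList[sha256.Sum256(sc.Body)] {
		return nil, errors.New("authorization is on the hot-list")
	}
	return &c, nil
}

// ApplyCTR runs AES-CTR under key with the given IV; CTR is symmetric, so one call
// encrypts and decrypts. CTR has no integrity: as on the page, the signed hash does.
func ApplyCTR(key, iv, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(data))
	cipher.NewCTR(block, iv).XORKeyStream(out, data)
	return out, nil
}

// Install follows the Install transaction: check the certificate, decrypt the software
// (IV prepended) with its key, compare the 1-way hash to the tamper code, check platform.
func (r *Requester) Install(sc SignedCertificate, sealed []byte, now time.Time) ([]byte, error) {
	c, err := r.Authorize(sc, now)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aes.BlockSize {
		return nil, errors.New("software file too short")
	}
	plain, err := ApplyCTR(c.SoftwareKey, sealed[:aes.BlockSize], sealed[aes.BlockSize:])
	if err != nil {
		return nil, err
	}
	if sum := sha256.Sum256(plain); !bytes.Equal(sum[:], c.TamperCode) {
		return nil, errors.New("check code does not match tamper-checking code")
	}
	if c.Compatibility != r.Platform {
		return nil, errors.New("software is not compatible with this repository")
	}
	return plain, nil
}
```

A software image encrypted under the right key but differing from what the master repository certified still fails at the hash comparison, which is the check that matters: the key only makes the bytes readable, the signed tamper-checking code is what vouches for them.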
Paid Distributors

In another scenario, every time a copy of a digital work is sold a fee is paid to the creator and also to the immediate distributor.

This scenario does not give special status to any particular distributor. Anyone who sells a document has the right to add a fee to the sale price. The fee for sale could be established by the consumer. It could also be a fixed nominal amount that is contributed to the account of some charity.

This scenario is performed as follows:

A creator creates a digital work. He grants a Copy right with fees to be paid back to himself. He grants an Embed right, so that anyone can add shells to have fees paid to themselves.

A distributor embeds the work in a shell, with fees specified to be paid back to himself. If the distributor is content to receive fees only for copies that he sells himself, he grants an Extract right on the shell.

When a consumer buys a copy from the distributor, fees are paid both to the distributor and to the creator. If he chooses, the consumer can extract the work from the distributor's shell. He cannot extract it from the creator's shell. He can add his own shell with fees to be paid to himself.

Licensed Distribution

In this scenario, a creator wants to protect the reputation and value of his work by making certain requirements on its distributors. He issues licenses to distributors that satisfy the requirements, and in turn, promises to reward their efforts by assuring that the work will not be distributed over competing channels. The distributors incur expenses for selecting the digital work, explaining it to buyers, promoting its sale, and possibly for the license itself. The distributor obtains the right to enclose the digital work in a shell, whose function is to permit the attachment of usage fees to be paid to the distributor in addition to the fees to be paid to the creator.

This differs from the previous scenario in that it precludes the typical copy owner from functioning as a distributor, since the consumer lacks a license to copy the document. Thus, a consumer cannot make copies, even for free. All copies must come initially from authorized distributors. This version makes it possible to hold distributors accountable in some way for the sales and support of the work, by controlling the distribution of certificates that enable distributors to legitimately charge fees and copy owners to make copies. Since licenses are themselves digital works, the same mechanisms give the creators control over distributors by charging for licenses and putting time limits on their validity.

This scenario is performed as follows:

A creator purchases a digital distribution license that he will hand out to his distributors. He puts access requirements (such as a personal license) on the Copy and Transfer rights on the distribution license so that only he can copy or transfer it.

The creator also creates a digital work. He grants an Embed right and a Copy right, both of which require the distribution license to be exercised. He grants a Play right so that the work can be played by anyone. He may optionally add a Transfer or Loan right, so that end consumers can do some non-commercial exchange of the work among friends.

A distributor obtains the distribution license and a number of copies of the work. He makes copies for his customers, using his distribution license.

A customer buys and uses the work. He cannot make new copies because he lacks a distribution license.

Super Distributors

This is a variation on the previous scenarios. A distributor can sell to anyone and anyone can sell additional copies, resulting in fees being paid back to the creator. However, only licensed distributors can add fees to be paid to themselves.

This scenario gives distributors the right to add fees to cover their own advertising and promotional costs, without making them the sole suppliers. Their customers can also make copies, thus broadening the channel without diminishing their revenues. This is because distributors collect fees from copies of any copies that they originally sold. Only distributors can add fees.

This scenario is performed similarly to the previous ones. There are two key differences. (1) The creator only grants Embed rights for people who have a Distribution license. This is done by putting a requirement for a distributor's license on the Embed right. Consequently, non-distributors cannot add their own fees. (2) The Distributor does not grant Extract rights, so that consumers cannot avoid paying fees to the Distributor if they make subsequent copies. Consequently, all subsequent copies result in fees paid to the Distributor and the Creator.

1-Level Distribution Fees

In this scenario, a distributor gets a fee for any copy he sells directly. However, if one of his customers sells further copies, he gets no further fee for those copies.

This scenario pays a distributor only for use of copies that he actually sold.

This scenario is performed similarly to the previous ones. The key feature is that the distributor creates a shell which specifies fees to be paid to him. He puts Extract rights on the shell. When a consumer buys the work, he can extract away the distributor's shell. Copies made after that will not require fees to be paid to the distributor.

Distribution Trees

In another scenario, distributors sell to other distributors and fees are collected at each level. Every copy sold by any distributor--even several d-blocks down in the chain--results in a fee being paid back to all of the previous distributors.

This scenario is like a chain letter or value chain. Every contributor or distributor along the way obtains fees, and is thereby encouraged to promote the sale of copies of the digital work.

This scenario is performed similarly to the previous ones. The key feature is that the distributor creates a shell which specifies fees to be paid to him. He does not grant Extract rights on the shell. Consequently, all future copies that are made will result in fees paid to him.

Weighted Distribution Trees

In this scenario, distributors make money according to a distribution tree. The fee that they make depends on various parameters, such as time since their sale or the number of subsequent distributors.

This is a generalized version of the Distribution Tree scenario, in that it tries to vary the fee to account for the significance of the role of the distributor.

This scenario is similar to the previous one. The difference is that the fee specification on the distributor's shell has provisions for changes in prices. For example, there could be a fee schedule so that copies made after the passage of time will require lower fees to be paid to the distributor. Alternatively, the distributor could employ a "best-price" billing option, using any algorithm he chooses to determine the fee up to the maximum specified in the shell.
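The shell-and-fee model that the Paid Distributors, Licensed Distribution, Super Distributors and Distribution Trees scenarios share, as an added example in Go (not the patent's own code): a work is the creator's shell plus any distributor shells, Copy charges every shell's fee, Extract strips the outermost shell only where that right was granted, and Copy or Embed is refused where the creator made the right require a distribution license. The Shell, Work and Licenses types and their fields are assumptions of this example; licenses, which the page says are themselves digital works, are reduced to a set of names.

```go
package main

import "errors"

// Party names a creator, distributor or consumer in the scenarios.
type Party string

// Shell is one layer around a work, in the sense the scenarios use: the party paid on
// every copy, and the rights granted on that layer to whoever holds the work.
// Field names are assumptions of this example.
type Shell struct {
	Owner        Party
	CopyFee      int  // paid to Owner each time a copy is made (cents)
	Extractable  bool // Extract right granted: the holder may strip this shell
	CopyLicense  bool // Copy right requires a distribution license
	EmbedLicense bool // Embed right requires a distribution license
}

// Work is the creator's shell followed by any distributor shells, outermost last.
type Work struct{ Shells []Shell }

// Licenses is what a holder can present, reduced here to a set of license names.
type Licenses map[string]bool

// Copy checks the Copy right on every shell, then charges every shell's fee: this is
// why, when no Extract right was granted, every earlier distributor is paid per copy.
func (w Work) Copy(holder Licenses) (map[Party]int, error) {
	for _, s := range w.Shells {
		if s.CopyLicense && !holder["distribution"] {
			return nil, errors.New("Copy right on " + string(s.Owner) + "'s shell requires a distribution license")
		}
	}
	fees := map[Party]int{}
	for _, s := range w.Shells {
		fees[s.Owner] += s.CopyFee
	}
	return fees, nil
}

// Extract strips the outermost distributor shell, allowed only if that shell carries
// an Extract right. The innermost (creator's) shell is never stripped here.
func (w Work) Extract() (Work, error) {
	n := len(w.Shells)
	if n < 2 {
		return w, errors.New("no distributor shell to extract")
	}
	if !w.Shells[n-1].Extractable {
		return w, errors.New("no Extract right on " + string(w.Shells[n-1].Owner) + "'s shell")
	}
	return Work{Shells: append([]Shell(nil), w.Shells[:n-1]...)}, nil
}

// Embed adds a new shell so that its owner is paid on future copies. Every existing
// shell's Embed right is checked; a creator who wants only licensed distributors to
// add fees sets EmbedLicense on his own shell.
func (w Work) Embed(s Shell, holder Licenses) (Work, error) {
	for _, inner := range w.Shells {
		if inner.EmbedLicense && !holder["distribution"] {
			return w, errors.New("Embed right on " + string(inner.Owner) + "'s shell requires a distribution license")
		}
	}
	return Work{Shells: append(append([]Shell(nil), w.Shells...), s)}, nil
}
```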
Fees for Reuse

In this scenario, a first creator creates a work. It is distributed by a first distributor and purchased by a second creator. The second creator extracts a portion of the work and embeds it in a new work distributed by a second distributor. A consumer buys the new work from the second distributor. The first creator receives fees from every transaction; the first distributor receives fees only for his sale; the second creator and second distributor receive fees for the final sale.

This scenario shows how flexible automatic arrangements can be set up to create automatic charging systems that mirror current practice. This scenario is analogous to when an author pays a fee to reuse a figure in some paper. In the most common case, a fee is paid to the creator or publisher, but not to the bookstore that sold the book.

The mechanisms for derived works are the same as those for distribution.

Limited Reuse

In this scenario, several first creators create works. A second creator makes a selection of these, publishing a collection made up of the parts together with some new interstitial material. (For example, the digital work could be a selection of music or a selection of readings.) The second creator wants to continue to allow some of the selected works to be extractable, but not the interstitial material.

This scenario deals with fine-grained control of the rights and fees for reuse.

This scenario is performed as follows:

The first creators create their original works. If they grant extraction and embedding rights, then the second creator can include them in a larger collected work. The second creator creates the interstitial material. He does grant an Extract right on the interstitial material. He grants Extract rights on a subset of the reused material. A consumer of the collection can only extract portions that have that right. Fees are automatically collected for all parts of the collection.

Commercial Libraries

Commercial libraries buy works with the right to loan. They limit the loan period and charge their own fees for use. This scenario deals with fees for loaning rather than fees for making copies. The fees are collected by the same automatic mechanisms.

The mechanisms are the same as previous scenarios except that the fees are associated with the Loan usage right rather than the Copy usage right.

Demo Versions

A creator believes that if people try his work they will want to buy it or use it. Consumers of his work can copy the work for free, and play (or execute) a limited version of the work for free, and can play or use the full-featured version for a fee.

This scenario deals with fees for loaning rather than fees for making copies. The fees are collected by the same automatic mechanisms.

This scenario is performed as follows:

The creator creates a digital work and grants various rights and fees. The creator grants Copy and Embed rights without a fee, in order to ensure widespread distribution of the work. Another of the rights is a limited play right with little or no fee attached. For example, this right may be for playing only a portion of the work. The play right can have various restrictions on its use. It could have a ticket that limits the number of times it is used. It could have internal restrictions that limit its functionality. It could have time restrictions that invalidate the right after a period of time or a period of use. Different fees could be associated with other versions of the Play right.

Upgrading a Digital Work with a Vendor

A consumer buys a digital work together with an agreement that he can upgrade to a new version at a later date for a modest fee, much less than the usual purchase price. When the new version becomes available, he goes to a qualified vendor to make the transaction.

This scenario deals with a common situation in computer software. It shows how a purchase may include future "rights." Two important features of the scenario are that the transaction must take place at a qualified vendor, and that the transaction can be done only once per copy of the digital work purchased.

This scenario is performed as follows:

The creator creates a digital work, an upgrade ticket, and a distribution license. The upgrade ticket uses the generic ticket agent that comes with repositories. As usual, the distribution license does not have Copy or Transfer rights. He distributes bundled copies of the work and the ticket to his distributors as well as distribution licenses.

The distributor sells the old bundled work and ticket to customers.

The customer extracts the work and the ticket. He uses the work according to the agreements until the new version becomes available.

When the new work is ready, the creator gives it to distributors. The new work has a free right to copy from a distributor if a ticket is available.

The consumer goes to distributors and arranges to copy the work. The transaction offers the ticket. The distributor's repository punches the ticket and copies the new version to the consumer's repository.

The consumer can now use the new version of the work.

Distributed Upgrading of Digital Works

A consumer buys a digital work together with an agreement that he can upgrade to a new version at a later date for a modest fee, much less than the usual purchase price. When the new version becomes available, he goes to anyone who has the upgraded version and makes the transaction.

This scenario is like the previous one in that the transaction can only be done once per copy of the digital work purchased, but the transaction can be accomplished without the need to connect to a licensed vendor.

This scenario is similar to the previous one except that the Copy right on the new work does not require a distribution license. The consumer can upgrade from any repository having the new version. He cannot upgrade more than once because the ticket cannot work after it has been punched. If desired, the repository can record the upgrade transaction by posting a zero-cost bill to alert the creator that the upgrade has taken place.

Limited Printing

A consumer buys a digital work and wants to make a few ephemeral copies. For example, he may want to print out a paper copy of part of a digital newspaper, or he may want to make a (first generation) analog cassette tape for playing in his car. He buys the digital work together with a ticket required for printing rights.

This scenario is like the common practice of people making cassette tapes to play in their car. If a publisher permits the making of cassette tapes, there is nothing to prevent a consumer from further copying the tapes. However, since the tapes are "analog copies," there is a noticeable quality loss with subsequent generations. The new contribution of the present invention is the use of tickets in the access controls for the making of the analog copies.

This scenario is performed as follows:

The creator sells a work together with limited printing rights. The printing rights specify the kind of printer (e.g., a
kind of cassette recorder or a kind of desktop paper printer) and also the kind of ticket required. The creator either bundles a limited number of tickets or sells them separately. If the tickets use the generic ticket agent, the consumer with the tickets can exercise the right at his convenience.

Demand Publishing

Professors in a business school want to put together course books of readings selected from scenario studies from various sources. The bookstore wants to be able to print the books from digital masters, without negotiating for and waiting for approval of printing of each of the scenarios. The copyright holders of the scenarios want to be sure that they are paid for every copy of their work that is printed.

On many college campuses, the hassle of obtaining copy clearances in a timely way has greatly reduced the viability of preparing course books. Print shops have become much more cautious about copying works in the absence of documented permission.

Demand Publishing is performed as follows: the creator sells a work together with printing rights for a fee. There can be rights to copy (distribute) the work between bookstore repositories, with or without fee. The printing rights specify the kind of printer. Whenever a bookstore prints one of the works (either standalone or embedded in a collection), the fee is credited to the creator automatically. To discourage unauthorized copying of the printouts, it would be possible for the printer to print tracer messages discreetly on the pages identifying the printing transaction, the copy number, and any other identifying information. The tracer information could be secretly embedded in the text itself (encoded in the grey scale) or hidden in some other way.

Metered Use and Multiple Price Packages

A consumer does not know what music to purchase until he decides whether he likes it. He would like to be able to take it home and listen to it, and then decide whether to purchase. Furthermore, he would like the flexibility of paying less if he listens to it very infrequently.

This scenario just uses the capability of the approach to have multiple versions of a right on a digital work. Each version of the right has its own billing scheme. In this scenario, the creator of the work can offer the Copy right without fee, and defer billing to the exercise of the Play right. One version of the play right would allow a limited performance without fee, a right to "demo". Another version of the right could have a metered rate, of say $0.25 per hour of play. Another version could have a fee of $15.00 for the first play, but no fee for further playing. When the consumer exercises a play right, he specifies which version of the right is being selected and is billed accordingly.

Fees for Font Usage

A designer of type fonts invests several months in the design of special fonts. The most common way of obtaining revenue for this work is to sell copies of the fonts to publishers for unlimited use over unlimited periods of time. A font designer would like to charge a rate that reflects the amount that the font is used.

This scenario is performed as follows: the font designer creates a font as a digital work. He creates versions of the Play right that bill either for metered use or "per-use". Each version of the play right would require that the player (a print layout program) be of an approved category. The font designer assigns appropriate fees to exercise the Copy right. When a publisher client wants to use a font, he includes it as input to a layout program, and is billed automatically for its use. In this way, a publisher who makes little use of a font pays less than one who uses it a lot.

Rational Database Usage Charges

Online information retrieval services typically charge for access in a way that most clients find unpredictable and uncorrelated to value or information use. The fee depends on which databases are open, dial-up connect time, how long the searches require, and which articles are printed out. There are no provisions for extracting articles or photographs, no method for paying to reuse information in new works, no distinction between having the terminal sit idly versus actively searching for data, no distinction between reading articles on the screen and doing nothing, and higher rates per search when the centralized facility is busy and slow servicing other clients. Articles cannot be offloaded to the client's machine for off-site search and printing. To offer such billing or the expanded services, the service company would need a secure way to account for and bill for how information is used.

This scenario is performed as follows:

The information service bundles its database as files in a repository. The information services company assigns different fees for different rights on the information files. For example, there could be a fee for copying a search database or a source file and a different fee for printing. These fees would be in addition to fees assigned by the original creator for the services. The fees for using information would be different for using them on the information service company's computers or the client's computers. This billing distinction would be controlled by having different versions of the rights, where the version for use on the service company's computer requires a digital certificate held locally. Fees for copying or printing files would be handled in the usual way, by assigning fees to exercising those rights. The distinction between searching and viewing information would be made by having different "players" for the different functions. This distinction would be maintained on the client's computers as well as the service computers. Articles could be extracted for reuse under the control of Extract and Embed rights. Thus, if a client extracts part of an article or photograph, and then sells copies of a new digital work incorporating it, fees could automatically be collected both by the information service and earlier creators and distributors of the digital work. In this way, the information retrieval service could both offer a wider selection of services and billing that more accurately reflects the client's use of the information.

Print Spooling with Rights

In the simplest scenario, when a user wants to print a digital document he issues a print command to the user interface. If the document has the appropriate rights and the conditions are satisfied, the user agrees to the fee and the document is printed. In other cases, the printer may be on a remote repository and it is convenient to spool the printing to a later time. This leads to several issues. The user requesting the printing wants to be sure that he is not billed for the printing until the document is actually printed. Restated, if he is billed at the time the print job is spooled but the job is canceled before printing is done, he does not want to pay. Another issue is that when spooling is permitted, there are now two times at which rights, conditions and fees could be checked: the time at which a print job is spooled and the time at which a print is made. As with all usage rights, it is possible to have rights that expire and to have rights whose fee depends on various conditions. What is needed is a means to check rights and conditions at the time that printing is actually done.

This scenario is performed as follows: A printing repository is a repository with the usual repository characteristics
plus the hardware and software to enable printing. Suppose that a user logs into a home repository and wants to spool print jobs for a digital work at a remote printing repository. The user interface for this could treat this as a request to "spool" prints. Underneath this "spooling" request, however, are standard rights and requests. To support such requests, the creator of the work provides a Copy right, which can be used to copy the work to a printing repository. In the default case, this Copy right would have no fees associated for making the copy. However, the Next-Set-Of-Rights for the copy would only include the Print rights, with the usual fees for each variation of printing. This version of the Copy right could be called the "print spooling" version of the Copy right. The user's "spool request" is implemented as a Copy transaction to put a copy of the work on the printing repository, followed by Print transactions to create the prints of the work. In this way, the user is only billed for printing that is actually done. Furthermore, the rights, conditions and fees for printing the work are determined when the work is about to be printed.

Thus, a system for enforcing the usage rights of digital works is disclosed. While the embodiments disclosed herein are preferred, it will be appreciated from this teaching that various alternatives, modifications, variations or improvements therein may be made by those skilled in the art, which are intended to be encompassed by the following claims.

Appendix A

Glossary

Authorization Repository:
A special type of repository which provides an authorization service. An authorization may be specified by a usage right. The authorization must be obtained before the right may be exercised.

Billing Clearinghouse:
A financial institution or the like whose purpose is to reconcile billing information received from credit servers. The billing clearinghouse may generate bills to users or, alternatively, credit and debit accounts involved in the commercial transactions.

Billing Transactions:
The protocol by which a repository reports billing information to a credit server.

Clearinghouse Transactions:
The protocol used between a credit server and a clearinghouse.

Composite Digital Work:
A digital work comprised of distinguishable parts. Each of the distinguishable parts is itself a digital work which has usage rights attached.

Content:
The digital information (i.e. raw bits) representing a digital work.

Copy Owner:
A term which refers to the party who owns a digital work stored in a repository. In the typical case, this party has purchased various rights to the document for printing, viewing, transferring, or specific uses.

Creator:
A term which refers to a party who produces a digital work.

Credit Server:
A device which collects and reports billing information for a repository. In many implementations, this could be built as part of a repository. It requires a means for periodically communicating with a billing clearinghouse.

Description Tree:
A structure which describes the location of content and the usage rights and usage fees for a digital work. A description tree is comprised of description blocks. Each description block corresponds to a digital work or to an interest (typically a revenue bearing interest) in a digital work.

Digital Work (Work):
Any encapsulated digital information. Such digital information may represent music, a magazine or book, or a multimedia composition. Usage rights and fees are attached to the digital work.

Distributor:
A term which refers to a party who legitimately obtains a copy of a digital work and offers it for sale.

Identification (Digital) Certificate:
A signed digital message that attests to the identity of the possessor. Typically, digital certificates are encrypted in the private key of a well-known master repository.

Master Repository:
A special type of repository which issues identification certificates and distributes lists of repositories whose integrity has been compromised and which should be denied access to digital works (referred to as repository "hotlists").

Public Key Encryption:
An encryption technique used for secure transmission of messages on a communication channel. Key pairs are used for the encryption and decryption of messages. Typically one key is referred to as the public key and the other is the private key. The keys are inverses of each other from the perspective of encryption. Restated, a digital work that is encrypted by one key in the pair can be decrypted only by the other.

Registration Transactions:
The protocol used between repositories to establish a trusted session.

Rendering Repository:
A special type of repository which is typically coupled to a rendering system. The rendering repository will typically be embodied within the secure boundaries of a rendering system.

Rendering System:
The combination of a rendering repository and a rendering device. Examples of rendering systems include printing systems, displaying systems, general purpose computer systems, video systems or audio systems.

Repository:
Conceptually a set of functional specifications defining core functionality in the support of usage rights. A repository is a trusted system in that it maintains physical, communications and behavioral integrity.

Requester Mode:
A mode of a repository where it is requesting access to a digital work.

Revenue Owners:
A term which refers to the parties that maintain an interest in collecting fees for document use or who stand to lose revenue if illegitimate copies of the digital work are made.

Server Mode:
A mode of a repository where it is processing an incoming request to access a digital work.

Shell Description Block:
A special type of description block designating an interest in a digital work, but which does not add content. This will typically be added by a distributor of a digital work to add their fees.
Transactions:
A term used to refer to the protocols by which repositories communicate.

Usage Fees:
A fee charged to a requester for access to a digital work. Usage fees are specified within the usage rights language.

Usage Rights:
A language for defining the manner in which a digital work may be used or distributed, as well as any conditions on which use or distribution is premised.

Usage Transactions:
A set of protocols by which repositories communicate in the exercise of a usage right. Each usage right has its own transaction steps.

What is claimed is:

1. A rendering system adapted for use in a distributed system for managing use of content, said rendering system being operative to render content in accordance with usage rights associated with the content, said rendering system comprising:
a rendering device configured to render the content; and
a distributed repository coupled to said rendering device and including a requester mode of operation and server mode of operation,
wherein the server mode of operation is operative to enforce usage rights associated with the content and permit the rendering device to render the content in accordance with a manner of use specified by the usage rights,
the requester mode of operation is operative to request access to content from another distributed repository, and
said distributed repository is operative to receive a request to render the content and permit the content to be rendered only if a manner of use specified in the request corresponds to a manner of use specified in the usage rights.

2. A rendering system as recited in claim 1, wherein said rendering device is configured to render content into a desired form.

3. A rendering system as recited in claim 1, wherein said repository comprises means for storing the content.

4. A rendering system as recited in claim 3 wherein said means for storing is means for storing ephemeral copies of the content.

5. A rendering system as recited in claim 3 wherein said means for storing comprises means for storing content after rendering.

6. A rendering system as recited in claim 5 wherein the content comprises fonts.

7. A rendering system as recited in claim 5 wherein the content comprises music.

8. A rendering system as recited in claim 5 wherein the content comprises video.

9. A rendering system as recited in claim 3, wherein said repository comprises removable media.

10. A rendering system as recited in claim 1, further comprising means for storing the content.

11. A rendering system as recited in claim 10, wherein said means for storing comprises removable media.

12. A rendering system as recited in claim 1 wherein said rendering device comprises a printer.

13. A rendering system as recited in claim 1, wherein said rendering device comprises a video system.

14. A rendering system as recited in claim 1, wherein said rendering device comprises an audio system.

15. A rendering system as recited in claim 1 wherein said rendering device comprises a computer system and said repository comprises software executed on the computer system.

16. A rendering system as recited in claim 1, further comprising an execution device coupled to said repository, said repository being further operative to permit said execution device to execute a computer program only in a manner specified by the usage rights.

17. A rendering system as recited in claim 1, wherein the content is a computer program and the manner of use is a manner of executing the computer program.

18. A rendering system as recited in claim 1, wherein the manner of use is a manner of printing.

19. A rendering system as recited in claim 1, wherein the manner of use is a manner of displaying.

20. A rendering system as recited in claim 1, wherein the manner of use is a manner of playing.

21. A rendering system as recited in claim 1, wherein the rendering device and the repository are integrated into a secure system having a secure boundary.

22. A rendering system as recited in claim 1, wherein the rendering device and the repository are separate devices.

23. A rendering system as recited in claim 1, wherein the usage rights include at least one condition that must be satisfied to exercise the manner of use, and wherein the system further comprises means for communicating with an authorization repository for authorizing a condition.

24. A rendering system as recited in claim 1, further comprising means for communicating with a master repository for obtaining an identification certificate for the repository.

25. A rendering system as recited in claim 1, further comprising a boundary containing said repository and said rendering device in a secure environment.

26. A rendering system as recited in claim 23, wherein the condition is possession of a digital ticket.

27. A rendering system as recited in claim 1, wherein the content has plural components having usage rights associated therewith and wherein said repository enforces the usage rights for each component.

28. A rendering system as recited in claim 1, wherein said system is implemented using one or more hardware and/or software devices.

29. A rendering method adapted for use in a distributed system for managing use of content, and operative to render content in accordance with usage rights associated with the content, said method comprising:
configuring a rendering device to render the content;
configuring a distributed repository coupled to said rendering device to include a requester mode of operation and server mode of operation;
enforcing usage rights associated with the content and permitting the rendering device to render the content in accordance with a manner of use specified by the usage rights, when in the server mode of operation;
requesting access to content from another distributed repository, when in the requester mode of operation; and
receiving by said distributed repository a request to render the content and permitting the content to be rendered only if a manner of use specified in the request corresponds to a manner of use specified in the usage rights.

30. A rendering method as recited in claim 29, wherein said rendering device is configured to render content into a desired form.
31. A rendering method as recited in claim 29, wherein said repository comprises means for storing the content.

32. A rendering method as recited in claim 31, further comprising storing ephemeral copies of the content.

33. A rendering method as recited in claim 31, wherein said means for storing comprises means for storing content after rendering.

34. A rendering method as recited in claim 33, wherein the content comprises fonts.

35. A rendering method as recited in claim 33, wherein the content comprises music.

36. A rendering method as recited in claim 33, wherein the content comprises video.

37. A rendering method as recited in claim 29, further comprising storing the content.

38. A rendering method as recited in claim 37, wherein said means for storing comprises removable media.

39. A rendering method as recited in claim 29, wherein said rendering device comprises a printer.

40. A rendering method as recited in claim 29, wherein said rendering device comprises a video system.

41. A rendering method as recited in claim 29, wherein said rendering device comprises an audio system.

42. A rendering method as recited in claim 29, wherein said rendering device comprises a computer system and said repository comprises software executed on the computer system.

43. A rendering method as recited in claim 29, further comprising:
coupling an execution device to said repository; and
permitting by said repository said execution device to execute a computer program only in a manner specified by the usage rights.

44. A rendering method as recited in claim 29, wherein the content is a computer program and the manner of use is a manner of executing the computer program.

45. A rendering method as recited in claim 29, wherein the manner of use is a manner of printing.

46. A rendering method as recited in claim 29, wherein the manner of use is a manner of displaying.

47. A rendering method as recited in claim 29, wherein the manner of use is a manner of playing.

48. A rendering method as recited in claim 29, wherein the rendering device and the repository are integrated into a secure system having a secure boundary.

49. A rendering method as recited in claim 29, wherein the rendering device and the repository are separate devices.

50. A rendering method as recited in claim 29, wherein the usage rights include at least one condition that must be satisfied to exercise the manner of use, and the method further comprises communicating with an authorization repository for authorizing a condition.

51. A rendering method as recited in claim 29, further comprising communicating with a master repository for obtaining an identification certificate for the repository.

52. A rendering method as recited in claim 29, further comprising configuring a boundary containing said repository and said rendering device in a secure environment.

53. A rendering method as recited in claim 50, wherein the condition is possession of a digital ticket.

54. A rendering method as recited in claim 29, wherein the content has plural components having usage rights associated therewith and the method further comprises enforcing by said repository the usage rights for each component.

55. A rendering method as recited in claim 31, wherein said repository comprises removable media.

56. A rendering method as recited in claim 29, wherein said method is implemented using one or more hardware and/or software devices.

57. A rendering method as recited in claim 29, wherein said method is implemented using a computer readable medium including one or more computer readable instructions embedded therein and configured to cause one or more computer processors to perform said method.

58. A computer readable medium including one or more computer readable instructions embedded therein for use in a distributed system for managing use of content, and operative to render content in accordance with usage rights associated with the content, said computer readable instructions configured to cause one or more computer processors to perform the steps of:
configuring a rendering device to render the content;
configuring a distributed repository coupled to said rendering device to include a requester mode of operation and server mode of operation;
enforcing usage rights associated with the content and permitting the rendering device to render the content in accordance with a manner of use specified by the usage rights, when in the server mode of operation;
requesting access to content from another distributed repository, when in the requester mode of operation; and
receiving by said distributed repository a request to render the content and permitting the content to be rendered only if a manner of use specified in the request corresponds to a manner of use specified in the usage rights.

59. A computer readable medium as recited in claim 58, wherein said rendering device is configured to render content into a desired form.

60. A computer readable medium as recited in claim 58, wherein said repository comprises means for storing the content.

61. A computer readable medium as recited in claim 60, wherein said computer readable instructions are configured to cause the one or more computer processors to perform the step of storing ephemeral copies of the content.

62. A computer readable medium as recited in claim 60, wherein said means for storing comprises means for storing content after rendering.

63. A computer readable medium as recited in claim 62, wherein the content comprises fonts.

64. A computer readable medium as recited in claim 62, wherein the content comprises music.

65. A computer readable medium as recited in claim 62, wherein the content comprises video.

66. A computer readable medium as recited in claim 60, wherein said repository comprises removable media.

67. A computer readable medium as recited in claim 58, wherein said computer readable instructions are configured to cause the one or more computer processors to perform the step of storing the content.

68. A computer readable medium as recited in claim 58, wherein said rendering device comprises a printer.

69. A computer readable medium as recited in claim 58, wherein said rendering device comprises a video system.

70. A computer readable medium as recited in claim 58, wherein said rendering device comprises an audio system.

71. A computer readable medium as recited in claim 58, wherein said rendering device comprises a computer system and said repository comprises software executed on the computer system.

72. A computer readable medium as recited in claim 58, wherein said computer readable instructions are configured to cause the one or more computer processors to perform the steps of:
coupling an execution device coupled to said repository; and
permitting by said repository said execution device to execute a computer program only in a manner specified by the usage rights.

73. A computer readable medium as recited in claim 58, wherein the content is a computer program and the manner of use is a manner of executing the computer program.

74. A computer readable medium as recited in claim 58, wherein the manner of use is a manner of printing.

75. A computer readable medium as recited in claim 58, wherein the manner of use is a manner of displaying.

76. A computer readable medium as recited in claim 58, wherein the manner of use is a manner of playing.

77. A computer readable medium as recited in claim 58, wherein the rendering device and the repository are integrated into a secure system having a secure boundary.

78. A computer readable medium as recited in claim 58, wherein the rendering device and the repository are separate devices.

79. A computer readable medium as recited in claim 58, wherein the usage rights include at least one condition that must be satisfied to exercise the manner of use, and said computer readable instructions are configured to cause the one or more computer processors to perform the step of communicating with an authorization repository for authorizing a condition.

80. A computer readable medium as recited in claim 79, wherein the condition is possession of a digital ticket.

81. A computer readable medium as recited in claim 58, wherein said computer readable instructions are configured to cause the one or more computer processors to perform the step of communicating with a master repository for obtaining an identification certificate for the repository.

82. A computer readable medium as recited in claim 58, wherein said computer readable instructions are configured to cause the one or more computer processors to perform the step of configuring a boundary containing said repository and said rendering device in a secure environment.

83. A computer readable medium as recited in claim 58, wherein the content has plural components having usage rights associated therewith and said computer readable instructions are configured to cause the one or more computer processors to perform the step of enforcing by said repository the usage rights for each component.

84. A computer readable medium as recited in claim 67, wherein said means for storing comprises removable media.

* * * * *
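The "print spooling" Copy right from the end of the detailed description (a fee-free Copy whose Next-Set-Of-Rights holds only fee-bearing Print rights, so the user is billed only for prints actually made) and the check that claims 1, 29 and 58 recite (a repository in server mode permits rendering only if the manner of use in the request corresponds to a manner of use in the usage rights) can be modelled in a few dozen lines. The Python below is an added example written for this page; it is not code from the patent or from ContentGuard, and the class names, work identifier, fees and the Transfer/Play manners of use are constructed for illustration.

```python
"""Added example (not from the patent): a toy model of usage-rights enforcement
by a repository, covering the server/requester modes of claim 1 and the
"print spooling" Copy right of the description.  Names and fees are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class UsageRight:
    """One right attached to a work: a manner of use, its fee, and the
    Next-Set-Of-Rights that a copy made under this right will carry."""
    manner: str
    fee: float = 0.0
    next_rights: Tuple["UsageRight", ...] = ()


@dataclass
class DigitalWork:
    work_id: str
    rights: Tuple[UsageRight, ...]

    def find_right(self, manner: str) -> Optional[UsageRight]:
        return next((r for r in self.rights if r.manner == manner), None)


@dataclass
class Repository:
    name: str
    works: Dict[str, DigitalWork] = field(default_factory=dict)
    billed: List[Tuple[str, str, float]] = field(default_factory=list)

    def serve(self, work_id: str, manner: str,
              requester: Optional["Repository"] = None) -> bool:
        """Server mode: grant the request only if the requested manner of use
        corresponds to a right attached to the stored work, then bill its fee."""
        work = self.works.get(work_id)
        if work is None:
            return False
        right = work.find_right(manner)
        if right is None:
            return False                      # manner of use not granted: deny
        if manner == "Copy":
            if requester is None:
                return False                  # a copy needs a destination repository
            # The copy carries only the Next-Set-Of-Rights, never the original's rights.
            requester.works[work_id] = DigitalWork(work_id, right.next_rights)
        self.billed.append((work_id, manner, right.fee))
        return True

    def request(self, other: "Repository", work_id: str, manner: str) -> bool:
        """Requester mode: ask another repository to exercise a right on its copy."""
        return other.serve(work_id, manner, requester=self)


def print_spooling_demo() -> dict:
    """Walk through the description's print-spooling scenario and return the outcome."""
    print_rights = (UsageRight("Print", fee=0.50),)          # constructed fee per print
    spool_copy = UsageRight("Copy", fee=0.0, next_rights=print_rights)
    work = DigitalWork("work-1", rights=(spool_copy, UsageRight("Play", fee=0.10)))

    home = Repository("home", works={"work-1": work})
    printer = Repository("printer")

    # Copy transaction: no fee, and the copy carries only the Print rights.
    copied = printer.request(home, "work-1", "Copy")
    # Print transactions: billed per print, at the fee attached to the copy.
    prints_done = sum(printer.serve("work-1", "Print") for _ in range(2))
    # The copy's Next-Set-Of-Rights has no Play right, so playing it is denied.
    play_on_copy = printer.serve("work-1", "Play")
    # A manner of use that was never granted is denied at the home repository too.
    transfer_home = home.serve("work-1", "Transfer")

    return {
        "copied": copied,
        "prints_done": prints_done,
        "play_on_copy": play_on_copy,
        "transfer_home": transfer_home,
        "home_billed": sum(fee for _, _, fee in home.billed),
        "printer_billed": sum(fee for _, _, fee in printer.billed),
    }


if __name__ == "__main__":
    print(print_spooling_demo())
```

The point the model makes explicit is that the rights attached to the copy are a separate, narrower set than the rights on the original: the printing repository never learns the home repository's Play right, and any manner of use absent from the attached rights is refused before billing occurs.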