WO2001016835A1 - System and method providing interoperability between enforced policies - Google Patents

System and method providing interoperability between enforced policies Download PDF

Info

Publication number
WO2001016835A1
WO2001016835A1 PCT/US2000/023407 US0023407W WO0116835A1 WO 2001016835 A1 WO2001016835 A1 WO 2001016835A1 US 0023407 W US0023407 W US 0023407W WO 0116835 A1 WO0116835 A1 WO 0116835A1
Authority
WO
WIPO (PCT)
Prior art keywords
agent
policy
message
controller
law
Prior art date
Application number
PCT/US2000/023407
Other languages
French (fr)
Inventor
Naftaly H. Minsky
Victoria Ungureanu
Original Assignee
Rutgers, The State University Of New Jersey
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Rutgers, The State University Of New Jersey filed Critical Rutgers, The State University Of New Jersey
Priority to AU69384/00A priority Critical patent/AU6938400A/en
Publication of WO2001016835A1 publication Critical patent/WO2001016835A1/en

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q10/00Administration; Management
    • G06Q10/10Office automation; Time management

Definitions

  • the present invention relates generally to coordination and control of distributed computation, and particularly to systems and methods for the specification and enforcement of access control policies and of policies for electronic commerce, including those for B2B commerce.
  • coordination policies need to be enforced; (2) the enforcement of a policy needs to be decentralized, to allow for scalability; (3) coordination policies need to be formulated explicitly, rather than being implicit in the code of the agents involved, and the policies should be enforced by means of a generic, broad spectrum mechanism; and (4) it should be possible to deploy and enforce a policy incrementally, without exacting any cost from agents and activities not subject to it.
  • Minsky et al. A coordination and control mechanism that satisfies all these principles has been described by Minsky et al., in "Law-governed Interaction: A Coordination and Control Mechanism for Heterogeneous Distributed Systems," in ACM Transactions on Software Engineering and Methodology (TOSEM) October 2000, hereafter referred to as Minsky et al.
  • LGI law-governed interaction
  • One of the limitations of the mechanism described in Minsky et al. is that it does not provide for interoperability between policies. But such interoperability is often desired, as is demonstrated in the following example from business-to-business (B2B) electronic-commerce.
  • a purchase transaction between an agent x, of an enterprise E, (the client in this case), and an agent x 2 of an enterprise E 2 (the vendor), may be subject to a conjunction of the following three policies:
  • policy P that governs the ability of agents of enterprise E, to engage in electronic commerce.
  • policy P may provide some of its agents with budgets, allowing an agent (a person or a program) to issue purchase orders only within the budget assigned to it.
  • a policy P 2 that governs the response of agents of enterprise E 7 to purchase orders.
  • policy P 2 may require that all responses to purchase orders should be monitored, for providing internal control.
  • Such an " ' interaction policy” may, for example, reflect a blanket agreement between these two enterprise, that calls for agents in enterprise E 2 to honor purchase orders from agents in enterprise E, for up to a certain cumulative value, referred to as the " blanket" for this pair of enterprises.
  • the present invention relates to a method and system for providing interoperability between polices that are enforced, like under LGI.
  • This invention allows a pair of agents operating under different policies to interact, subject to both of these policies while requiring minimal if any dependency between the policies themselves.
  • the policy can be represented as a law governed interaction (LGI).
  • LGI law governed interaction
  • the present invention allows agent x to send a message to agent y by exporting it to y, subject to policy P.
  • the exported message is imported by agent y subject to its own policy Q.
  • agent x The ability of agent x to export messages is governed by its policy P.
  • policy P can impose constraints on the kind of messages that can be exported, on the target of such an export, on the policy the target operates under, and on the state of the exporter x itself. Policy P can also mandate certain changes in the state of the exporter. For example, suppose that agent x belongs to an enterprise E, and is operating under the enterprise-policy P. This policy P might allow the export of purchase-order messages of a specified form to agents operating under a policy Q governing another enterprise E 2 Policy P might allow such exports of purchase orders only if the balance in the exporter's budget is high enough, requiring that this balance be automatically reduced by the price offered in the purchase order.
  • agent y The ability of agent y to import messages is governed by its policy Q, in an analogous manner. For example, suppose that agent y belongs to an enterprise E 2% and is operating under the enterprise-policy Q. Policy Q might allow the import of a specified type of purchase-order messages from agents operating under policy P. In addition policy Q can include the constraint that a copy of each imported message be sent to a designated auditor object. The interoperability between pairs of policies, can be used to create combinations of more than two policies, for example the combination of three policies as shown in the above described example.
  • Fig. 1 is a schematic diagram of a prior art system for enforcing a law-governed interaction.
  • Fig. 2 is a schematic diagram of a system for interoperability between enterprises having different policies in accordance with the teachings of the present invention.
  • Fig. 3 is a flow diagram of a method for interoperability between enterprises having different policies.
  • Fig. 4A is a flow diagram of implementation of interoperability between enterprises for initiating a single purchase transaction.
  • Fig. 4B illustrates a flow diagram of a method for exporting messages based on the supply order forwarded in Fig. 4A.
  • FIG. 1 illustrates a schematic diagram of a prior art system for enforcing a law-governed interaction (LGI) as described in Minsky et al., "Regulated Coordination in Open Distributed Systems," in the Proc. of Coordination'97: Second International Conference on Coordination Models and Languages; LNCS 1282; September 1997, hereby incorporated by reference into this application.
  • LGI law-governed interaction
  • LGI law-governed interaction
  • the law-governed interaction comprises policy P and is defined as a four-tuple:
  • M is the set of messages regulated by policy P also called P-messages
  • G is an open and heterogeneous group of agents that exchange messages belonging to , and is referred to as a P-group
  • CS is a mutable set ⁇ CS X
  • L is an enforced set of "rules of engagement” that regulates the exchange of messages between members of G.
  • the law is defined over a certain type of events occurring at members of group G, mandating the effect that any such event should. The mandate is called the ruling of the law for a given event.
  • the events thus subject to the law of a group under LGI are called regulated events. These events include the sending and arrival of P-messages, among others.
  • the law of a given group G is global with respect to group G, but it is defined locally at each member of it.
  • the law is global, in that all members of group G are subject to it, the law is defined locally, at each member, in the following respects:
  • the ruling of the law at a given agent x can mandate only local operations to be carried out at agent x, such as an update of the local control-state x, or the forwarding of a message from agent x to some other agent.
  • the globality of law L of group G establishes a common set of ground rules for all members of G, providing them with the ability to trust each other, in spite of the heterogeneity of the group.
  • the law L of a group is a function that returns a ruling for every possible regulated-event that might happen at a given agent.
  • the ruling returned by the law is a possibly empty sequence of primitive operations, which is to be carried out in response to the event in question, at its home.
  • An empty ruling implies that the event in question has no consequences, such an event is effectively ignored.
  • Prolog-like language is used to specify laws.
  • Members of a P-group are referred to as agents so as to represent autonomous actors that can interact with each other, and with their environment.
  • An agent can be an encapsulated software entity, with its own state and thread of control, or it might be a human that interacts with the system via some interface.
  • An agent does not imply either "intelligence" or mobility, although the agents can have these characteristics.
  • Members of a given P-group are viewed as sources of messages and targets for them.
  • the control-state CS X of a given agent x associates various attributes with this agent.
  • these attributes can be represented as a bag of Prolog-like terms.
  • the attributes are used to structure group G and provide state information about individual agents, thereby allowing law L to make distinctions between different members of the group.
  • the control-state CS x can be acted on by primitive operations, as described below, subject to law L.
  • the events that are subject to the law L of a policy are referred to as regulated events.
  • Each of the events occurs at an agent, referred to as the home of the event.
  • the following are two examples of event-types. 1. sent(x, m, y) - occurs when agent x sends a message m under law L addressed to agent y. The sender x is considered the home of this event.
  • Primitive operators include operations that update the control-state of the home agent and operations on messages.
  • Primitive operations on the control-state of the home agent include: (1) +t, which adds the term t to the control state; (2) -t, which removes a term t from the control-state; (3) tl — 12, which replaces term tl with term t2 in the control-state; (4) incr(t(v),d), which increments the value of the parameter v of a term t with quantity d in the control-state, v and d can be assumed to be integers; and (5) dcr(t(v),d), which decrements the value v of a term t with quantity d in the control-state.
  • Primitive operations on messages include operation forward (x, m, y) and operation deliver (x, m, y).
  • Operation forward (x, m, y) sends message m to agent y, where x identifies agent x as the sender of the message.
  • the receipt of the message triggers at agent y an arrived (x, m, y) event.
  • Operation deliver (x, m, y) delivers the message m to the home-agent y, where x is the nominal sender of this message.
  • the receipt of the message from the operation deliver at agent y does not trigger any event.
  • Law L is enforced by a set of controllers 12a-12d which are trusted entities that mediate the exchange of messages under policy P between agents 14a-14d.
  • Agents 14a-14d are members of group G.
  • a controller 12a-12d is logically placed between every active member represented by agents 14a-14d and communications medium 16.
  • Controllers 12a-12d have identical copies of law L of policy P, and each of controllers 12a-12d maintains the control-state, CS, of agents 14a-14d under its jurisdiction. This allows the controller C x assigned to agent x to compute the ruling of law L for every regulated event at agent x, and to carry out this ruling locally.
  • Controllers 12a-12d are generic, and can interpret and enforce any well-formed law.
  • a controller operates as an independent process, and it can be placed on the same machine as its client, or on another machine, located anywhere in the communications medium 16.
  • Each controller can serve several agents, operating under possibly different laws. This facilitates various optimization techniques, as discussed in Minsky et al.
  • Policy P is supported by server 18, called the secretary of policy P, and is denoted by S p Secretary S p maintains the law L of policy P and the membership of G and it acts as a name server for group G.
  • agent x For example, for agent x to be able to exchange messages under policy P, it needs to engage in a connection protocol 19 with server Sp 18.
  • Connection protocol 19 assigns agent x 14a to controller 12a.
  • Controller 12a is provided with law L p of policy P and the initial control state of x, CS X .
  • the following scenario relates to a pair of agents x and y that have joined a group G of a policy P.
  • Agent x 14a and agent y 14b are respectively assigned to controller C x 12a and controller C y 12b operating under law L p .
  • agent x 14a wants to send a message m to agent y 14b, agent x sends message m to controller C x 12a.
  • message m arrives at controller C x 12a, it triggers a sent (x, m, y) event.
  • controller C x 12a picks up this event, it evaluates the ruling of law L p for it, with respect to control-state CS X that it maintains, and carries out this ruling. If the ruling calls for the control-state CS X to be updated, such update is carried out directly by controller C X 12a.
  • controller C x 12a If the ruling for event sent (x, m, y) calls for message m to be forwarded to agent y, then controller C x 12a sends message m to controller C y 12b. If controller C x 12a does not have the address of controller C y 12b, controller C x 12a prompts server S p 18. When server S p 18 responds, controller C x 12a forwards message m to controller C y 12b and controller C x 12a caches the address of controller C y 12b. When message m arrives at controller C y 12b it triggers an arrived (x, m, y) event. Controller C y 12b evaluates and carries out the ruling of the law for this event. For example, this ruling can call for a message m to be delivered to agent y 14b, and for the control-state CS y maintained by controller C y 12b to be modified.
  • controller 12a evaluates the ruling of the law for each event and atomically carries out this ruling, thereby the sequence of operations that constitute the ruling for one event do not interleave with those of any other event occurring at agent x 14a.
  • one of the identifiers in the pair can be omitted.
  • C x appends its id(P) to the message it forwards to C y .
  • Controller y would accept this as a valid P-message only if id(P) is identical to its own.
  • Conventional cryptographic techniques can be used to ensure that messages are securely transmitted over the network.
  • controller software when a user is not concerned with malicious violations, the controller software can be trusted in a manner similar to that of various known tools on the internet, such as the e-mail software or browsers.
  • e-mail software or browsers when malicious violations are a concern, the validity of controllers, and of the host on which they operate, is certified by a certifying authority for controllers, called a "controller-server". These certificates are exchanged between controllers during their first hand-shake.
  • controllers depends here on the assumption that their private key is not disclosed. A confidence in this assumption can be enhanced by placing each controller on securely maintained hosts, or by building the controller into conventional physically secure coprocessors which devices are protected by sensing circuitry which erases non-volatile memory before attackers can penetrate far enough to disable the sensors or read memory contents.
  • Fig. 2 is a schematic diagram of a system for interoperability between different policies 20 in accordance with the teachings of the present invention.
  • the term "interoperability" between a pair of different policies P and Q is defined as the ability of an agent x/P, representing an agent x operating under policy P, to exchange messages with y/Q, representing an agent v operating under policy Q, such that the following properties are satisfied.
  • Consensus An exchange between a pair of policies is possible only if it is authorized by both.
  • Autonomy The effect that an exchange between x/P and y/Q may have on the structure and behavior of agents x/P and y/Q is subject to policies P and Q respectively.
  • Controller C x 22a is placed between agent x/P 24a and communication medium 26. Controller C x 22a operates under policy P. Controller Cy 22b is placed between agent y/Q 24b and communication medium 26. Controller C y 22b operates under policy Q. Controller C x 22a communicates with server S p 28a. Controller C y 22b communicates with server S p ' 28b. Server S p 28a includes the function of secretary as described above for server 18, and is extended to operate as a name server for policies that interoperate with policy P. For example, server S p , 28a maintains a list of policies P ' to which members of P are allowed to export to and respectively import from subject to law L p .
  • server S p 28a For each policy P ', server S p 28a records among other information the address of server S p 28b. Server S p 28b has similar functionality as server S p 28a.
  • Connection protocol 29 connects server S p 28a and server S p 28b to respective controller C x 22a and controller C y 22b; this protocol is essentially the same as protocol 19 of the prior art realization of LGI (see Fig. 1) with different features that, if a controller C x 22a is assigned to a member in a policy P, then this controller maintains a list of the policies P ' which inter-operates with P. For every policy P ' in the list, controller C x 22a records an identifier ⁇ (P), defined as we have seen before. This information is given to controller 22a by server S p 28a at the time agent x 24a is assigned to controller C x 22a. A similar connection protocol 29 is used in controller C y 22b.
  • An interoperability primitive operation provides an initialization of an exchange of messages between agent x/P 24a and agent y/Q 24b.
  • the interoperability primitive operation is represented by operation export (x/P, m, y/Q) operating under policy P invoked by agent x to initiate an exchange between agent x/P 24a and agent y/Q 24b operating under policy Q.
  • an imported event is invoked under Q.
  • the imported event is represented by event imported (x/P, m, y/Q).
  • Fig. 3 is a flow diagram of an implementation of a method for providing interoperability between different policies using system 20.
  • controller C x 22a When an agent x/P 24a operating under policy P, and suppose that some event occurs at its controller C x 22a) whose ruling, by policy P, is to export a message m to agent y/Q 24b, as shown in block 31. If controller C x 22a does not already have the address of controller C y 24b, controller C x 24a sends a request for the address of controller C y 24b to server S p ' 28b, in block 32. When server S p ' 28b responds, controller C x 22a will cache the address of controller C y 24b.
  • controller C y 24b In block 33, the export of message from controller C x 24a to controller C y 24b is performed.
  • a controller-to-controller interaction protocol can be used in this step, which differs from the analogous protocol used by LGI for interaction under the same policy in that the policies under which C x 24a and C y 24b operate are not identical, and neither are their identifiers.
  • controller C y 22b evaluates the ruling of its law for its import and carries out its ruling.
  • system 20 satisfies the desired conditions of consensus, autonomy, and transparency, described above.
  • the consensus condition stipulated that interoperation between a pair of agents under two different policies should be authorized by both policies. This condition is satisfied because for an agent under policy P to communicate to an agent under a different policy Q, policy P must have a rule that invokes an export operation to policy Q and policy Q must have a rule that responds to the resulting imported event from policy P.
  • the autonomy condition which stipulates that the effect that an exchange initiated by agent x/P may have on the structure and behavior of agent y/Q, should be subject to policy Q alone, is satisfied since the effect on agent y/Q of an import of a message from elsewhere is determined by the ruling of the law of policy Q concerning "imported" events.
  • Policy Pi governs the ability of agents within an enterprise Ei to issue purchase orders. Specifically, Pi requires that for an agent c, representing a client in enterprise E], to issue a purchase order (PO) for price p, it must have a budget assigned to it, with a balance not smaller than p. Once a PO is issued, the agent's budget is reduced accordingly. If the purchase order is declined then the client's budget is to be restored.
  • agent c representing a client in enterprise E
  • PO purchase order
  • the set of Py-messages subject to this policy comprise the following:
  • each member in this policy contains a term budget(val), where val is the value of the budget.
  • the law of policy Pi is presented in Table 1, and it consists of three rules. Under this law members are allowed to export to and import from members of policy P , described later. The language used to define laws for LGI is described in detail in Minsky et al. Each rule is followed by an informal explanation in italics.
  • Rl sent(Xl, purchaseOrder(Specs,Price,Xl),X2):- budget(Val)@CS, Val>Price, do(dcr(budget(Val),Price)). do(export(Xl/P ⁇ ,purchaseOrder(Specs,Price,Xl),X2/ P ⁇ , 2 )).
  • Rule Rl purchaseOrder message is exported to the vendor X2 that operates under the inter-enterprise policy P;, 2 if Price, the amount XI is willing to pay for the merchandise is less than val.
  • Policy P 2 which governs the response of agents of enterprise E 2 to purchase orders, requires that all purchase orders and all responses to them be monitored by a designated agent called "auditor". Unlike policy Pi which allows for interoperability only with policy Py, 2 the law of policy P 2 allows for interoperability with arbitrary policies to allow for interoperability between groups of policies.
  • the law of policy P 2 is displayed in Table 2. In this embodiment the set of messages recognized by policy P 2 is the same as for policy Pi. In alternate embodiments the set of messages between policy Py and policy P 2 can be different. Table 2
  • Rl imported(I/IP,purchaseOrder(Specs,Price,Xl),X2/ P 2 ) do(+order(Specs,I,IP)), do(deliver(X2, purchaseOrder(specs,Price,Xl),auditor)), do(deliver(X2, purchaseOrder(Specs,Price),X2)).
  • a message sent by the vendor is delivered to the auditor.
  • the message is exported to I, the interactant from which this order originally came, under an interaction policy IP.
  • I can be an object blanket operating under policy P .
  • Policy P ⁇ , 2 which governs purchasing interactions between agents in enterprise Ei and agents in enterprise E 2 , represents a blanket agreement between the two enterprises. Specifically, this policy requires that a purchase order be processed by the vendor only if the amount offered by the client does not exceed the remaining balance in the blanket.
  • the group of agents subject to this policy consists of the set of agents from the vendor-enterprise £ 2 that may serve purchase orders, and a distinguished agent, referred to as the blanket agent that maintains the balance for the purchases of the client- enterprise Ei.
  • the law Ly, 2 of policy P;, 2 is defined in Table 3. Table 3
  • Agent blanket has in its control state a term of the form balancefval), where val denotes the remaining amount of money that the agent of enterprise E] has available to purchases, at a given moment in time.
  • policy Pi and policy P 2 do not depend on each other in any way. Each of these policies provides for export to, and import from, the interaction policy P ⁇ , 2 but the policies have no dependency on the internal structure of P J .
  • Fig. 4A and Fig. 4B it is illustrated how the above-described policies function together, by means of a step-by-step description of the progression of a single purchasing transaction initiated by a purchase order (PO) sent by agent xi/Pi (i.e., agent x; operating under policy Pi) of an enterprise Ei (the client) to an agent x 2 /P 2 of enterprise E 2 (the vendor).
  • PO purchase order
  • a PO sent by agent x/P; to agent x 2 /P 2 is handled under rule Rl of policy Pi. If the budget of agent xi/Pi is smaller than the specified price, then the PO is ignored. If the budget of agent x Pi is greater than or equal to the specified price the following operations are carried out: (a) the budget of agent x/P; is decremented by the specified price; and (b) the PO is exported to agent x 2 /P;. 2 .
  • the import of a PO by agent x 2 /P;, 2 activates the forwarding of this PO to the blanket agent, under policy Py ? (see rule R; of policy Pi, 2)-
  • the agent blanket which operates under policy P ⁇ ,2, and has in its control-state the term balance(V), where V represents the remaining balance under the blanket agreement between the two enterprises.
  • the arrival of a PO, at the blanket agent causes a balance of the blanket to be compared with the price of the PO, as shown in block 43. If the balance of the blanket is bigger than the price of PO, the balance of the blanket is decremented by this price, and PO is exported to the vendor agent x 2 /P under Rule R2 of policy Pi, 2 , in block 44a. Alternatively, if the balance is smaller than the price, a declineOrder message is exported back to agent xy/Py under Rule R3 of policy Pi, in block 44b.
  • Fig. 4B describes the treatment of a PO once it is exported to x 2 /P 2 .
  • the PO is imported by x 2 /P 2 , and is immediately delivered to two agents: (a) to the vendor agent x 2 /P 2 itself, for its disposition; and (b) to the agent auditor, designated to maintain the audit trail for all purchase orders received by vendors, and for the responses of the vendors to these orders.
  • agent x 2 /P 2 that received a PO can respond by sending one of two kinds of messages to agent xy/Py that originated the PO: a supplyOrder message, or a declineOrder message.
  • the sending of either of these messages triggers two operations under Rule R2 of policy P 2 : (a) the message is exported to blanket, operating under policy policy Pj, 2 , and (b) a copy of this message is delivered to the auditor agent, under policy P 2 .
  • block 48 it is determined if the import of the response of agent x 2 /P 2 by the agent blanket, operating under policy Py, 2 is a supplyOrder or a declineOrder message. If the response is a supplyOrder message, then this message is automatically exported to the agent xy/Py under Rule R5 of policy Py, 2 in block 49a. If the response is a declineOrder message, then the blanket balance is incremented by the price amount it had been previously decremented, and the declineOrder message is exported to the agent xy/Py under Rule R4 of policy Py, 2 in block 49b.
  • the import of a supplyOrder message into agent xy/Py causes this message to be delivered to agent xy/Py under Rule R2 of policy Py.
  • the import of a declineOrder message into xy/Py causes the budget of agent xy/Py to be restored, before the message is delivered to it under Rule R3 of policy Py.

Abstract

The present invention relates to a method and system for providing interoperability between policies. In one aspect of the invention, a controller (22a, 22b) is assigned to each agent (24a, 24b) which are communicating with one another. The controller includes a list of policies (Lp) to which each agenter can interoperate. A message is exported from a first controller under a first law for enforcing a first policy. The message is imported at the second agent under a second law for enforcing a second policy if the message identifier to the first policy is in the list of policies to which the second agent can operate. In addition, the method of the present invention provides a secure implementation of interoperability by applying a verifiable authentication to the message before exporting the message from the first controller and the verifiable authentication is verified at the second controller. The method and system can be used to provide inter-enterprise electronic commerce, for example, in a purchase order transaction.

Description

SYSTEM AND METHOD PROVIDING INTEROPERABILITY BETWEEN ENFORCED POLICHCS
Background of the Invention
1. Field of the Invention
The present invention relates generally to coordination and control of distributed computation, and particularly to systems and methods for the specification and enforcement of access control policies and of policies for electronic commerce, including those for B2B commerce.
2. Description of the Related Art
Software technology is undergoing a transition from monolithic systems, constructed according to a single overall design, into conglomerates of semi-autonomous, heterogeneous and independently designed subsystems, constructed and managed by different organizations, with little, if any, knowledge of each other. Among the problems inherent in such conglomerates is the difficulty to control the activities of the disparate agents operating in it, and the difficulty for such agents to coordinate their activities with each other.
The nature of coordination and control required for such systems calls for the following principles to be satisfied: (1) coordination policies need to be enforced; (2) the enforcement of a policy needs to be decentralized, to allow for scalability; (3) coordination policies need to be formulated explicitly, rather than being implicit in the code of the agents involved, and the policies should be enforced by means of a generic, broad spectrum mechanism; and (4) it should be possible to deploy and enforce a policy incrementally, without exacting any cost from agents and activities not subject to it. A coordination and control mechanism that satisfies all these principles has been described by Minsky et al., in "Law-governed Interaction: A Coordination and Control Mechanism for Heterogeneous Distributed Systems," in ACM Transactions on Software Engineering and Methodology (TOSEM) October 2000, hereafter referred to as Minsky et al. This mechanism implements the concept of law-governed interaction (LGI), which is a scalable mode of message-exchange that allows a heterogeneous group of distributed agents to interact with each other, with confidence that an explicitly specified policy is strictly observed by each of its members. One of the limitations of the mechanism described in Minsky et al. is that it does not provide for interoperability between policies. But such interoperability is often desired, as is demonstrated in the following example from business-to-business (B2B) electronic-commerce.
A purchase transaction between an agent x, of an enterprise E, (the client in this case), and an agent x2 of an enterprise E2 (the vendor), may be subject to a conjunction of the following three policies:
• A policy P, that governs the ability of agents of enterprise E, to engage in electronic commerce. For example, policy P, may provide some of its agents with budgets, allowing an agent (a person or a program) to issue purchase orders only within the budget assigned to it.
• A policy P2 that governs the response of agents of enterprise E7 to purchase orders. For example, policy P2 may require that all responses to purchase orders should be monitored, for providing internal control.
• A policy PJJ that governs the interaction between these two enterprises, reflecting a prior contract between them. Such an " ' interaction policy" may, for example, reflect a blanket agreement between these two enterprise, that calls for agents in enterprise E2 to honor purchase orders from agents in enterprise E, for up to a certain cumulative value, referred to as the " blanket" for this pair of enterprises.
The conventional approach for achieving interoperability between agents operating under different policies is to combine the policies into a single, super-policy," as described in Qian et al., "Computational Issues in Secure Interoperation," IEEE Transactions on Software Engineering, pages 43-52 (January 1996); and in Bidan et al. "Dealing with Multi-policy Security in Large Open Distributed Systems," in Proceedings of 5' European Symposium on Research in Computer Security, pages 51-66 (September 1998). In the above-described example, in particular, the three policies would be combined into a single "superpolicy." This approach has several drawbacks. First, the approach does not provide for the autonomy and the privacy of constituent sub-policies which is particularly limiting when dealing with B2B commerce between two inherently autonomous enterprises. The problem is that the creation of a super-policy requires knowledge of the text of sub-policies. However, divulging to a third party the internal business rules of an enterprise is not common practice in today's commerce. Second, interoperation by forming a composed policy requires that changes of a sub-policy be reflected in all super-policies it is part of. Accordingly, if the number of policy components is large and the individual policies are likely to change it will be cumbersome to implement maintenance of the superpolicy.
It is therefore desirable to provide a method and a system for interoperability of policies under LGI that allows for a scalable interoperation between agents operating under different policies, in a manner that preserves the privacy and the autonomy of each policy, and that provides for their mutual transparency.
Summary of the Invention The present invention relates to a method and system for providing interoperability between polices that are enforced, like under LGI. This invention allows a pair of agents operating under different policies to interact, subject to both of these policies while requiring minimal if any dependency between the policies themselves. The policy can be represented as a law governed interaction (LGI). For instance, in a scenario in which an agent x operating under an LGI policy P and an agent y operating under a different policy Q, the present invention allows agent x to send a message to agent y by exporting it to y, subject to policy P. The exported message is imported by agent y subject to its own policy Q.
The ability of agent x to export messages is governed by its policy P. In particular, policy P can impose constraints on the kind of messages that can be exported, on the target of such an export, on the policy the target operates under, and on the state of the exporter x itself. Policy P can also mandate certain changes in the state of the exporter. For example, suppose that agent x belongs to an enterprise E, and is operating under the enterprise-policy P. This policy P might allow the export of purchase-order messages of a specified form to agents operating under a policy Q governing another enterprise E2 Policy P might allow such exports of purchase orders only if the balance in the exporter's budget is high enough, requiring that this balance be automatically reduced by the price offered in the purchase order. The ability of agent y to import messages is governed by its policy Q, in an analogous manner. For example, suppose that agent y belongs to an enterprise E2% and is operating under the enterprise-policy Q. Policy Q might allow the import of a specified type of purchase-order messages from agents operating under policy P. In addition policy Q can include the constraint that a copy of each imported message be sent to a designated auditor object. The interoperability between pairs of policies, can be used to create combinations of more than two policies, for example the combination of three policies as shown in the above described example.
Brief Description of the Drawings
For a better understanding of the present invention, reference may be made to the accompanying drawings.
Fig. 1 is a schematic diagram of a prior art system for enforcing a law-governed interaction.
Fig. 2 is a schematic diagram of a system for interoperability between enterprises having different policies in accordance with the teachings of the present invention.
Fig. 3 is a flow diagram of a method for interoperability between enterprises having different policies.
Fig. 4A is a flow diagram of implementation of interoperability between enterprises for initiating a single purchase transaction.
Fig. 4B illustrates a flow diagram of a method for exporting messages based on the supply order forwarded in Fig. 4A.
Detailed Description
Reference will now be made in greater detail to a preferred embodiment of the invention, an example of which is illustrated in the accompanying drawings. Wherever possible, the same reference numerals will be used throughout the drawings and the description to refer to the same or like parts. Fig. 1 illustrates a schematic diagram of a prior art system for enforcing a law-governed interaction (LGI) as described in Minsky et al., "Regulated Coordination in Open Distributed Systems," in the Proc. of Coordination'97: Second International Conference on Coordination Models and Languages; LNCS 1282; September 1997, hereby incorporated by reference into this application. A law-governed interaction (LGI) is a scalable mode of interaction that allows a heterogeneous group of distributed agents to interact with each other, with confidence that an explicitly specified set of rules of engagement, referred to as the law of the group, is strictly observed by each of its members, which are referred to as agents.
The law-governed interaction comprises policy P and is defined as a four-tuple:
{M, G, CS, L) where M is the set of messages regulated by policy P also called P-messages; G is an open and heterogeneous group of agents that exchange messages belonging to , and is referred to as a P-group; CS is a mutable set {CSX | x e G} of control states with one per member of group G; and L is an enforced set of "rules of engagement" that regulates the exchange of messages between members of G. The law is defined over a certain type of events occurring at members of group G, mandating the effect that any such event should. The mandate is called the ruling of the law for a given event. The events thus subject to the law of a group under LGI are called regulated events. These events include the sending and arrival of P-messages, among others.
The law of a given group G is global with respect to group G, but it is defined locally at each member of it. The law is global, in that all members of group G are subject to it, the law is defined locally, at each member, in the following respects:
• The law regulates explicitly only local events at individual agents,
• The ruling of the law for an event e at agent x depends only on event e itself and on the local control-state of event x.
• The ruling of the law at a given agent x can mandate only local operations to be carried out at agent x, such as an update of the local control-state x, or the forwarding of a message from agent x to some other agent. The globality of law L of group G establishes a common set of ground rules for all members of G, providing them with the ability to trust each other, in spite of the heterogeneity of the group. The locality of the law that enables its scalable enforcement, by means of a trusted agent called a controller which is associated with individual members of group G.
The law L of a group is a function that returns a ruling for every possible regulated-event that might happen at a given agent. The ruling returned by the law is a possibly empty sequence of primitive operations, which is to be carried out in response to the event in question, at its home. An empty ruling implies that the event in question has no consequences, such an event is effectively ignored. Prolog-like language is used to specify laws. Members of a P-group are referred to as agents so as to represent autonomous actors that can interact with each other, and with their environment. An agent can be an encapsulated software entity, with its own state and thread of control, or it might be a human that interacts with the system via some interface. An agent does not imply either "intelligence" or mobility, although the agents can have these characteristics. Members of a given P-group are viewed as sources of messages and targets for them.
The control-state CSX of a given agent x associates various attributes with this agent. For example, these attributes can be represented as a bag of Prolog-like terms. The attributes are used to structure group G and provide state information about individual agents, thereby allowing law L to make distinctions between different members of the group. The control-state CSx can be acted on by primitive operations, as described below, subject to law L.
The events that are subject to the law L of a policy are referred to as regulated events. Each of the events occurs at an agent, referred to as the home of the event. The following are two examples of event-types. 1. sent(x, m, y) - occurs when agent x sends a message m under law L addressed to agent y. The sender x is considered the home of this event.
2. arrived(x, m, y) - occurs when a message m under law L sent by agent x arrives at agent y. The receiver^ is considered the home of this event.
Operations included in the ruling of law L for a given regulated event e, to be carried out at the home of this event, are called primitive operations. Primitive operators include operations that update the control-state of the home agent and operations on messages. Primitive operations on the control-state of the home agent include: (1) +t, which adds the term t to the control state; (2) -t, which removes a term t from the control-state; (3) tl — 12, which replaces term tl with term t2 in the control-state; (4) incr(t(v),d), which increments the value of the parameter v of a term t with quantity d in the control-state, v and d can be assumed to be integers; and (5) dcr(t(v),d), which decrements the value v of a term t with quantity d in the control-state.
Primitive operations on messages include operation forward (x, m, y) and operation deliver (x, m, y). Operation forward (x, m, y) sends message m to agent y, where x identifies agent x as the sender of the message. The receipt of the message triggers at agent y an arrived (x, m, y) event. Operation deliver (x, m, y) delivers the message m to the home-agent y, where x is the nominal sender of this message. The receipt of the message from the operation deliver at agent y does not trigger any event.
As shown in Fig. 1, Law L is enforced by a set of controllers 12a-12d which are trusted entities that mediate the exchange of messages under policy P between agents 14a-14d. Agents 14a-14d are members of group G. A controller 12a-12d is logically placed between every active member represented by agents 14a-14d and communications medium 16. Controllers 12a-12d have identical copies of law L of policy P, and each of controllers 12a-12d maintains the control-state, CS, of agents 14a-14d under its jurisdiction. This allows the controller Cx assigned to agent x to compute the ruling of law L for every regulated event at agent x, and to carry out this ruling locally.
Controllers 12a-12d are generic, and can interpret and enforce any well-formed law. A controller operates as an independent process, and it can be placed on the same machine as its client, or on another machine, located anywhere in the communications medium 16. Each controller can serve several agents, operating under possibly different laws. This facilitates various optimization techniques, as discussed in Minsky et al.
Policy P is supported by server 18, called the secretary of policy P, and is denoted by Sp Secretary Sp maintains the law L of policy P and the membership of G and it acts as a name server for group G. For example, for agent x to be able to exchange messages under policy P, it needs to engage in a connection protocol 19 with server Sp 18. Connection protocol 19 assigns agent x 14a to controller 12a. Controller 12a is provided with law Lp of policy P and the initial control state of x, CSX. The following scenario relates to a pair of agents x and y that have joined a group G of a policy P. Agent x 14a and agent y 14b are respectively assigned to controller Cx 12a and controller Cy 12b operating under law Lp. Thereafter if agent x 14a wants to send a message m to agent y 14b, agent x sends message m to controller Cx 12a. When message m arrives at controller Cx 12a, it triggers a sent (x, m, y) event. When controller Cx 12a picks up this event, it evaluates the ruling of law Lp for it, with respect to control-state CSX that it maintains, and carries out this ruling. If the ruling calls for the control-state CSX to be updated, such update is carried out directly by controller CX 12a. If the ruling for event sent (x, m, y) calls for message m to be forwarded to agent y, then controller Cx 12a sends message m to controller Cy 12b. If controller Cx 12a does not have the address of controller Cy 12b, controller Cx 12a prompts server Sp 18. When server Sp 18 responds, controller Cx 12a forwards message m to controller Cy 12b and controller Cx 12a caches the address of controller Cy 12b. When message m arrives at controller Cy 12b it triggers an arrived (x, m, y) event. Controller Cy 12b evaluates and carries out the ruling of the law for this event. For example, this ruling can call for a message m to be delivered to agent y 14b, and for the control-state CSy maintained by controller Cy 12b to be modified.
In general, all regulated events that occur nominally at agents 14a-14d actually occur at their respective controller 12a-12d. To avoid race conditions, the events pertaining x 14a are handled sequentially in chronological order of their arrival as follows: controller 12a evaluates the ruling of the law for each event and atomically carries out this ruling, thereby the sequence of operations that constitute the ruling for one event do not interleave with those of any other event occurring at agent x 14a.
For the above-described mechanism to be effective the following assurances are needed: (a) that the exchange of P-messages is mediated by controllers operating under the same policy P, and thus interpreting the same law L of this policy; and (b) that all of the controllers are correctly implemented. If these two conditions are satisfied, then it follows that if agent y receives a P-message from some agent x, this message must have been sent under the same law of policy P. These assurances are provided by the controller-to-controller interaction protocol of LGI, whose essence is described below. Regarding the first of the above concerns, each controller uses an identifier id(P) for the policy it operates under, which comprises the pair (Sp hash(law(P)), address of Sp). In an alternate embodiment one of the identifiers in the pair can be omitted. In order to ensure that a message forwarded by controller Cx under policy P would be handled by Cy under the same policy, Cx appends its id(P) to the message it forwards to Cy. Controller y would accept this as a valid P-message only if id(P) is identical to its own. Conventional cryptographic techniques can be used to ensure that messages are securely transmitted over the network.
Regarding the second assurance described above related to correctness of the controllers, when a user is not concerned with malicious violations, the controller software can be trusted in a manner similar to that of various known tools on the internet, such as the e-mail software or browsers. Alternatively, when malicious violations are a concern, the validity of controllers, and of the host on which they operate, is certified by a certifying authority for controllers, called a "controller-server". These certificates are exchanged between controllers during their first hand-shake.
It is appreciated that the authenticity of controllers depends here on the assumption that their private key is not disclosed. A confidence in this assumption can be enhanced by placing each controller on securely maintained hosts, or by building the controller into conventional physically secure coprocessors which devices are protected by sensing circuitry which erases non-volatile memory before attackers can penetrate far enough to disable the sensors or read memory contents.
Fig. 2 is a schematic diagram of a system for interoperability between different policies 20 in accordance with the teachings of the present invention. The term "interoperability" between a pair of different policies P and Q is defined as the ability of an agent x/P, representing an agent x operating under policy P, to exchange messages with y/Q, representing an agent v operating under policy Q, such that the following properties are satisfied.
• Consensus: An exchange between a pair of policies is possible only if it is authorized by both. • Autonomy: The effect that an exchange between x/P and y/Q may have on the structure and behavior of agents x/P and y/Q is subject to policies P and Q respectively.
• Transparency: Interoperating parties need not to be aware of the details of each other policy.
Controller Cx 22a is placed between agent x/P 24a and communication medium 26. Controller Cx 22a operates under policy P. Controller Cy 22b is placed between agent y/Q 24b and communication medium 26. Controller Cy 22b operates under policy Q. Controller Cx 22a communicates with server Sp 28a. Controller Cy 22b communicates with server Sp' 28b. Server Sp 28a includes the function of secretary as described above for server 18, and is extended to operate as a name server for policies that interoperate with policy P. For example, server Sp, 28a maintains a list of policies P ' to which members of P are allowed to export to and respectively import from subject to law Lp. For each policy P ', server Sp 28a records among other information the address of server Sp 28b. Server Sp 28b has similar functionality as server Sp 28a. Connection protocol 29 connects server Sp 28a and server Sp 28b to respective controller Cx 22a and controller Cy 22b; this protocol is essentially the same as protocol 19 of the prior art realization of LGI (see Fig. 1) with different features that, if a controller Cx 22a is assigned to a member in a policy P, then this controller maintains a list of the policies P ' which inter-operates with P. For every policy P ' in the list, controller Cx 22a records an identifier \ά(P), defined as we have seen before. This information is given to controller 22a by server Sp 28a at the time agent x 24a is assigned to controller Cx 22a. A similar connection protocol 29 is used in controller Cy 22b.
An interoperability primitive operation provides an initialization of an exchange of messages between agent x/P 24a and agent y/Q 24b. The interoperability primitive operation is represented by operation export (x/P, m, y/Q) operating under policy P invoked by agent x to initiate an exchange between agent x/P 24a and agent y/Q 24b operating under policy Q. When the message carrying this exchange arrives at agent y/Q 24b, an imported event is invoked under Q. The imported event is represented by event imported (x/P, m, y/Q). Fig. 3 is a flow diagram of an implementation of a method for providing interoperability between different policies using system 20. Consider an agent x/P 24a operating under policy P, and suppose that some event occurs at its controller Cx 22a) whose ruling, by policy P, is to export a message m to agent y/Q 24b, as shown in block 31. If controller Cx 22a does not already have the address of controller Cy 24b, controller Cx 24a sends a request for the address of controller Cy 24b to server Sp' 28b, in block 32. When server Sp' 28b responds, controller Cx 22a will cache the address of controller Cy 24b.
In block 33, the export of message from controller Cx 24a to controller Cy 24b is performed. A controller-to-controller interaction protocol can be used in this step, which differs from the analogous protocol used by LGI for interaction under the same policy in that the policies under which Cx 24a and Cy 24b operate are not identical, and neither are their identifiers. In block 34, controller Cy 22b evaluates the ruling of its law for its import and carries out its ruling.
In general system 20 satisfies the desired conditions of consensus, autonomy, and transparency, described above. First, the consensus condition stipulated that interoperation between a pair of agents under two different policies should be authorized by both policies. This condition is satisfied because for an agent under policy P to communicate to an agent under a different policy Q, policy P must have a rule that invokes an export operation to policy Q and policy Q must have a rule that responds to the resulting imported event from policy P. Second, the autonomy condition, which stipulates that the effect that an exchange initiated by agent x/P may have on the structure and behavior of agent y/Q, should be subject to policy Q alone, is satisfied since the effect on agent y/Q of an import of a message from elsewhere is determined by the ruling of the law of policy Q concerning "imported" events. Finally, the transparency condition, which stipulates that interoperating parties need not to be aware of the details of each others policy, is satisfied since when an agent y/Q handles a message exported from agent x/P, it has access only to the message itself and to the address of its source, but not to the policy P under which it has been produced.
The following is an example of how the three policies Pi, P2 and Pj described in the background of the invention can be made to interoperate to allow for regulated B2B transactions. After the presentation of the three policies, the manner in which they interoperate using system 20 is illustrated by describing the progression of a single purchase transaction. Policy Pi governs the ability of agents within an enterprise Ei to issue purchase orders. Specifically, Pi requires that for an agent c, representing a client in enterprise E], to issue a purchase order (PO) for price p, it must have a budget assigned to it, with a balance not smaller than p. Once a PO is issued, the agent's budget is reduced accordingly. If the purchase order is declined then the client's budget is to be restored.
The set of Py-messages subject to this policy comprise the following:
• purchaseOrder (specs, p,c), which denotes a purchase order for a merchandise described by specs, and for which the client c is willing to pay a price p.
• supplyOrder (specs, ticket), which represents a positive response to a purchase order for the specified merchandise, where ticket represents the requested merchandise.
• declineOrder (specs, p, reason), which denotes a rejection of a PO for the specified merchandise. This rejection returns any currency for price p offered in the PO, and contains the reason for the rejection.
The control-state of each member in this policy contains a term budget(val), where val is the value of the budget. The law of policy Pi is presented in Table 1, and it consists of three rules. Under this law members are allowed to export to and import from members of policy P , described later. The language used to define laws for LGI is described in detail in Minsky et al. Each rule is followed by an informal explanation in italics.
Table 1
Rl. sent(Xl, purchaseOrder(Specs,Price,Xl),X2):- budget(Val)@CS, Val>Price, do(dcr(budget(Val),Price)). do(export(Xl/Pι,purchaseOrder(Specs,Price,Xl),X2/ Pι,2)).
In Rule Rl purchaseOrder message is exported to the vendor X2 that operates under the inter-enterprise policy P;,2 if Price, the amount XI is willing to pay for the merchandise is less than val.
R2 imported(X2/ P ,supplyOrder(Specs,Ticket),Xl/ Pι) do(deliver(X2,supplyOrder(Specs,Ticket),Xl)).
In Rule R2, a supplyOrder message, imported from /Pi, 2 is delivered.
R3 imported(X2//Pi>2,declineOrder(Specs,Price,Reason),Xl/ Pi):- do(incr(budget(Val),Price)), do(deliver(X2,declineOrder(Specs,Price,Reason),Xl)).
In Rule R3 a declineOrder message, imported from policy Pi, 2, is delivered after the budget is restored by incrementing it with the price of the failed PO.
Policy P2, which governs the response of agents of enterprise E2 to purchase orders, requires that all purchase orders and all responses to them be monitored by a designated agent called "auditor". Unlike policy Pi which allows for interoperability only with policy Py,2 the law of policy P2 allows for interoperability with arbitrary policies to allow for interoperability between groups of policies. The law of policy P2 is displayed in Table 2. In this embodiment the set of messages recognized by policy P2 is the same as for policy Pi. In alternate embodiments the set of messages between policy Py and policy P2 can be different. Table 2
Rl. imported(I/IP,purchaseOrder(Specs,Price,Xl),X2/ P2) do(+order(Specs,I,IP)), do(deliver(X2, purchaseOrder(specs,Price,Xl),auditor)), do(deliver(X2, purchaseOrder(Specs,Price),X2)).
In Rule Rl, when a purchaseOrder is imported by vendor X2, the message is delivered to the intended destination and also to the designated auditor.
R2 sent(X2,M,Xl):-
(M=declineOrder(Specs,Price,Reason)|M=supplyOrder(Specs,Ticket)), order(Specs,I,IP)@CS,do(-order(Specs,I,IP)), do(export(X2/ P2,M,I/IP)), do(deliver(X2,M,auditor)).
In Rule R2, a message sent by the vendor is delivered to the auditor. The message is exported to I, the interactant from which this order originally came, under an interaction policy IP. For example, I can be an object blanket operating under policy P .
Policy Pι,2 , which governs purchasing interactions between agents in enterprise Ei and agents in enterprise E2, represents a blanket agreement between the two enterprises. Specifically, this policy requires that a purchase order be processed by the vendor only if the amount offered by the client does not exceed the remaining balance in the blanket. The group of agents subject to this policy consists of the set of agents from the vendor-enterprise £2 that may serve purchase orders, and a distinguished agent, referred to as the blanket agent that maintains the balance for the purchases of the client- enterprise Ei. The law Ly,2 of policy P;,2 is defined in Table 3. Table 3
Initially: Agent blanket has in its control state a term of the form balancefval), where val denotes the remaining amount of money that the agent of enterprise E] has available to purchases, at a given moment in time.
Rl. imported(Xl/Pι,purchaseOrder(Specs,Price),X2/ Pι,2):- do(forward(X2,purchaseOrder(Specs,Price,Xl), blanket). In Rule Rl, a purchaseOrder message imported by a vendor X2 is forwarded to blanket or approval.
Rl. arrived(X2,purchaseOrder(Specs,Price,Xl , blanket) :- balance(Val)@CS, Val>=Price, do(dcr(balance(Val),Price)), do(order(Specs,Price,Xl,X2)), do(export(blanket/ Pι?2> purchaseOrder(Specs,Price,Xl),X2/ P2)). In Rule R2, if Price, the sum XI is willing to pay for the merchandise, is less than Val the value of the balance, then the purchaseOrder message is exported to X2, the vendor which originally received the request under policy P2.
R3. arrived(X2,purchaseOrder(Specs,Price,Xl),blanket):- balance(balance(Val)@CS,Val<Price, do(export(X2/ Pι,2, declineOrder(Specs,Price,"insuffιcient funds"),Xl/ P ). In rule R3, if the balance is less than the Price then a declineOrder message is exported to XI, the client which originally issued the purchaseOrder.
R4. imported(X2/ P2,declineOrder(Specs,Price,Reason),blanket/ P^):- do(incr(balance(Amount),Price), order(Specs,Price,Xl,X2)@CS, do(-order(Specs,Price,Xl,X2)), do(export(X2/ Pi, 2, declineOrder(Specs,Price,Reason),Xl/ Pi)).
In Rule R4, if the vendor cannot honor the order, the client-enterprise has its blanket increased by Price. Also the message is exported to XI the individual client which issued the request. R5. imported(X2/ P2,supplyOrder(Specs,Ticket),blanket/ P^):- order(Specs,Price,C,X2)@CS, do(-order(Specs,Price,Xl,X2)), do(export(X2/ Pι,2, supply(Specs icket), Xl/ Pi)). In Rule R5, a supplyOrder message is exported to the client XI which issued the order.
Note that policy Pi and policy P2 do not depend on each other in any way. Each of these policies provides for export to, and import from, the interaction policy Pι,2 but the policies have no dependency on the internal structure of PJ .
Referring to Fig. 4A and Fig. 4B, it is illustrated how the above-described policies function together, by means of a step-by-step description of the progression of a single purchasing transaction initiated by a purchase order (PO) sent by agent xi/Pi (i.e., agent x; operating under policy Pi) of an enterprise Ei (the client) to an agent x2/P2 of enterprise E2 (the vendor).
Referring to block 41 of Fig. 4A, a PO sent by agent x/P; to agent x2/P2 is handled under rule Rl of policy Pi. If the budget of agent xi/Pi is smaller than the specified price, then the PO is ignored. If the budget of agent x Pi is greater than or equal to the specified price the following operations are carried out: (a) the budget of agent x/P; is decremented by the specified price; and (b) the PO is exported to agent x2/P;.2.
In block 42, the import of a PO by agent x2/P;,2 (a vendor operating under PJ ) activates the forwarding of this PO to the blanket agent, under policy Py ? (see rule R; of policy Pi, 2)- The agent blanket, which operates under policy Pι,2, and has in its control-state the term balance(V), where V represents the remaining balance under the blanket agreement between the two enterprises. The arrival of a PO, at the blanket agent causes a balance of the blanket to be compared with the price of the PO, as shown in block 43. If the balance of the blanket is bigger than the price of PO, the balance of the blanket is decremented by this price, and PO is exported to the vendor agent x2/P under Rule R2 of policy Pi, 2 , in block 44a. Alternatively, if the balance is smaller than the price, a declineOrder message is exported back to agent xy/Py under Rule R3 of policy Pi, in block 44b.
Fig. 4B describes the treatment of a PO once it is exported to x2/P2. In block 45, the PO is imported by x2/P2, and is immediately delivered to two agents: (a) to the vendor agent x2/P2 itself, for its disposition; and (b) to the agent auditor, designated to maintain the audit trail for all purchase orders received by vendors, and for the responses of the vendors to these orders.
In block 46, agent x2/P2 that received a PO can respond by sending one of two kinds of messages to agent xy/Py that originated the PO: a supplyOrder message, or a declineOrder message. In block 47, the sending of either of these messages triggers two operations under Rule R2 of policy P2: (a) the message is exported to blanket, operating under policy policy Pj,2, and (b) a copy of this message is delivered to the auditor agent, under policy P2.
In block 48, it is determined if the import of the response of agent x2/P2 by the agent blanket, operating under policy Py,2 is a supplyOrder or a declineOrder message. If the response is a supplyOrder message, then this message is automatically exported to the agent xy/Py under Rule R5 of policy Py,2 in block 49a. If the response is a declineOrder message, then the blanket balance is incremented by the price amount it had been previously decremented, and the declineOrder message is exported to the agent xy/Py under Rule R4 of policy Py,2 in block 49b.
In block 50a, the import of a supplyOrder message into agent xy/Py causes this message to be delivered to agent xy/Py under Rule R2 of policy Py. In block 50b, the import of a declineOrder message into xy/Py causes the budget of agent xy/Py to be restored, before the message is delivered to it under Rule R3 of policy Py.
It is understood that the above-described embodiments are illustrative of only a few of the many possible specific embodiments which can represent applications of the principles of the invention. Numerous and varied other arrangements can be readily derived in accordance with these principles by those skilled in the art without departing from the spirit and scope of the invention.

Claims

What is claimed is:
1. A method of providing interoperability between a first agent operating under a first policy and a second agent operating under a second policy comprising the steps of: assigning a first controller to said first agent, said first controller accessing a first list of policies to which said first agent can interoperate; assigning a second controller to said second agent, said second controller accessing a second list of policies to which said second agent can interoperate; exporting a message from said first agent to said second agent by said first controller under a first law for enforcing said first policy, said message including an identifier to said first policy; and importing said message at said second agent under a second law for enforcing said second policy if said identifier to said first policy of said message is in said list of policies to which said second agent can interoperate.
2. The method of claim 1 further comprising the steps of: applying a verifiable authentication to said message before exporting said message, said verifiable authentication indicating said first controller is an authentic controller with a trusted authority; and verifying said verifiable authentication in said step of importing said message at said second agent.
3. The method of claim 2 wherein said verifiable authentication is a public key and a signature.
4. The method of claim 3 wherein said signature includes said message, a hash of said first law and a hash of said second law.
5. The method of claim 1 wherein said first policy and said second policy are defined by a four-tuple of
{M, G, CS, L) where M is a set of messages regulated by policy P; G is a group of agents that exchange messages belonging to ; CS is a mutable set of control states with one said control state per member of group G; and L is a law comprising an enforced set of rules of engagement for regulating the exchange of said set of messages between members of said group G.
6. The method of claim 5 wherein said step of exporting said message from said first agent is performed by a rule of said first law involving an operation export (X/P,m,y/Q) wherein x represents said first agent, y represents said second agent, P represents said first policy and Q represents said second policy.
7. The method of claim 6 wherein said step of importing said message at said second agent is performed by a rule of said second law responding to an event (X/P,m, Y/Q) occurring when said message arrives at said second agent.
8. The method of claim 7 further comprising the step of: evaluating said import event with said second law and said control state of said second agent.
9. The method of claim 1 wherein said first agent is a first business enterprise and said second agent is a second business enterprise.
10. The method of claim 1 further comprising the step of: defining an interaction policy for interaction between said first agent and said second agent wherein said first agent operates under said first policy and said interaction policy and said second agent operates under said second policy and said interaction policy.
11. A method of providing interoperability between a first agent operating under a first policy and a second agent operating under a second policy in a purchase transaction comprising the steps of: handling a purchase order from a first agent assigned to a first controller to a second agent assigned to a second controller under a first policy that if a first agent budget is smaller than a price of said purchase order, said purchase order is ignored and if said first agent budget is greater than said price of said purchase order, said purchase order is exported from said first controller assigned to said first agent to said second controller assigned to said second agent and said first agent budget is decremented by said price of said purchase order; forwarding said purchase order from said second controller to an agent blanket, said agent blanket operating under an interaction policy to determine if said price of said purchase order is less than a budgeted price agreed to in said interaction policy and if said price of said purchase order is less than a balance of said agent blanket; and either issuing a first supply order message at said second agent if said price of said purchase order is less than said balance of said agent blanket and reducing said balance of said agent blanket by said price of said purchase order and sending said second agent said purchase order; or issuing a first decline order message to said second agent if said price of said purchase order is greater than said balance of said blanket agent.
12. The method of claim 11 wherein after said step of issuing a supply order message further comprising the steps of: importing said purchase order under said second policy from said second controller to said second agent; and responding to said purchase order at said second controller assigned to said second agent under said interaction policy with either issuing a second supply order message at said second agent or issuing a decline order message at said second agent.
13. The method of claim 12 wherein after said step of issuing a supply order message comprising the step of: exporting said second supply order message to said first controller of said first agent
14. The method of claim 12 wherein after said step of issuing a decline order message further comprising the step of: incrementing said balance of said agent blanket by said price of said purchase order and exporting said second decline order message to said first agent.
15. The method of claim 12 wherein in said step of importing said purchase order said purchase order is forwarded to an auditor agent.
16. A system for providing interoperability between a first agent operating under a first policy and a second agent operating under a second policy comprising: a first controller assigned to said first agent, said first controller accessing a first list of policies to which said first agent can interoperate; a second controller assigned to said second agent, said second controller accessing a second list of policies to which said second agent can interoperate; means for exporting a message from said first agent to said second agent by said first controller under a first law for enforcing said first policy, said message including an identifier to said first policy; and means for importing said message at said second agent under a second law for enforcing said second policy if said identifier to said first policy of said message is in said list of policies to which said second agent can interoperate.
17. The system of claim 16 further comprising: a verifiable authentication being applied to said message before exporting said message, said verifiable authentication indicating said first controller is an authentic controller with a trusted authority; and means for verifying said verifiable authentication during importing said message at said second agent.
18. The system of claim 17 wherein said verifiable authentication is a public key and a signature.
19. The system of claim 18 wherein said signature includes said message, a hash of said first law and a hash of said second law.
20. The system of claim 16 wherein said first agent is a first business enterprise and said second agent is a second business enterprise.
PCT/US2000/023407 1999-08-27 2000-08-25 System and method providing interoperability between enforced policies WO2001016835A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU69384/00A AU6938400A (en) 1999-08-27 2000-08-25 System and method providing interoperability between enforced policies

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US15125599P 1999-08-27 1999-08-27
US60/151,255 1999-08-27

Publications (1)

Publication Number Publication Date
WO2001016835A1 true WO2001016835A1 (en) 2001-03-08

Family

ID=22537954

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2000/023407 WO2001016835A1 (en) 1999-08-27 2000-08-25 System and method providing interoperability between enforced policies

Country Status (2)

Country Link
AU (1) AU6938400A (en)
WO (1) WO2001016835A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5311438A (en) * 1992-01-31 1994-05-10 Andersen Consulting Integrated manufacturing system
US5903873A (en) * 1996-05-31 1999-05-11 American General Life And Accident Insurance Company System for registering insurance transactions and communicating with a home office
US5996076A (en) * 1997-02-19 1999-11-30 Verifone, Inc. System, method and article of manufacture for secure digital certification of electronic commerce
US6061057A (en) * 1997-03-10 2000-05-09 Quickbuy Inc. Network commercial system using visual link objects

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5311438A (en) * 1992-01-31 1994-05-10 Andersen Consulting Integrated manufacturing system
US5903873A (en) * 1996-05-31 1999-05-11 American General Life And Accident Insurance Company System for registering insurance transactions and communicating with a home office
US5996076A (en) * 1997-02-19 1999-11-30 Verifone, Inc. System, method and article of manufacture for secure digital certification of electronic commerce
US6061057A (en) * 1997-03-10 2000-05-09 Quickbuy Inc. Network commercial system using visual link objects

Also Published As

Publication number Publication date
AU6938400A (en) 2001-03-26

Similar Documents

Publication Publication Date Title
JP3251917B2 (en) Electronic bidding system and electronic bidding method
Wilhelm et al. On the Problem of Trust in Mobile Agent Systems.
Jansen et al. Mobile agent security
US7814025B2 (en) Methods and apparatus for title protocol, authentication, and sharing
EP0912954B1 (en) Personal information security and exchange tool
US8365298B2 (en) Comprehensive security architecture for dynamic, web service based virtual organizations
US20070271618A1 (en) Securing access to a service data object
JPH09251425A (en) Method and system for controlling security of access to system resource in distributed system
KR20060111387A (en) Deliver-upon-request secure electronic message system
US20120089495A1 (en) Secure and mediated access for e-services
CN116250210A (en) Methods, apparatus, and computer readable media for authentication and authorization of networked data transactions
Lang et al. Developing secure distributed systems with CORBA
CN112074861A (en) Block chain based messaging service for time sensitive events
EP1170926A2 (en) Personal information security and exchange tool
Ungureanu et al. Establishing business rules for inter-enterprise electronic commerce
US20040117220A1 (en) Secure system and method for self-management of customer relationship management database
Varadharajan et al. A security architecture for mobile agent based applications
CN115456619B (en) Virtual prepaid card issuing system and method based on blockchain technology
van der Merwe et al. Electronic commerce with secure intelligent trade agents
CN112074862A (en) Storage management based on message feedback
Zapf et al. Security requirements for mobile agents in electronic markets
Hauser Control of information distribution and access
Romao et al. Secure electronic payments based on mobile agents
CN114679473B (en) Financial account management system and method based on distributed digital identity
von Solms Electronic commerce with secure intelligent trade agents

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CR CU CZ DE DK DM DZ EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG US UZ VN YU ZA ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
WWE Wipo information: entry into national phase

Ref document number: 10069895

Country of ref document: US

REG Reference to national code

Ref country code: DE

Ref legal event code: 8642

122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase

Ref country code: JP