REWERSE WG I2


Home

Members

Software

Documents

Events

Demo of the explanation facility

Introduction

PROTUNE-X - the explanation facility of PROTUNE - is meant to describe and explain PROTUNE policies and the decisions taken during negotiations.  PROTUNE-X has second generation features such as
  • irrelevant information removal
  • attribute-based denotations of semi-structured objects
plus novel features such as proper failure explanations, covering also infinitely failed derivations.

The theoretical framework underlying PROTUNE-X is described in report I2-D4 and in the ECAI 2006 paper.

The demo consists of a set of web pages generated automatically by PROTUNE-X.  Each of the explanation hypertexts of examples 1-6 has been generated in 0.04 sec.  Example 7 - that produces an infinite failure - needed 0.07 sec.  The explanation hypertext can be generated on the clients to reduce the computational load on the server.

The digital library scenario

Three basic rules regulate document downloading:
  1. Public resources can be freely downloaded. 
  2. A subscribed user can download all the publications covered by her subscription(s).
  3. Every publication can be downloaded by paying with a credit card or a fastpay card.
Additionally, in point 2 the user should be authenticated to retrieve her active subscriptions.  In point 3 an ID is required for credit card payments.

John Smith wants do download the file "paper_0123.pdf" using his subscription for computer-related publications.  Therefore, he submits his ID and expects to be authenticated.  However, the digital library system rejects his request.

John opens the why-not explanation page.  By following the [detail] link associated to the statement that there is no authenticated user, John can find out what went wrong.

Why-not explanation demo


Example 1
  Issuer unknown

John's ID is issued by the Open University.  Unfortunately, the server does not know the public key of the Open university, i.e. this CA is not known by the server.  This can be found by following the [detail] links associated to rules 3, 6, and 9, and reading the explanation associated to rule 18.

While explaning rule 3, the condition that paper_0123.pdf should be covered by some of the user's subscriptions has been automatically pruned, because trust negotiation failed for other reasons.  The explanations of why rules 6, 9, and 18 failed have been pruned in a similar way.  To see this, compare these explanations with those of .....rule 6 in Example 3, rule 9 in Example 4, and rule 18 in Example 2.

In the explanation of rule 18, note how the available attributes of a compound object (internally denoted by the "unfriendly" handler c012) are exploited to give a high-level and user-friendly description of the object.

[Start this demo]


Example 2
  The ID's signature verification fails

This time we assume that the issuer is one of the CAs known by the server.  Signature verification failure may happen - say - because of data corruption or tampering.  Follow the [detail] links associated to rules 3, 6, and 9.  You may ignore the first three steps, which are identical to those in Example 1.  Note that the explanation of rule 18 includes aspects that had been pruned in Example 1 because they were irrelevant in that context.

[Start this demo]


Example 3
  Missing credential fields

Next we assume that John's ID is recognized as a valid ID credential.  The latest version of the X.509 standard supports domain-dependent fields.  In open environments it may happen that a supplied credential is missing one of such fields.  In this example, a field called public_key is missing.  Follow the [detail] link associated to rule 2 and see the explanation associated to rule 6.  Note that it includes aspects that had been pruned in Example 1 because they were irrelevant in that context.

[Start this demo]


Example 4
  CA known, but not trusted for IDs

Trust is relative to a task to be accomplished. In this example, the Open University is known by the server, but the IDs signed by the Open University are not accepted.  Follow the [detail] link associated to rules 3 and 6 and see the explanation associated to rule 9.  Note that it includes aspects that had been pruned in Example 1 because they were irrelevant in that context.

Note: the word "obviously" in rule 9 results from a generic verbalization strategy for reflexive relations.

[Start this demo]


Example 5
  Paper not covered by subscription

Next, we assume that John was successfully authenticated.  Unfortunately, paper_0123.pdf is not covered by John's subscription.

This time there is no "deterministic" way of explaining failure:  John has two subscriptions, and paper_0123.pdf is covered by two subscriptions; however these subscriptions are all different, so each of the four choices eventually leads to a failure.  See how this is reported in the explanation associated to rule 3.

If you want to see what happens for a particular subscription, click on the corresponding link.  In this way one may focus on the scenarios that do not match one's expectations.  For example, if John intended to use his basic subscription to computer-related publications, then he might click on [Subscription = basic computer pubs] and find a "deterministic" explanation of why that approach failed.  This kind of explanation refinement can be very useful in more complex examples.

[Start this demo]


Example 6
  Wrong password

The server supports also a traditional authentication mechanism, based on login name and password pairs.  PROTUNE supports this mechanism via unsigned declarations (a kind of web forms).  In this example, John uses this method and types in a wrong password.  Follow the [details] link of rule 3 and see the explanation of rule 7.  Note that the details about the declaration's fields and password checking were pruned in the previous examples, where no declarations had been submitted by John.

[Start this demo]


Example 7
  Infinite failed derivation

Policies are logical axioms, not logic programs.  There may be loops, that should be regarded as equivalences rather than program errors.

Of course, such equivalences may induce infinite failed derivations.  In this example, John has two aliases: jsmith and J. Smith and two rules:
  1. jsmith is authenticated if J. Smith is, and
  2. J. Smith is authenticated if jsmith is.
Consequently, there is an infinite failed attemtp at proving that John is authenticated, cycling through the above two rules forever.  The above kind of rules may easily arise when heterogeneous policies are integrated.

In the presence of inifitely failed derivations, PROTUNE-X produces a finite, cyclic hypertext.  If you first follow the [details] links associated to rule 5, then the links associated to rule 1 and 2, the system informs you that you are in a loop by labeling the next link deja vu!

[Start this demo]


Coordinator unit: Sezione di Informatica - Dip. Di Scienze Fisiche - Universita' di Napoli Federico II