Specification and Analysis of Electronic ContractsThe logical approach (e.g., dynamic, temporal,...
Transcript of Specification and Analysis of Electronic ContractsThe logical approach (e.g., dynamic, temporal,...
![Page 1: Specification and Analysis of Electronic ContractsThe logical approach (e.g., dynamic, temporal, deontic logic) The automata-like approach (labelled Kripke structures) Gerardo Schneider](https://reader035.fdocuments.us/reader035/viewer/2022081619/60ea64bd69da5a21a8382e9d/html5/thumbnails/1.jpg)
university-logo
Specification and Analysis of Electronic Contracts
Gerardo [email protected]
PMA groupDepartment of Informatics,
University of Oslo
Joint work withCristian Prisacariu ([email protected]) and Gordon Pace
University of California at BerkeleyBerkeley – 06 May, 2008
Gerardo Schneider (UiO) Specification and analysis of e-contracts March 2008 1 / 36
![Page 2: Specification and Analysis of Electronic ContractsThe logical approach (e.g., dynamic, temporal, deontic logic) The automata-like approach (labelled Kripke structures) Gerardo Schneider](https://reader035.fdocuments.us/reader035/viewer/2022081619/60ea64bd69da5a21a8382e9d/html5/thumbnails/2.jpg)
university-logo
Contracts and Informatics
1 Conventional contractsTraditional commercial and judicial domain
2 “Programming by contract” or “Design by contract” (e.g., Eiffel)Relation between pre- and post-conditions of routines, method calls,invariants, temporal dependencies, etc
3 In the context of web servicesService-Level Agreement, usually written in an XML-like language (e.g.WSLA)
4 Behavioral interfacesSpecify the sequence of interactions between different participants.The allowed interactions are captured by legal (sets of) traces
5 Contractual protocolsTo specify the interaction between communicating entities
6 “Deontic e-contracts”: representing Obligations, Permissions,Prohibitions, Power, etc
Inspired from a conventional contractWritten directly in a formal specification language
7 “Social contracts”: Multi-agent systems
Gerardo Schneider (UiO) Specification and analysis of e-contracts March 2008 2 / 36
![Page 3: Specification and Analysis of Electronic ContractsThe logical approach (e.g., dynamic, temporal, deontic logic) The automata-like approach (labelled Kripke structures) Gerardo Schneider](https://reader035.fdocuments.us/reader035/viewer/2022081619/60ea64bd69da5a21a8382e9d/html5/thumbnails/3.jpg)
university-logo
Contracts
“A contract is a binding agreement between two or more persons thatis enforceable by law.” [Webster on-line]
This deed of Agreement is made between:1. [name], from now on referred to as Provider and2. the Client.INTRODUCTION3. The Provider is obliged to provide the Internet Services as stipulated in this Agreement.4. DEFINITIONSa) Internet traffic may be measured by both Client and Provider by means of Equipment and
may take the two values high and normal.OPERATIVE PART1. The Client shall not supply false information to the Client Relations Department of theProvider.2. Whenever the Internet Traffic is high then the Client must pay [price] immediately, or theClient must notify the Provider by sending an e-mail specifying that he will pay later.3. If the Client delays the payment as stipulated in 2, after notification he must immediatelylower the Internet traffic to the normal level, and pay later twice (2 ∗ [price]).4. If the Client does not lower the Internet traffic immediately, then the Client will have to pay3 ∗ [price].5. The Client shall, as soon as the Internet Service becomes operative, submit within seven (7)days the Personal Data Form from his account on the Provider’s web page to the ClientRelations Department of the Provider.
Gerardo Schneider (UiO) Specification and analysis of e-contracts March 2008 3 / 36
![Page 4: Specification and Analysis of Electronic ContractsThe logical approach (e.g., dynamic, temporal, deontic logic) The automata-like approach (labelled Kripke structures) Gerardo Schneider](https://reader035.fdocuments.us/reader035/viewer/2022081619/60ea64bd69da5a21a8382e9d/html5/thumbnails/4.jpg)
university-logo
Contracts
“A contract is a binding agreement between two or more persons thatis enforceable by law.” [Webster on-line]
This deed of Agreement is made between:1. [name], from now on referred to as Provider and2. the Client.INTRODUCTION3. The Provider is obliged to provide the Internet Services as stipulated in this Agreement.4. DEFINITIONSa) Internet traffic may be measured by both Client and Provider by means of Equipment and
may take the two values high and normal.OPERATIVE PART1. The Client shall not supply false information to the Client Relations Department of theProvider.2. Whenever the Internet Traffic is high then the Client must pay [price] immediately, or theClient must notify the Provider by sending an e-mail specifying that he will pay later.3. If the Client delays the payment as stipulated in 2, after notification he must immediatelylower the Internet traffic to the normal level, and pay later twice (2 ∗ [price]).4. If the Client does not lower the Internet traffic immediately, then the Client will have to pay3 ∗ [price].5. The Client shall, as soon as the Internet Service becomes operative, submit within seven (7)days the Personal Data Form from his account on the Provider’s web page to the ClientRelations Department of the Provider.
Gerardo Schneider (UiO) Specification and analysis of e-contracts March 2008 3 / 36
![Page 5: Specification and Analysis of Electronic ContractsThe logical approach (e.g., dynamic, temporal, deontic logic) The automata-like approach (labelled Kripke structures) Gerardo Schneider](https://reader035.fdocuments.us/reader035/viewer/2022081619/60ea64bd69da5a21a8382e9d/html5/thumbnails/5.jpg)
university-logo
Contracts
We call the above a conventional contract
An e-contract is a machine-readable contract
Two scenarios:
1 Obtain an e-contract from a conventional contract
Context: legal (e.g. financial) contracts
2 Write the e-contract directly in a formal language
Context: web services, components, OO, etc
Definition
A contract is a document which engages several parties in a transactionand stipulates their (conditional) obligations, rights, and prohibitions, aswell as penalties in case of contract violations.
A better name: ‘deontic’ e-contracts
Gerardo Schneider (UiO) Specification and analysis of e-contracts March 2008 4 / 36
![Page 6: Specification and Analysis of Electronic ContractsThe logical approach (e.g., dynamic, temporal, deontic logic) The automata-like approach (labelled Kripke structures) Gerardo Schneider](https://reader035.fdocuments.us/reader035/viewer/2022081619/60ea64bd69da5a21a8382e9d/html5/thumbnails/6.jpg)
university-logo
Contracts
We call the above a conventional contract
An e-contract is a machine-readable contract
Two scenarios:
1 Obtain an e-contract from a conventional contract
Context: legal (e.g. financial) contracts
2 Write the e-contract directly in a formal language
Context: web services, components, OO, etc
Definition
A contract is a document which engages several parties in a transactionand stipulates their (conditional) obligations, rights, and prohibitions, aswell as penalties in case of contract violations.
A better name: ‘deontic’ e-contracts
Gerardo Schneider (UiO) Specification and analysis of e-contracts March 2008 4 / 36
![Page 7: Specification and Analysis of Electronic ContractsThe logical approach (e.g., dynamic, temporal, deontic logic) The automata-like approach (labelled Kripke structures) Gerardo Schneider](https://reader035.fdocuments.us/reader035/viewer/2022081619/60ea64bd69da5a21a8382e9d/html5/thumbnails/7.jpg)
university-logo
Aim and Motivation
Use deontic e-contracts to ‘rule’ services exchange
1 Give a formal language for specifying/writing contracts2 Analyze contracts “internally”
Detect contradictions/inconsistencies staticallyDetermine the obligations (permissions, prohibitions) of a signatoryDetect superfluous contract clauses
3 Develop a theory of contracts
Contract compositionSubcontractingConformance between a contract and the governing policiesMeta-contracts (policies)
4 Monitor contracts
Run-time system to ensure the contract is respectedIn case of contract violations, act accordingly
Gerardo Schneider (UiO) Specification and analysis of e-contracts March 2008 5 / 36
![Page 8: Specification and Analysis of Electronic ContractsThe logical approach (e.g., dynamic, temporal, deontic logic) The automata-like approach (labelled Kripke structures) Gerardo Schneider](https://reader035.fdocuments.us/reader035/viewer/2022081619/60ea64bd69da5a21a8382e9d/html5/thumbnails/8.jpg)
university-logo
Aim and Motivation
Use deontic e-contracts to ‘rule’ services exchange
1 Give a formal language for specifying/writing contracts2 Analyze contracts “internally”
Detect contradictions/inconsistencies staticallyDetermine the obligations (permissions, prohibitions) of a signatoryDetect superfluous contract clauses
3 Develop a theory of contracts
Contract compositionSubcontractingConformance between a contract and the governing policiesMeta-contracts (policies)
4 Monitor contracts
Run-time system to ensure the contract is respectedIn case of contract violations, act accordingly
Gerardo Schneider (UiO) Specification and analysis of e-contracts March 2008 5 / 36
![Page 9: Specification and Analysis of Electronic ContractsThe logical approach (e.g., dynamic, temporal, deontic logic) The automata-like approach (labelled Kripke structures) Gerardo Schneider](https://reader035.fdocuments.us/reader035/viewer/2022081619/60ea64bd69da5a21a8382e9d/html5/thumbnails/9.jpg)
university-logo
Aim and Motivation
Use deontic e-contracts to ‘rule’ services exchange
1 Give a formal language for specifying/writing contracts2 Analyze contracts “internally”
Detect contradictions/inconsistencies staticallyDetermine the obligations (permissions, prohibitions) of a signatoryDetect superfluous contract clauses
3 Develop a theory of contracts
Contract compositionSubcontractingConformance between a contract and the governing policiesMeta-contracts (policies)
4 Monitor contracts
Run-time system to ensure the contract is respectedIn case of contract violations, act accordingly
Gerardo Schneider (UiO) Specification and analysis of e-contracts March 2008 5 / 36
![Page 10: Specification and Analysis of Electronic ContractsThe logical approach (e.g., dynamic, temporal, deontic logic) The automata-like approach (labelled Kripke structures) Gerardo Schneider](https://reader035.fdocuments.us/reader035/viewer/2022081619/60ea64bd69da5a21a8382e9d/html5/thumbnails/10.jpg)
university-logo
Aim and Motivation
Use deontic e-contracts to ‘rule’ services exchange
1 Give a formal language for specifying/writing contracts2 Analyze contracts “internally”
Detect contradictions/inconsistencies staticallyDetermine the obligations (permissions, prohibitions) of a signatoryDetect superfluous contract clauses
3 Develop a theory of contracts
Contract compositionSubcontractingConformance between a contract and the governing policiesMeta-contracts (policies)
4 Monitor contracts
Run-time system to ensure the contract is respectedIn case of contract violations, act accordingly
Gerardo Schneider (UiO) Specification and analysis of e-contracts March 2008 5 / 36
![Page 11: Specification and Analysis of Electronic ContractsThe logical approach (e.g., dynamic, temporal, deontic logic) The automata-like approach (labelled Kripke structures) Gerardo Schneider](https://reader035.fdocuments.us/reader035/viewer/2022081619/60ea64bd69da5a21a8382e9d/html5/thumbnails/11.jpg)
university-logo
Aim and Motivation
Use deontic e-contracts to ‘rule’ services exchange
1 Give a formal language for specifying/writing contracts2 Analyze contracts “internally”
Detect contradictions/inconsistencies staticallyDetermine the obligations (permissions, prohibitions) of a signatoryDetect superfluous contract clauses
3 Develop a theory of contracts
Contract compositionSubcontractingConformance between a contract and the governing policiesMeta-contracts (policies)
4 Monitor contracts
Run-time system to ensure the contract is respectedIn case of contract violations, act accordingly
Gerardo Schneider (UiO) Specification and analysis of e-contracts March 2008 5 / 36
![Page 12: Specification and Analysis of Electronic ContractsThe logical approach (e.g., dynamic, temporal, deontic logic) The automata-like approach (labelled Kripke structures) Gerardo Schneider](https://reader035.fdocuments.us/reader035/viewer/2022081619/60ea64bd69da5a21a8382e9d/html5/thumbnails/12.jpg)
university-logo
Aim and MotivationCOSoDIS
(1)
(3)
(2) (4)
(6)
(5)
COSoDIS: “Contract-Oriented Software Development for Internet Services”–A Nordunet3 project (http://www.ifi.uio.no/cosodis/)
Gerardo Schneider (UiO) Specification and analysis of e-contracts March 2008 6 / 36
![Page 13: Specification and Analysis of Electronic ContractsThe logical approach (e.g., dynamic, temporal, deontic logic) The automata-like approach (labelled Kripke structures) Gerardo Schneider](https://reader035.fdocuments.us/reader035/viewer/2022081619/60ea64bd69da5a21a8382e9d/html5/thumbnails/13.jpg)
university-logo
A Formal Language for Contracts
A precise and concise syntax and a formal semantics
Expressive enough as to capture natural contract clauses
Restrictive enough to avoid (deontic) paradoxes and be amenable toformal analysis
Model checkingDeductive verification
Allow representation of complex clauses: conditional obligations,permissions, and prohibitions
Allow specification of (nested) contrary-to-duty (CTD) andcontrary-to-prohibition (CTP)
CTD: when an obligation is not fulfilledCTP: when a prohibition is violated
We want to combine
The logical approach (e.g., dynamic, temporal, deontic logic)The automata-like approach (labelled Kripke structures)
Gerardo Schneider (UiO) Specification and analysis of e-contracts March 2008 7 / 36
![Page 14: Specification and Analysis of Electronic ContractsThe logical approach (e.g., dynamic, temporal, deontic logic) The automata-like approach (labelled Kripke structures) Gerardo Schneider](https://reader035.fdocuments.us/reader035/viewer/2022081619/60ea64bd69da5a21a8382e9d/html5/thumbnails/14.jpg)
university-logo
A Formal Language for Contracts
A precise and concise syntax and a formal semantics
Expressive enough as to capture natural contract clauses
Restrictive enough to avoid (deontic) paradoxes and be amenable toformal analysis
Model checkingDeductive verification
Allow representation of complex clauses: conditional obligations,permissions, and prohibitions
Allow specification of (nested) contrary-to-duty (CTD) andcontrary-to-prohibition (CTP)
CTD: when an obligation is not fulfilledCTP: when a prohibition is violated
We want to combine
The logical approach (e.g., dynamic, temporal, deontic logic)The automata-like approach (labelled Kripke structures)
Gerardo Schneider (UiO) Specification and analysis of e-contracts March 2008 7 / 36
![Page 15: Specification and Analysis of Electronic ContractsThe logical approach (e.g., dynamic, temporal, deontic logic) The automata-like approach (labelled Kripke structures) Gerardo Schneider](https://reader035.fdocuments.us/reader035/viewer/2022081619/60ea64bd69da5a21a8382e9d/html5/thumbnails/15.jpg)
university-logo
(Standard) Deontic LogicFew Words
Concerned with moral and normative notionsobligation, permission, prohibition, optionality, power, indifference,immunity, etc
Focus onThe logical consistency of the above notionsThe faithful representation of their intuitive meaning in law, moralsystems, business organisations and security systems
Difficult to avoid puzzles and paradoxesLogical paradoxes, where we can deduce contradictory actions“Practical oddities”, where we can get counterintuitive conclusions
Approachesought-to-do: expressions consider names of actions
“The Internet Provider must send a password to the Client”
ought-to-be: expressions consider state of affairs (results of actions)“The average bandwidth must be more than 20kb/s”
We’ll only consider obligation, permission and prohibition over actions
Assertions define the “state of affairs”
Gerardo Schneider (UiO) Specification and analysis of e-contracts March 2008 8 / 36
![Page 16: Specification and Analysis of Electronic ContractsThe logical approach (e.g., dynamic, temporal, deontic logic) The automata-like approach (labelled Kripke structures) Gerardo Schneider](https://reader035.fdocuments.us/reader035/viewer/2022081619/60ea64bd69da5a21a8382e9d/html5/thumbnails/16.jpg)
university-logo
(Standard) Deontic LogicFew Words
Concerned with moral and normative notionsobligation, permission, prohibition, optionality, power, indifference,immunity, etc
Focus onThe logical consistency of the above notionsThe faithful representation of their intuitive meaning in law, moralsystems, business organisations and security systems
Difficult to avoid puzzles and paradoxesLogical paradoxes, where we can deduce contradictory actions“Practical oddities”, where we can get counterintuitive conclusions
Approachesought-to-do: expressions consider names of actions
“The Internet Provider must send a password to the Client”
ought-to-be: expressions consider state of affairs (results of actions)“The average bandwidth must be more than 20kb/s”
We’ll only consider obligation, permission and prohibition over actions
Assertions define the “state of affairs”
Gerardo Schneider (UiO) Specification and analysis of e-contracts March 2008 8 / 36
![Page 17: Specification and Analysis of Electronic ContractsThe logical approach (e.g., dynamic, temporal, deontic logic) The automata-like approach (labelled Kripke structures) Gerardo Schneider](https://reader035.fdocuments.us/reader035/viewer/2022081619/60ea64bd69da5a21a8382e9d/html5/thumbnails/17.jpg)
university-logo
(Standard) Deontic LogicFew Words
Concerned with moral and normative notionsobligation, permission, prohibition, optionality, power, indifference,immunity, etc
Focus onThe logical consistency of the above notionsThe faithful representation of their intuitive meaning in law, moralsystems, business organisations and security systems
Difficult to avoid puzzles and paradoxesLogical paradoxes, where we can deduce contradictory actions“Practical oddities”, where we can get counterintuitive conclusions
Approachesought-to-do: expressions consider names of actions
“The Internet Provider must send a password to the Client”
ought-to-be: expressions consider state of affairs (results of actions)“The average bandwidth must be more than 20kb/s”
We’ll only consider obligation, permission and prohibition over actions
Assertions define the “state of affairs”
Gerardo Schneider (UiO) Specification and analysis of e-contracts March 2008 8 / 36
![Page 18: Specification and Analysis of Electronic ContractsThe logical approach (e.g., dynamic, temporal, deontic logic) The automata-like approach (labelled Kripke structures) Gerardo Schneider](https://reader035.fdocuments.us/reader035/viewer/2022081619/60ea64bd69da5a21a8382e9d/html5/thumbnails/18.jpg)
university-logo
(Standard) Deontic LogicFew Words
Concerned with moral and normative notionsobligation, permission, prohibition, optionality, power, indifference,immunity, etc
Focus onThe logical consistency of the above notionsThe faithful representation of their intuitive meaning in law, moralsystems, business organisations and security systems
Difficult to avoid puzzles and paradoxesLogical paradoxes, where we can deduce contradictory actions“Practical oddities”, where we can get counterintuitive conclusions
Approachesought-to-do: expressions consider names of actions
“The Internet Provider must send a password to the Client”
ought-to-be: expressions consider state of affairs (results of actions)“The average bandwidth must be more than 20kb/s”
We’ll only consider obligation, permission and prohibition over actions
Assertions define the “state of affairs”
Gerardo Schneider (UiO) Specification and analysis of e-contracts March 2008 8 / 36
![Page 19: Specification and Analysis of Electronic ContractsThe logical approach (e.g., dynamic, temporal, deontic logic) The automata-like approach (labelled Kripke structures) Gerardo Schneider](https://reader035.fdocuments.us/reader035/viewer/2022081619/60ea64bd69da5a21a8382e9d/html5/thumbnails/19.jpg)
university-logo
(Standard) Deontic LogicFew Words
Concerned with moral and normative notionsobligation, permission, prohibition, optionality, power, indifference,immunity, etc
Focus onThe logical consistency of the above notionsThe faithful representation of their intuitive meaning in law, moralsystems, business organisations and security systems
Difficult to avoid puzzles and paradoxesLogical paradoxes, where we can deduce contradictory actions“Practical oddities”, where we can get counterintuitive conclusions
Approachesought-to-do: expressions consider names of actions
“The Internet Provider must send a password to the Client”
ought-to-be: expressions consider state of affairs (results of actions)“The average bandwidth must be more than 20kb/s”
We’ll only consider obligation, permission and prohibition over actions
Assertions define the “state of affairs”
Gerardo Schneider (UiO) Specification and analysis of e-contracts March 2008 8 / 36
![Page 20: Specification and Analysis of Electronic ContractsThe logical approach (e.g., dynamic, temporal, deontic logic) The automata-like approach (labelled Kripke structures) Gerardo Schneider](https://reader035.fdocuments.us/reader035/viewer/2022081619/60ea64bd69da5a21a8382e9d/html5/thumbnails/20.jpg)
university-logo
Outline
1 The Contract Language CL
2 Properties of the Language
3 Verification of Contracts
4 Final Remarks
Gerardo Schneider (UiO) Specification and analysis of e-contracts March 2008 9 / 36
![Page 21: Specification and Analysis of Electronic ContractsThe logical approach (e.g., dynamic, temporal, deontic logic) The automata-like approach (labelled Kripke structures) Gerardo Schneider](https://reader035.fdocuments.us/reader035/viewer/2022081619/60ea64bd69da5a21a8382e9d/html5/thumbnails/21.jpg)
university-logo
Outline
1 The Contract Language CL
2 Properties of the Language
3 Verification of Contracts
4 Final Remarks
Gerardo Schneider (UiO) Specification and analysis of e-contracts March 2008 10 / 36
![Page 22: Specification and Analysis of Electronic ContractsThe logical approach (e.g., dynamic, temporal, deontic logic) The automata-like approach (labelled Kripke structures) Gerardo Schneider](https://reader035.fdocuments.us/reader035/viewer/2022081619/60ea64bd69da5a21a8382e9d/html5/thumbnails/22.jpg)
university-logo
The Contract Specification Language CL
Contract := D ; CC := CO | CP | CF | C ∧ C | [α]C | 〈α〉C | C U C | © C | �CCO := O(α) | CO ⊕ CO
CP := P(α) | CP ⊕ CP
CF := F (α) | CF ∨ [α]CF
O(α), P(α), F (α) specify obligation, permission (rights), andprohibition (forbidden) over actionsα are actions given in the definition part D
+ choice· concatenation (sequencing)
& concurrencyφ? test
∧, ∨, and ⊕ are conjunction, disjunction, and exclusive disjunction
[α] and 〈α〉 are the action parameterized modalities of dynamic logic
U , ©, and � correspond to temporal logic operators
Gerardo Schneider (UiO) Specification and analysis of e-contracts March 2008 11 / 36
![Page 23: Specification and Analysis of Electronic ContractsThe logical approach (e.g., dynamic, temporal, deontic logic) The automata-like approach (labelled Kripke structures) Gerardo Schneider](https://reader035.fdocuments.us/reader035/viewer/2022081619/60ea64bd69da5a21a8382e9d/html5/thumbnails/23.jpg)
university-logo
The Contract Specification Language CL
Contract := D ; CC := CO | CP | CF | C ∧ C | [α]C | 〈α〉C | C U C | © C | �CCO := O(α) | CO ⊕ CO
CP := P(α) | CP ⊕ CP
CF := F (α) | CF ∨ [α]CF
O(α), P(α), F (α) specify obligation, permission (rights), andprohibition (forbidden) over actionsα are actions given in the definition part D
+ choice· concatenation (sequencing)
& concurrencyφ? test
∧, ∨, and ⊕ are conjunction, disjunction, and exclusive disjunction
[α] and 〈α〉 are the action parameterized modalities of dynamic logic
U , ©, and � correspond to temporal logic operators
Gerardo Schneider (UiO) Specification and analysis of e-contracts March 2008 11 / 36
![Page 24: Specification and Analysis of Electronic ContractsThe logical approach (e.g., dynamic, temporal, deontic logic) The automata-like approach (labelled Kripke structures) Gerardo Schneider](https://reader035.fdocuments.us/reader035/viewer/2022081619/60ea64bd69da5a21a8382e9d/html5/thumbnails/24.jpg)
university-logo
The Contract Specification Language CL
Contract := D ; CC := CO | CP | CF | C ∧ C | [α]C | 〈α〉C | C U C | © C | �CCO := O(α) | CO ⊕ CO
CP := P(α) | CP ⊕ CP
CF := F (α) | CF ∨ [α]CF
O(α), P(α), F (α) specify obligation, permission (rights), andprohibition (forbidden) over actionsα are actions given in the definition part D
+ choice· concatenation (sequencing)
& concurrencyφ? test
∧, ∨, and ⊕ are conjunction, disjunction, and exclusive disjunction
[α] and 〈α〉 are the action parameterized modalities of dynamic logic
U , ©, and � correspond to temporal logic operators
Gerardo Schneider (UiO) Specification and analysis of e-contracts March 2008 11 / 36
![Page 25: Specification and Analysis of Electronic ContractsThe logical approach (e.g., dynamic, temporal, deontic logic) The automata-like approach (labelled Kripke structures) Gerardo Schneider](https://reader035.fdocuments.us/reader035/viewer/2022081619/60ea64bd69da5a21a8382e9d/html5/thumbnails/25.jpg)
university-logo
The Contract Specification Language CL
Contract := D ; CC := CO | CP | CF | C ∧ C | [α]C | 〈α〉C | C U C | © C | �CCO := O(α) | CO ⊕ CO
CP := P(α) | CP ⊕ CP
CF := F (α) | CF ∨ [α]CF
O(α), P(α), F (α) specify obligation, permission (rights), andprohibition (forbidden) over actionsα are actions given in the definition part D
+ choice· concatenation (sequencing)
& concurrencyφ? test
∧, ∨, and ⊕ are conjunction, disjunction, and exclusive disjunction
[α] and 〈α〉 are the action parameterized modalities of dynamic logic
U , ©, and � correspond to temporal logic operators
Gerardo Schneider (UiO) Specification and analysis of e-contracts March 2008 11 / 36
![Page 26: Specification and Analysis of Electronic ContractsThe logical approach (e.g., dynamic, temporal, deontic logic) The automata-like approach (labelled Kripke structures) Gerardo Schneider](https://reader035.fdocuments.us/reader035/viewer/2022081619/60ea64bd69da5a21a8382e9d/html5/thumbnails/26.jpg)
university-logo
The Contract Specification Language CL
Contract := D ; CC := CO | CP | CF | C ∧ C | [α]C | 〈α〉C | C U C | © C | �CCO := O(α) | CO ⊕ CO
CP := P(α) | CP ⊕ CP
CF := F (α) | CF ∨ [α]CF
O(α), P(α), F (α) specify obligation, permission (rights), andprohibition (forbidden) over actionsα are actions given in the definition part D
+ choice· concatenation (sequencing)
& concurrencyφ? test
∧, ∨, and ⊕ are conjunction, disjunction, and exclusive disjunction
[α] and 〈α〉 are the action parameterized modalities of dynamic logic
U , ©, and � correspond to temporal logic operators
Gerardo Schneider (UiO) Specification and analysis of e-contracts March 2008 11 / 36
![Page 27: Specification and Analysis of Electronic ContractsThe logical approach (e.g., dynamic, temporal, deontic logic) The automata-like approach (labelled Kripke structures) Gerardo Schneider](https://reader035.fdocuments.us/reader035/viewer/2022081619/60ea64bd69da5a21a8382e9d/html5/thumbnails/27.jpg)
university-logo
ActionsTest and Negation
Tests as actions: φ?
The behaviour of a test is like a guard ; e.g. ϕ? · a if the test succeedsthen action a is performedTests are used to model conditions: [ϕ?]C is the same as ϕ ⇒ C
Action negation α
It represents all immediate traces that take us outside the trace of αInvolves the use of a canonic form of actionsE.g.: consider two atomic actions a and b then a · b is b + a · a
Gerardo Schneider (UiO) Specification and analysis of e-contracts March 2008 12 / 36
![Page 28: Specification and Analysis of Electronic ContractsThe logical approach (e.g., dynamic, temporal, deontic logic) The automata-like approach (labelled Kripke structures) Gerardo Schneider](https://reader035.fdocuments.us/reader035/viewer/2022081619/60ea64bd69da5a21a8382e9d/html5/thumbnails/28.jpg)
university-logo
ActionsTest and Negation
Tests as actions: φ?
The behaviour of a test is like a guard ; e.g. ϕ? · a if the test succeedsthen action a is performedTests are used to model conditions: [ϕ?]C is the same as ϕ ⇒ C
Action negation α
It represents all immediate traces that take us outside the trace of αInvolves the use of a canonic form of actionsE.g.: consider two atomic actions a and b then a · b is b + a · a
Gerardo Schneider (UiO) Specification and analysis of e-contracts March 2008 12 / 36
![Page 29: Specification and Analysis of Electronic ContractsThe logical approach (e.g., dynamic, temporal, deontic logic) The automata-like approach (labelled Kripke structures) Gerardo Schneider](https://reader035.fdocuments.us/reader035/viewer/2022081619/60ea64bd69da5a21a8382e9d/html5/thumbnails/29.jpg)
university-logo
ActionsConcurrent actions
a&b
“The client must pay immediately, or the client must notify the serviceprovider by sending an e-mail specifying that he delays the payment”
O(p)⊕ O(d&n)
O(d&n) ≡ O(d) ∧ O(n)
Action algebra enriched with a conflict relation to representincompatible actions
a = “increase Internet traffic” and b = “decrease Internet traffic”
a #C bO(a) ∧ O(b) gives an inconsistency
Gerardo Schneider (UiO) Specification and analysis of e-contracts March 2008 13 / 36
![Page 30: Specification and Analysis of Electronic ContractsThe logical approach (e.g., dynamic, temporal, deontic logic) The automata-like approach (labelled Kripke structures) Gerardo Schneider](https://reader035.fdocuments.us/reader035/viewer/2022081619/60ea64bd69da5a21a8382e9d/html5/thumbnails/30.jpg)
university-logo
ActionsConcurrent actions
a&b
“The client must pay immediately, or the client must notify the serviceprovider by sending an e-mail specifying that he delays the payment”
O(p)⊕ O(d&n)
O(d&n) ≡ O(d) ∧ O(n)
Action algebra enriched with a conflict relation to representincompatible actions
a = “increase Internet traffic” and b = “decrease Internet traffic”
a #C bO(a) ∧ O(b) gives an inconsistency
Gerardo Schneider (UiO) Specification and analysis of e-contracts March 2008 13 / 36
![Page 31: Specification and Analysis of Electronic ContractsThe logical approach (e.g., dynamic, temporal, deontic logic) The automata-like approach (labelled Kripke structures) Gerardo Schneider](https://reader035.fdocuments.us/reader035/viewer/2022081619/60ea64bd69da5a21a8382e9d/html5/thumbnails/31.jpg)
university-logo
More on the Contract LanguageCTD and CTP
Expressing contrary-to-duty (CTD)
OC(α) = O(α) ∧ [α]C
Expressing contrary-to-prohibition (CTP)
FC(α) = F (α) ∧ [α]C
Example
“[...] the client must immediately lower the Internet traffic to the lowlevel, and pay later twice. If the client does not lower the Internet trafficimmediately, then the client will have to pay three times the price”
In CL: �(OC(l) ∧ [l ]♦(O(p&p)))
where C = ♦O(p&p&p)
Gerardo Schneider (UiO) Specification and analysis of e-contracts March 2008 14 / 36
![Page 32: Specification and Analysis of Electronic ContractsThe logical approach (e.g., dynamic, temporal, deontic logic) The automata-like approach (labelled Kripke structures) Gerardo Schneider](https://reader035.fdocuments.us/reader035/viewer/2022081619/60ea64bd69da5a21a8382e9d/html5/thumbnails/32.jpg)
university-logo
More on the Contract LanguageCTD and CTP
Expressing contrary-to-duty (CTD)
OC(α) = O(α) ∧ [α]C
Expressing contrary-to-prohibition (CTP)
FC(α) = F (α) ∧ [α]C
Example
“[...] the client must immediately lower the Internet traffic to the lowlevel, and pay later twice. If the client does not lower the Internet trafficimmediately, then the client will have to pay three times the price”
In CL: �(OC(l) ∧ [l ]♦(O(p&p)))
where C = ♦O(p&p&p)
Gerardo Schneider (UiO) Specification and analysis of e-contracts March 2008 14 / 36
![Page 33: Specification and Analysis of Electronic ContractsThe logical approach (e.g., dynamic, temporal, deontic logic) The automata-like approach (labelled Kripke structures) Gerardo Schneider](https://reader035.fdocuments.us/reader035/viewer/2022081619/60ea64bd69da5a21a8382e9d/html5/thumbnails/33.jpg)
university-logo
More on the Contract LanguageCTD and CTP
Expressing contrary-to-duty (CTD)
OC(α) = O(α) ∧ [α]C
Expressing contrary-to-prohibition (CTP)
FC(α) = F (α) ∧ [α]C
Example
“[...] the client must immediately lower the Internet traffic to the lowlevel, and pay later twice. If the client does not lower the Internet trafficimmediately, then the client will have to pay three times the price”
In CL: �(OC(l) ∧ [l ]♦(O(p&p)))
where C = ♦O(p&p&p)
Gerardo Schneider (UiO) Specification and analysis of e-contracts March 2008 14 / 36
![Page 34: Specification and Analysis of Electronic ContractsThe logical approach (e.g., dynamic, temporal, deontic logic) The automata-like approach (labelled Kripke structures) Gerardo Schneider](https://reader035.fdocuments.us/reader035/viewer/2022081619/60ea64bd69da5a21a8382e9d/html5/thumbnails/34.jpg)
university-logo
CL SemanticsCµ – A variant of the modal µ-calculus
Translation into a variant of µ-calculus (Cµ)
The syntax of the Cµ logicϕ := P | Z | Pc | > | ¬ϕ | ϕ ∧ ϕ | [γ]ϕ | µZ .ϕ(Z )
Main differences with respect to the classical µ-calculus:
1 Pc is set of propositional constants Oa and Fa, one for each basicaction a
2 Multisets of basic actions: i.e. γ = {a, a, b} is a label
Gerardo Schneider (UiO) Specification and analysis of e-contracts March 2008 15 / 36
![Page 35: Specification and Analysis of Electronic ContractsThe logical approach (e.g., dynamic, temporal, deontic logic) The automata-like approach (labelled Kripke structures) Gerardo Schneider](https://reader035.fdocuments.us/reader035/viewer/2022081619/60ea64bd69da5a21a8382e9d/html5/thumbnails/35.jpg)
university-logo
CL SemanticsCµ – A variant of the modal µ-calculus
Translation into a variant of µ-calculus (Cµ)
The syntax of the Cµ logicϕ := P | Z | Pc | > | ¬ϕ | ϕ ∧ ϕ | [γ]ϕ | µZ .ϕ(Z )
Main differences with respect to the classical µ-calculus:
1 Pc is set of propositional constants Oa and Fa, one for each basicaction a
2 Multisets of basic actions: i.e. γ = {a, a, b} is a label
Gerardo Schneider (UiO) Specification and analysis of e-contracts March 2008 15 / 36
![Page 36: Specification and Analysis of Electronic ContractsThe logical approach (e.g., dynamic, temporal, deontic logic) The automata-like approach (labelled Kripke structures) Gerardo Schneider](https://reader035.fdocuments.us/reader035/viewer/2022081619/60ea64bd69da5a21a8382e9d/html5/thumbnails/36.jpg)
university-logo
CL SemanticsExample: Obligation
Obligation
f T (O(a&b)) = 〈{a, b}〉(Oa ∧ Ob)
{a, b}
O(a&b)
Ob
Oa
Gerardo Schneider (UiO) Specification and analysis of e-contracts March 2008 16 / 36
![Page 37: Specification and Analysis of Electronic ContractsThe logical approach (e.g., dynamic, temporal, deontic logic) The automata-like approach (labelled Kripke structures) Gerardo Schneider](https://reader035.fdocuments.us/reader035/viewer/2022081619/60ea64bd69da5a21a8382e9d/html5/thumbnails/37.jpg)
university-logo
CL SemanticsExample: Obligation
Obligation
f T (O(a&b)) = 〈{a, b}〉(Oa ∧ Ob)
{a, b}
O(a&b)
Ob
Oa
Gerardo Schneider (UiO) Specification and analysis of e-contracts March 2008 16 / 36
![Page 38: Specification and Analysis of Electronic ContractsThe logical approach (e.g., dynamic, temporal, deontic logic) The automata-like approach (labelled Kripke structures) Gerardo Schneider](https://reader035.fdocuments.us/reader035/viewer/2022081619/60ea64bd69da5a21a8382e9d/html5/thumbnails/38.jpg)
university-logo
CL SemanticsOther Semantics
Very recent work:
“The” semantics of the language
Branching semantics
For monitoring purposes
Trace semantics
Gerardo Schneider (UiO) Specification and analysis of e-contracts March 2008 17 / 36
![Page 39: Specification and Analysis of Electronic ContractsThe logical approach (e.g., dynamic, temporal, deontic logic) The automata-like approach (labelled Kripke structures) Gerardo Schneider](https://reader035.fdocuments.us/reader035/viewer/2022081619/60ea64bd69da5a21a8382e9d/html5/thumbnails/39.jpg)
university-logo
Outline
1 The Contract Language CL
2 Properties of the Language
3 Verification of Contracts
4 Final Remarks
Gerardo Schneider (UiO) Specification and analysis of e-contracts March 2008 18 / 36
![Page 40: Specification and Analysis of Electronic ContractsThe logical approach (e.g., dynamic, temporal, deontic logic) The automata-like approach (labelled Kripke structures) Gerardo Schneider](https://reader035.fdocuments.us/reader035/viewer/2022081619/60ea64bd69da5a21a8382e9d/html5/thumbnails/40.jpg)
university-logo
Ross’s paradox
1 It is obligatory that one mails the letter
2 It is obligatory that one mails the letter or one destroys the letter
In Standard Deontic Logic (SDL) these are expressed as:
1 O(p)
2 O(p ∨ q)
Problem: in SDL one can infer that O(p) ⇒ O(p ∨ q)
Avoided in CL –Proof Sketch:
f T (O(a)) = 〈a〉Oa
O(a + b) ≡ O(a)⊕ O(b)f T= 〈a〉Oa ∧ 〈b〉Ob
〈a〉Oa 6⇒ 〈a〉Oa ∧ 〈b〉Ob
Gerardo Schneider (UiO) Specification and analysis of e-contracts March 2008 19 / 36
![Page 41: Specification and Analysis of Electronic ContractsThe logical approach (e.g., dynamic, temporal, deontic logic) The automata-like approach (labelled Kripke structures) Gerardo Schneider](https://reader035.fdocuments.us/reader035/viewer/2022081619/60ea64bd69da5a21a8382e9d/html5/thumbnails/41.jpg)
university-logo
Ross’s paradox
1 It is obligatory that one mails the letter
2 It is obligatory that one mails the letter or one destroys the letter
In Standard Deontic Logic (SDL) these are expressed as:
1 O(p)
2 O(p ∨ q)
Problem: in SDL one can infer that O(p) ⇒ O(p ∨ q)
Avoided in CL –Proof Sketch:
f T (O(a)) = 〈a〉Oa
O(a + b) ≡ O(a)⊕ O(b)f T= 〈a〉Oa ∧ 〈b〉Ob
〈a〉Oa 6⇒ 〈a〉Oa ∧ 〈b〉Ob
Gerardo Schneider (UiO) Specification and analysis of e-contracts March 2008 19 / 36
![Page 42: Specification and Analysis of Electronic ContractsThe logical approach (e.g., dynamic, temporal, deontic logic) The automata-like approach (labelled Kripke structures) Gerardo Schneider](https://reader035.fdocuments.us/reader035/viewer/2022081619/60ea64bd69da5a21a8382e9d/html5/thumbnails/42.jpg)
university-logo
Properties of the contract language
Theorem
The following paradoxes are avoided in CL:
Ross’s paradox
The Free Choice Permission paradox
Sartre’s dilemma
The Good Samaritan paradox
Chisholm’s paradox
The Gentle Murderer paradox
Gerardo Schneider (UiO) Specification and analysis of e-contracts March 2008 20 / 36
![Page 43: Specification and Analysis of Electronic ContractsThe logical approach (e.g., dynamic, temporal, deontic logic) The automata-like approach (labelled Kripke structures) Gerardo Schneider](https://reader035.fdocuments.us/reader035/viewer/2022081619/60ea64bd69da5a21a8382e9d/html5/thumbnails/43.jpg)
university-logo
Properties of the contract language (II)
Theorem
The following hold in CL:
P(α) ≡ ¬F (α)
O(α) ⇒ P(α)
P(a) 6⇒ P(a&b)
F (a) 6⇒ F (a&b)
F (a&b) 6⇒ F (a)
P(a&b) 6⇒ P(a)
Gerardo Schneider (UiO) Specification and analysis of e-contracts March 2008 21 / 36
![Page 44: Specification and Analysis of Electronic ContractsThe logical approach (e.g., dynamic, temporal, deontic logic) The automata-like approach (labelled Kripke structures) Gerardo Schneider](https://reader035.fdocuments.us/reader035/viewer/2022081619/60ea64bd69da5a21a8382e9d/html5/thumbnails/44.jpg)
university-logo
Outline
1 The Contract Language CL
2 Properties of the Language
3 Verification of Contracts
4 Final Remarks
Gerardo Schneider (UiO) Specification and analysis of e-contracts March 2008 22 / 36
![Page 45: Specification and Analysis of Electronic ContractsThe logical approach (e.g., dynamic, temporal, deontic logic) The automata-like approach (labelled Kripke structures) Gerardo Schneider](https://reader035.fdocuments.us/reader035/viewer/2022081619/60ea64bd69da5a21a8382e9d/html5/thumbnails/45.jpg)
university-logo
Model Checking in a Nutshell
A model checker is a software tool that given:
A model M (usually a Kripke model)
A property φ (usually a temporal logic formula)
It decides whether
M |= φ
It returns YES if the property is satisfied,
Otherwise returns NO and provides a counterexample
It is completely automatic!
Gerardo Schneider (UiO) Specification and analysis of e-contracts March 2008 23 / 36
![Page 46: Specification and Analysis of Electronic ContractsThe logical approach (e.g., dynamic, temporal, deontic logic) The automata-like approach (labelled Kripke structures) Gerardo Schneider](https://reader035.fdocuments.us/reader035/viewer/2022081619/60ea64bd69da5a21a8382e9d/html5/thumbnails/46.jpg)
university-logo
Model Checking Contracts
1 Model the conventional contract (in English) as a CL expression
2 Translate the CL specification into Cµ
3 Obtain a Kripke-like model (LTS) from the Cµ formulas
4 Translate the LTS into the input language of NuSMV5 Perform model checking using NuSMV
Check the model is ‘good’Check some properties about the client and the provider
6 In case of a counter-example given by NuSMV, interpret it as a CLclause and repeat the model checking process until the property issatisfied
7 In some cases rephrase the original contract
Gerardo Schneider (UiO) Specification and analysis of e-contracts March 2008 24 / 36
![Page 47: Specification and Analysis of Electronic ContractsThe logical approach (e.g., dynamic, temporal, deontic logic) The automata-like approach (labelled Kripke structures) Gerardo Schneider](https://reader035.fdocuments.us/reader035/viewer/2022081619/60ea64bd69da5a21a8382e9d/html5/thumbnails/47.jpg)
university-logo
Model Checking Contracts
1 Model the conventional contract (in English) as a CL expression
2 Translate the CL specification into Cµ
3 Obtain a Kripke-like model (LTS) from the Cµ formulas
4 Translate the LTS into the input language of NuSMV5 Perform model checking using NuSMV
Check the model is ‘good’Check some properties about the client and the provider
6 In case of a counter-example given by NuSMV, interpret it as a CLclause and repeat the model checking process until the property issatisfied
7 In some cases rephrase the original contract
Gerardo Schneider (UiO) Specification and analysis of e-contracts March 2008 24 / 36
![Page 48: Specification and Analysis of Electronic ContractsThe logical approach (e.g., dynamic, temporal, deontic logic) The automata-like approach (labelled Kripke structures) Gerardo Schneider](https://reader035.fdocuments.us/reader035/viewer/2022081619/60ea64bd69da5a21a8382e9d/html5/thumbnails/48.jpg)
university-logo
Model Checking Contracts
1 Model the conventional contract (in English) as a CL expression
2 Translate the CL specification into Cµ
3 Obtain a Kripke-like model (LTS) from the Cµ formulas
4 Translate the LTS into the input language of NuSMV5 Perform model checking using NuSMV
Check the model is ‘good’Check some properties about the client and the provider
6 In case of a counter-example given by NuSMV, interpret it as a CLclause and repeat the model checking process until the property issatisfied
7 In some cases rephrase the original contract
Gerardo Schneider (UiO) Specification and analysis of e-contracts March 2008 24 / 36
![Page 49: Specification and Analysis of Electronic ContractsThe logical approach (e.g., dynamic, temporal, deontic logic) The automata-like approach (labelled Kripke structures) Gerardo Schneider](https://reader035.fdocuments.us/reader035/viewer/2022081619/60ea64bd69da5a21a8382e9d/html5/thumbnails/49.jpg)
university-logo
Model Checking Contracts
1 Model the conventional contract (in English) as a CL expression
2 Translate the CL specification into Cµ
3 Obtain a Kripke-like model (LTS) from the Cµ formulas
4 Translate the LTS into the input language of NuSMV5 Perform model checking using NuSMV
Check the model is ‘good’Check some properties about the client and the provider
6 In case of a counter-example given by NuSMV, interpret it as a CLclause and repeat the model checking process until the property issatisfied
7 In some cases rephrase the original contract
Gerardo Schneider (UiO) Specification and analysis of e-contracts March 2008 24 / 36
![Page 50: Specification and Analysis of Electronic ContractsThe logical approach (e.g., dynamic, temporal, deontic logic) The automata-like approach (labelled Kripke structures) Gerardo Schneider](https://reader035.fdocuments.us/reader035/viewer/2022081619/60ea64bd69da5a21a8382e9d/html5/thumbnails/50.jpg)
university-logo
Model Checking Contracts
1 Model the conventional contract (in English) as a CL expression
2 Translate the CL specification into Cµ
3 Obtain a Kripke-like model (LTS) from the Cµ formulas
4 Translate the LTS into the input language of NuSMV5 Perform model checking using NuSMV
Check the model is ‘good’Check some properties about the client and the provider
6 In case of a counter-example given by NuSMV, interpret it as a CLclause and repeat the model checking process until the property issatisfied
7 In some cases rephrase the original contract
Gerardo Schneider (UiO) Specification and analysis of e-contracts March 2008 24 / 36
![Page 51: Specification and Analysis of Electronic ContractsThe logical approach (e.g., dynamic, temporal, deontic logic) The automata-like approach (labelled Kripke structures) Gerardo Schneider](https://reader035.fdocuments.us/reader035/viewer/2022081619/60ea64bd69da5a21a8382e9d/html5/thumbnails/51.jpg)
university-logo
Model Checking Contracts
1 Model the conventional contract (in English) as a CL expression
2 Translate the CL specification into Cµ
3 Obtain a Kripke-like model (LTS) from the Cµ formulas
4 Translate the LTS into the input language of NuSMV5 Perform model checking using NuSMV
Check the model is ‘good’Check some properties about the client and the provider
6 In case of a counter-example given by NuSMV, interpret it as a CLclause and repeat the model checking process until the property issatisfied
7 In some cases rephrase the original contract
Gerardo Schneider (UiO) Specification and analysis of e-contracts March 2008 24 / 36
![Page 52: Specification and Analysis of Electronic ContractsThe logical approach (e.g., dynamic, temporal, deontic logic) The automata-like approach (labelled Kripke structures) Gerardo Schneider](https://reader035.fdocuments.us/reader035/viewer/2022081619/60ea64bd69da5a21a8382e9d/html5/thumbnails/52.jpg)
university-logo
Model Checking Contracts
1 Model the conventional contract (in English) as a CL expression
2 Translate the CL specification into Cµ
3 Obtain a Kripke-like model (LTS) from the Cµ formulas
4 Translate the LTS into the input language of NuSMV5 Perform model checking using NuSMV
Check the model is ‘good’Check some properties about the client and the provider
6 In case of a counter-example given by NuSMV, interpret it as a CLclause and repeat the model checking process until the property issatisfied
7 In some cases rephrase the original contract
Gerardo Schneider (UiO) Specification and analysis of e-contracts March 2008 24 / 36
![Page 53: Specification and Analysis of Electronic ContractsThe logical approach (e.g., dynamic, temporal, deontic logic) The automata-like approach (labelled Kripke structures) Gerardo Schneider](https://reader035.fdocuments.us/reader035/viewer/2022081619/60ea64bd69da5a21a8382e9d/html5/thumbnails/53.jpg)
university-logo
Case StudyA Contract Example
1. The Client shall not:a) supply false information to the Client Relations Department of the Provider.2. Whenever the Internet Traffic is high then the Client must pay [price]immediately, or the Client must notify the Provider by sending an e-mailspecifying that he will pay later.3. If the Client delays the payment as stipulated in 2, after notification he mustimmediately lower the Internet traffic to the normal level, and pay later twice(2 ∗ [price]).4. If the Client does not lower the Internet traffic immediately, then the Clientwill have to pay 3 ∗ [price].5. The Client shall, as soon as the Internet Service becomes operative, submitwithin seven (7) days the Personal Data Form from his account on the Provider’sweb page to the Client Relations Department of the Provider.6. Provider may, at its sole discretion, without notice or giving any reason orincurring any liability for doing so:a) Suspend Internet Services immediately if Client is in breach of Clause 1;
Gerardo Schneider (UiO) Specification and analysis of e-contracts March 2008 25 / 36
![Page 54: Specification and Analysis of Electronic ContractsThe logical approach (e.g., dynamic, temporal, deontic logic) The automata-like approach (labelled Kripke structures) Gerardo Schneider](https://reader035.fdocuments.us/reader035/viewer/2022081619/60ea64bd69da5a21a8382e9d/html5/thumbnails/54.jpg)
university-logo
Case StudyA Contract Example
1. The Client shall not:a) supply false information to the Client Relations Department of the Provider.2. Whenever the Internet Traffic is high then the Client must pay [price]immediately, or the Client must notify the Provider by sending an e-mailspecifying that he will pay later.3. If the Client delays the payment as stipulated in 2, after notification he mustimmediately lower the Internet traffic to the normal level, and pay later twice(2 ∗ [price]).4. If the Client does not lower the Internet traffic immediately, then the Clientwill have to pay 3 ∗ [price].5. The Client shall, as soon as the Internet Service becomes operative, submitwithin seven (7) days the Personal Data Form from his account on the Provider’sweb page to the Client Relations Department of the Provider.6. Provider may, at its sole discretion, without notice or giving any reason orincurring any liability for doing so:a) Suspend Internet Services immediately if Client is in breach of Clause 1;
Gerardo Schneider (UiO) Specification and analysis of e-contracts March 2008 25 / 36
![Page 55: Specification and Analysis of Electronic ContractsThe logical approach (e.g., dynamic, temporal, deontic logic) The automata-like approach (labelled Kripke structures) Gerardo Schneider](https://reader035.fdocuments.us/reader035/viewer/2022081619/60ea64bd69da5a21a8382e9d/html5/thumbnails/55.jpg)
university-logo
Case StudyTranslating into CL syntax
1. �F (fi)
2. Whenever the Internet Traffic is high then the Client must pay [price]immediately, or the Client must notify the Provider by sending an e-mailspecifying that he will pay later.3. If the Client delays the payment as stipulated in 2, after notification he mustimmediately lower the Internet traffic to the normal level, and pay later twice(2 ∗ [price]).4. If the Client does not lower the Internet traffic immediately, then the Clientwill have to pay 3 ∗ [price].5. The Client shall, as soon as the Internet Service becomes operative, submitwithin seven (7) days the Personal Data Form from his account on the Provider’sweb page to the Client Relations Department of the Provider.6. Provider may, at its sole discretion, without notice or giving any reason orincurring any liability for doing so:a) Suspend Internet Services immediately if Client is in breach of Clause 1;
7. Provider may, at its sole discretion, without notice or giving any reason orincurring any liability for doing so:a) Suspend Internet Services immediately if Client is in breach of Clause 1;
Gerardo Schneider (UiO) Specification and analysis of e-contracts March 2008 26 / 36
![Page 56: Specification and Analysis of Electronic ContractsThe logical approach (e.g., dynamic, temporal, deontic logic) The automata-like approach (labelled Kripke structures) Gerardo Schneider](https://reader035.fdocuments.us/reader035/viewer/2022081619/60ea64bd69da5a21a8382e9d/html5/thumbnails/56.jpg)
university-logo
Case StudyTranslating into CL syntax
1. �F (fi)
2. Whenever the Internet Traffic is high then the Client must pay [price]immediately, or the Client must notify the Provider by sending an e-mailspecifying that he will pay later.3. If the Client delays the payment as stipulated in 2, after notification he mustimmediately lower the Internet traffic to the normal level, and pay later twice(2 ∗ [price]).4. If the Client does not lower the Internet traffic immediately, then the Clientwill have to pay 3 ∗ [price].5. The Client shall, as soon as the Internet Service becomes operative, submitwithin seven (7) days the Personal Data Form from his account on the Provider’sweb page to the Client Relations Department of the Provider.6. Provider may, at its sole discretion, without notice or giving any reason orincurring any liability for doing so:a) Suspend Internet Services immediately if Client is in breach of Clause 1;
Gerardo Schneider (UiO) Specification and analysis of e-contracts March 2008 26 / 36
![Page 57: Specification and Analysis of Electronic ContractsThe logical approach (e.g., dynamic, temporal, deontic logic) The automata-like approach (labelled Kripke structures) Gerardo Schneider](https://reader035.fdocuments.us/reader035/viewer/2022081619/60ea64bd69da5a21a8382e9d/html5/thumbnails/57.jpg)
university-logo
Case StudyTranslating into CL syntax
1. �FP(s)(fi)
2. Whenever the Internet Traffic is high then the Client must pay [price]immediately, or the Client must notify the Provider by sending an e-mailspecifying that he will pay later.3. If the Client delays the payment as stipulated in 2, after notification he mustimmediately lower the Internet traffic to the normal level, and pay later twice(2 ∗ [price]).4. If the Client does not lower the Internet traffic immediately, then the Clientwill have to pay 3 ∗ [price].5. The Client shall, as soon as the Internet Service becomes operative, submitwithin seven (7) days the Personal Data Form from his account on the Provider’sweb page to the Client Relations Department of the Provider.
6. Provider may, at its sole discretion, without notice or giving any reason orincurring any liability for doing so:a) Suspend Internet Services immediately if Client is in breach of Clause 1;
Gerardo Schneider (UiO) Specification and analysis of e-contracts March 2008 26 / 36
![Page 58: Specification and Analysis of Electronic ContractsThe logical approach (e.g., dynamic, temporal, deontic logic) The automata-like approach (labelled Kripke structures) Gerardo Schneider](https://reader035.fdocuments.us/reader035/viewer/2022081619/60ea64bd69da5a21a8382e9d/html5/thumbnails/58.jpg)
university-logo
Case StudyTranslating into CL syntax
1. �FP(s)(fi)
2. �[h](φ ⇒ O(p + (d&n)))
3. If the Client delays the payment as stipulated in 2, after notification he mustimmediately lower the Internet traffic to the normal level, and pay later twice(2 ∗ [price]).4. If the Client does not lower the Internet traffic immediately, then the Clientwill have to pay 3 ∗ [price].5. The Client shall, as soon as the Internet Service becomes operative, submitwithin seven (7) days the Personal Data Form from his account on the Provider’sweb page to the Client Relations Department of the Provider.
6. Provider may, at its sole discretion, without notice or giving any reason orincurring any liability for doing so:a) Suspend Internet Services immediately if Client is in breach of Clause 1;
Gerardo Schneider (UiO) Specification and analysis of e-contracts March 2008 26 / 36
![Page 59: Specification and Analysis of Electronic ContractsThe logical approach (e.g., dynamic, temporal, deontic logic) The automata-like approach (labelled Kripke structures) Gerardo Schneider](https://reader035.fdocuments.us/reader035/viewer/2022081619/60ea64bd69da5a21a8382e9d/html5/thumbnails/59.jpg)
university-logo
Case StudyTranslating into CL syntax
1. �FP(s)(fi)
2. �[h](φ ⇒ O(p + (d&n)))
3. �([d&n](O(l) ∧ [l ]♦O(p&p)))
4. If the Client does not lower the Internet traffic immediately, then the Clientwill have to pay 3 ∗ [price].5. The Client shall, as soon as the Internet Service becomes operative, submitwithin seven (7) days the Personal Data Form from his account on the Provider’sweb page to the Client Relations Department of the Provider.
6. Provider may, at its sole discretion, without notice or giving any reason orincurring any liability for doing so:a) Suspend Internet Services immediately if Client is in breach of Clause 1;
Gerardo Schneider (UiO) Specification and analysis of e-contracts March 2008 26 / 36
![Page 60: Specification and Analysis of Electronic ContractsThe logical approach (e.g., dynamic, temporal, deontic logic) The automata-like approach (labelled Kripke structures) Gerardo Schneider](https://reader035.fdocuments.us/reader035/viewer/2022081619/60ea64bd69da5a21a8382e9d/html5/thumbnails/60.jpg)
university-logo
Case StudyTranslating into CL syntax
1. �FP(s)(fi)
2. �[h](φ ⇒ O(p + (d&n)))
3. �([d&n](O(l) ∧ [l ]♦O(p&p)))
4. �([d&n · l ]♦O(p&p&p))
5. The Client shall, as soon as the Internet Service becomes operative, submitwithin seven (7) days the Personal Data Form from his account on the Provider’sweb page to the Client Relations Department of the Provider.
6. Provider may, at its sole discretion, without notice or giving any reason orincurring any liability for doing so:a) Suspend Internet Services immediately if Client is in breach of Clause 1;
Gerardo Schneider (UiO) Specification and analysis of e-contracts March 2008 26 / 36
![Page 61: Specification and Analysis of Electronic ContractsThe logical approach (e.g., dynamic, temporal, deontic logic) The automata-like approach (labelled Kripke structures) Gerardo Schneider](https://reader035.fdocuments.us/reader035/viewer/2022081619/60ea64bd69da5a21a8382e9d/html5/thumbnails/61.jpg)
university-logo
Case StudyTranslating into CL syntax
1. �FP(s)(fi)
2. �[h](φ ⇒ O(p + (d&n)))
3. �([d&n](O(l) ∧ [l ]♦O(p&p)))
4. �([d&n · l ]♦O(p&p&p))
5. �([o]O(sfD))
6. Provider may, at its sole discretion, without notice or giving any reason orincurring any liability for doing so:a) Suspend Internet Services immediately if Client is in breach of Clause 1;
Gerardo Schneider (UiO) Specification and analysis of e-contracts March 2008 26 / 36
![Page 62: Specification and Analysis of Electronic ContractsThe logical approach (e.g., dynamic, temporal, deontic logic) The automata-like approach (labelled Kripke structures) Gerardo Schneider](https://reader035.fdocuments.us/reader035/viewer/2022081619/60ea64bd69da5a21a8382e9d/html5/thumbnails/62.jpg)
university-logo
Case StudyHandcrafting the model
φ = the Internet traffic is highfi = client supplies false information
to Client Relations Departmenth = client increases Internet traffic
to high levelp = client pays [price]d = client delays paymentn = client notifies by e-maill = client lowers the Int. traffic
sfD = client sends the PersonalData Form to Client RelationsDepartment
o = provider activates the InternetService (it becomes operative)
s = provider suspends service
Fs¬
Ffi
OlOpOsfD ,
Od On, Opφ,
l−
sfD
o
l
s
fi
{d,n}
fi hp
fi
fifi
fi
fi
else
else
s3
s4s5
s7s6
s8
s1
s2
Gerardo Schneider (UiO) Specification and analysis of e-contracts March 2008 27 / 36
![Page 63: Specification and Analysis of Electronic ContractsThe logical approach (e.g., dynamic, temporal, deontic logic) The automata-like approach (labelled Kripke structures) Gerardo Schneider](https://reader035.fdocuments.us/reader035/viewer/2022081619/60ea64bd69da5a21a8382e9d/html5/thumbnails/63.jpg)
university-logo
Case StudyHandcrafting the model
φ = the Internet traffic is highfi = client supplies false information
to Client Relations Departmenth = client increases Internet traffic
to high levelp = client pays [price]d = client delays paymentn = client notifies by e-maill = client lowers the Int. traffic
sfD = client sends the PersonalData Form to Client RelationsDepartment
o = provider activates the InternetService (it becomes operative)
s = provider suspends service
Fs¬
Ffi
OlOpOsfD ,
Od On, Opφ,
l−
sfD
o
l
s
fi
{d,n}
fi hp
fi
fifi
fi
fi
else
else
s3
s4s5
s7s6
s8
s1
s2
Gerardo Schneider (UiO) Specification and analysis of e-contracts March 2008 27 / 36
![Page 64: Specification and Analysis of Electronic ContractsThe logical approach (e.g., dynamic, temporal, deontic logic) The automata-like approach (labelled Kripke structures) Gerardo Schneider](https://reader035.fdocuments.us/reader035/viewer/2022081619/60ea64bd69da5a21a8382e9d/html5/thumbnails/64.jpg)
university-logo
Case StudyHandcrafting the model
1. �FP(s)(fi)2. �[h](φ ⇒ O(p + (d&n)))3. �([d&n](O(l) ∧ [l ]♦O(p&p)))4. �([d&n · l ]♦O(p&p&p))5. �([o]O(sfD))
Fs¬
Ffi
OlOpOsfD ,
Od On, Opφ,
l−
sfD
o
l
s
fi
{d,n}
fi hp
fi
fifi
fi
fi
else
else
s3
s4s5
s7s6
s8
s1
s2
Gerardo Schneider (UiO) Specification and analysis of e-contracts March 2008 28 / 36
![Page 65: Specification and Analysis of Electronic ContractsThe logical approach (e.g., dynamic, temporal, deontic logic) The automata-like approach (labelled Kripke structures) Gerardo Schneider](https://reader035.fdocuments.us/reader035/viewer/2022081619/60ea64bd69da5a21a8382e9d/html5/thumbnails/65.jpg)
university-logo
Case StudyVerifying a property about client obligations
“It is always the case thatwhenever the Internet traffic ishigh, if the clients paysimmediately, then the client isnot obliged to pay againimmediately afterward”
It fails!
We get a counter-example–Problem: state s4
We modify the original contractto capture the above moreprecisely
Fs¬
Ffi
OlOpOsfD ,
Od On, Opφ,
l−
sfD
o
l
s
fi
{d,n}
fi hp
fi
fifi
fi
fi
else
else
s3
s4s5
s7s6
s8
s1
s2
Gerardo Schneider (UiO) Specification and analysis of e-contracts March 2008 29 / 36
![Page 66: Specification and Analysis of Electronic ContractsThe logical approach (e.g., dynamic, temporal, deontic logic) The automata-like approach (labelled Kripke structures) Gerardo Schneider](https://reader035.fdocuments.us/reader035/viewer/2022081619/60ea64bd69da5a21a8382e9d/html5/thumbnails/66.jpg)
university-logo
Case StudyVerifying a property about client obligations
“It is always the case thatwhenever the Internet traffic ishigh, if the clients paysimmediately, then the client isnot obliged to pay againimmediately afterward”
It fails!
We get a counter-example–Problem: state s4
We modify the original contractto capture the above moreprecisely
Fs¬
Ffi
OlOpOsfD ,
Od On, Opφ,
l−
sfD
o
l
s
fi
{d,n}
fi hp
fi
fifi
fi
fi
else
else
s3
s4s5
s7s6
s8
s1
s2
Gerardo Schneider (UiO) Specification and analysis of e-contracts March 2008 29 / 36
![Page 67: Specification and Analysis of Electronic ContractsThe logical approach (e.g., dynamic, temporal, deontic logic) The automata-like approach (labelled Kripke structures) Gerardo Schneider](https://reader035.fdocuments.us/reader035/viewer/2022081619/60ea64bd69da5a21a8382e9d/html5/thumbnails/67.jpg)
university-logo
Case StudyVerifying a property about client obligations
“It is always the case thatwhenever the Internet traffic ishigh, if the clients paysimmediately, then the client isnot obliged to pay againimmediately afterward”
It fails!
We get a counter-example–Problem: state s4
We modify the original contractto capture the above moreprecisely
Fs¬
Ffi
OlOpOsfD ,
l−
Od On, Opφ,
sfD
o
l
s
fi
{d,n}
fi hp
fi
fifi
fi
fi
else
else
s3
s4s5
s7s6
s8
s1
s2
Gerardo Schneider (UiO) Specification and analysis of e-contracts March 2008 29 / 36
![Page 68: Specification and Analysis of Electronic ContractsThe logical approach (e.g., dynamic, temporal, deontic logic) The automata-like approach (labelled Kripke structures) Gerardo Schneider](https://reader035.fdocuments.us/reader035/viewer/2022081619/60ea64bd69da5a21a8382e9d/html5/thumbnails/68.jpg)
university-logo
Case StudyVerifying a property about client obligations
“It is always the case thatwhenever the Internet traffic ishigh, if the clients paysimmediately, then the client isnot obliged to pay againimmediately afterward”
It fails!
We get a counter-example–Problem: state s4
We modify the original contractto capture the above moreprecisely
Fs¬
Ffi
OlOpOsfD ,
l−
Od On,
sfD
o
l
s
fi
{d,n}
fi h
fi
fifi
fi
fi
else
else
s3
s4s5
s7s6
s8
s1
s2
p
φ
Gerardo Schneider (UiO) Specification and analysis of e-contracts March 2008 29 / 36
![Page 69: Specification and Analysis of Electronic ContractsThe logical approach (e.g., dynamic, temporal, deontic logic) The automata-like approach (labelled Kripke structures) Gerardo Schneider](https://reader035.fdocuments.us/reader035/viewer/2022081619/60ea64bd69da5a21a8382e9d/html5/thumbnails/69.jpg)
university-logo
Case StudyVerifying a property about payment in case of increasing Internet traffic
“It is always the case that
whenever Internet traffic is high, if
the client delays payment and
notifies, and afterward lowers the
Internet traffic, then the client is
forbidden to increase Internet
traffic until he pays twice”
It fails!
Counter-example: From s4 (φholds), after d&n · l , it ispossible to increase Internettraffic in state s7, so neitherF (h) nor donep&p hold
Add to the original contract theclause above!
Fs¬
Ffi
OlOpOsfD ,
l−
Od On,
sfD
o
l
s
fi
{d,n}
fi h
fi
fifi
fi
fi
else
else
s3
s4s5
s7s6
s8
s1
s2
p
φ
Gerardo Schneider (UiO) Specification and analysis of e-contracts March 2008 30 / 36
![Page 70: Specification and Analysis of Electronic ContractsThe logical approach (e.g., dynamic, temporal, deontic logic) The automata-like approach (labelled Kripke structures) Gerardo Schneider](https://reader035.fdocuments.us/reader035/viewer/2022081619/60ea64bd69da5a21a8382e9d/html5/thumbnails/70.jpg)
university-logo
Case StudyVerifying a property about payment in case of increasing Internet traffic
“It is always the case that
whenever Internet traffic is high, if
the client delays payment and
notifies, and afterward lowers the
Internet traffic, then the client is
forbidden to increase Internet
traffic until he pays twice”
It fails!
Counter-example: From s4 (φholds), after d&n · l , it ispossible to increase Internettraffic in state s7, so neitherF (h) nor donep&p hold
Add to the original contract theclause above!
Fs¬
Ffi
OlOpOsfD ,
l−
Od On,
sfD
o
l
s
fi
{d,n}
fi h
fi
fifi
fi
fi
else
else
s3
s4s5
s7s6
s8
s1
s2
p
φ
Gerardo Schneider (UiO) Specification and analysis of e-contracts March 2008 30 / 36
![Page 71: Specification and Analysis of Electronic ContractsThe logical approach (e.g., dynamic, temporal, deontic logic) The automata-like approach (labelled Kripke structures) Gerardo Schneider](https://reader035.fdocuments.us/reader035/viewer/2022081619/60ea64bd69da5a21a8382e9d/html5/thumbnails/71.jpg)
university-logo
Case StudyVerifying a property about payment in case of increasing Internet traffic
“It is always the case that
whenever Internet traffic is high, if
the client delays payment and
notifies, and afterward lowers the
Internet traffic, then the client is
forbidden to increase Internet
traffic until he pays twice”
It fails!
Counter-example: From s4 (φholds), after d&n · l , it ispossible to increase Internettraffic in state s7, so neitherF (h) nor donep&p hold
Add to the original contract theclause above!
Fs¬
Ffi
l−
Od On,
OpOsfD ,Ol
sfD
o
l
s
fi
{d,n}
fi h
fi
fifi
fi
fi
else
else
s3
s4s5
s7s6
s8
s1
s2
p
φ
Gerardo Schneider (UiO) Specification and analysis of e-contracts March 2008 30 / 36
![Page 72: Specification and Analysis of Electronic ContractsThe logical approach (e.g., dynamic, temporal, deontic logic) The automata-like approach (labelled Kripke structures) Gerardo Schneider](https://reader035.fdocuments.us/reader035/viewer/2022081619/60ea64bd69da5a21a8382e9d/html5/thumbnails/72.jpg)
university-logo
Case StudyVerifying a property about payment in case of increasing Internet traffic
“It is always the case that
whenever Internet traffic is high, if
the client delays payment and
notifies, and afterward lowers the
Internet traffic, then the client is
forbidden to increase Internet
traffic until he pays twice”
It fails!
Counter-example: From s4 (φholds), after d&n · l , it ispossible to increase Internettraffic in state s7, so neitherF (h) nor donep&p hold
Add to the original contract theclause above!
Fs¬
Ffi
OlOpOsfD ,
l−
Od On,
sfD
o
l
s
fi
{d,n}
fi h
fi
fifi
fi
fi
s3
s4s5
s7s6
s8
s1
s2
p
φ
{p,p,p}
{p,p}
Gerardo Schneider (UiO) Specification and analysis of e-contracts March 2008 30 / 36
![Page 73: Specification and Analysis of Electronic ContractsThe logical approach (e.g., dynamic, temporal, deontic logic) The automata-like approach (labelled Kripke structures) Gerardo Schneider](https://reader035.fdocuments.us/reader035/viewer/2022081619/60ea64bd69da5a21a8382e9d/html5/thumbnails/73.jpg)
university-logo
Outline
1 The Contract Language CL
2 Properties of the Language
3 Verification of Contracts
4 Final Remarks
Gerardo Schneider (UiO) Specification and analysis of e-contracts March 2008 31 / 36
![Page 74: Specification and Analysis of Electronic ContractsThe logical approach (e.g., dynamic, temporal, deontic logic) The automata-like approach (labelled Kripke structures) Gerardo Schneider](https://reader035.fdocuments.us/reader035/viewer/2022081619/60ea64bd69da5a21a8382e9d/html5/thumbnails/74.jpg)
university-logo
A Language for Deontic e-Contracts
A formal specification language for contracts with semantics based ona variant of µ-calculus
Use of model checking for reasoning about contracts:
1 Model checking to increase confidence in the correctness of the modelwrt the original natural language contract
2 We identify problems in the original natural language contract or itsinterpretation in CL
3 We ensure certain desirable properties hold (and certain undesirableones do not) for the signatories
Gerardo Schneider (UiO) Specification and analysis of e-contracts March 2008 32 / 36
![Page 75: Specification and Analysis of Electronic ContractsThe logical approach (e.g., dynamic, temporal, deontic logic) The automata-like approach (labelled Kripke structures) Gerardo Schneider](https://reader035.fdocuments.us/reader035/viewer/2022081619/60ea64bd69da5a21a8382e9d/html5/thumbnails/75.jpg)
university-logo
A Language for Deontic e-Contracts
A formal specification language for contracts with semantics based ona variant of µ-calculus
Use of model checking for reasoning about contracts:
1 Model checking to increase confidence in the correctness of the modelwrt the original natural language contract
2 We identify problems in the original natural language contract or itsinterpretation in CL
3 We ensure certain desirable properties hold (and certain undesirableones do not) for the signatories
Gerardo Schneider (UiO) Specification and analysis of e-contracts March 2008 32 / 36
![Page 76: Specification and Analysis of Electronic ContractsThe logical approach (e.g., dynamic, temporal, deontic logic) The automata-like approach (labelled Kripke structures) Gerardo Schneider](https://reader035.fdocuments.us/reader035/viewer/2022081619/60ea64bd69da5a21a8382e9d/html5/thumbnails/76.jpg)
university-logo
Current and Further Work
Recent work
Redesign CL (changes going fast!) [C. Prisacariu]
Branching semantics [C. Prisacariu]
Trace semantics (run-time monitoring) [C. Prisacariu & M. Kyas]
Case study (CoCoME) [S. Fenech & G. Pace]
On-going work
Automate the model checking process [...]
Encoding into LTL to check inconsistencies [S. Fenech & G. Pace]
Gerardo Schneider (UiO) Specification and analysis of e-contracts March 2008 33 / 36
![Page 77: Specification and Analysis of Electronic ContractsThe logical approach (e.g., dynamic, temporal, deontic logic) The automata-like approach (labelled Kripke structures) Gerardo Schneider](https://reader035.fdocuments.us/reader035/viewer/2022081619/60ea64bd69da5a21a8382e9d/html5/thumbnails/77.jpg)
university-logo
Current and Further Work
Further work
“Normative” automata
Develop a proof system
Internal vs external operations
Obligation on sequences vs sequence of obligationsKleene star vs Until+ vs ⊕
Add time
Timed µ−calculus, TCTL, . . .? Associated with actions or formulae?Durations, time stamps, beginning and end, dates, . . .?
Negotiation
Maude
Applications (besides SOA)
Component-based developmentFault-tolerant systemsCompensable transactions
Gerardo Schneider (UiO) Specification and analysis of e-contracts March 2008 34 / 36
![Page 78: Specification and Analysis of Electronic ContractsThe logical approach (e.g., dynamic, temporal, deontic logic) The automata-like approach (labelled Kripke structures) Gerardo Schneider](https://reader035.fdocuments.us/reader035/viewer/2022081619/60ea64bd69da5a21a8382e9d/html5/thumbnails/78.jpg)
university-logo
Links and Papers
COSoDIS: “Contract-Oriented Software Development for InternetServices” –A Nordunet3 project(http://www.ifi.uio.no/cosodis/)
FLACOS’07 – 1st Workshop on Formal Languages and Analysis ofContract-Oriented Software (http://www.ifi.uio.no/flacos07/)
Oslo, 9-10 October 2007
C. Prisacariu and G. Schneider. A formal language for electroniccontracts. In FMOODS’07, vol. 4468 of LNCS, pages 174-189,Cyprus. June 2007
Gordon Pace, Cristian Prisacariu, and Gerardo Schneider. Modelchecking contracts -a case study. In ATVA’07, vol. 4762 of LNCS,pages 82-97, Tokyo, Japan. October 2007.
Gerardo Schneider (UiO) Specification and analysis of e-contracts March 2008 35 / 36
![Page 79: Specification and Analysis of Electronic ContractsThe logical approach (e.g., dynamic, temporal, deontic logic) The automata-like approach (labelled Kripke structures) Gerardo Schneider](https://reader035.fdocuments.us/reader035/viewer/2022081619/60ea64bd69da5a21a8382e9d/html5/thumbnails/79.jpg)
university-logo
Thank you!
Gerardo Schneider (UiO) Specification and analysis of e-contracts March 2008 36 / 36