[IETF-IDRM] Fwd: Re: [IDRM] DRM Taxonomy work -- drm framework...

Thomas Hardjono thardjono@mediaone.net
Wed, 23 May 2001 14:33:05 -0400


>Date: Tue, 22 May 2001 23:36:48 -0700
>From: Mark Baugher <mbaugher@cisco.com>
>Subject: Re: [IDRM] DRM Taxonomy work -- drm framework...
>X-Sender: mbaugher@mira-sjc5-6.cisco.com
>To: "Sam X. Sun (@S2000)" <ssun@cnri.reston.va.us>
>Cc: ietf-idrm@lists.elistx.com
>X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
>List-Owner: <mailto:ietf-idrm-help@lists.elistx.com>
>List-Post: <mailto:ietf-idrm@lists.elistx.com>
>List-Subscribe: <mailto:ietf-idrm-request@lists.elistx.com?body=subscribe>
>List-Unsubscribe: <mailto:ietf-idrm-request@lists.elistx.com?body=unsubscribe>
>List-Archive: <http://lists.elistx.com/archives/ietf-idrm>
>List-Help: <http://lists.elistx.com/elists/admin_email.shtml>,
>  <mailto:ietf-idrm-request@lists.elistx.com?body=help>
>
>Hi Sam
>At 02:03 AM 5/23/2001 -0400, Sam X. Sun (@S2000) wrote:
>>Mark,
>>
>>Regarding the handle system, I think there are two sides of DRM that could
>>take advantage of it. First is the metadata and content attribute
>>association, as you mentioned in the DOI application. The other is the
>>identity reference for "content holder" (e.g. consumer identity). What makes
>>handle system unique in this case is that it provides a secured name
>>resolution service (for name attribute binding), and allows ownership to be
>>defined per name (vs. URL, where the name administration belongs to the site
>>manager). This is particularly important for individuals to be able to
>>manage their identity attributes, including their public keys.
>
>I think this addresses a question Michael posed in his recent message.
>
>
>>The point I was trying to make in my earlier message is that we probably
>>need to pay equal attention for identity or trust management as we do for
>>content management. And I want to understand better the nature of the
>>identity used in DRM application before we move further into the framework.
>
>Trust is a complicated topic here.  What are we trusting or whom are we
>trusting with what.  Someone getting a published work may want to trust
>the source of the work is who the person thinks it is and that the work itself
>has not been altered by anyone.  At first blush, this looks like a public-key
>crypto application, but the paper, "Secure Books: Protecting the
>Distribution of Knowledge" (http://www.cl.cam.ac.uk/~rja14/) points out
>that PKC is in many ways unsuitable because the lifetime of a public
>key is too short for copyright works, which may last for 70+ years after
>the author's death, and too short for copyright works, since you may
>not want the author to alter the work after you have accepted and
>verified its integrity.  They have a catalog system approach.
>
>Someone releasing a published work, say, to a consumer may have
>different criteria of trust.  But does the distributor or service provider
>need to know who the person is who is getting the content work?
>If it's encrypted then there will be some authentication.  But what
>gets authenticated and how?  Maybe the software or hardware used
>to access the work gets authenticated and no information gets released
>about the individual at all.  I think this is among the MPEG IPMP 
>Requirements.
>
>Mark
>
>
>>Sam
>>
>>----- Original Message -----
>>From: "Mark Baugher" <mbaugher@cisco.com>
>>To: "Sam X. Sun (@S2000)" <ssun@cnri.reston.va.us>
>>Cc: <ietf-idrm@lists.elistx.com>
>>Sent: Monday, May 21, 2001 1:00 PM
>>Subject: Re: [IDRM] DRM Taxonomy work -- drm framework...
>>
>>
>> > Sam
>> >     I have two thoughts here.  First is that the Handle System makes
>> > it possible to associate metadata with a handle (a directory entry),
>> > and that metadata can include a rights specification like DPRL or
>> > ODRL, which captures the rights relationships you mention in the
>> > first paragraph of your note.  I know you know this; I think DOI does
>> > this.  I expect that I'm missing something.
>> >
>> >    Second, there should probably be an asymmetry between those
>> > who hold rights and those to whom the rights holder grants rights.
>> > Leaving aside copyright law, which varies between countries and
>> > over time, I might consider personal information that I give to a
>> > provider as information that I always have some special rights to
>> > though I may hand it over to a site that, for the sake of argument,
>> > agrees not to share that information with anyone else.  I think that
>> > there is often some entity in the chain that has special claims
>> > (such as legally owning the content) that is distinct from the
>> > current "content holder."
>> >
>> > Mark
>> > At 10:47 AM 5/19/2001 -0400, Sam X. Sun (@S2000) wrote:
>> > >Hi,
>> > >
>> > >I think it's a good application model to classify in end-to-end DRM
>> > >relationships in terms of content provider and distributor, and
>>distributor
>> > >and content consumer. They represent some real world scenarios that DRM
>>will
>> > >have to address. On the other hand, I wonder if we could further model
>>the
>> > >underlying DRM framework in terms of transactions of certain entities
>>(e.g.
>> > >digital content) among other kinds of entities (e.g. content holder), and
>> > >the transaction may be reflected in terms of exchange/update of digital
>> > >rights bound to each content instance acquired by the content holder.
>> > >
>> > >In other words, I wonder whether it's reasonable to categorize the
>>entities
>> > >that DRM framework has to deal with in terms of:
>> > >
>> > >    1. the digital content (per instance)
>> > >    2. the content holder (current or potential)
>> > >
>> > >
>> > >And think of the digital rights as state information of the digital
>>content
>> > >hold by content holder. From this, one may imagine building mechanisms
>> > >within the framework to:
>> > >
>> > >     * Associate rights per digital content acquired by the content
>>holder
>> > >     * Identify content holder, along with its authentication attributes.
>> > >     * Exchange/update digital rights per digital content among content
>> > >holders
>> > >     * Facilitate/monitor/trace legitimate digital contents for their
>>proper
>> > >use
>> > >     * Report illegal content upon showing up within the framework
>>(doable?)
>> > >     etc...
>> > >
>> > >Assumptions here are that everyone can obtain a copy of digital content
>> > >freely, but need to acquire (e.g. via purchase) adequate rights to be
>>able
>> > >to "use" it. Depending on the rights associated to the digital content
>> > >acquired by the content holder, the content holder could act as a
>>publisher,
>> > >a distributor, a retailer, or end consumer. A transaction of digital
>>content
>> > >from a retailer to consumer could be modeled as retailer (with the right)
>>to
>> > >generate a new instance of the digital content, assign it with consumer
>> > >rights, and "give" it to the consumer (along with the consumer rights). A
>> > >consumer may later become a retailer after obtaining the "retail" rights
>>for
>> > >its copy of digital content...
>> > >
>> > >It's a bit off tracking to Mark's message:)... Just want to share some
>> > >thoughts. Any comments?
>> > >
>> > >
>> > >Cheers,
>> > >Sam
>> > >
>> > >
>> > >
>> > >
>> > >----- Original Message -----
>> > >From: "Mark Baugher" <mbaugher@cisco.com>
>> > >To: <ietf-idrm@lists.elistx.com>
>> > >Sent: Thursday, May 17, 2001 6:33 PM
>> > >Subject: [IDRM] DRM Taxonomy work
>> > >
>> > >
>> > > > Hi
>> > > >    We wanted to begin work on developing a draft on requirements for
>> > > > IDRM.  Sam Sun, Thomas Hardjono and I discussed this and we think that
>>a
>> > > > good first step would be to develop a taxonomy, which is a
>>classification
>> > > > of the parts of an end-to-end DRM system from which we can develop a
>> > >common
>> > > > model, or models, and common definitions - so we speak the same
>>language
>> > >to
>> > > > one another.
>> > > >
>> > > >    Our focus in IDRM is with the IP network infrastructure aspects of
>> > > > DRM.  To me, this means that we are less concerned with the syntax or
>> > > > semantics of rights specifications than in the handling and use of
>>rights
>> > > > metadata in end-to-end systems; we are less concerned with the
>>specifics
>> > >of
>> > > > watermarking technology or with technical protection mechanisms than
>>in
>> > >key
>> > > > and license distribution systems; persistent and globally-unique names
>>may
>> > > > not be as much of a concern to IDRM as are trusted repositories of
>>content
>> > > > works and metadata.  So there are things in our taxonomy that are part
>>of
>> > > > end-to-end DRM systems like watermarks, TPM, and rights languages that
>>are
>> > > > not necessarily things that will be a focus of IDRM.
>> > > >
>> > > >    At our last meeting, Thomas and I proposed that there are two
>>distinct
>> > > > sets of relationships in end-to-end DRM.  First, is between content
>> > > > provider and distributor (aka "service provider").  We would use
>>"service
>> > > > provider" if the content were to be delivered to consumers over a IP
>> > > > network but the distributor could be a company that manufactures DVDs
>>or a
>> > > > TV broadcaster that receives files from a TV or film studio.  Trusted
>> > > > repositories for the files and rights metadata, authorization, and
>> > > > authentication are IP infrastructure components that the content
>>provider
>> > > > may need to properly manage this process.  It is unlikely that
>>technical
>> > > > protection mechanisms or digital licenses are needed in this
>> > > > business-to-business transaction.
>> > > >
>> > > >   The second set of relationships is between the service provider and
>>the
>> > > > content consumer.  On the Internet today, it is hard if not impossible
>>to
>> > > > unambiguously identify illegal sources and uses of copyright content
>>works
>> > > > from illegal uses.  Trusted repositories and sources with rights
>>metadata
>> > > > are important to DRM in this relationship.  Authorization,
>>authentication,
>> > > > and technical protection mechanisms may be needed so standard ways to
>>do
>> > > > key and license management will promote inter-operability.   What we
>> > >should
>> > > > not overlook in digital rights-conferral and mechanisms that support
>>it is
>> > > > the flow of information assets from the consumer to the provider for
>>the
>> > > > purposes of authorization.  In this regard, "rights management" should
>> > > > include the rights that consumers have with respect to information
>>that
>> > > > they provide and DRM is about information assets and not only
>>copyright
>> > >works.
>> > > >
>> > > > We want to begin developing our taxonomy and putting flesh to an IDRM
>> > > > model.  This note outlines the general approach that we are taking and
>> > > > we're soliciting any comments that people might have.  Also, if others
>>are
>> > > > interested in working on a draft document for the taxonomy, please let
>>us
>> > >know.
>> > > >
>> > > > Mark
>> > > >
>> >