[IETF-IDRM] RE: [IDRM] Disband or recharter IDRM?
Mark Baugher
mbaugher@cisco.com
Fri, 13 Dec 2002 16:16:36 -0800
So far as technology goes, we can point to each item on Joe's list and say
which organization is doing it or trying to. Number 3, like the other two,
are really engineering tasks that are better suited to the IETF than to an
IRTF group.
I'll tell you what I think would be truly interesting: A DRM system that
transfers rights, protects privacy, and performs clearing functions without
the need for any cryptography whatsoever. Cryptography is not a household
technology today (http://www-2.cs.cmu.edu/~alma/johnny.pdf) and may not be
in the future. Although it is embedded in DVDs, DVD players, and DVD
recorders, anyone can discover how to decipher an encrypted movie who truly
wants to. So what does the cryptography on DVDs accomplish? It keeps
"honest people honest" (http://cryptome.org/wipo-imp99-3.htm) or "lazy
people honest" by making it inconvenient to make unauthorized copies (or
more than one or however many are made under fair use
provisions). Cryptography is more complexity than is needed to keep honest
people honest, and cryptography is not appropriate for cases where the user
who controls the machine is trying to subvert it. It's too much protection
for the netizen and too little protection against the hacker. And it is
expensive in infrastructure and people's time. The complexity is
considerable. PKIs are substantial investments with uncertain
returns. Smart cards can cost $20/user per year and there is no universal
smart card (and probably never will be).
A cryptography-free DRM is probably the most useful technology we could
investigate. The crypto-rich DRM is being developed all over the place.
Mark
At 01:35 PM 12/13/2002 -0500, Thomas Hardjono wrote:
>Joe,
>
>At 12/12/2002||08:54 AM, Joe Polimeni wrote:
>
>>I believe the best thing the group could do is:
>>1. Define the file format (a.k.a. package format) for a DRM protected
>>file. Currently each DRM products has it's own proprietary format.
>>2. Recommend a rights expression language (ORDL or XrML).
>>3. Recommend a key flow.
>
>No. 3 (key flow) is a good idea, I think. As to No. 2, I don't think the
>IETF will be willing to recommend a language. Also, XrML is being
>addressed in Oasis and ODRL within the OMA (I think).
>
>I'm not sure about file formats (No.1). Ceratin content types, such as
>MPEG, do have a standard content format, and the metadata is expressed in
>the MPEG REL.
>
>
>>The group should stay away any ideological issues. DRM will be used in a
>>variety of situations, not just for music or video. Unless we want a
>>single company to set the direction and provide all the tools we need to
>>set standards.
>
>Agreed :)
>
>
>>I also think the group should stay away from the technology for developing
>>the "client." Each individual company should make its own protected
>>client, and the content owner can restrict which client can use the content
>>with certificates.
>
>Agree. I would roughly equate "client" to "Terminal". Earlier in this
>discussion Paul Judge mentioned "architectures" and "secure
>distribution/conditional access". These seem to be a natural IETF work item.
>
>cheers,
>
>thomas
>------
>
>
>
>>Joe
>>
>>----- Forwarded by Joe Polimeni/Fort Lauderdale/IBM on 12/12/2002 08:45 AM
>>-----
>>
>> Paul Lambert
>> <PaulLambert@AirgoNe To: Mark Baugher
>> <mbaugher@cisco.com>
>> tworks.Com> cc:
>> ietf-idrm@lists.elistx.com
>> Subject: RE: [IDRM]
>> Disband or recharter IDRM?
>> 12/11/2002 08:37 PM
>>
>>
>>
>>
>>
>>
>>
>>
>> > Paul
>> > www.irtf.org is the main page from which you can navigate
>> > to the IDRM
>> > page, which is where the RG deliverables are described.
>>
>>Yes, but ..
>>
>>The 'deliverables' are not clear ... for example:
>>
>>"The IDRM Research Group will begin its work by surveying the area of
>>Digital Rights Management (DRM), and develop a coherent taxonomy of
>>problems related to DRM with their inter- relationships."
>>
>>I'm not sure how I would use this result.
>>
>>Picking a smaller clearer deliverable would hopefully get more interest and
>>involvement.
>>
>>Paul
>>
>>
>>
>>
>>
>> > -----Original Message-----
>> > From: Mark Baugher [mailto:mbaugher@cisco.com]
>> > Sent: Wednesday, December 11, 2002 5:26 PM
>> > To: Paul Lambert
>> > Cc: ietf-idrm@lists.elistx.com
>> > Subject: RE: [IDRM] Disband or recharter IDRM?
>> >
>> >
>> > Paul
>> > www.irtf.org is the main page from which you can navigate
>> > to the IDRM
>> > page, which is where the RG deliverables are described.
>> >
>> > Mark
>> > At 05:16 PM 12/11/2002 -0800, Paul Lambert wrote:
>> >
>> > > > Just so we are all on the same page, a stated "business
>> > reason" is not
>> > > > among the criteria used to establish and guide an
>> > Internet Research Task
>> > > > Force (IRTF) Research Group such as IDRM
>> > >
>> > >There needs to be some reason for the community at large to
>> > participate.
>> > >
>> > > > Force (IRTF) Research Group such as IDRM
>> > > > (ftp://ftp.rfc-editor.org/in-notes/rfc2014.txt)
>> > >
>> > >
>> > >Which says:
>> > >
>> > > The products of a Research Group are research
>> > > results that may be disseminated by publication in
>> > scholarly journals
>> > > and conferences, as white papers for the community, as
>> > Informational
>> > > RFCs, and so on. In addition, it is expected that technologies
>> > > developed in a Research Group will be brought to the
>> > IETF as input to
>> > > IETF Working Group(s) for possible standardization.
>> > >
>> > >It does not say 'discussion forum'. What are the specific
>> > work products
>> > >for this group?
>> > >
>> > >
>> > >Paul
>> > >
>> > > > -----Original Message-----
>> > > > From: Mark Baugher [mailto:mbaugher@cisco.com]
>> > > > Sent: Wednesday, December 11, 2002 3:22 PM
>> > > > To: Paul Lambert
>> > > > Cc: ietf-idrm@lists.elistx.com
>> > > > Subject: RE: [IDRM] Disband or recharter IDRM?
>> > > >
>> > > >
>> > > > At 02:57 PM 12/11/2002 -0800, Paul Lambert wrote:
>> > > >
>> > > > > > Please, I do not have a business need for these emails.
>> > > > >
>> > > > >Perhaps no one has a business reason for this committee and
>> > > > it should be
>> > > > >disbanded.
>> > > >
>> > > > Just so we are all on the same page, a stated "business
>> > > > reason" is not
>> > > > among the criteria used to establish and guide an Internet
>> > > > Research Task
>> > > > Force (IRTF) Research Group such as IDRM
>> > > > (ftp://ftp.rfc-editor.org/in-notes/rfc2014.txt)
>> > > >
>> > > > Mark
>> > > >
>> > > >
>> > > > >Business reasons for a specific technology does not
>> > > > guarentee that there
>> > > > >is any reason for an open interoperable standard.
>> > > > >
>> > > > >
>> > > > >Paul
>> > > > >
>> > > > > > -----Original Message-----
>> > > > > > From: Theisen, Isabelle
>> > [mailto:Isabelle.Theisen@unistudios.com]
>> > > > > > Sent: Wednesday, December 11, 2002 2:48 PM
>> > > > > > To: 'Thomas Hardjono'; 'ietf-idrm@lists.elistx.com';
>> > > > > > 'glarose@info-mech.com'; 'mbaugher@cisco.com'
>> > > > > > Subject: RE: [IDRM] Disband or recharter IDRM?
>> > > > > >
>> > > > > >
>> > > > > > Please, I do not have a business need for these emails.
>> > > > > > Please, remove from the list.
>> > > > > >
>> > > > > >
>> > > > > > -----Original Message-----
>> > > > > > From: Thomas Hardjono [mailto:thardjono@yahoo.com]
>> > > > > > Sent: Wednesday, December 11, 2002 2:09 PM
>> > > > > > To: Gord Larose
>> > > > > > Cc: ietf-idrm@lists.elistx.com
>> > > > > > Subject: Re: [IDRM] Disband or recharter IDRM?
>> > > > > >
>> > > > > >
>> > > > > > At 12/11/2002||03:16 PM, Gord Larose wrote:
>> > > > > > >Hi Thomas,
>> > > > > > >Thanks for the feedback and update. At a high level I
>> > > > agree with you
>> > > > > > >completely.
>> > > > > > >
>> > > > > > >However, at a technical level, "Open source DRM" makes my
>> > > > > > brain hurt. It's
>> > > > > > >hard enough hide anything in BINARY inside a PC; but like it
>> > > > > > or not, that's
>> > > > > > >one thing DRM has to do. I should know... the NetActive
>> > > > > > technology I was
>> > > > > > >largely responsible for addresses exactly that problem. That
>> > > > > > technology has
>> > > > > > >never, to my knowledge, been publicly cracked... but I doubt
>> > > > > > that would have
>> > > > > > >been true if we'd published the source !
>> > > > > >
>> > > > > > Yes, I agree: "open source DRM" makes my brain hurt too :)
>> > > > > > However, this
>> > > > > > seems to be the only way to provide an alternative to
>> > proprietary
>> > > > > > technology. In many cases, perhaps the mom-and-pop
>> > > > > > "publisher" does not
>> > > > > > need 100% hack-proof DRM (maybe not even 90% hack-proof), but
>> > > > > > enough to
>> > > > > > discourage non-technical people from trying to break it.
>> > > > > >
>> > > > > >
>> > > > > > >And from a business perspective, Mom & Pop businesses
>> > > > already have
>> > > > > > >inexpensive, low-end protection technologies
>> > available e.g. from
>> > > > > > >third-party software TBYB wrappers, or via, say, Windows
>> > > > > > Media Player DRM.
>> > > > > > >The obstacles are more about complexity, churn, supplier
>> > > > > > viability, trust,
>> > > > > > >and branding, than about cost or availability.
>> > > > > >
>> > > > > > Hmm, I'm not sure I follow here. WMP is only for certain
>> > > > > > types of contents
>> > > > > > (e.g. not books, newspapers, newletters, etc).
>> > > > > >
>> > > > > >
>> > > > > >
>> > > > > > >So we'd have to be careful about what the values of such a
>> > > > > > system were... if
>> > > > > > >we could figure out how it would work !
>> > > > > > >
>> > > > > > >Here's an entertaining thought: suppose we emphasize TRUST
>> > > > > > and CONTINUITY.
>> > > > > > >Maybe we could even subvert Palladium and the Fritz Chip to
>> > > > > > nobler ends ?
>> > > > > > >i.e. a system that WILL, in some sense, robustly protect
>> > > > > > content, but WILL
>> > > > > > >NOT - as a matter of the supplier's policy - do any of the
>> > > > > > things that
>> > > > > > >consumers and libertarians rightly fear ? And a further
>> > > > benefit of an
>> > > > > > >open-source (that may not be the right term, maybe
>> > > > > > "distributed ownership"
>> > > > > > >is better) model could be the continuing availability of the
>> > > > > > solution e.g.
>> > > > > > >Red Hat may die, but Linux won't.
>> > > > > >
>> > > > > >
>> > > > > > OK, so this is a *very* interesting question. These are
>> > > > the types of
>> > > > > > questions that needs to be discussed in a open forum and
>> > > > > > where pieces of it
>> > > > > > can be standardized (the way many pieces of Linux has been
>> > > > > > standardized).
>> > > > > >
>> > > > > > cheers,
>> > > > > >
>> > > > > > thomas
>> > > > > > ------
>> > > > > >
>> > > > > >
>> > > > > >
>> > > > > > >I'm not sure how to do this, but maybe we could
>> > figure it out !
>> > > > > > >
>> > > > > > >Cheers,
>> > > > > > > Gord 8-)
>> > > > > > >
>> > > > > > >
>> > > > > > >
>> > > > > > >----- Original Message -----
>> > > > > > >From: "Thomas Hardjono" <thardjono@verisign.com>
>> > > > > > >To: <glarose@info-mech.com>; <ietf-idrm@lists.elistx.com>
>> > > > > > >Sent: Wednesday, December 11, 2002 12:55 PM
>> > > > > > >Subject: Re: [IDRM] Disband or recharter IDRM?
>> > > > > > >
>> > > > > > >
>> > > > > > > >
>> > > > > > > > Gord,
>> > > > > > > >
>> > > > > > > > I agree with most of your comments. Judging from the
>> > > > > > "emotional outcry" we
>> > > > > > > > received at the last IDRM meeting (Salt Lake City IETF,
>> > > > > > end of 2001), DRM
>> > > > > > > > seems to mean different things to different people.
>> > > > > > > >
>> > > > > > > >
>> > > > > > > > At 12/11/2002||09:23 AM, Gord Larose wrote:
>> > > > > > > > >Hello:
>> > > > > > > > > Most of you on the list will not know me, as I came
>> > > > > > in during your
>> > > > > > >period
>> > > > > > > > >of dormancy. I too have been mulling these issues, as
>> > > > > > the DRM company
>> > > > > > >that
>> > > > > > > > >I helped found (NetActive) struggled like most others in
>> > > > > > the space.
>> > > > > > > > >
>> > > > > > > > >I think there are two classes of issues here - the
>> > > > > > social-advocacy ones
>> > > > > > > > >and the technical ones.
>> > > > > > > > >
>> > > > > > > > >The social-advocacy issues are horribly subjective. The
>> > > > > > concerns were
>> > > > > > > > >well expressed in Mark's email, and we could spend
>> > > > > > thousands of words
>> > > > > > > > >debating them. For what it
>> > > > > > > > >is worth, I believe that DRM is not philosophically
>> > > > > > wrong, and further,
>> > > > > > >that
>> > > > > > > > >it is commercially necessary. However, I do not believe
>> > > > > > that the current
>> > > > > > > > >"axis of greed" between Hollywood and Washington
>> > > > serves the best
>> > > > > > >interests
>> > > > > > > > >of American citizens and, as a Canadian, I am very
>> > > > > > concerned about the
>> > > > > > > > >United States' efforts to impose its draconian views
>> > > > of copyright
>> > > > > > > > >enforcement on the rest of the world.
>> > > > > > > > > Good DRM does not have to put Big Brother on your hard
>> > > > > > drive. If it
>> > > > > > >does,
>> > > > > > > > >then the price is too high.
>> > > > > > > >
>> > > > > > > > Right. So one of the notions we put forward in the IETF
>> > > > > > was: is it at all
>> > > > > > > > possible to create "open-source DRM technologies", so
>> > > > that small
>> > > > > > > > mom-and-pop publishers need not pay $$$ for proprietary
>> > > > > > solutions. The
>> > > > > > > > analogy is that with Linux and the Apache webserver,
>> > > > > > which are available
>> > > > > > > > for around $30.
>> > > > > > > > Another useful comparison in the RSA encryption
>> > > > > > algorithm, which is good
>> > > > > > > > technology, well understood, standardized and now finally
>> > > > > > over the patent
>> > > > > > > > hurdle.
>> > > > > > > >
>> > > > > > > > I realize that some folks take the (radical) position of
>> > > > > > being against any
>> > > > > > > > development of DRM technology whatsoever. The best way
>> > > > > > to ensure Big
>> > > > > > > > Brother does not happen is to go against any work
>> > > > > > relating to DRM. The
>> > > > > > > > reality is that DRM Technology is here to stay
>> > > > > > (proprietary), whether we
>> > > > > > > > like it or not. It will ship inside PCs and in consumer
>> > > > > > electronics
>> > > > > > > > devices. I think such a position actually helps the Big
>> > > > > > Brother syndrome,
>> > > > > > > > as it does not provide an option to the general public as
>> > > > > > to alternative
>> > > > > > > > sources of technology.
>> > > > > > > >
>> > > > > > > >
>> > > > > > > >
>> > > > > > > > >On a philosophical level then, I say there is a need for
>> > > > > > smart people to
>> > > > > > > > >build workable DRM that citizens can live with.
>> > > > > > > > >
>> > > > > > > > >The point issue of this technical group's mandate is
>> > > > > > much clearer IMO.
>> > > > > > >The
>> > > > > > > > >core
>> > > > > > > > >technology challenges for DRM are terminal node
>> > > > > > challenges, not network
>> > > > > > > > >challenges. Sure, a network is usually involved, but DRM
>> > > > > > is nothing
>> > > > > > >special
>> > > > > > > > >for the network. DRM's basic network needs are nothing
>> > > > > > harder than
>> > > > > > > > >http/https over tcp/ip. And the terminal mode challenges
>> > > > > > are largely
>> > > > > > >about
>> > > > > > > > >things like tamper-resistance, which are proprietary
>> > > > and not very
>> > > > > > >amenable
>> > > > > > > > >to
>> > > > > > > > >standardization. It's not something where an IETF group
>> > > > > > adds much value.
>> > > > > > > >
>> > > > > > > > Right. This is where the word "DRM" is I think a
>> > > > > > misnomer for the IETF
>> > > > > > > > efforts. You are absolutely right, that DRM is indeed
>> > > > > > "terminal node
>> > > > > > > > challenges" (ie. development of rights-enforcing
>> > > > > > terminals), which is not
>> > > > > > > > the traditional area of work for the IETF.
>> > > > > > > >
>> > > > > > > > However, there some network issues that is part of what I
>> > > > > > call the "DRM
>> > > > > > > > macrocosm", which included functions relating to
>> > > > > > look-ups, secure network
>> > > > > > > > storage, transaction clearinghouse, etc. These would
>> > > > appear to be
>> > > > > > >suitable
>> > > > > > > > for work items in the IETF.
>> > > > > > > >
>> > > > > > > > Thus, one possible change to IDRM is a new name that is
>> > > > > > less likely to be
>> > > > > > > > controversial.
>> > > > > > > >
>> > > > > > > >
>> > > > > > > >
>> > > > > > > > >So where does that leave the group ? Seems to me the
>> > > > > > options include:
>> > > > > > > > >1) disband
>> > > > > > > > >2) generalize the focus to a multidisciplinary one,
>> > > > > > along the lines of
>> > > > > > > > >http://www.bcdforum.org . (Though I have to confess
>> > > > I find that
>> > > > > > >organization
>> > > > > > > > >lacking substance.)
>> > > > > > > > >3) Find specific technical problems that are obstacles
>> > > > > > to good (i.e.
>> > > > > > > > >effective but not Orwellian) DRM, which are going
>> > > > > > begging, and in scope,
>> > > > > > > > >and work on solutions.
>> > > > > > > > >
>> > > > > > > > >I don't have a top-of-mind suggestion for #3, but it
>> > > > > > sounds like the most
>> > > > > > > > >fun!
>> > > > > > > >
>> > > > > > > > Yes, the keyword is "fun". Perhaps others on the list
>> > > > > > may have specific
>> > > > > > > > suggestions?
>> > > > > > > >
>> > > > > > > > cheers,
>> > > > > > > >
>> > > > > > > > thomas
>> > > > > > > > ------
>> > > > > > > >
>> > > > > > > >
>> > > > > > > >
>> > > > > > > >
>> > > > > > > >
>> > > > > > > > >Other thoughts ???
>> > > > > > > > >
>> > > > > > > > >Best Regards,
>> > > > > > > > > Gord Larose
>> > > > > > > > >
>> > > > > > > > >----- Original Message -----
>> > > > > > > > >From: "Mark Baugher" <mbaugher@cisco.com>
>> > > > > > > > >To: <ietf-idrm@lists.elistx.com>
>> > > > > > > > >Cc: <thardjono@yahoo.com>; "Vern Paxson" <vern@icir.org>
>> > > > > > > > >Sent: Tuesday, December 10, 2002 6:43 PM
>> > > > > > > > >Subject: [IDRM] Disband or recharter IDRM?
>> > > > > > > > >
>> > > > > > > > > > IDRM has obviously been dormant for about a year.
>> > > > > > > > > >SNIP<
>> > > > > > > >
>> > > > > >
>> > > >
>> >
>>
>>
>>
>>_______________________________________________
>>ietf-idrm mailing list
>>ietf-idrm@idrm.org
>>http://www.pairlist.net/mailman/listinfo/ietf-idrm
>
>
>_______________________________________________
>ietf-idrm mailing list
>ietf-idrm@idrm.org
>http://www.pairlist.net/mailman/listinfo/ietf-idrm