[IETF-IDRM] RE: [IDRM] Disband or recharter IDRM?

Gord Larose glarose@info-mech.com
Mon, 16 Dec 2002 12:59:01 -0500


Mark:
 I'm not sure why you see cryptography as the bad guy here.

Cryptography is just a tool in the tool-kit. And it's a good tool, if you
use it properly.  You don't need to drag in PKI, personal certs,
smart-cards, and all that sort of baggage, for it to play a useful role. For
example, one system I designed uses ElGamal encryption to prevent server
spoofing.  This is completely invisible to the user (i.e. adds no complexity
that matters externally) and since ElGamal is in the public domain, could be
implemented locally with no IP headaches, no third-party authorities etc.

I do agree that, at least in open systems, cryptography is not sufficient as
"the" security solution. (If anyone needs more convincing on that point, I
have a Web page on the subject at
 http://www.info-mech.com/drm_cryptography.html . )

Stepping back from the technology for a moment, what do you see as the
desirable VALUES of the system under discussion?

I think end-user simplicity is the one you're getting at. Maybe we can
brainstorm some of the others to see if we agree on our hypothetical
"definition of success."

Cheers,
   Gord 8-)

P.S. It seems like a consumer smart-card DRM solution may be emerging from
industry, which is probably of interest to this group:
http://www.eet.com/sys/news/OEG20021213S0034


----- Original Message -----
From: "Mark Baugher" <mbaugher@cisco.com>
To: "Thomas Hardjono" <thardjono@verisign.com>
Cc: "Joe Polimeni" <jpolimen@us.ibm.com>; <ietf-idrm@idrm.org>
Sent: Friday, December 13, 2002 7:16 PM
Subject: Re: [IETF-IDRM] RE: [IDRM] Disband or recharter IDRM?


> So far as technology goes, we can point to each item on Joe's list and say
> which organization is doing it or trying to.  Number 3, like the other two,
> are really engineering tasks that are better suited to the IETF than to an
> IRTF group.
>
> I'll tell you what I think would be truly interesting:  A DRM system that
> transfers rights, protects privacy, and performs clearing functions without
> the need for any cryptography whatsoever.  Cryptography is not a household
> technology today (http://www-2.cs.cmu.edu/~alma/johnny.pdf) and may not be
> in the future.  Although it is embedded in DVDs, DVD players, and DVD
> recorders, anyone can discover how to decipher an encrypted movie who truly
> wants to.  So what does the cryptography on DVDs accomplish?  It keeps
> "honest people honest" (http://cryptome.org/wipo-imp99-3.htm) or "lazy
> people honest" by making it inconvenient to make unauthorized copies (or
> more than one or however many are made under fair use
> provisions).  Cryptography is more complexity than is needed to keep honest
> people honest, and cryptography is not appropriate for cases where the user
> who controls the machine is trying to subvert it.  It's too much protection
> for the netizen and too little protection against the hacker. And it is
> expensive in infrastructure and people's time. The complexity is
> considerable.  PKIs are substantial investments with uncertain
> returns.  Smart cards can cost $20/user per year and there is no universal
> smart card (and probably never will be).
>
> A cryptography-free DRM is probably the most useful technology we could
> investigate.  The crypto-rich DRM is being developed all over the place.
>
> Mark
>
>
>SNIP<