[IETF-IDRM] Re: [IDRM] Will the DMCA make our work more difficult?

[Nicko van Someren]

Mark Baugher wrote:
...
> If we're going to investigate technical protection systems such as
> HDCP, CPRM, or some vendor's implementation of an IPMP tool,
> then this is a problem for us.  I never imagined IDRM will want to
> do that.  Individual participants of the RG may want to do so, but
> not under the auspices of IDRM.

Mark,
	Your own slides from London say that we must carry out this
sort of investigation.  You say things like "understand the landscape"
and "evolve the internet infrastructure".  How on earth can we do
these without exposing issues surrounding what's already there?  If,
for instance, XrML or XMCL had accidentally chosen to sign the wrong
parts of their message structures then the act of standing up and
saying so at an IDRM meeting could, based on the action against Prof.
Felton and USENIX, leave the IETF as liable at the person presenting.

>                              I don't expect anyone to craft a
> technical protection measure that gets embedded in some home
> computing device that is invulnerable to compromise (e.g., lose one or
> more secret keys). 

Nor do I, but is it not a goal to come up with a sound framework
into which others can insert their systems?  If so, do we not need
to understand the systems that might be fitted in?  If we find a
fundamental flaw in those third party's systems must we not say so,
so that those flaws are not perpetuated in whatever the IETF turn
into an RFC?

> So I don't see the point of engaging in this
> kind of work.

In security it does not matter if the flaw lies in the framework or
in the implementation, either way it weakens the system.  I understand
that IDRM aims are oriented towards frameworks at this stage but you
said we need to "Identify useful component technologies" and I don't
see any reliable way of doing this without pointing out the useLESS
ones.

	Nicko