[IETF-IDRM] RE: [IDRM] Disband or recharter IDRM?

Mark Baugher mbaugher@cisco.com
Mon, 16 Dec 2002 21:37:37 -0800 

hi Gordon,

At 12:59 PM 12/16/2002 -0500, Gord Larose wrote:
>Mark:
>  I'm not sure why you see cryptography as the bad guy here.

I don't mean to call it "the bad guy."  But I think that it is not always 
needed for internet entertainment applications.  Besides that, practically 
every DRM service that may need cryptography is under development or 
planned by some industry group.


>Cryptography is just a tool in the tool-kit. And it's a good tool, if you
>use it properly.  You don't need to drag in PKI, personal certs,
>smart-cards, and all that sort of baggage, for it to play a useful role. For
>example, one system I designed uses elGamal encryption to prevent server
>spoofing.  This is completely invisible to the user (i.e. adds no complexity
>that matters externally) and since elGamal is in the public domain, could be
>implemented locally with no IP headaches, no thrid-party authorities etc.

I think RSA encryption is also in the public domain and more widely 
used.  ElGamal encryption supports a subliminal channel but doubles the 
size of the plaintext.  Right?


>I do agree that, at least in open systems, cryptography is not sufficient as
>"the" security solution. (If anyone needs more convincing on that point, I
>have a Web page on the subject at
>  http://www.info-mech.com/drm_cryptography.html . )

I agree with practically everything you write on this page (I wished you 
had used a less divisive example than WWII - (why not use the communists 
since hardly anyone cares about them anymore?).


>Stepping back from the technology for a moment, what do you see as the
>desirable VALUES of  the system under discussion ?

What do you mean by "VALUES" here?

>I think end-user simplicity is the one you're getting at. Maybe we can
>brainstorm some of the others to see if we agree on our hypothetical
>"definition of success."

If a party does not have a vested interest in protecting a secret in a 
device it controls, then I don't think cryptography is appropriate.  So one 
value, if I'm using the word properly, is that we need a DRM where each 
party has a vested interest to use content works in an authorized way.

Mark


>Cheers,
>    Gord 8-)
>
>P.S. It seems like a consumer smart-card DRM solution may be emerging from
>industry, which is probably of interest to this group:
>http://www.eet.com/sys/news/OEG20021213S0034
>
>
>----- Original Message -----
>From: "Mark Baugher" <mbaugher@cisco.com>
>To: "Thomas Hardjono" <thardjono@verisign.com>
>Cc: "Joe Polimeni" <jpolimen@us.ibm.com>; <ietf-idrm@idrm.org>
>Sent: Friday, December 13, 2002 7:16 PM
>Subject: Re: [IETF-IDRM] RE: [IDRM] Disband or recharter IDRM?
>
>
> > So far as technology goes, we can point to each item on Joe's list and say
> > which organization is doing it or trying to.  Number 3, like the other
>two,
> > are really engineering tasks that are better suited to the IETF than to an
> > IRTF group.
> >
> > I'll tell you what I think would be truly interesting:  A DRM system that
> > transfers rights, protects privacy, and performs clearing functions
>without
> > the need for any cryptography whatsoever.  Cryptography is not a household
> > technology today (http://www-2.cs.cmu.edu/~alma/johnny.pdf) and may not be
> > in the future.  Although it is embedded in DVDs, DVD players, and DVD
> > recorders, anyone can discover how to decipher an encrypted movie who
>truly
> > wants to.  So what does the cryptography on DVDs accomplish?  It keeps
> > "honest people honest" (http://cryptome.org/wipo-imp99-3.htm) or "lazy
> > people honest" by making it inconvenient to make unauthorized copies (or
> > more than one or however many are made under fair use
> > provisions).  Cryptography is more complexity than is needed to keep
>honest
> > people honest, and cryptography is not appropriate for cases where the
>user
> > who controls the machine is trying to subvert it.  It's too much
>protection
> > for the netizen and too little protection against the hacker. And it is
> > expensive in infrastructure and people's time. The complexity is
> > considerable.  PKIs are substantial investments with uncertain
> > returns.  Smart cards can cost $20/user per year and there is no universal
> > smart card (and probably never will be).
> >
> > A cryptography-free DRM is probably the most useful technology we could
> > investigate.  The crypto-rich DRM is being developed all over the place.
> >
> > Mark
> >
> >
> >SNIP<
>
>
>_______________________________________________
>ietf-idrm mailing list
>ietf-idrm@idrm.org
>http://www.pairlist.net/mailman/listinfo/ietf-idrm