Mailing List Archive

Daniel Carrera <dcarrera@math.umd.edu> writes:

> If so, how would people feel about releasing either the GNU crypto
> library or GPGME under the LGPL?

What makes you think that Libgcrypt is GPL? Except for a few modules
(rndunix, rndw32), which are GPL, Libgcrypt is LGPL.

moritz
--
((gpg-key-id . "6F984199")
(email . "moritz@duesseldorf.ccc.de")
(webpage . "http://duesseldorf.ccc.de/~moritz/"))

On Sun, Nov 09, 2003 at 11:10:00AM -0500, Daniel Carrera wrote:
> I occurred to me that we could mitigate this problem somewhat if
> OpenOffice could address some of the problems that DRM is supposed to
> solve, but without trapping people.
>
> Some of the features that DRM is meant to bring is authentication, and the
> ability to select exactly who can read the document. These are things
> that GPG can do far more securely than anything MS is likely to cookup.

I don't want to open up a can of worms here, but I think that this is
probably not what the intention behind DRM is. DRM is supposed to do
authentication, but the kind that allows one central power to decide who can
read a document, listen to a music file, watch a movie etc. DRM is not
forced upon the users of MS Windows because it solves problems for the
users, but because it solves problems for content distributors in
restricting access to the digital information.

There is about zero need for DRM within the users of a computer, in fact, it
causes great inconveniences to them. It does however give a lot of power on
who is allowed to do what with his computer into the hands of those content
distributors, which will then be able to charge for this "service".

This is why any DRM solution will be tightly integrated with business
solutions to give those content distributors the technology in the hand to
restrict access to the data they provide (Sony did this with it's OpenMG
system, for example, which is a plague for the customers). And because of
that, unless you are entering that arena, I don't think that any feature you
can add to OpenOffice will rival or have an affect on what's going on in the
DRM world.

Now, MS and others probably claim that DRM is meant to bring authentication
to the user for the users advantage - that would just be part of the normal
propaganda in order to sweet the poison that the user is supposed to
swallow. You might be able to make points in the propaganda battle by being
able to provide a solution for users that does the part of DRM that actually
gives advantage to users: Protecting the privacy of the content they write
(if that's one of the advantages a DRM system gives you, which I am not sure
of). If you mix this with an information campaign, it might be effective,
and certainly ensures that at this front free software is not seen at a
disadvantage. However, this would mostly be effective as a defense, I
guess.

This is not meant to stop you from developing new features to good free
software, especially features that improve the privacy and integrity
of the user's data! It just seemed to me that your perspective on DRM
is a bit at odd with what I consider DRM to be about, so here are my 2cent.

Have fun,
Marcus

--
`Rhubarb is no Egyptian god.' GNU http://www.gnu.org marcus@gnu.org
Marcus Brinkmann The Hurd http://www.gnu.org/software/hurd/
Marcus.Brinkmann@ruhr-uni-bochum.de
http://www.marcus-brinkmann.de/

On Sun, Nov 09, 2003 at 06:06:07PM +0100, Marcus Brinkmann wrote:

> On Sun, Nov 09, 2003 at 11:10:00AM -0500, Daniel Carrera wrote:
> > I occurred to me that we could mitigate this problem somewhat if
> > OpenOffice could address some of the problems that DRM is supposed to
> > solve, but without trapping people.
> >
> > Some of the features that DRM is meant to bring is authentication, and the
> > ability to select exactly who can read the document. These are things
> > that GPG can do far more securely than anything MS is likely to cookup.
>
> I don't want to open up a can of worms here, but I think that this is
> probably not what the intention behind DRM is. DRM is supposed to do
> authentication, but the kind that allows one central power to decide who can
> read a document, listen to a music file, watch a movie etc. DRM is not
> forced upon the users of MS Windows because it solves problems for the
> users, but because it solves problems for content distributors in
> restricting access to the digital information.

Yes, all the DRM features that get press are like that. But AFAIK, MS Office 2003
is offering a different set of DRM features, whereby a document author can control
who reads it. This is a DRM feature for MS Office document authors, not Holywood.

MS Office 2003 also offers self-updating documents, and documents that can be read
but not copied or emailed. The first feature is something I'm not sure I'd be
willing to include in OpenOffice, and the latter is not really possible as long as
people can carry photographic cameras.

Am I wrong?


> There is about zero need for DRM within the users of a computer, in fact, it
> causes great inconveniences to them. It does however give a lot of power on
> who is allowed to do what with his computer into the hands of those content
> distributors, which will then be able to charge for this "service".

Exactly. MS Office 2003 has features for MSO users who are content distributors.


> And because of that, unless you are entering that arena, I don't think that any
> feature you can add to OpenOffice will rival or have an affect on what's going
> on in the DRM world.

Well, I was thinking that in some cases PGP might solve some of the problems that
MS claims will be solved by DRM. For instance, authenticity of the document.
Authenticity has little to do with the usual connotation of the term "DRM", but it
is (AFAIK) something that MS claims will be a feature of DRM.


> Now, MS and others probably claim that DRM is meant to bring authentication
> to the user for the users advantage - that would just be part of the normal
> propaganda in order to sweet the poison that the user is supposed to
> swallow.

So you are saying that MS Office 2003 does NOT have any authentication features
that the user can make user of?


> You might be able to make points in the propaganda battle by being
> able to provide a solution for users that does the part of DRM that actually
> gives advantage to users: Protecting the privacy of the content they write

Exactly. That's my line of thinking.


> This is not meant to stop you from developing new features to good free
> software, especially features that improve the privacy and integrity
> of the user's data! It just seemed to me that your perspective on DRM
> is a bit at odd with what I consider DRM to be about, so here are my 2cent.

I am not knowledgeable of DRM. I just read the article I pointed out.

I just conversed with the OOo people and it turns out that authenticatin is planned
for version 2.0 (due in a year or so):

http://tools.openoffice.org/releases/q-concept.html#3.3.2.Digital%20Signatures|outline

Nothing has been written yet. I will push for GnuPG compatibility if such a thing
is possible. I could be that the simplest way to provide authenticatin is to just
write a regular .sxw file and run gpg on it. It sure sounds simpler to me.

Thank you for the responses.

Cheers,
--
Daniel Carrera | Aleph-0 bottles of beer on the wall, Aleph-0 bottles
PhD student. | of beer. Take one down, pass it around, Aleph-0
Math Dept. | bottles of beer on he wall...
UMD, | http://mathworld.wolfram.com/Aleph-0.html

On Sun, Nov 09, 2003 at 04:03:16PM -0500, Daniel Carrera wrote:
> Yes, all the DRM features that get press are like that. But AFAIK, MS Office 2003
> is offering a different set of DRM features, whereby a document author can control
> who reads it. This is a DRM feature for MS Office document authors, not Holywood.

Ah, I see. I can see how some companies for example would want that (and
other people who can be talked into thinking that this would really stop the
determined ;)

> MS Office 2003 also offers self-updating documents, and documents that can be read
> but not copied or emailed. The first feature is something I'm not sure I'd be
> willing to include in OpenOffice, and the latter is not really possible as long as
> people can carry photographic cameras.

I also think that both won't really work in a free software environment.
Maybe if you had some cryptographic hardware lock in each PC, and require
the presence of it.

> > And because of that, unless you are entering that arena, I don't think that any
> > feature you can add to OpenOffice will rival or have an affect on what's going
> > on in the DRM world.
>
> Well, I was thinking that in some cases PGP might solve some of the problems that
> MS claims will be solved by DRM. For instance, authenticity of the document.
> Authenticity has little to do with the usual connotation of the term "DRM", but it
> is (AFAIK) something that MS claims will be a feature of DRM.

Right. It's important to stress the difference I think. In fact,
authentication is just digital signatures, and digital signatures is a
concept that stands all by itself. Of course, convenient use of encryption,
decryption, signing and verification in Open Office, let's say in an equivalent
way to how you do it with mail in a mail client, would be great.

> > Now, MS and others probably claim that DRM is meant to bring authentication
> > to the user for the users advantage - that would just be part of the normal
> > propaganda in order to sweet the poison that the user is supposed to
> > swallow.
>
> So you are saying that MS Office 2003 does NOT have any authentication features
> that the user can make user of?

No, I don't really know the latest whistles and bells in MS products. But
if it has it, it probably is either a fall-out of the broader concept of
locking in the users, or I am not sure why you raised the issue of DRM at
all :) I can imagine that there is a high enough demand of such features by
corporate enterprises in their in-house distribution of documents (and
exchange of documents with other companies) that they would consider adding
such feature.

> > This is not meant to stop you from developing new features to good free
> > software, especially features that improve the privacy and integrity
> > of the user's data! It just seemed to me that your perspective on DRM
> > is a bit at odd with what I consider DRM to be about, so here are my 2cent.
>
> I am not knowledgeable of DRM. I just read the article I pointed out.

I am not an expert either. Maybe it's a good idea to just talk about
individual concepts like authentication, verification and encryption, at
least as long you stay with OpenPGP and its feature set. Having transparent
OpenPGP support in OpenOffice would be interesting. It's probably a bit
difficult to handle sensitive documents correctly - some things might
actually be difficult to achieve (there shouldn't be bits and pieces of
sensitive data in temp files, nor should it be swapped out to disk, etc),
but it's definitely theoretically possible.

> I just conversed with the OOo people and it turns out that authenticatin is planned
> for version 2.0 (due in a year or so):
>
> http://tools.openoffice.org/releases/q-concept.html#3.3.2.Digital%20Signatures|outline

It actually makes a good point about signatures being a replacement for the
need to prevent modification of a document (any modification will render the
existing signature invalid).

> Nothing has been written yet. I will push for GnuPG compatibility if such a thing
> is possible.

It talks about some XML standard for encryption, but I don't know what that.
There seems to be a W3C XML encryption working group. There is also an XML
Signature working group. If that's the goal, then we are talking about a
new format here, but the underlying encryption technology will probably be
something like X.509 (which gpg 2.0 will support - it's already available in
the separate gpgsm package), but I imagine other schemes will be possible as
well.

> I could be that the simplest way to provide authenticatin is to just
> write a regular .sxw file and run gpg on it. It sure sounds simpler to me.

It's very simple, although not for everybody (command line tool, and you
still have to learn everything about public key cryptography a user should
know, and how to manage your keys etc) plus it isn't very flexible (the XML
standard talks about signing/encrypting parts of an XML document for example
which could be a very powerful GUI feature).

Thanks,
Marcus


--
`Rhubarb is no Egyptian god.' GNU http://www.gnu.org marcus@gnu.org
Marcus Brinkmann The Hurd http://www.gnu.org/software/hurd/
Marcus.Brinkmann@ruhr-uni-bochum.de
http://www.marcus-brinkmann.de/

On Mon, 10 Nov 2003 01:42:56 +0100, Marcus Brinkmann said:

> There seems to be a W3C XML encryption working group. There is also an XML
> Signature working group. If that's the goal, then we are talking about a
> new format here, but the underlying encryption technology will probably be
> something like X.509 (which gpg 2.0 will support - it's already available in

IIRC, they are indeed developing an entirely new protocol. Given that
OpenPGP still has minor flaws after 5 years of being issued as a
proposed standard and even 12 years of general experience with PGP, I
severely doubt that this XML effort will lead to anything. X.509/CMS
has even a longer history and is only by now actually usable.

Werner

--
Werner Koch <wk@gnupg.org>
The GnuPG Experts http://g10code.com
Free Software Foundation Europe http://fsfeurope.org