John,
I think you are spot on.
To be concrete, in the end, policy enforcement in both DRM and Access Control scenarios (and indeed many others) comes down to the question "Can A do B to C", the answer to which can be "yes", "no", or "yes, so long as these conditions are satisfied." A technical framework cast in these terms seems to serve both situations very well.
Bob
-----Original Message-----
From: John Erickson [mailto:john_erickson@hplb.hpl.hp.com]
Sent: Wednesday, June 12, 2002 1:21 PM
To: rights@lists.oasis-open.org
Subject: DRM and Access Control (was: [rights] Clarification...)
James MacLean writes:
> I would agree that digital rights management is completely
> different than access control. DRM is about enforcing
> copyright and licensing agreements. Access control is about
> implementing an organization's security and privacy
> policy....
JSE: I disagree, in the sense that ultimately both are about policy expression and enforcement; if there are differences, they lie within the semantics of expression.
At its core, DRM provides a particular kind of fine-grained usage control (UCON) which is indeed a type of access control --- in fact, access control controlled by the originator (ORCON) over arbitrary behaviors acting on the component objects of a work. And DRM certainly doesn't need to be about payment, although this has been the fixation --- fee-based authorization is but one application of DRM's end-user enforcement facilities. Authorization policies can just as well be based upon the principal's affinity with e.g. an organization, etc.
DRM for deployed content, and privacy --- defined as the management of private data --- can be seen as symmetrical opposites. Their similarity lies with the fact they are both about the policy-based management of the use of information. The difference is in the direction of dissemination --- imagine a world where users were empowered with DRM-like originator control, where their disseminating (personal) repository could establish a trusted relationship with the requesting service repository, where they could control the use of their personal information by that target and distribute revocation lists --- in other words, affect controls on their personal data at the same level and using the same underlying technologies that content providers utilize now or will shortly.
| John S. Erickson, Ph.D.
| Hewlett-Packard Laboratories
| PO Box 1158, Norwich, Vermont USA 05055
| 802-649-1683 (vox) 802-371-9796 (cell) 802-649-1695 (fax)
| john_erickson@hpl.hp.com AIM/YIM/MSN: olyerickson