RE: DRM and Access Control (was: [rights] Clarification...)

[JMaclean@affinitex.com]

On the surface DRM and Access Control are similar.  However, the domains in which they operate are considerably different.  In Access Control, we are dealing with management of corporate or shared assets by an organisation. It is not done at arms length such as the case of a library or online music service.  The originator of a document is not the owner and does control the access rights associated to it.  

 

In the case of healthcare, the idea that the access controlled by the originator is unmanageable. Who owns lab test results? Is it the patient, doctor, lab, provider, or payer?   Regardless of who owns the data, federal and state laws and regulations must be considered over and above the organisational or an individual's policy.

 

James

 

 -----Original Message-----
From: Bob Atkinson [mailto:bobatk@Exchange.Microsoft.com]
Sent: June 12, 2002 4:31 PM
To: John Erickson; rights@lists.oasis-open.org
Subject: RE: DRM and Access Control (was: [rights] Clarification...)

John,

 

I think you are spot on.

 

To be concrete, in the end, policy enforcement in both DRM and Access Control scenarios (and indeed many others) come down to the question "Can A do B to C", the answer to which can be "yes", "no", or "yes, so long these conditions are satisfied." A technical framework cast in these terms seems to serve both situations very well.

 

      Bob

 

 

-----Original Message-----
From: John Erickson [mailto:john_erickson@hplb.hpl.hp.com]
Sent: Wednesday, June 12, 2002 1:21 PM
To: rights@lists.oasis-open.org
Subject: DRM and Access Control (was: [rights] Clarification...)

 

James MacLean writes:

> I would agree that digital rights management is completely

> different than access control. DRM is about enforcing

> copyright and licensing agreements. Access control is about

> implementing an organization's security and privacy

> policy....

 

JSE: I disagree, in the sense that ultimately both are about policy expression and enforcement; if there are differences, they lie within the semantics of expression.

 

At its core, DRM provides a particular kind of fined-grained usage control

(UCON) which is indeed a type of access control --- in fact, access control

controlled by the originator (ORCON) over arbitrary behaviors acting on the

component objects of a work. And DRM certainly doesn't need to be about payment, although this has been the fixation --- fee-based authorization is but one application of DRM's end-user enforcement facilities. Authorization policies can just as well be based upon the principal's affinity with e.g. an organization, etc.

 

DRM for deployed content, and privacy --- defined as the management of private data --- can be seen as symmetrical opposites. Their similarity lies with they fact they are both about the policy-based management of the use of information. The different is in the direction of dissemination --- image a world where users were empowered with DRM-like originator control, where their disseminating (personal) repository could establish a trusted relationship with the requesting service repository, where they could control the use of their personal information by that target and distribute revocation lists --- in other words, affect controls on their personal data at the same level and using the same underlying technologies that content providers utilize now or will shortly.

 

| John S. Erickson, Ph.D.

| Hewlett-Packard Laboratories

| PO Box 1158, Norwich, Vermont USA 05055

| 802-649-1683 (vox) 802-371-9796 (cell) 802-649-1695 (fax)

| john_erickson@hpl.hp.com         AIM/YIM/MSN: olyerickson

 

 

----------------------------------------------------------------

To subscribe or unsubscribe from this elist use the subscription

manager: <http://lists.oasis-open.org/ob/adm.pl>