RE: [rights] Clarification...

rights message

I would agree that digital rights management is completely different than access control. DRM is about enforcing copyright and licensing agreements. Access control is about implementing an organization's security and privacy policy.

I have been struggling for weeks now it find some distinction. First of all, consider that unless some work is explicitly in the public domain, the act of publication creates an implied copyright. Therefore, with rare exceptions all content on the WWW, for example, is legally a "digital work." Now if I charge a subscription to access some data, limit access to people who have joined my club, limit access to customers who have bought a widget from me, employees who work for me or restrict access for any other motive, I do not see the distinction. Essentially it boils down to money.

Maybe somebody else can help me here, but the similarity of concepts, the form of the language, the stated requiremets leave me at a loss as how to draw a line. Are we going to say that the distinction arises from the mental state of the person creating the policy (license)? This seems unworkable to me.

Another point made much of in the ContentGuard patents is the notion that the usage rights are "attached" to the digital work. I understand what it means to attach a handle to a door, but what the word "attached" means in this context escapes me. Does it mean they are on the same system? in the same file? that the right "names" the work? that they cryptographically bound together? that the rights move around the network with the work?

The last seems like a possible distinction, but merely an implementation optimization. It seems hard to credit that if I were to send the rights (policies) in a different message from the work (content) that I would be doing access control, whereas if I sent them in the same message I am doing DRM. Makes me think of the Kosher practice of never letting the milk touch the meat.

It appears to me that access control and DRM are simply two historically distinct (and actually very similar) ways of looking at the same problem.

I am going to submit the XACML usecases and requirements to the Requirements SC. Perhaps someone will be able to tell me which requirements do not apply and why.