Thoughts on the W3C DRM Workshop
John Erickson, Revision 07 Feb 01

To me, the biggest lessons were the following:

1. Everyone thinks that they want INTEROPERABILITY, but few people agree on what the term means.
2. The RIGHTS LANGUAGE concept is "hot," but few people really know what they mean when they say that they want one. The simple fact that they want *one* is a testament to this.
3. The need for TRUST INFRASTRUCTURE is recognized, but what should it look like? And what authorities will manage that trust?
4. There are some very interesting RELATED ACTIVITIES in the W3C and elsewhere that may contribute, but coordination is necessary.
5. Finally, some thoughts on the PROPER FORUM(s) for NEXT STEPS to occur

1. INTEROPERABILITY

It is clear that a shared architectural model or abstract framework is required, if only for people to fully understand the depth and breadth of the rights management arena. The two position papers by HP and the paper by Renato Iannella were by far the "deepest" in this regard, in the sense that they each considered a layered, abstract model consisting of policy expression, transmission, interpretation/enforcement, and thus introduced *multiple* levels of well-defined interoperability.

Unfortunately, I feel that these framework papers went "over the heads" of most participants. When asked, most participants defined "interoperability" as what we have called "format-level interoperability" --- the ability of a DRM mechanism to successfully interpret a package from an alien mechanism. Few speakers discussed other levels of interoperability, and when they did they referred to this as "simulated interoperability" (a term apparently borrowed from the AAP/Andersen Consulting report on eBooks and DRM).

Intel's presentation of their MPEG-21 "Digital Item Declaration Model" proposal suggests another pathway to interoperability, which is consistent with our call for a higher-level framework.
It is important for W3C to be engaged in that activity, while working toward a framework context. Later in this discussion I will suggest that the W3C's role should be to work to define a generalized architectural model.

2. RIGHTS LANGUAGES

First, it is clear that user domains (e.g. "eBook trading," "sub-rights trading," "streaming music," etc.) each require sets of RIGHTS PRIMITIVES that those domains wish to do useful things with. Although people often conceptualize and refer to these primitives as "rights languages," I believe that what they are *really* referring to are "rights data dictionaries." I say this because the interested parties generally want the declared vocabulary primitives to be bound to some human-readable definition (or "semantic").

Secondly, I believe that most of the Workshop participants are not ready to engage in the kind of "language" definitions that we are thinking about, beyond defining the primitives. In our current thinking, rights interoperability mirrors the three suggested levels of data interoperability, including: syntax, objects, and semantics. Base-level syntax (XML) and vocabulary primitives populate the bottom layer; complex schema definitions for a variety of useful objects for RIGHTS MESSAGING occur in the middle layer; the semantics of using these objects in various RIGHTS APPLICATIONS are defined in the top layer, including tying primitive language elements used for enforcement to specific HW or SW components. Thus there will be separate and detachable schema for expressing primitives; for combining those primitives with other language elements to serialize "rights objects" in various rights messages; and for declaring bindings in applications.

3. TRUST INFRASTRUCTURE

I won't go into much depth concerning the treatment of trust at the Workshop, other than to summarize a few concerns that came to mind:

a. What will "it" look like?
b. Who should manage trust?
c. How will trust be "interoperable"?
d. What are the social/legal issues (e.g. liability)?
e. How to deal with trusted components (HW/SW)?

Most participants believe that not only must there be a trust infrastructure upon which applications (commerce and otherwise) will be built; they imagine that there will actually be *several*, providing different value-added trust services. The trust concerns expressed tended to be more practical --- for example, who will run these authoritative trust services? Private companies? Governments? Industry organizations (e.g. publishers associations, authors' collectives)?

If there are multiple, parallel trust infrastructures, who will create and manage the "directories" that will enable interoperation? Or will these "trust backbones" take a form where this is unnecessary --- where the semantics of the certifications are obvious? Regardless of how it is built, there is concern over liability --- who is liable for a failed "chain of trust?"

Finally, it is likely that there will need to be a stack of standards to express and communicate levels of trust of software components. It is possible that the means of expressing and communicating this may be accommodated by CC/PP, but a domain-specific vocabulary for this application will need to be defined.

4. RELATED ACTIVITIES

Rights management covers a broad technical space, so obviously there are several consortia hosting activities that will influence the field. The following is a short "shopping list":

a. MPEG-4 Part 2: IPMP (Intellectual Property Management and Protection)
b. MPEG-21 (Digital Item Description)
c. W3C: XML-signatures, XML-encryption, XML-protocol
d. W3C: RDF, DAML and other "Semantic Web" projects
e. OeB/EBX: Previous EBX work on trust infrastructure, current "Rights & Rules WG"

None of these activities solves the rights management interoperability and standardization problem, but each *suggests* a piece of the solution.
For example, MPEG-4 IPMP may come close to standardizing DRM APIs, but doesn't treat many other aspects of the problem (such as rights vocabularies, rights messaging, etc). In particular, *none* of these deals with what we think of as the ESSENTIAL first step for the Web: the simple expression and communication of IPR information and policies.

As the Erickson and Iannella position papers pointed out, the role of the W3C can be to recommend a framework or generalized architecture model that stitches this world together. It is the responsibility of those who think this way to provide leadership, to recommend more specifically how this can be done.

I've not mentioned privacy here, although it was an important topic of discussion throughout the two days.

5. PROPER FORUMS and NEXT STEPS

I believe that the W3C is the best *existing* forum to define a forward-looking Framework as I've suggested, but I'm concerned that this may not be as clear to the broader W3C. Rights management presents a broad set of problems, and a "Web-is-Everything and Everything-is-Web" view, if present, would surely generate conflicts in process and politics. Note that the same could be said of MPEG processes and politics (for example); such is the nature of the digital, networked environment.

I envision (or would like to see) the W3C engaging in the creation of a "Rights Management Framework," with work split between a small number of specialized WG's, and a larger number of formal links to "related" efforts: within W3C, MPEG, IETF, Industry. The Framework WG would in part be responsible for mapping the relevance of these related efforts into the Framework and recommending integration best practice; the "specialized" WG's --- possibly just one, but surely several --- would address individual missing pieces.

Renato Iannella has suggested the following specific set of activities.
Under the "DRM Activity" he sees:

- A DRM Interest Group for liaisons to other bodies
- A Metadata Framework (note this is _not_ specific to DRM but a general framework for trusted metadata. It would encompass - and have one solution - for P3P, CC/PP and include Digital Signatures and an advanced version of RDF) and fully support:
- A DRM Language WG (to work in *conjunction* with MPEG)

I would like to see something stronger than an "interest group" resolving the interoperability issues. For example, we would prefer specific *activity* focused on mapping out a "Rights Management Framework" or "Interoperability Reference Model," that would provide the context for other efforts (esp. the Metadata Framework and Rights Languages).

An immediate outcome of having such a Framework or Model would be to eliminate disagreement and misunderstanding on the scope of a "rights expression language" --- while some will see this as essentially a set of rights primitives with agreed-upon semantics (e.g. a rights data dictionary mapped onto an XSD), others will see this as including object definitions. Both interpretations are correct, but at different levels.

| John S. Erickson, Ph.D.
| Hewlett-Packard Laboratories
| PO Box 1158, Norwich, Vermont USA 05055
| 802-649-1683 (vox) 802-371-9796 (cell) 802-649-1695 (fax)
| john_erickson@hpl.hp.com