RE: Summary Report published from Rob Koenen on 2001-05-02 (www-drm@w3.org from May 2001)

From: Rob Koenen <rkoenen@intertrust.com>
Date: Wed, 2 May 2001 12:32:07 -0700
To: "'Rigo Wenning'" <rigo@w3.org>, DRM-Public-List <www-drm@w3.org>
Cc: Daniel Weitzner <djweitzner@w3.org>
Message-ID: <720AE932C238D411B4D100C04F10DA6B02DEB372@exchange.epr.com>
Rigo, all,

Thanks for publishing the report. Although I have some comments,
I think it reflects a good job in accurately conveying what was
discussed over the twoworkshop days.

The one thing that is really missing in my view (and I am echoing 
Norman's comments) is the summary that we did in the end. I really
think that list belongs in this summary, with appropriate
qualifications (it was the result of a braindump after two days
of intensive discussions).

Please add that summary.

Then, I am anxious to learn about W3C's next steps.


Detailed comments follow below.

> W3C will now take these recommendations and discuss it 
> internally before making any formal decisions.

Any view on the time schedule for this?

> There were a considerable amount of voices requiring, that a 
> system should work offline as online. 

This is not a "should", this is the very definition of DRM:
persistent governance. 

> DRM should be about the 
> "digital management of rights" not the "management of digital 
> rights". 

Was this the conclusion? We did discuss the 'digital mangement
of rights' versus the 'management of digital rights' yes.

> 
> Privacy 
> DRM is also processing personal information. It needs to 
> treat consumer as a "first-class" object. That is, a 
> consumer's profile have access usage conditions, and other 
> (user-) rights linked to it. 


Consumers need to be able to express and manage their rights
and interests, and DRM can help them do just that.


> To learn about DRM issues use "simulated interoperability". 

No, this was postulated as a potential solution (though I do
not understand well how it can be)


> Architecture 
> Interoperability is a key DRM requirement (see discussion below) 
> A digital Rights Language is seen as a good first step for 
> DRM standardisation (see discussion below). 

"... a good first step for interoperability, but not nearly enough"

> Security 
> DRM needs a Trust Infrastructure (see discussion below). 

Yes, true, but the real issue was that *Standardized*
DRM needs a Standardized Trust Infrastructure, which makes it
such a challenge. 


> Multimedia 
> MPEG is addressing DRM needs and should work closely with W3C. 

Good header :-)
But the statement strikes me as funny. "MPEG should work closely
with W3C"? This can be read in a number of ways. "W3C should work
closely with MPEG" is something I have heard as well. Please make 
this comclusion more balanced, so that it doesn't (unintentionally)
sound like a requirement on MPEG alone.


> Identifiers 
> The identification of content is a critical requirement for 
[...]
> Currently there is no single system that can provide all 
> needed features for all sectors. 

(Note that MPEG has begun to address this issue in the 
 Digital Item Idnetification and Description)


> DRM Interoperability
> It is clear that a shared architectural model or abstract 
> framework is required, if only for people to fully understand 
> the depth and breadth of the rights management arena. A 
> number of position papers explored this in depth; they 
> considered a layered, abstract model that consisting of 
> policy expression, transmission, interpretation/enforcement, 
> and thus introduced "multiple" levels of well-defined 
> interoperability.

But we did not agree on a framework. We just know it has
many layers.

> MPEG's presentation of their MPEG-21 "Digital Item 
> Declaration Model" proposal suggests another pathway to 
> interoperability, which is consistent a call for a 

word missing ("with") ?

> higher-level framework. It is important for W3C to be engaged 
> in that activity, while working toward a framework context.

Note that the Declaration work in itself is not about DRM.
MPEG-21 *is* though.


> Trust Infrastructure
> To summarize a few concerns about Trust infrastructures from 
> the Workshop:
> 
> What will "it" look like? 
> Who should manage trust? 
> How will trust be "interoperable? 
> What are the social/legal issues (eg liability)? 
> How to deal with trusted components (hardware/software)? 
> Most participants believe that not only must there be a trust 
> infrastructure upon which applications (commerce and 
> otherwise) will be built; they imagine that there will 
> actually be several, providing different value-added trust 
> services. The trust concerns expressed tended to be more 
> practical - for example, who will run these authoritative 
> trust services? Private companies? Governments? Industry 
> organizations (.g publishers associations, authors' collectives, etc)?
> If there are multiple, parallel trust infrastructures, who 
> will create and manage the "directories" that will enable 
> interoperation? Or will these "trust backbones" take a form 
> where this is unnecessary - where the semantics of the 
> certifications are obvious? Regardless of how it is built, 
> there is concern over liability - who is liable for a failed 
> "chain of trust?"

Good points, well captured.
Also, note that trust isn't automatically transitive or even 
reflexive.

> [...] Trust-structures 
> are actually such a big task, that they should be considered 
> outside a DRM-Activity. 

Said who? I think (said) no DRM standardization will work without
regard for this issue.


> MPEG-4: IPMP (Intellectual Property Management and Protection) 
> MPEG-7 Multimedia Description Schemes 

MPEG-7 MDS is only one of several MPEG-7 parts, and there
are DRM implications also at MPEG-7's Systems layer.

> MPEG-21 Digital Item Identification and Description 

MPEG-21 DIID is only one of several MPEG-21 parts. Notably,
the Rights Language and Data Dictionary will be imortant too.

> *suggests* a piece of the solution. For example, MPEG-4 IPMP 
> may come close to standardizing DRM APIs, but doesn't treat 
> many other aspects of the problem (such as rights 
> vocabularies, rights messaging, etc). 

True about MPEG-4, much less true when taking into account 
the complete set of MPEG activities, designed to complement
each other.
(Rights messaging *is* actually addressed in MPEG-4 IPMP now)



> Next Steps
> There were opinions voicing, that the W3C is the best 
> existing forum to define a forward-looking Framework. There 
> was also concern that this may not be as clear to the broader 
> W3C. Rights management presents a broad set of problems. , 
> and a "Web-is-Everything and Everything-is-the-Web" view, if 
> present, would surely generate conflicts in process and 
> politics. Note that the same could be said of MPEG processes 
> and politics (for example); 

I am unclear as to what "the same" exactly refers to.
MPEG has cetainly recognized that the MPEG-21 vision goes beyond
MPEG alone.


> The specialized WG's - possibly just one, but surely several 
(a somewhat contradictory statement)

> - would address individual missing pieces, such as a rights 
> expression language - while some will see this as essentially 
> a set of rights primitives with agreed-upon semantics (eg a 
> rights data dictionary mapped onto an XML Schema), others 
> will see this as including object definitions. Both 
> interpretations are correct, but at different levels.

I thnk this is taking one specific element and putting it sort
of down as the conclusion of the workshop - see my first comment
above.

Best Regards to all who made it to the end of this mail,
Rob
Received on Wednesday, 2 May 2001 15:34:30 UTC