License? GPL vs LGPL.

Marcus Brinkmann Marcus.Brinkmann at ruhr-uni-bochum.de
Mon Nov 10 01:42:56 CET 2003 

On Sun, Nov 09, 2003 at 04:03:16PM -0500, Daniel Carrera wrote:
> Yes, all the DRM features that get press are like that.  But AFAIK, MS Office 2003 
> is offering a different set of DRM features, whereby a document author can control 
> who reads it.  This is a DRM feature for MS Office document authors, not Holywood.

Ah, I see.  I can see how some companies for example would want that (and
other people who can be talked into thinking that this would really stop the
determined ;)
 
> MS Office 2003 also offers self-updating documents, and documents that can be read 
> but not copied or emailed.  The first feature is something I'm not sure I'd be 
> willing to include in OpenOffice, and the latter is not really possible as long as 
> people can carry photographic cameras.

I also think that both won't really work in a free software environment.
Maybe if you had some cryptographic hardware lock in each PC, and require
the presence of it.
 
> > And because of that, unless you are entering that arena, I don't think that any 
> > feature you can add to OpenOffice will rival or have an affect on what's going 
> > on in the DRM world.
> 
> Well, I was thinking that in some cases PGP might solve some of the problems that 
> MS claims will be solved by DRM.  For instance, authenticity of the document.  
> Authenticity has little to do with the usual connotation of the term "DRM", but it 
> is (AFAIK) something that MS claims will be a feature of DRM.

Right.  It's important to stress the difference I think.  In fact,
authentication is just digital signatures, and digital signatures is a
concept that stands all by itself.  Of course, convenient use of encryption,
decryption, signing and verification in Open Office, let's say in an equivalent
way to how you do it with mail in a mail client, would be great.
 
> > Now, MS and others probably claim that DRM is meant to bring authentication
> > to the user for the users advantage - that would just be part of the normal
> > propaganda in order to sweet the poison that the user is supposed to
> > swallow.
> 
> So you are saying that MS Office 2003 does NOT have any authentication features 
> that the user can make user of?

No, I don't really know the latest whistles and bells in MS products.  But
if it has it, it probably is either a fall-out of the broader concept of
locking in the users, or I am not sure why you raised the issue of DRM at
all :)  I can imagine that there is a high enough demand of such features by
corporate enterprises in their in-house distribution of documents (and
exchange of documents with other companies) that they would consider adding
such feature.

> > This is not meant to stop you from developing new features to good free
> > software, especially features that improve the privacy and integrity
> > of the user's data!  It just seemed to me that your perspective on DRM
> > is a bit at odd with what I consider DRM to be about, so here are my 2cent.
> 
> I am not knowledgeable of DRM.  I just read the article I pointed out.

I am not an expert either.  Maybe it's a good idea to just talk about
individual concepts like authentication, verification and encryption, at
least as long you stay with OpenPGP and its feature set.  Having transparent
OpenPGP support in OpenOffice would be interesting.  It's probably a bit
difficult to handle sensitive documents correctly - some things might
actually be difficult to achieve (there shouldn't be bits and pieces of
sensitive data in temp files, nor should it be swapped out to disk, etc),
but it's definitely theoretically possible.

> I just conversed with the OOo people and it turns out that authenticatin is planned 
> for version 2.0 (due in a year or so):
> 
> http://tools.openoffice.org/releases/q-concept.html#3.3.2.Digital%20Signatures|outline

It actually makes a good point about signatures being a replacement for the
need to prevent modification of a document (any modification will render the
existing signature invalid).

> Nothing has been written yet.  I will push for GnuPG compatibility if such a thing 
> is possible.

It talks about some XML standard for encryption, but I don't know what that.
There seems to be a W3C XML encryption working group.  There is also an XML
Signature working group.  If that's the goal, then we are talking about a
new format here, but the underlying encryption technology will probably be
something like X.509 (which gpg 2.0 will support - it's already available in
the separate gpgsm package), but I imagine other schemes will be possible as
well.

>  I could be that the simplest way to provide authenticatin is to just 
> write a regular .sxw file and run gpg on it.  It sure sounds simpler to me.

It's very simple, although not for everybody (command line tool, and you
still have to learn everything about public key cryptography a user should
know, and how to manage your keys etc) plus it isn't very flexible (the XML
standard talks about signing/encrypting parts of an XML document for example
which could be a very powerful GUI feature).

Thanks,
Marcus


-- 
`Rhubarb is no Egyptian god.' GNU      http://www.gnu.org    marcus at gnu.org
Marcus Brinkmann              The Hurd http://www.gnu.org/software/hurd/
Marcus.Brinkmann at ruhr-uni-bochum.de
http://www.marcus-brinkmann.de/

More information about the Gcrypt-devel mailing list