Sunday, October 24, 2010

DRM to TPM

I have a pretty general idea of Digital Rights Management, and after learning about TPM (Technological Protection Measures) I have learned that TPM is just one aspect that fits under the DRM umbrella. One of the biggest things we talked about in class was the difference between authentication and authorization, two major components of TPM. The two are different, but work together to provide access. Authentication answers the question of "who" and authorization answers the question of "what may the authorized person do?"

The authentication process works with IP addresses - libraries and publishers keep a list of "ok" IP addresses (those that are approved to access the database). When a person logs in to say, UW Libraries and their databases, the username and password matches up with a list of approved users and then they are assigned an IP address. The user information that matches up with the preapproved list of users is called an LDAP server (or lightweight directory access protocol). For a place like UW-Madison, thousands of students are added to and taken off this list each year, in addition to thousands of "guest access" passes that can be easily created.

The authorization process gets down to specifics. David Millman's article "Authentication and Authorization" addresses this process well: "The authorization decision is, in other words, given someone's identity, what may they do? What information may they see; what may they create or destroy; what may they change?" We've already started to see tighter authorization requirements on our own campus, and they're predicted to be further restricted in coming years. Currently, there are a handful of databases where the user must be in a specific library to gain access, and certain departments already have additional login information required beyond the regular UW-Net ID and password. A question was raised regarding the Wisconsin Institutes for Discovery in which a relationship between the public and private sector is formed to perform biomedical research - what kind of authorization will be required for these researchers? Especially with the private sector researchers? This will not only be an interesting challenge with authorization, but in licensing as well.

Below are my messy reading notes on a few of the readings:

“Every Library’s Nightmare?”

- “TPM are configurations of hardware and software used to control access to, or use of, a digital work by restricting particular uses such as saving or printing.

- Hard restrictions: secure – container TPM where there is a physical limitation built into the hardware.

- ISSUES: user dissatisfaction, generate interoperability issues; block archival activities; increased staffing to handle these issues.

- Soft restrictions: discourage use, but not impossible to get around. Now almost accepted as part of e-resources (just the way things are). These change our expectations from vendors.

- Occurs in resources that are 1. Digital and 2. Licensed.

- These restrictions would be impossible on paper copies

- Soft restriction types: 1. Extent of use 2. Restriction by Frustration (often done with awkward chunking) 3. Obfuscation (poorly designed interfaces that do not properly show the capabilities) 4. Interface Omission (tasks only possible through browser or computer commands, left out of the interface) 5. Restriction by Decomposition (breaks down into files, makes it hard to save or e-mail) 6. Restriction by Warning (proclaims limitations and “misuse may result in...” language.

- Hard restriction types: 1. No copying or pasting of text 2. Secure container TPM (ex: only posting low resolution images)

“Technologies Employed to Control Access to or Use of Digital Cultural Collections”

- Digitized works are often harder to control and restrict access to, so that’s where TPM comes in (sits under the umbrella of DRM – “a broader set of concerns and practices associated with managing rights from both a licensor and a licensee perspective.”

- Usage controls manipulate the resource itself (same as a hard restriction?)

- Libraries are more likely than archives/museums to employ a system that restricts or controls access/use.

- Common systems are: authentication and authorization; IP range restrictions; network based ID systems

“Authentication and Authorization”

- Authentication: validating an assertion of identity (identity code and password)

- Other examples include:

1. 1. Shared secrets (like a shared password) 2. Public key encryption 3. Smart cards (not sure if I’ve ever seen this before, or if this method is even used anymore) 4. Biometric (personal physical characteristics) 5. Digital Signatures

- Authorization: access control or access management, or permitted to perform some kind of operation on a computer system.

- Divided into three categories: 1. “whether a subject may retrieve an object” 2. “whether a subject may create, change, or destroy an object; 3. The extent that the person can change the authorization rules.



Posted by at

1 comment:

  1. AnonymousNovember 10, 2010 at 4:05 AM

    Hello, I came to your blog and have been reading along your posts. I decided I will leave my first comment. I have enjoyed reading your blog. Nice blog. I will keep visiting this blog very often…

    DRM Protection

    ReplyDelete

Subscribe to: Post Comments (Atom)