[Linux-aus] Microsoft Office 2003 lock-in via DRM
lesbell at lesbell.com.au
Tue Sep 9 10:04:01 UTC 2003
Arjen Lentz <arjen at mysql.com> wrote:
A friend of mine suggested the following a few weeks ago, and it seems
quite elegant: add some GPG hooks into OpenOffice (for instance),
similar to what's already been done in various e-mail programs.
That shouldn't be too difficult, and it should be acceptable in the
corporate world, as most Windows applications have hooks or add-ins for
PGP. The alternative would be something like S/MIME - the basic difference
is that PGP/GPG is based upon a web of trust, whereas S/MIME relies upon a
Certifying Authority. (Personally, I use S/MIME because that's what's built
into Lotus Notes [don't anyone say it!] but even Notes has a PGP add-in
available at a small cost).
When saving a file, you'd be able to sign documents with your own
private key, as well as select which recipients are able to load it
(encrypt the pwd with their public key).
When loading a protected file, check whether any local private key is
Perhaps this adaptation: encrypt the file with a one-time key, using
blowfish, AES, or whatever, then add multiple copies of the one-time key,
each encrypted with an intended recipient's public key, and then sign the
whole lot with your public key. No password on the document itself;
recipients need only provide the password that unlocks their private key,
and they can decrypt the file.
Granted, it's not as elaborate as MS' DRM - particularly the ability to
allow specific options similar to PDF. But simplicity is an asset, too.
This would work anywhere, on any system. Very open.
Experienced infosec professionals all seem to agree that simplicity is a
tremendous virtue, especially those who have been involved with large PKI
projects. And some will say that encryption should be the security control
of last resort, on account of the complexities.
I'd really like to the see the FOSS community take the initiative in
implementing an interoperable rights management system, especially one that
is fair and open. An extension to the OASIS document standards would be a
Thing of Beauty and a Joy Forever, imho.
(A parenthetical question: does anyone know what the Jolly Blue Giant has
been doing in this area? A few years ago, IBM released its own DRM
technology, including such things as cryptolopes (cryptographic envelopes -
see http://www.research.ibm.com/ncc/rightsmgt.html) but all of that seems
to have fallen by the wayside. I wonder if IBM could bring some of its
poorly-selling technology to the party?).
--- Les Bell, RHCE, CISSP
More information about the linux-aus