[29] in WWW Security List Archive


Re: GSS API...

daemon@ATHENA.MIT.EDU (Roger Masse's the named)
Tue Aug 16 18:40:58 1994

To: Jeff Hostetler <jeff@spyglass.com>
cc: John Ludeman <johnl@microsoft.com>, www-security@ns1.rutgers.edu
In-reply-to: Your message of "Tue, 16 Aug 94 10:24:19 MDT."
             <9408161524.AA24538@fido.spyglass.com> 
Date: Tue, 16 Aug 94 15:31:40 -0400
From: "Roger Masse's the named" <rmasse@CNRI.Reston.VA.US>


>Jeff Hostetler writes
>[Ignoring for now the DLL implementation details,] a transaction
>might go something like this:

>1) client to http server:
>	get url

>2) server response:
>	402 payment required
>	Authorization-Accept: visa ... c=US, v=$4.50
>	Authorization-Accept: amex ... c=US, v=$4.50

>3) If the user wanted to pay, the client would contact a 'payment
>	service provider' and arrange for payment via the 'visa'
>	protocol (or the 'amex' protocol).  As part of the
>	transaction the client would be given an authorization
>	token.

>4) client to http server:
>	get url
>	Authorization-From: visa ...

>5) At this point the http server would ask the 'payment service
>	provider' if it issued the token.  If it did, the http
>	server sends the requested document to the client.  If

I assume the server sends an encrypted copy of the requested 
document to the client to avoid unauthorized access to the
document via a sniffing attack?

>	not, it repeats the response in step 2.

I like this approach, simple separation of tasks.  However, isn't
this only solving the easy problem?  The tip of the Iceberg?

How do you protect the rights of the copyright holder enough to 
convince publishers to begin to use this method for dispersing intellectual
property?  There is more protection with hardcopy books.  Sure I 
can give my bought-and-paid-for copy to someone else, but then I no
longer have it.  Or I could painstakingly rip apart the binding
and copy the book for someone, but this is cumbersome... and time consuming
and often the effort is not worth the value of the copy of the book.
Put the book in electronic form, however, and copying is a snap
once the client has decrypted their prize.

The $100,000 dollar question...

What do we build that would have sufficient security to convince
the majority of potential service providers that we have made 
it sufficiently difficult for someone with copyright infringement
intent, who has (as per Jeff's algorithm) bought-and-paid-for
a legitimate electronic copy, from distributing illegal copies?
 
Regards,
 
        Roger E. Masse, Systems Engineer
        Corporation for National Research Initiatives
        1895 Preston White Drive, Suite 100
        Reston, Virginia, USA  22091
        Internet: rmasse@CNRI.Reston.VA.US
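The five-step exchange quoted in the message above, worked through as an added Python example; this is not code from the original post, from Spyglass, or from any payment scheme. The scheme names, the 402 status, and the `Authorization-Accept` / `Authorization-From` header shapes come from the quoted steps; the catalogue path and price, the hex token format, the binding of a token to the purchase it paid for, and the single-use redemption check in the provider are assumptions added here so that a token captured on the wire and replayed is refused at step 5.

```python
import secrets

# Constructed sample catalogue for the quoted exchange: url -> (country, price).
# The path is a placeholder; only the "c=US, v=$4.50" terms appear in the post.
CATALOGUE = {"/docs/report.html": ("US", 4.50)}
SCHEMES = ("visa", "amex")


def parse_offer(offer):
    """Parse one 'Authorization-Accept: visa ... c=US, v=$4.50' value (the '...'
    stands in for whatever scheme-specific data the real header would carry)."""
    scheme, _, terms = offer.partition(" ... ")
    fields = dict(t.strip().split("=", 1) for t in terms.split(","))
    return scheme, fields["c"], float(fields["v"].lstrip("$"))


class PaymentServiceProvider:
    """Hypothetical 'payment service provider' (steps 3 and 5 of the quoted flow)."""

    def __init__(self):
        self._issued = {}       # token -> (url, country, amount) it was issued for
        self._redeemed = set()  # tokens already used to fetch a document

    def arrange_payment(self, scheme, url, country, amount):
        """Step 3: the client pays via the chosen scheme and gets an authorization token."""
        if scheme not in SCHEMES:
            raise ValueError("unknown payment scheme")
        token = secrets.token_hex(16)
        self._issued[token] = (url, country, amount)
        return token

    def did_issue(self, token, url, country, amount):
        """Step 5: the http server asks whether this token was issued, and for this
        purchase. Marking the token redeemed on first use is an added hardening
        assumption: a token sniffed in step 4 and replayed later fails this check."""
        if token in self._redeemed:
            return False
        if self._issued.get(token) != (url, country, amount):
            return False
        self._redeemed.add(token)
        return True


class HttpServer:
    """The http server side of steps 1, 2, 4 and 5."""

    def __init__(self, psp):
        self.psp = psp

    def _payment_required(self, country, amount):
        offers = [f"{s} ... c={country}, v=${amount:.2f}" for s in SCHEMES]
        return 402, {"Authorization-Accept": offers}, None

    def get(self, url, headers=None):
        """Returns (status, response headers, body)."""
        headers = headers or {}
        if url not in CATALOGUE:
            return 404, {}, None
        country, amount = CATALOGUE[url]
        token_line = headers.get("Authorization-From")
        if token_line is None:
            return self._payment_required(country, amount)       # step 2
        scheme, _, token = token_line.partition(" ")
        if scheme in SCHEMES and self.psp.did_issue(token, url, country, amount):
            return 200, {}, f"<contents of {url}>"               # step 5, token accepted
        return self._payment_required(country, amount)           # step 5, "repeats step 2"


def client_buys(server, psp, url, scheme="visa"):
    """Drives steps 1-5 from the client side; returns (status, body, token)."""
    status, hdrs, body = server.get(url)                         # step 1
    if status != 402:
        return status, body, None
    offer = next(o for o in hdrs["Authorization-Accept"] if o.startswith(scheme + " "))
    scheme, country, amount = parse_offer(offer)
    token = psp.arrange_payment(scheme, url, country, amount)    # step 3
    status, _, body = server.get(url, {"Authorization-From": f"{scheme} {token}"})  # step 4
    return status, body, token
```

The provider's check in step 5 does two things the quoted description leaves open: it confirms the token was issued for this url, country and price rather than for some other purchase, and it accepts each token once, so a second request carrying the same `Authorization-From` value gets the 402 from step 2 again. That covers the replay half of the sniffing concern raised in the reply; keeping the delivered document itself confidential on the wire is a separate transport question that this example does not model.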
