[sword-devel] drm

Kahunapule Michael P. Johnson sword-devel@crosswire.org
Wed Apr 21 02:37:14 MST 2004


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

At 11:37 21-04-04, Michael A. Peters wrote:
>I'm sure this has been asked before, but are there any plans to add some
>kind of a drm mechanism so that "locked" modules can be purchased?

I don't think Crosswire wants to do that, but maybe providing tools so 
that others can sell modules with proper publisher permission might be 
OK, if you wanted to do that.

>I don't know about windows, but one way to do it in Linux that would be
>pretty safe is a key based upon the user's gpg - sword could
>automatically request a license file from vendor based upon user's gpg
>public key, and get a license file that is only usable with that user's
>gpg private key.

OK, so I generate a new gpg key pair just for that purpose, get the 
license string, then post both for my hacker buddies?

Seriously, most people don't have a gpg key. Only a very small 
minority of people care enough about authentication and/or privacy to 
learn how to use PGP or GNU Privacy Guard. These programs are not 
user-friendly enough to enter the mainstream. I only have one person who 
sends me OpenPGP encrypted email regularly, and to whom I send OpenPGP 
encrypted email regularly. He is highly motivated to use this 
unfriendly encryption, because some of his tales about people who 
preach the Gospel to Muslims could get some of his friends killed if 
they leaked to the wrong hands. Even my GPG signature on this email 
probably won't verify, because this mailing list does weird things to 
line breaks and white space.

I think that it would be about as secure, really, to just tie the 
personal unlock key to the customer's name + some unique identifier, 
like maybe an email and/or postal address. (Names aren't necessarily 
unique, all by themselves. Try looking up Michael Johnson or Jim Smith 
in any major city's telephone book.) If you wanted to be obnoxious, 
you could tie the key to the machine instead of the customer, but you 
don't, do you? Anyway, the seller could keep a record of identifying 
information associated with a sale to know who to suspect in case his 
or her code gets published. Even then, what if they are a victim, too?

It is hard to do DRM well with open source projects. Actually, it is 
impossible, without dedicated, tamper-resistant hardware. You can do 
point of sale control fairly well, though. The real question is "Can 
you do it well enough to convince major Bible publishers to trust the 
implementation?" To get an idea of what it takes to gain that trust, 
take a look at what Bible study software vendors who sell major 
copyrighted translations require.



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (MingW32)
Comment: http://eBible.org/mpj/gpg.htm

iD8DBQFAhd5RRI/gxxfXR7sRAn8qAJ97ijZvRoMT1OK5ZgY0QnF5qDILRgCfXMkc
5r92DNe1RWvQp0Na0E4b1PA=
=qrJT
-----END PGP SIGNATURE-----
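
An added example, not part of the original post and not SWORD code: a seller-side sketch of the scheme described above, where the unlock key is tied to the customer's name plus email and the seller keeps a sale record to trace a published key. HMAC-SHA256, the key format and every name here (VENDOR_SECRET, issue_key, SalesLedger) are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import unicodedata

# Constructed demo value. Assumption: the real secret never leaves the seller,
# so this is point-of-sale control only; an open source client cannot hold it.
VENDOR_SECRET = b"constructed-demo-secret"

def normalize(name, email):
    """Canonical identity, so 'Jim  Smith' and 'jim smith' get the same key."""
    n = " ".join(unicodedata.normalize("NFKC", name).casefold().split())
    e = unicodedata.normalize("NFKC", email).strip().casefold()
    return n, e

def issue_key(name, email, module, secret=VENDOR_SECRET):
    """Derive a per-customer, per-module unlock key (80 bits, grouped in fives)."""
    n, e = normalize(name, email)
    # JSON encoding keeps the field boundaries unambiguous.
    msg = json.dumps([module, n, e], ensure_ascii=True).encode("ascii")
    digest = hmac.new(secret, msg, hashlib.sha256).hexdigest()[:20].upper()
    return "-".join(digest[i:i + 5] for i in range(0, 20, 5))

def key_matches(name, email, module, key, secret=VENDOR_SECRET):
    """Seller-side check that a presented key belongs to this identity."""
    expected = issue_key(name, email, module, secret)
    return hmac.compare_digest(expected, key.strip().upper())

class SalesLedger:
    """Record of who was issued which key, to know who to ask if one is published."""
    def __init__(self):
        self._by_key = {}

    def sell(self, name, email, module):
        key = issue_key(name, email, module)
        self._by_key[key] = (name, email, module)
        return key

    def trace(self, published_key):
        # A match says which sale the key came from, not who published it.
        return self._by_key.get(published_key.strip().upper())

if __name__ == "__main__":
    ledger = SalesLedger()
    # Constructed customers: same name, different email, so different keys.
    k1 = ledger.sell("Michael Johnson", "mj1@example.org", "DemoModule")
    k2 = ledger.sell("Michael Johnson", "mj2@example.org", "DemoModule")
    print(k1, k2, ledger.trace(k2.lower()))
```
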



