Workshop on Digital Rights Management

22-23 January 2001, INRIA, Sophia Antipolis, France

Position Paper

Jonathan D. Hahn
Director of Internet Technology, Versaware, Inc.
Executive Chairman, EBX Working Group
Chair, OeBF Systems Working Group
+972 52 383-212

1. Background

Versaware Inc., www.versaware.com, is the world leader in ePublishing and the creation and distribution of eBooks for a growing number of platforms. Founded in 1997, Versaware offers a complete end-to-end solution for today’s leading publishers, including: McGraw-Hill, Pearson, Addison Wesley Longman, John Wiley & Sons, Simon & Schuster Interactive, Taylor & Francis and others.

The Electronic Book Exchange (EBX) Working Group is an organization of companies, organizations, and individuals developing a standard for protecting copyright in electronic books and for distributing electronic books among publishers, distributors, retailers, libraries, and consumers. The draft EBX specification accommodates a variety of content formats for electronic books, including Open eBook Publication Structure and Adobe® Portable Document Format (PDF).

The purpose of the Open eBook Forum (OeBF) is to create and maintain standards and promote the successful adoption of electronic books. The Open eBook Forum (OeBF) is an association of hardware and software companies, publishers, authors and users of electronic books and related organizations whose goals are:

  1. to establish common specifications for electronic book systems, applications and products that will benefit creators of content, makers of reading systems and, most importantly, consumers, helping to catalyze the adoption of electronic books
  2. to encourage the broad acceptance of these specifications on a worldwide basis among members of the Forum, related industries and the public, and
  3. to increase awareness and acceptance of the emerging electronic publishing industry, thereby promoting the growth of the ePublishing industry.

Representatives of the Open eBook Forum (OeBF - http://www.openebook.org/) and the Electronic Book Exchange Working Group (EBX - http://www.ebxwg.org/) met in Denver, Colorado, during the week of December 4, 2000, and jointly developed a plan to combine the efforts of both organizations.

The unified organization will be a focal point for standards activities related to electronic publishing and hopes to provide a home for all industry participants and parties interested in the development and adoption of electronic publishing standards.

The unified organization will be run in accordance with the governance principles and procedures of the OeBF and expects to take advantage of the substantial work completed to date by the EBX Working Group to accelerate delivery of standards for digital rights management.

The plan addresses the issues surrounding the combination and contemplates completing integration of the organizations on February 1, 2001. Both the OeBF board of directors and the EBX Executive Committee have approved this plan without dissent and have appointed a joint transition team to work out details of the unification.

2. Digital Rights Management

2.1. Framework

In order to implement any standardized scheme for the management of rights in a digital environment, it is first necessary to develop a common ontology that facilitates discussion of complex issues by parties with widely divergent vantage points and vocabularies.

The Framework developed by members of the Open eBook Forum includes a Reference Model that integrates specified Domains, Element Types (Roles, Objects, Interactions and Functions, and Authorities), and Perspectives into a Conceptual Matrix onto which may be mapped any business model relevant to electronic publishing at the present time and for the conceivable future.

This Reference Model is bolstered by a series of Stakeholder Profiles spanning the industry and examining each link in the value chain as well as a concise yet comprehensive glossary of salient terminology.

Once the Framework is acceptably defined, the proper direction is determined by gathering Stakeholder Requirements.

2.2. Requirements

The art of gathering Stakeholder requirements has been refined considerably over the past two years. When requirements were gathered at the inception of SDMI, over two hundred fifty stakeholder representatives were gathered together for open debates. In the year 2000, EBX Working Group members canvassed their personal contacts, while the AAP commissioned a study by Andersen Consulting leading to a series of three published studies.

This year, the Requirements Working Group of the OeBF will be building a sophisticated database of Requirements for Digital Publishing, including Digital Rights Management. The database will be used by other Working Groups as a metric for success in serving the needs of the stakeholder constituency.

2.3. Components

There are many elements to the distribution, protection and control of electronic content. Each component has issues and requirements that must be carefully considered in order to produce a viable, interoperable chain of services and providers that will achieve a complete ePublishing system.

    2.3.1. Content Publication Structure

    The adage that "Content is King" can be interpreted accurately in a variety of ways. Certainly a common view of content in terms of basic structure is essential to any scheme that will be found acceptable by the open market. The OEB Publication Structure has been widely accepted by the electronic publishing industry as the primary B2B content distribution format. Nevertheless, most eBooks are currently compiled into a proprietary format before distribution to the consumer.

    Content Identification

    Many groups have done seminal work on content identification. The EBX Working Group has examined many options, from the traditional ISBN to newer innovative schemes such as DOI. The OeBF has a SIG dedicated to the investigation of identifier systems most suited for use in various aspects of electronic publishing.

    Content Integrity

    Content integrity is a fundamental prerequisite to a functioning DRM system in any industry.

    Content Granularity

    Content Granularity enables a number of business models otherwise impractical, but made possible by the nature of digital content.

    Metadata

    Metadata may afford the greatest opportunity for added value in the publishing industry since the invention of the book jacket.

    2.3.2. Rights

    Rights Expression (Semantics and Encoding)

    The rights of content owners must be specified unambiguously and in terms that may be readily understood by a variety of participants in the value chain. The EBX Specification describes mechanisms for encoding rights in XML-based fragments called Vouchers. These Vouchers may travel independently of protected content. It is also possible to create a set of fulfillment instructions (commonly called "tickets", but similar in many respects to electronic gift certificates) that authenticate credit and authorize access to content upon the completion of final delivery instructions.

    It is also possible to embed rights expressions and content together within the same package.

    Rights must be expressed in a defined syntax. The EBX Working Group has investigated the use of specified subsets of XrML and ODRL based upon a minimalized vocabulary devised by the EBX Working Group Technical Committee.

    Rights Granularity

    DRM is differentiated from piracy protection by a more granular approach to rights. There is, of course, the management of granularized content; free access to the first chapter of a book, the first thirty seconds of a song or even the first ten minutes of a feature film delivered over broadband. In addition, there is the granularity of rights themselves, such as view without print, as well as the right to reproduce specific content types, such as the ability to reproduce (extract or clear copy) text but not illustrative media components.

    Rights Management

    It is critical that the distribution and transfer protocols and the format of Vouchers and Credentials be standardized to ensure interoperability between publishers, distributors, booksellers, libraries, and consumers.

    EBX defines a protocol for transferring e-books from one entity to another. This transfer protocol, the EBXTP, contains requirements for the sequencing and content of data transfer between entities. It does not specify an underlying transport protocol, but instead demands that the transport protocol reliably exchange data as required by the transfer protocol.

    The transaction model in EBXTP involves two distinct domains of trust: the protocol engine and the voucher engine. The protocol engine runs on the unprotected central processor of client and server computers, sends and receives EBXTP commands, parses the commands, and performs the commands. The voucher engine runs on a possibly physically protected processor of the client and server computers, authenticates other voucher engines, sends and receives EBX vouchers and credentials, stores vouchers in protected memory, and performs voucher and content key operations.

    In a consumer computer like an e-book reading device, the protocol engine runs on the main processor and memory and the entire voucher engine runs on a smart card. In a commercial computer like a publisher, bookseller or library Web server, the main processor and memory are assumed to be physically protected from consumers and therefore, most of the voucher engine runs on the main processor. Only the actual private key operations of the voucher engine in a commercial server are performed by a smart card.

    Protocol engines, while generally considered "trustworthy", are not sufficiently trusted to handle voucher operations. From the perspective of a voucher engine, protocol engines exist simply to transfer vouchers between voucher engines. (Of course, from the perspective of the consumer, protocol engines primarily exist to transfer e-book content and the voucher exchange is just some copyright "stuff".)

    These separate domains of trust are important concepts when analyzing and implementing EBX/HTTP. Put bluntly, since the protocol engine runs on an unprotected processor, it cannot be trusted to do anything with encrypted vouchers except transfer them. The voucher engine should always be coded to assume the protocol engine is vulnerable to malicious failures.

    2.3.3. Trust

    Publishers and other copyright holders want to know the level of protection provided to their digital content when it is distributed electronically. Furthermore, recognizing that higher levels of protection often come at the expense of other desirable properties, they want the ability to set different levels of protection for different titles.

    The technology provides some protections, but social processes including deterrence, detection, and legal enforcement as well as insurance-based compensation for parties that fall victim to cracks in the system are integral to the overall protection of digital rights. In balancing the contributions achieved through these various approaches, EBX provides assurance to all parties (publishers, authors, insurers and law enforcement) that adequate precautions have been taken to protect the intellectual rights of authors and publishers.

    In the open EBX architecture, a number of distributed components including servers and end-user readers from multiple vendors cooperate to enforce digital rights. These components provide persistent copyright protection via secure authentication, secure transfer and controlled exposure of the vended content according to both the rules defined for the system as a whole and the rights associated with each particular digital title. The fundamental rule enforced by every component is to deny any right unless explicitly granted. Consequently, associated with each digital content title is a set of permissions that grant particular rights under specified conditions. Included in the specified rights are rules defining the assurances required before control over a particular digital title can be transferred from one component to another.
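
The two rules stated above, that a voucher engine treats the protocol engine as potentially hostile and that every right is denied unless explicitly granted, are sketched below. This is an added example, not code from the EBX specification: the JSON voucher layout, the shared HMAC key standing in for EBX's voucher-engine authentication, and all function names are assumptions, and voucher encryption is left out.

```python
import hashlib
import hmac
import json

# Assumption: one shared key between voucher engines replaces the
# authentication the paper describes; the value is constructed for the demo.
ENGINE_KEY = b"constructed-demo-key-not-from-EBX"


def seal_voucher(title_id, permissions):
    """Issuing voucher engine: serialize the rights and authenticate them."""
    body = json.dumps({"title": title_id, "permissions": permissions},
                      sort_keys=True).encode()
    tag = hmac.new(ENGINE_KEY, body, hashlib.sha256).hexdigest()
    return {"body": body.decode(), "tag": tag}


def open_voucher(sealed):
    """Receiving voucher engine: trust nothing the protocol engine hands over."""
    try:
        body = sealed["body"].encode()
        expected = hmac.new(ENGINE_KEY, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(sealed["tag"])):
            return None  # altered or forged in transit
        return json.loads(body)
    except (KeyError, TypeError, AttributeError, ValueError):
        return None  # malformed input is treated like a failed check


def is_granted(sealed, title_id, right):
    """Deny any right unless a verified voucher explicitly grants it."""
    voucher = open_voucher(sealed)
    if voucher is None or voucher.get("title") != title_id:
        return False
    return voucher.get("permissions", {}).get(right) is True


def tampering_protocol_engine(sealed):
    """Constructed faulty relay: rewrites the rights while forwarding."""
    body = json.loads(sealed["body"])
    body["permissions"]["print"] = True
    return {"body": json.dumps(body, sort_keys=True), "tag": sealed["tag"]}


# Constructed sample voucher: view is granted, print is explicitly withheld.
SAMPLE = seal_voucher("urn:example:title-1", {"view": True, "print": False})
```

A voucher altered by the relay fails verification as a whole, so even the rights it originally carried are refused rather than partially honoured.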

    2.4. Integration

    Proper integration is possibly the most critical aspect of the process. It is necessary to examine several aspects of the individual relationships between various components of the overall system in order for the rights to be managed effectively.

    2.4.1 Environment

    The environment must be defined according to all of the perspectives described in the accepted framework. In the OeBF Framework for an ePublishing Ecology three perspectives are defined: social, legal and technical.

    Environments created by combinations of hardware and software are often the deciding factors, since DRM solutions are usually designed and implemented by technology providers. Industry groups that include other industry stakeholders provide a valuable service by introducing the fundamental requirements of content owners as well as various social and legal institutions such as libraries, government agencies and organizations dedicated to special interest groups such as those with various disabilities.

    2.4.2 Architecture

    Although it is the basic responsibility of a standards organization to construct a reference architecture, it is also necessary to create a mechanism that allows for innovation and future growth of the industry in light of unforeseen technological developments. This concept is embodied in the guiding principle adopted by several organizations with which the author has been associated: a specification shall not preclude any technological solution that provides the requisite functionality demanded by the industry stakeholders.

    Components must be constructed in a modular manner and integrated into a flexible architecture so that the specification may survive, and even thrive upon new technology as it is introduced into the marketplace.

    2.4.3 Interoperability

    Interoperability is probably the primary motivating factor that drives industry stakeholders to participate in standards efforts. Most technology providers concentrate their efforts on a single component of the architecture. There are also many examples of content providers that limit themselves to a subset of the perspectives described by the prevailing ecology such as those that provide illustrations for books or music for video productions.

    Components must be specified in ways that allow for interoperability both horizontally, as described above, and vertically, so that participants along the value chain can communicate and distribute content as well as rights definitions in a transparent and efficient manner.

    2.4.4 Service

    The integration process must ensure that the final specification responds to the requirements of the critical stakeholders. While the individual components may be designed with a bias toward current technological realities, the integrated product must remain serviceable in the evolving world of social and legal perspectives as well as technological change.

    Thus, integration includes an iterative process, responding to change at a pace commensurate with industry and market factors.

    Integration must account for evolving business models as well as evolving standards tangential to the specification at hand such as standards for metadata and identifiers.

    Finally, it is the responsibility of those charged with integrating the components to react expeditiously in the face of revolutionary changes, new business models, and paradigm shifts induced by technological innovations.

    2.5 Adoption

    The goal of any standards organization is adoption of its specifications. Adoption occurs when a predetermined percentage of platforms support the specifications. Driving platform support will be content owners that embrace the specifications as the preferred means of expressing and distributing their intellectual property.