Meeting Report
Security Forum:
Workshop on Security Design Patterns
Application to Digital Rights Management Test Scenario
Cannes, France - Wednesday, October 16 2002
Objective of Meeting
This meeting was open to all attendees of the Cannes conference. It followed on from
the tutorial on Design Patterns given on Tuesday evening.
Bob Blakley (Chief Scientist, Security and Privacy, IBM Tivoli Software) led a Design
Patterns Application Workshop, in which we applied our existing security design patterns
to a defined set of Digital Rights Management test scenarios, to ascertain whether they
are sufficient to define the security requirements for those test scenarios and, if not,
to identify the gaps that we need to fill.
The outcome will verify whether we have a sufficient set of Security Design Patterns to
close on publication of Version 1 of our Security Design Patterns technical guide.
Summary
Discussion
Bob Blakley ran this workshop, which was attended by 9 members.
Bob set out the problem statement in the following terms:
- The Record Label should pay the artist for use of his music
- The Music Retailer should pay the Record Label for every sale to the buyer
- The Buyer should be able to listen to music only if he has paid
Bob created a set of slides recording the process of working through this test
scenario, using the same sequence of slides as he used to illustrate the email example in
his Design Patterns tutorial the previous Tuesday evening. He explained that members
of the design patterns workgroup of the Security Forum had helped him develop the tutorial
and this workshop, through discussion in 3 teleconferences leading up to this Cannes
meeting. The major steps involved are:
- Step 1: Identify the Resources and Actors
- Step 2: Identify the Protected System Boundaries
- Step 3: Define the policy
- Step 4: Define the Secure Communications channels
Questions that arose were:
- Is the CD a secure communication, or is it a resource, or is it both?
  - If it's a resource, it reflects the transaction between the retailer and the buyer.
  - If it's a secure communication, it reflects the transaction between the record label
    and the buyer.
- Is it possible to enforce the policy "buyer listens only if retailer has been
  paid" without a guard on the player?
  - We have not found a way to do this.
Preliminary conclusions:
- This method tends to produce the kinds of solutions we would produce, so this is some
  validation of the method.
- DRM appears to require DRM-enabled players - if copying is easy and cheap.
- Problem with digital to analogue conversion - not all listeners are the buyer, and once
  it's analogue it's free.
Outputs
In his concluding observations, Bob declared that the key outcome of this workshop has
confirmed what he and most others expected. This would seem to verify that the design
patterns approach works well and that our existing set of security design patterns is
sufficient to implement a basic security design for an information system.
Next Steps
On behalf of the Security Forum's design patterns workgroup, Bob will lead work to
revise definitions for all our existing security design patterns, and generate explanatory
text to complete draft 1 of our Security Design Patterns technical guide.
When this final draft is available, it will be presented for formal review leading to
publication.
Links
Refer to the design patterns tutorial slide presentation
for background information.