[sword-devel] drm
Kahunapule Michael P. Johnson
sword-devel@crosswire.org
Wed Apr 21 02:37:14 MST 2004
At 11:37 21-04-04, Michael A. Peters wrote:
>I'm sure this has been asked before, but are there any plans to add some
>kind of a drm mechanism so that "locked" modules can be purchased?

I don't think Crosswire wants to do that, but maybe providing tools so
that others can sell modules with proper publisher permission might be
OK, if you wanted to do that.

>I don't know about Windows, but one way to do it in Linux that would be
>pretty safe is a key based upon the user's gpg - sword could
>automatically request a license file from vendor based upon user's gpg
>public key, and get a license file that is only usable with that user's
>gpg private key.

OK, so I generate a new gpg key pair just for that purpose, get the
license string, then post both for my hacker buddies?

Seriously, most people don't have a gpg key. Only a very small
minority of people care enough about authentication and/or privacy to
learn how to use PGP or GNU Privacy Guard. These programs are not user
friendly enough to enter the mainstream. I only have one person who
sends me OpenPGP encrypted email regularly, and to whom I send OpenPGP
encrypted email regularly. He is highly motivated to use this
unfriendly encryption, because some of his tales about people who
preach the Gospel to Muslims could get some of his friends killed if
they leaked into the wrong hands. Even my GPG signature on this email
probably won't verify, because this mailing list does weird things to
line breaks and white space.

I think that it would be about as secure, really, to just tie the
personal unlock key to the customer's name + some unique identifier,
like maybe an email and/or postal address. (Names aren't necessarily
unique, all by themselves. Try looking up Michael Johnson or Jim Smith
in any major city's telephone book.) If you wanted to be obnoxious,
you could tie the key to the machine instead of the customer, but you
don't, do you? Anyway, the seller could keep a record of identifying
information associated with a sale to know who to suspect in case his
or her code gets published. Even then, what if they are a victim, too?

It is hard to do DRM well with open source projects. Actually, it is
impossible, without dedicated, tamper-resistant hardware. You can do
point of sale control fairly well, though. The real question is "Can
you do it well enough to convince major Bible publishers to trust the
implementation?" To get an idea of what it takes to gain that trust,
take a look at what Bible study software vendors who sell major
copyrighted translations require.
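
The scheme suggested in the message above (an unlock key tied to the customer's name plus an email address, with the seller keeping a record of each sale), sketched as an added example that is not part of the original post or of SWORD. The HMAC construction, the key format, `VENDOR_SECRET` and all function and class names are assumptions, and the sketch covers only issuing and tracing a key, not how a module is unlocked.

```python
import hashlib
import hmac
import unicodedata

# Constructed secret for this example; a real one never leaves the seller's server.
VENDOR_SECRET = b"constructed-example-secret"


def normalize_identity(name, email):
    """Canonicalize name + email so case and spacing variants map to one key."""
    name = " ".join(unicodedata.normalize("NFKC", name).casefold().split())
    email = unicodedata.normalize("NFKC", email).strip().casefold()
    return f"{name}\n{email}".encode("utf-8")


def issue_unlock_key(name, email, module, secret=VENDOR_SECRET):
    """Derive a per-customer, per-module key (hypothetical format)."""
    msg = module.encode("utf-8") + b"\0" + normalize_identity(name, email)
    tag = hmac.new(secret, msg, hashlib.sha256).hexdigest()[:20].upper()
    return "-".join(tag[i:i + 5] for i in range(0, 20, 5))


class SaleLedger:
    """Seller-side record tying each issued key to its sale."""

    def __init__(self):
        self._sales = {}

    def record_sale(self, name, email, module):
        key = issue_unlock_key(name, email, module)
        self._sales[key] = {"name": name, "email": email, "module": module}
        return key

    def trace(self, published_key):
        """Return the sale behind a key found in the wild, or None."""
        return self._sales.get(published_key.strip().upper())


if __name__ == "__main__":
    ledger = SaleLedger()
    # Constructed customers: same name, different email addresses.
    k1 = ledger.record_sale("Michael Johnson", "mj1@example.org", "ExampleBible")
    k2 = ledger.record_sale("Michael Johnson", "mj2@example.org", "ExampleBible")
    print(k1, k2, ledger.trace(k1.lower())["email"])
```

Tracing shows which sale a published key came from, not who published it.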