Encryption and Limited Data Sharing on the Web

Jonathan Abbey <broccol@arlut.utexas.edu>
Date: Fri, 28 Jan 1994 12:14:54 -0600
From: Jonathan Abbey <broccol@arlut.utexas.edu>
Message-id: <199401281814.MAA27687@csdsun1.arlut.utexas.edu>
To: adrian@ora.com, strata@fenchurch.MIT.EDU
Cc: oll@ora.com, phillips@cs.ubc.ca, robm@ncsa.uiuc.edu, www-talk@www0.cern.ch
Subject: Encryption and Limited Data Sharing on the Web
Content-Length: 3208
> O'Reilly and Associates is doing some work on decryption in Mosaic (and other
> browsers), but not the server part.  Our goal, however, is probably different
> from some other people's, and may be something to think about (or it may be
> irrelevant - I'm not sure).  
> We want to license books, so we want people to be able to purchase keys to
> view the books.  But we don't want unencrypted versions of the books to get
> out of the browser.
> [...]
> Adrian Nye

This is an interesting development, indeed.  It has been obvious to me for
a good while that this sort of thing is an inevitable development.  As long
as the browser is still able to connect to other sources, and as long as
there is no impediment to connecting to non-encrypted servers (and saving
data gained therby), I welcome this.

A lot of interesting questions arise out of this, though..

Are you going to publish your technique for this kind of authentication?  It
would be unfortunate for each information provider to have to develop their
own standard (and browser) for this kind of thing.  Does your authentication
security depend on secrecy?  Do you believe that such secrecy could be
maintained indefinitely?

Are you going to allow printing of data gained from your encrypted servers?
What about cut and paste via X selections / Mac / Windows cut and paste?
What about emailing documents?  Portions of documents?  Document URL's?

Will receivers of the data be able to keep a local encrypted copy so that
they retain access to the data if and when you cease to make the information
available on the net?

Do your keys expire?  Who is responsible for handling such expiration, the
client or the server?

Would a user be able to republish your data if someone accessed their
server with a key that O'Reilly had verified with a digital signature?

Will you be developing a way whereby I could email a URL along with a key
that I paid for so that a friend can view one of your URL's on a single-time
or multiple-access basis?  Will such single-time loans be part of your
standard license?

Would you pay a royalty to someone who published your URL in one of
their documents?

I think that it is important to try and design things so that you maintain
the kind of transferrability that your paper books have, and that you maintain
the ability to freely transfer information that makes the net worth having.
I am troubled by the prospect of an information economy in which the
recipient has less rights of ownership over a document than he or she
does over a paper copy that he or she bought.

This is a very big and very important step for the Internet, it's important to
set precedents to make this as open as possible, I think..

Adrian, with your permission, I'd like to repost your message to
comp.infosystems, comp.infosystems.www, comp.org.eff.talk and
talk.politics.crypto.  I think these issues need public discussion.

Jonathan Abbey				               broccol@arlut.utexas.edu
Applied Research Laboratories                 The University of Texas at Austin