On 1/2/09 21:55, Daniel Kahn Gillmor wrote:
> Hrm, thinking about this now, i'm not sure why it would necessarily need
> to be machine-readable. I think i was thinking that there would be ways
> to mechanize your interpretations of various signatures based on the
> policy decisions.
>
> This would require some good work sorting out common policies that could
> then be referred to by URL, sort of like how Creative Commons has sorted
> out some common licensing arrangements which can be identified by URL:
>
> http://creativecommons.org/licenses/by-sa/3.0
>
> uniquely identifies a well-known license, and people are building tools
> to automatically assemble indexes of content that's been licensed that way.

Yes, that works because the tech supports the document, which is primary
and the rest is secondary.

However if you look at it from the OpenPGP context, the tech now has to
support more things; a signature, a document and a "CPS" or statement
of legal semantics. This starts to get complex. For example, if a
signature over a document has a complicated meaning, dependent on a CPS,
and the CPS disappears from view after a few years, the tech will have
trouble explaining it to the reader.

For a view of how this was addressed in machine-readable financial
contracts, have a look at the Ricardian Contract. It basically
re-combined the three elements back into one document. Any "CPS" was
within the document or left unsaid, as were all the keys, and the
clear-text OpenPGP signature was used. We called this the rule of one
document.

> If a group did the same type of work for certification policies that CC
> has done in regard to content licensing, then you could begin to build
> similar sorts of tools to interpret human-centered policy preferences
> through the web of trust.
>
> This is a more ambitious project, though, and you're right to question
> the need for every policy to be machine-interpretable.

It's also about other disciplines, so one should be careful to bring in
the elements of those disciplines that can be trusted to understand and
help the project. One of the reasons CC succeeds is that it was done by
lawyers from universities copying a thing called open source. One of
the reasons CPSs "failed" or turned out to do something other than what
"we expected" was that they weren't done that way.

iang