Re: draft-ietf-ltans-dssc-00 comments

["todd glassey" <tglassey@xxxxxxxxxxxxx>]

Oops typo - sorry...

----- Original Message ----- 
From: "todd glassey" <tglassey@xxxxxxxxxxxxx>
To: "Susanne Okunick" <susanne.okunick@xxxxxxxxxxxxxxxxx>
Cc: <ietf-ltans@xxxxxxx>; <thomas.kunz@xxxxxxxxxxxxxxxxx>
Sent: Monday, September 10, 2007 10:09 AM
Subject: Re: draft-ietf-ltans-dssc-00 comments


> Susanne ...
> ----- Original Message ----- 
> From: "Susanne Okunick" <susanne.okunick@xxxxxxxxxxxxxxxxx>
> To: "todd glassey" <tglassey@xxxxxxxxxxxxx>
> Cc: <ietf-ltans@xxxxxxx>; <thomas.kunz@xxxxxxxxxxxxxxxxx>
> Sent: Monday, September 10, 2007 8:31 AM
> Subject: Re: draft-ietf-ltans-dssc-00 comments
>
>
> > > Susanne
> > > that doesn't make sense from either EU Laws or those of the US as well. 
> > > Sorry if this is a like a bucket of very cold water in the face, but its 
> > > time to wake up and smell the coffee... Any long term document storage 
> > > and management protocol MUST take into account any and all laws which 
> > > would constrain the operations and formulation of the proofing models it 
> > > (said protocol) produces.
> >
> > You are right.
>
> Thanks!
>
> > > And within that global requirement, all evidence-standards pretty much 
> > > require a 'full chain of custody' to be proven and without that, their 
> > > content will not be admissible in the US Courts and any Court's the US 
> > > has Joint Judicial MRA's with(Mutual Recognition Agreements).  As such 
> > > the entire chain of custody and each signing and resigning needs to be 
> > > resolved and proven or there is an imperfect history for the LTANS 
> > > protected file.
> > > While this may seem like its not something that is important the 
> > > 'setting aside of this requirement' will in the US Make LTANS unusable 
> > > since the Court's wont accept it as a reliable method of storing 
> > > information. That means the ETSI TSA recommendation is PROBABLY also in 
> > > jeopardy since it clearly violates the intent and scope of those same 
> > > laws as well...
> >
> > The requirement 'full chain of custody' does not contradict LTANS/our 
> > draft.
>
> But its not the focus or only form that the LTANS system can be used in - 
> creating wiggle room for introducing problems to the trust model and its 
> portability... The idea is to create ' trusted records which are 
> ultimately portable"...
>
> The LTANS system is supposed to provide the "Trust Anchor" for those 
> records...
>
> >  E. g. ERS does not prohibit to keep policies, protocols or whatever 
> > needed for the complete evidence as required in the respective country.
>
> No but it doesnt differentiate between hierarchical trust models and 
> flattened-out ones. I.e. ones compressed so only the most recent 
> trust-event is visible externally. .. and why this is important is that if 
> the document is routinely 'flattened' out - that is 'made such that there 
> is only one operable layer of policy and history' visible, then that chain 
> of custody is eliminated even if there is some history provided internally 
> to the file. Each 'stage' and each certification(IMHO)  MUST be 
> reproduceable over the storage lifetime of the LTANS-stored Object.
>
> > Actually ERS allows the integration of such data.
>
> yes butit gets converted to payload as opposed to keeping it as operable 
> policy.
>
> > The same is true for our draft: All policies additionally may kept by an 
> > archive service and presented to court.
>
> As to multiple proofs, the key issue is whether they are presented as an 
> integrated part of the document/signature proofing blob or as an external 
> 'assurance' tool. My concern is that the Court's

are VERY clear now on what makes ESI (Electronicly Stored Information) 
admissible and there is a whole new set of qualifications for each end-use 
type of data. LTANS type data is not included in this and that also is 
something that we would want to address and perhaps get Judge Grimm himself 
to sign off on the use of LTANS Data for admissibility before the Courts per 
se... Let me think about the best way to do that.


> > > The funniest part is that this WG wants to take the word (and the 
> > > consensus) of technical people who have NO EXPERIENCE in pursuing legal 
> > > recourse for IP issues or the complexity and pain of that process, which 
> > > is typical for the IETF... "We know everything" &  "Our consensus is 
> > > always right".
> >
> > If you have some constructive improvement suggestions concerning our 
> > draft, we will be grateful.
>
> Suzzane - as a positive suggestion - and one which I have already on 
> numerous occaisions suggested to that IETF for its technical solutions for 
> any protocols that are to provide evidence in a court of law or other 
> mediation type forum, that for those initiatives, in addition to their 
> being vetted by Security and Network Guru's which is what is done here in 
> the IETF, that they in addition are vetted by the Audit Community that 
> will be forced to use them as well.
>
> > Perhaps it makes sense, to put the general discussion about LTANS in an 
> > own thread.
>
> I think that might be a good idea. Especially since specific use models 
> for LTANS will need to be developed and handed to that Audit Community to 
> get them to sign off on LTAN's use.
>
> > Susanne and Thomas