REVIEW ITEM DISPOSITION (RID):
RED BOOK RID INITIATION FORM

AGENCY RID NUMBER: NASA/JSC 1
SUBMITTING ORGANIZATION (Agency, Center):
------------------------------------------------------------------
REVIEWER'S NAME: Craig Biggerstaff
CODE:
E-MAIL ADDRESS: craig.biggerstaff@nasa.gov
TELEPHONE:
------------------------------------------------------------------
DOCUMENT NUMBER: CCSDS 650.0-P-2.1 Pink Book, Issue 2.1
DOCUMENT NAME: OAIS Reference Model
DATE ISSUED: October 2020
PAGE NUMBER: F-1
PARAGRAPH NUMBER: Annex F
RID SHORT TITLE: Only one set of access rights per data object
------------------------------------------------------------------
DESCRIPTION OF REQUESTED CHANGE: (Use From: "..." To "..." format)

After: "...Any restrictions which the original rights holder places on what the archive preserves should also be respected over time and adequate security measures should be put in place to ensure that."

add the following sentence: "Note that the definition of an Information Package implies that the Access Rights Information for that package applies to the entire Content Data Object. The delineation of data into Content Data Objects for archiving should take that into account."
------------------------------------------------------------------
CATEGORY OF REQUESTED CHANGE:
Technical Fact ___ Recommended _X_ Editorial ___

NOTES:
TECHNICAL FACT: Major technical change of sufficient magnitude as to render the Recommendation inaccurate and unacceptable if not corrected. (Supporting analysis/rationale is essential.)
RECOMMENDED: Change of a nature that would, if incorporated, produce a marked improvement in document quality and acceptance.
EDITORIAL: Typographical or other factual error needing correction. (This type of change will be made without feedback to submitter.)
------------------------------------------------------------------
SUPPORTING ANALYSIS:
Access control enforcement will be greatly simplified.
------------------------------------------------------------------
DISPOSITION:
To give the full context this is the Security Annex where we look at each of the Mandatory Responsibilities:

– Obtain sufficient control of the information provided to the level needed to ensure Long Term Preservation.
  • Sufficient control includes control of the bits, and would imply adequate security processes for personnel and systems. Security considerations for any agreements with rights holders which may be necessary should be covered by normal business processes. Any restrictions which the original rights holder places on what the archive preserves should also be respected over time and adequate security measures should be put in place to ensure that.

The change would be to append "Note that the definition of an Information Package implies that the Access Rights Information for that package applies to the entire Content Data Object. The delineation of data into Content Data Objects for archiving should take that into account." to this.
Not all Information Packages are derived from Content Information e.g. an SIP. It might be clear to make the following change:

From: "Any restrictions which the original rights holder places on what the archive preserves should also be respected over time and adequate security measures should be put in place to ensure that."

To: "Any restrictions which the original rights holder places on what the archive preserves should also be respected over time and adequate security measures should be put in place to ensure that. Note that this implies that Information Packages derived from Content Information should respect the access rights associated with that Content Information."
I agree with David's suggested change to respond to the RID.
My concern was that Information Packages could be assembled from multiple content items having a variety of access rights, and in that case one of those access rights would prevail (in effect overwriting the others' original access rights information). In my limited understanding of OAIS terminology, I think this (assembling Information Packages from multiple Content Information) would be described as a Transformation.

Feel free to amend the text however you think best. If the Working Group agrees that David Giaretta's proposed text covers the above scenario, I am content.
(In reply to craig.biggerstaff from comment #4)
> My concern was that Information Packages could be assembled from multiple
> content items having a variety of access rights, and in that case one of
> those access rights would prevail (in effect overwriting the others'
> original access rights information). In my limited understanding of OAIS
> terminology, I think this (assembling Information Packages from multiple
> Content Information) would be described as a Transformation.
>
> Feel free to amend the text however you think best. If the Working Group
> agrees that David Giaretta's proposed text covers the above scenario, I am
> content.

A Transformation is defined by OAIS as: A Digital Migration in which there is an alteration to the Content Information or PDI of an Archival Information Package.

Therefore it applies to AIPs rather than Information Packages in general.

However you make some good points. So how about:

"Any restrictions which the original rights holder places on what the archive preserves should also be respected over time and adequate security measures should be put in place no matter what preservation activities have been adopted, including Transformations. Note that this implies that Information Packages derived from Content Information should respect the access rights associated with that Content Information; where Information from multiple Content Information Objects have been combined then the archive should be able to justify the access rights to be applied, for example taking a union of the restrictions in order to respect the restrictions placed on all the components."
I like that. It captures the concern exactly. Thank you.
Just a couple tweaks, I would eliminate "Note that this implies" since it doesn't necessarily imply that for me. So I just said what to do with derived IPs.

Also eliminated the "for example ... a union of ...". I think it gives a wrong impression that a union of access rights is the most appropriate thing to do when in many cases it isn't. Info from individual may be restricted, but when combined into statistics may not be. Intel may be restricted at a certain level, but when combined may result in even more classified info.

So overall I would suggest:

"• Sufficient control includes control of the bits, and would imply adequate security processes for personnel and systems. Security considerations for any agreements with rights holders which may be necessary should be covered by normal business processes. Any restrictions which the original rights holder places on what the archive preserves should also be respected over time and adequate security measures should be put in place no matter what preservation activities have been adopted, including Transformations. Any Information Packages derived from Content Information should respect the access rights associated with that Content Information; where Information from multiple Content Information Objects have been combined then the archive should be able to justify the access rights to be applied."
(In reply to John Garrett from comment #7)
> Just a couple tweaks, I would eliminate "Note that this implies" since it
> doesn't necessarily imply that for me. So I just said what to do with
> derived IPs.
>
> Also eliminated the "for example ... a union of ...". I think it gives a
> wrong impression that a union of access rights is the most appropriate thing
> to do when in many cases it isn't. Info from individual may be restricted,
> but when combined into statistics may not be. Intel may be restricted at a
> certain level, but when combined may result in even more classified info.
>
> So overall I would suggest:
>
> "• Sufficient control includes control of the bits, and would imply
> adequate
> security processes for personnel and systems. Security considerations for
> any agreements with rights holders which may be necessary should be covered
> by normal business processes. Any restrictions which the original rights
> holder places on what the archive preserves should also be respected over
> time and adequate security measures should be put in place no matter what
> preservation activities have been adopted, including Transformations. Any
> Information Packages derived from Content Information should respect the
> access rights associated with that Content Information; where Information
> from multiple Content Information Objects have been combined then the
> archive should be able to justify the access rights to be applied."

OK for me
Ok for me
MOIMS-DAI20210323 agreed http://review.oais.info/show_bug.cgi?id=325#c7
REOPENED for ISO review - had been accepted after CESG changes made so not in ISO submission.
CCSDS MOIMS-DAI 20240130: Agreed to make the change.