[Moims-rac] Authenticity - additional findings

Mark Conrad mark.conrad at nara.gov
Thu Oct 11 16:01:14 EDT 2007


Hello,
 
I have completed part of my assignment. Here are the definitions that I propose that we use for the terms identified during our meeting on October 1 and in prior meetings.
 
Adapted from ISO 15489-1:

Authenticity

Authentic information is information that can be proven a) to be what it purports to be b) to have been created or sent by the person purported to have created or sent it, and c) to have been created or sent at the time purported. To ensure the authenticity of information, organizations should implement and document policies and procedures which control the creation, receipt, transmission, maintenance and disposition of information to ensure that information creators are authorized and identified and that information is protected against unauthorized addition, deletion, alteration, use and concealment.

Reliability

Reliable information is information whose contents can be trusted as a full and accurate representation of the transactions, activities or facts to which they attest and can be depended upon in the course of subsequent transactions or activities. Information should be created at the time of the transaction or incident to which they relate, or soon afterwards, by individuals who have direct knowledge of the facts or by instruments routinely used within the business to conduct the transaction.

Integrity

The integrity of information refers to its being complete and unaltered.

It is necessary that information be protected against unauthorized alteration. Information management policies and procedures should specify what additions or annotations may be made to information after it is created, under what circumstances additions or annotations may be authorized, and who is authorized to make them. Any authorized annotation, addition or deletion to information should be explicitly indicated and traceable.

Useability

Useable information is information that can be located, retrieved, presented and interpreted. It should be capable of subsequent presentation as directly connected to the business activity or transaction that produced it. The contextual linkages of information should carry the information needed for an understanding of the transactions that created and used them. It should be possible to identify information within the context of broader business activities and functions. The links between information that document a sequence of activities should be maintained.

NESTOR definition

Trustworthiness

The capacity of a system to operate in accordance with its objectives and specifications (that is, it does exactly what it claims to do). The trustworthiness of a digital repository can be tested and assessed on the basis of a criteria catalogue.

SAA A Glossary of Archival and Records Terminology definitions:

Authentication
n., ~ 1. The process of verifying that a thing is what it purports to be, that it is acceptable as genuine or original.
2. Computing · The process of establishing a user's identity.

Authenticate
v. ~ 3. To verify that a thing is what it purports to be.
4. Computing · To establish an individual's identity.

Once we reach consensus on what definitions to use, I will complete my analysis of the document to see what changes will have to be made to the working document to make it self-consistent.
 
 
Mark

>>> mark.conrad at nara.gov 9/28/2007 4:35 PM >>>

Hello,
 
I think I now have a little better idea of why TRAC does not address authenticity as we might like it to. The OAIS Reference Model barely addresses issues of authenticity.
 
From the Reference Model for an Open Archival Information System (OAIS), CCSDS 650.0-B-1, BLUE BOOK, January 2002 (http://public.ccsds.org/publications/archive/650x0b1.pdf):
 
"A conforming OAIS archive shall fulfill the responsibilities listed in 3.1. Subsection 3.2
provides examples of the mechanisms that may be used to discharge the responsibilities
identified in 3.1. These mechanisms are not required for conformance."
(pg 1-3) (pg 12 of the pdf)

Section 3.1 says:
 
"Follow documented policies and procedures which ensure that the information is
preserved against all reasonable contingencies, and which enable the information to
be disseminated as AUTHENTICATED COPIES OF THE ORIGINAL, or as traceable to the original." (emphasis added)
(pg 3-1) (pg 33 of the pdf)
 
Section 3.2 does not include an example of a mechanism to "enable the information to
be disseminated as authenticated copies of the original, or as traceable to the original."
 
Section 5.1.3 does not directly address reproducing authentic copies of a digital object, but it does discuss not changing the essential message of the information content.
 
The glossary in Section 1.7.2 does not define authenticated copy, authentic, authenticity, reliability, usability, integrity, or trustworthy(iness). Perhaps some members of this group who also participated in the development of the TDR and TRAC documents can talk about the progression from this one reference in the OAIS Reference Model to the frequent use of these terms in the TRAC.
 
Don't get me wrong. As an archivist I am very interested in having a trustworthy digital repository that can reproduce authentic copies of electronic information (particularly records). I am just curious as to how we assess conformance to the OAIS by assessing the authenticity of a repository's holdings since this topic is barely mentioned in the OAIS Reference Model.
 
Per our discussion at last Monday's meeting, I have examined the definitions of authenticity, reliability, usability, and integrity in ISO 15489-1. I do not believe that adopting these definitions as they exist will work for our purposes. The definitions are all "records-centric." Again, as an archivist I have no problem with this, but if the document we are working on is to be relevant beyond the traditional archival community these definitions would have to be modified.
***************************************************************
7.2 Characteristics of a record
 
7.2.1 General 
 
A record should correctly reflect what was communicated or decided and what action was taken. It should be able to support the needs of the business to which it relates and be used for accountability purposes.
 
As well as content, the record should contain, or be persistently linked to, or associated with, the metadata necessary to document a transaction, as follows:
 
a) the structure of a record, that is, its format and the relationships between the elements comprising the record, should remain intact;
 
b) the business context in which the record was created, received and used should be apparent in the record (including the business process of which the transaction is part, the date and time of the transaction and the participants in the transaction);
 
c) the links between documents, held separately but combining to make up a record, should be present. 
 
Records management policies, procedures and practices should lead to authoritative records which have the characteristics given in 7.2.2 to 7.2.5. 
 
7.2.2 Authenticity
 
An authentic record is one that can be proven
 
a) to be what it purports to be
 
b) to have been created or sent by the person purported to have created or sent it, and
 
c) to have been created or sent at the time purported.
 
To ensure the authenticity of records, organizations should implement and document policies and procedures which control the creation, receipt, transmission, maintenance and disposition of records to ensure that records creators are authorized and identified and that records are protected against unauthorized addition, deletion, alteration, use and concealment.
 

7.2.3 Reliability
 
A reliable record is one whose contents can be trusted as a full and accurate representation of the transactions, activities or facts to which they attest and can be depended upon in the course of subsequent transactions or activities. Records should be created at the time of the transaction or incident to which they relate, or soon afterwards, by individuals who have direct knowledge of the facts or by instruments routinely used within the business to conduct the transaction.
 

7.2.4 Integrity
 
The integrity of a record refers to its being complete and unaltered. 
 
It is necessary that a record be protected against unauthorized alteration. Records management policies and procedures should specify what additions or annotations may be made to a record after it is created, under what circumstances additions or annotations may be authorized, and who is authorized to make them. Any authorized annotation, addition or deletion to a record should be explicitly indicated and traceable.
 

7.2.5 Usability
 
A useable record is one that can be located, retrieved, presented and interpreted. It should be capable of subsequent presentation as directly connected to the business activity or transaction that produced it. The contextual linkages of records should carry the information needed for an understanding of the transactions that created and used them. It should be possible to identify a record within the context of broader business activities and functions. The links between records that document a sequence of activities should be maintained.
************************************************************
I believe that many of the underlying principles of these definitions could be used in developing definitions for the document we are working on, but they should not be used as they are currently written.
 
Mark
 
 
 

 
 
Mark Conrad
Electronic Records Archives (ERA)
NHER 
The National Archives and Records Administration
Building 494 Second Floor
310 State Route 956
Rocket Center, WV  26726
 
Phone: 304-726-7820
Fax: 304-726-7361
Email: mark.conrad at nara.gov 
ERA Website: http://www.archives.gov/era/

