[Esip-preserve] On Earth Science Data File Uniqueness

[Curt Tilmes]

On 02/14/2011 04:46 PM, Lynnes, Christopher S. (GSFC-6102) wrote:
> However, based on the early argument of the inadequacy of UUIDs
> alone to answer where File A = File B (bitwise) suggests that any
> recommendation should be that both UUID and digital signature must
> be used together, yes?

Well, let's go back to the OAIS RM.

We are really talking about (defining our recommendations for) the
"Preservation Description Information" that is always bundled with the
"Content Information" of the object.  The two together make up an
"Information Package".

"Preservation Description Information" is made up of 4 things:
1. Provenance
2. Context
3. Reference -- This includes identifiers we can use to identify the
object and distinguish it from other objects.
4. Fixity -- "provides a wrapper, or protective shield, that protects
the Content Information from undocumented alteration".

UUID without digital signature give you a good Reference, but not
Fixity.  Digital Signature gives you Fixity, but not a good identifier
(in the case of duplicate content).

We want all of the above, so yes, we should eventually make
recommendations for all of them.  As Ruth points out, the Identifiers
paper had its hands full just working on "Reference", much less
address the other things.

We've concentrated on 1-3 above, but we could (should?) make a tech
note or other recommendation addressing Fixity specifically.  There
are a bunch of schemes (MD5, SHA-*, etc).  We could do an assessment
study similar to the identifiers and document/recommend best practices
for Fixity.

There is a bunch of government (NIST/FIPS/FAR) info about digital
signatures, but most address the use of the algorithm for
cryptographic uses, rather than a fixity use.  Even though MD5 has
been broken (it has a small class of published attack methods) for
cryptographic use, I think it still works well for fixity (It's what
we use).

Curt