Re: Request to add parameters to createSession (bug 17660) from Joe Steele on 2012-10-16 (public-html-media@w3.org from October 2012)

From: Joe Steele <steele@adobe.com>
Date: Tue, 16 Oct 2012 09:36:53 -0700
To: Steven Robertson <strobe@google.com>
CC: "<public-html-media@w3.org>" <public-html-media@w3.org>
Message-ID: <7BBABE27-712B-422A-85F9-F3F3B3819FDA@adobe.com>
Although the specific use case I cited was for authentication, this could be used by an application to include any additional information for the key system to use in subsequent key requests while not relying on TLS channel security.

I have some specific reasons for not wanting to rely on TLS for this usage:
1. Establishing a TLS channel requires several back and forth messages, while a protocol that relies on known keys can be more succinct. This is a significant network scaling concern when you are talking about delivering millions of licenses (for example an Olympic event).
2. High-availability TLS endpoints are more expensive than the same server without TLS.
3. Relying on TLS requires that the root for the servers certificates be trusted on the client end. You have to purchase those certificates from one of a relatively small group of trusted vendors in order to be immediately compatible across a wide range of browsers, which introduces additional cost. Relying on an independent PKI infrastructure (while more difficult to setup) allows for some additional scaling benefits.
4. Relying on the browsers trusted roots leaves the user (and the key system) vulnerable to TLS-proxy attacks (http://www.thoughtcrime.org/software/sslsniff/). Having a more limited set of trusted roots limits the effectiveness of these attacks.

I believe this change will make authors lives easier by allowing them to build high availability video applications while not limiting them to a single mechanism (TLS) for maintaining user confidentiality. This will also encourage them to write their UI in HTML as opposed to relying on browser specific behaviors/configuration for securing their information gathering.

I don't believe this would encourage any more fragmentation than will exist naturally. I believe a reasonable default behavior for clearKey would be to include the additional parameters in a JSON envelope along with the key request as you have indicated you are doing.

Joe Steele
steele@adobe.com<mailto:steele@adobe.com>

On Oct 15, 2012, at 4:19 PM, Steven Robertson wrote:

This seems like it would encourage fragmentation across key systems,
which would compromise the usability of the spec for authors.

I'm not sure I understand the reason authentication or other side
channel information couldn't be obtained through more standard means
(e.g. credentialed XHR or query parameters). Further, it seems that
this would not afford any additional protection against client-side
manipulation or forgery. The only effective difference between passing
information in the proposed manner and passing via standard means
appears to be that the former is proprietary to a particular key
system. Is there another motivation for this change which I'm not
seeing?

Our current prototypes have thus far been successful in remaining
format- and key-system-agnostic except in the places where such
parameters are directly required. We do this by wrapping all license
requests and responses in a JSON envelope on an HTTPS request that
provides a consistent, cross-environment, cross-key-system approach to
common tasks such as credential verification, descriptive error
signaling, and request retry. This has greatly simplified our
application infrastructure and license server interface. I would very
much like to maintain that simplicity, and I suspect that the proposed
change would lead us away from that.

On Mon, Oct 15, 2012 at 1:40 PM, Joe Steele <steele@adobe.com<mailto:steele@adobe.com>> wrote:
I reopened this bug a few weeks ago because I would like to see a mechanism
for passing application level parameters down into the CDM when the key
session is created.

As I said on on of the recent calls, my reasoning is that some CDMs may
transmit authentication/authorization data in-band (that is via CDM-specific
mechanisms).

An example of this would be:

<script>
 function handleKeyNeeded(event) {
   var video = event.target;
   var initData = event.initData;
   var appData = { username: "foo", token: "A53DF98700ABFE11",
sessionNonce: "DJKGDH+!9861XxbODY1287x===" };

   if (!video.keys)
     video.keys = MediaKeys("com.example.somesystem");
   if (!video.keys)
     throw "Could not create MediaKeys";

   var keySession = mediaKeys.createSession(mimeType, initData, appData);
   if (!keySession)
     throw "Could not create key session";

   keySession.onkeymessage="handleMessage(event)";
 }

 function handleMessage(event) {
   var keySession = event.target;
   var message = event.message;

   var xmlhttp = new XMLHttpRequest();
   xmlhttp.open("POST", "http://.../getkey", false);
   xmlhttp.send(message);
   var key = new Uint8Array(xmlhttp.response);
   keySession.addKey(key);
 }
</script>

<video src="foo.dash" autoplay onneedkey="handleKeyNeeded(event)"
onkeymessage="handleMessage(event)"></video>


The appData parameter would be optional and NULL by default. CDM's which do
not handle this parameter could simply ignore it if passed.
This is a use-case which would be used by at least one content protection
mechanism today, possibly more than one.


Joe Steele
steele@adobe.com<mailto:steele@adobe.com>
Received on Tuesday, 16 October 2012 16:37:20 UTC