RE: Key distribution

In addition to Mark's comments, it is also important to note that many services permit the use of "persistent" licenses, which are stored on the device - or embedded in the content itself - so that the user does not need to be online to consume the content.

John

________________________________
John C. Simmons | Media Platform Architect | Microsoft Corporation | direct 425-707-2911  | mobile 425-269-5759

From: Mark Watson [mailto:watsonm@netflix.com]
Sent: Friday, May 10, 2013 7:25 AM
To: Casey Callaghan
Cc: <public-html-media@w3.org>
Subject: Re: Key distribution

[Moving to public-html-media]

Sent from my iPhone

On May 10, 2013, at 6:21 AM, Casey Callaghan <caseyc37@gmail.com> wrote:
Having a look over the documentation on EME (encrypted media extensions), I find the following:

> The user should not be restricted from accessing content for which legal rights have been obtained.
(source: https://dvcs.w3.org/hg/webtv/raw-file/tip/mpreq/cpreq.html)
I also find the following statement in the First Working Public Draft (https://dvcs.w3.org/hg/html-media/raw-file/tip/encrypted-media/encrypted-media-fpwd.html):

> Support simple decryption without the need for DRM servers, etc.
This is a necessary corollary of the previously quoted statement; if servers are needed to view legally purchased content (even if only to obtain decryption keys), then the legally purchased content will be unavailable if and while said servers are down.
However, as soon as secure decryption is discussed, I find that a DRM server begins to form a vital part of the process. I have no doubt that many content providers will accept only the most secure decryption methods for their content; this leads to well-known problems should the content provider's servers ever go offline.
This can be mitigated, to some degree, with multiply redundant servers or cloud computing. However, these solutions may be expensive and are unlikely to be kept running when it would be unprofitable to do so (for example, when the sales of a given piece of media have ended; possibly after an interval after that ending). This could also be impractical for smaller content providers, without large budgets.
Therefore, in order to resolve this, I would like to propose for consideration the following idea (based on the serverless encryption scheme for Bitcoin):
- that, when a user purchases legal access to a given piece of media, a message (signed with the content provider's private key) must be sent to all clients informing them of this purchase;
- that all clients may (and are indeed encouraged to) keep a record of all such messages from all providers;
- that any client, in possession of both the signed message from the content provider (verified by means of the content provider's public key) giving a given user legal permission to view certain media, and the data required to decrypt that media (either the CDM or the key obtained from the same content provider), may provide either the CDM, or the key, or both to the user on authorised request.
- that any client which does so must inform the content provider's server and all other clients of such access, if the key is limited in any way.
In this way, a DRM server going offline does not prevent a user from viewing content to which they purchased a valid license before the server went offline. This appears to be a necessary consequence of the stated aims of this standard.

You are making an assumption that the legal rights purchased are perpetual and independent of the continued operation of the service from which they are purchased.

This may not be true in all cases and indeed may never be true for exactly the reasons you give above.

For example, in the case of Netflix, the legal right to watch the content extends for only 8 hours or until the Netflix client application is closed, whichever is sooner. After that the right must be requested again and this is only possible if Netflix servers are still operating and you are still a subscriber.

I would agree that the mechanism above is an interesting concept for perpetual, service-independent rights, but support for this case is not one of our requirements (as discussed in the bug titled 'EME depends on servers with a finite life' - I don't have the number to hand).

...Mark

Casey

Received on Friday, 10 May 2013 19:16:19 UTC
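The scheme Casey sketches (a purchase record signed with the provider's private key, checked by any client with the public key) and Mark's caveat (the right may be time-limited, e.g. 8 hours) and John's point (the license can persist on the device) can be put together in a small offline verifier. This is an added illustration, not code from the W3C, Netflix or Microsoft; the Ed25519 signature, the JSON record layout and the field names are my own assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// License is the purchase record a provider signs (constructed format, not
// EME's or any real service's). Expires is Unix seconds; 0 means perpetual.
type License struct {
	User    string `json:"user"`
	MediaID string `json:"media_id"`
	Expires int64  `json:"expires"`
}
// SignedLicense is the record plus signature a client keeps on the device.
type SignedLicense struct{ Record, Sig []byte }
// Issue signs the record with the provider's Ed25519 private key.
func Issue(priv ed25519.PrivateKey, lic License) (SignedLicense, error) {
	rec, err := json.Marshal(lic)
	if err != nil {
		return SignedLicense{}, err
	}
	return SignedLicense{Record: rec, Sig: ed25519.Sign(priv, rec)}, nil
}
// Verify checks a stored license offline with only the provider's public key
// and the local clock; tampered or expired records are refused.
func Verify(pub ed25519.PublicKey, sl SignedLicense, now time.Time) (License, error) {
	var lic License
	if !ed25519.Verify(pub, sl.Record, sl.Sig) {
		return lic, errors.New("bad signature: record altered or wrong provider key")
	}
	if err := json.Unmarshal(sl.Record, &lic); err != nil {
		return lic, err
	}
	if lic.Expires != 0 && !now.Before(time.Unix(lic.Expires, 0)) {
		return lic, errors.New("expired: renewal needs the provider's server")
	}
	return lic, nil
}
func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	sl, _ := Issue(priv, License{User: "alice", MediaID: "film-42", Expires: time.Now().Add(8 * time.Hour).Unix()})
	_, err := Verify(pub, sl, time.Now().Add(9*time.Hour))
	fmt.Println("9h after purchase of an 8h right:", err)
}
```

A perpetual right (Expires = 0) verifies with no server at all, which is Casey's case; a time-limited one verifies offline only until it lapses, which is Mark's.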