W3C home > Mailing lists > Public > public-html@w3.org > February 2012

Re: Encrypting content stored on untrusted CDNs

From: Ian Hickson <ian@hixie.ch>
Date: Wed, 29 Feb 2012 06:57:48 +0000 (UTC)
To: Kornel LesiƄski <kornel@geekhood.net>, Mark Watson <watsonm@netflix.com>
cc: "public-html@w3.org" <public-html@w3.org>, "Tab Atkins Jr." <jackalmage@gmail.com>
Message-ID: <Pine.LNX.4.64.1202290621400.10359@ps20323.dreamhostps.com>
On Wed, 29 Feb 2012, Kornel LesiĆ~Dski wrote:
> On Tue, 28 Feb 2012 23:09:58 -0000, Ian Hickson <ian@hixie.ch> wrote:
> >
> >   navigator.addKeyForURL('http://cdn.example.net/video123', mykey);
> >   myVideo.src = 'http://cdn.example.net/video123';
> >   myVideo.autoplay = true;
> > 
> > The scoping for such a feature would be hard to specify though.
> 
> How about defining a new scheme which includes the key in the URL?
> 
> Example modeled on "password" part of HTTP URLs:
> 
>    myVideo.src = 'http+aes://' + escape(mykey) + ':@cdn.example.net/video123';
> 
> Although not so pretty, it would readily work in all places where URLs 
> do, including HTML markup.

I can't see any problem with this off the top of my head. It neatly solves 
the problem for every content type, not just HTML, which is great for 
dealing with the manifest cases Mark mentioned.

Would we want to also support this over https? I suppose it's possible 
that we'd have a situation where we trusted a CDN to know the URL that a 
user was requesting but still wanted to protect the user from his network 
peers knowing what URL he was getting...

Anyone want to write a spec for this?


On Wed, 29 Feb 2012, Mark Watson wrote:
> On Feb 28, 2012, at 4:31 PM, Ian Hickson wrote:
> >>
> >> There are container format-specific specifications for this, for 
> >> example the Common Encryption specification for the ISO file format 
> >> (mp4).
> > 
> > What does this provide that's better than just whole-file encryption?
> 
> All of the index, framing and timing information is in the clear.

That seems like a net negative. The use case here is protecting private 
content from potentially hostile hosting intermediaries. I don't see why 
we'd want to let them see framing and timing information, the list of 
tracks, and other such information.


> Only the media samples themselves are encrypted. This means a great deal 
> of client logic: streaming, buffering etc. can be done before 
> decryption, supporting an architecture where decryption, decoding and 
> rendering are provided by the device or separate software module.

AES streaming encryption can be done trivially, there's no need to 
special-case the media case here, IMHO. There's especially no particular 
reason why decoding and decryption should happen together.


> Another advantage is that a number of different content protection 
> systems support this encryption format (or soon will).

I don't see how that is relevant.


> >> There may be more than one key associated with a given resource.
> > 
> > Can you elaborate on that?
> 
> This is feature of the file format. Some people imagine using that for 
> key rotation. I guess a single file could have been assembled from 
> multiple components with different keys (by a tool which did not have 
> the keys).
> 
> In the case of adaptive streaming, the different resources may have 
> different keys.
> 
> If the above sounds incomplete/weak that's just because I don't myself 
> have a strong use-case for multiple keys for one file - but it's a 
> feature of the Common Encryption format.

We don't need an encryption format to handle this use case. It's more 
simply handled for all media types by simply passing the entire stream 
through AES-CTR.


> > It's when you're trying to prevent the user from getting to the 
> > content that it stops making any kind of sense.
> 
> Yes, I understand this does not make any sense to you. But it does to 
> others. It's a pre-requisite for services like Netflix to use HTML5 
> instead of plugins.

Having a plugin system for DRM would mean you were not doing something 
"instead of plugins". It would just be doing it with different plugins.

There is no value to the user for you to use HTML rather than Flash if 
you're still going to require a proprietary plugin. The value of an open 
standard is that anyone can write an interoperable user agent without 
needing to coordinate with anyone else, and get full access to all the 
content on the Web. DRM completely undermines this. It compromises the 
very purpose of having a standard.


> This list is not the place to argue the ethics of that.

It _absolutely_ is. If you want this group to do something, then this 
group's list is the _only_ relevant place to discuss whether it is ethical 
or not.


> W3C needs to decide whether to work on making that a possibility, or 
> whether HTML5 is simply not going to be a suitable technology for our 
> segment of the industry, which would be a shame.

No, Mark. The shame is that people's rights are being taken away by 
paranoid content producers who don't trust their users, and that there are 
any software engineers willing to do this for them. And shame is 
absolutely the right word for this.

It is morally wrong to deprive users the ability to time-shift or 
format-shift content they have paid for.

It is morally wrong to deprive users the ability to reuse content they 
have paid for purposes of parody.

It is morally wrong to deprive users the ability to criticise content 
they have paid for.

DRM doesn't stop copyright violations, and is unnecessary for the purposes 
of selling media (indeed it seems to actually reduce total sales). The 
music industry figured this out a few years ago. Your industry will figure 
it out eventually too.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Wednesday, 29 February 2012 06:58:18 UTC

This archive was generated by hypermail 2.3.1 : Monday, 29 September 2014 09:39:30 UTC