Re: Encrypted Media proposal (was RE: ISSUE-179: av_param - Chairs Solicit Alternate Proposals or Counter-Proposals)

From: Mark Watson <watsonm@netflix.com>
Date: Wed, 29 Feb 2012 21:40:20 +0000
To: Henri Sivonen <hsivonen@iki.fi>
CC: Kornel Lesiński <kornel@geekhood.net>, "HTML WG (public-html@w3.org)" <public-html@w3.org>, Adrian Bateman <adrianba@microsoft.com>, David Dorwin <ddorwin@google.com>
Message-ID: <F470DC4B-09A6-4376-8520-03B2162C4EF2@netflix.com>

On Feb 29, 2012, at 12:41 AM, Henri Sivonen wrote:

> On Tue, Feb 28, 2012 at 1:27 AM, Mark Watson <watsonm@netflix.com> wrote:
>> It's not as clear as it could be, but the intention is that all three of the following are possible, depending on the CDM:
>> 
>> (1) The CDM returns the decrypted frame to the browser
>> (2) The CDM handles decryption and decoding and returns the decoded (raw pixels) frame to the browser
>> (3) The CDM handles decryption, decoding and rendering and (possibly) returns some kind of reference to the decoded frame to the browser
> 
> Cases 1 and 2 don't treat the browser as an adversary while case 3
> does.

Actually, cases 1 and 2 do too.

In case 1 the browser is not trusted with the keys, but only with the decrypted encoded media.
In case 2 the browser is not trusted with the decrypted encoded media but only with the decoded media.


> Is Netflix willing to target movies to CDMs that are of type 1
> or 2?

Please see my other mail for a description of why this is not a question that I can answer alone and out of a specific context.

But I can say that equivalents of (3) are widely used today, (2) might be acceptable in some scenarios and (1) probably not for Netflix (this does not mean that others might not find that mode useful).

> Does the answer to this question depend on whether the browser
> is Open Source?

It's the CDM's job to protect whatever form of the material needs protecting, so in that sense, no, it doesn't really depend on the browser.

Having said that, option (2) might be considered higher risk with a browser which the user could easily modify (e.g. to expose the frames in canvas) vs one where this was not straightforward. Option (3) is more egalitarian in this sense.

> If a CDM of type 1 or 2 is delivered as a
> separate-from-browser component on an operating system that allows the
> installation of non-system-bundled browser engines, do you expect
> there to be a mechanism for the CDM to check who is calling into it?

I did not expect there to be such a mechanism. As noted above, if the browser to which the frames are being returned is known, then you can say more about the security properties than if it is unknown.

> What kind of mechanism?
> 
> -- 
> Henri Sivonen
> hsivonen@iki.fi
> http://hsivonen.iki.fi/
> 
Received on Wednesday, 29 February 2012 21:40:49 GMT