Re: [MEDIA_PIPELINE_TF] Common content security requirements

In principle I agree with the idea of decoupling the "common" bits from the DRM solution, but there are big challenges here.

Regarding the below comment, it may be quite difficult to get there based on the robustness requirements for various DRMs. If the browser is performing the decryption, that means it has the key in its possession. Unless the browser is able to obscure the key in memory and prevent debugging or other similar attacks to acquire the key, the DRM vendors likely won't allow this approach.

Dave

David Mays | sr. software architect | 15.217 | one comcast center | philadelphia, pa. 19103 | 215.286.3395 w | 215.847.9631 m
----------------------------------------------------------------------------------------------------------------------------------------

From: Mark Watson <watsonm@netflix.com<mailto:watsonm@netflix.com>>
Date: Thu, 1 Sep 2011 00:10:56 -0700
To: Clarke Stevens <C.Stevens@CableLabs.com<mailto:C.Stevens@CableLabs.com>>
Cc: "juhani.huttunen@nokia.com<mailto:juhani.huttunen@nokia.com>" <juhani.huttunen@nokia.com<mailto:juhani.huttunen@nokia.com>>, Bob Lund <B.Lund@CableLabs.com<mailto:B.Lund@CableLabs.com>>, "public-web-and-tv@w3.org<mailto:public-web-and-tv@w3.org>" <public-web-and-tv@w3.org<mailto:public-web-and-tv@w3.org>>
Subject: Re: [MEDIA_PIPELINE_TF] Common content security requirements
Resent-From: <public-web-and-tv@w3.org<mailto:public-web-and-tv@w3.org>>
Resent-Date: Thu, 1 Sep 2011 07:11:29 +0000

And finally, as presented at the Web&TV workshop, I think it's of value if we can decouple as much functionality as possible from the 'closed' DRM realm. Specifically, encryption can be dealt with in a common way (in particular, MPEG have a new standard for this) and authentication and authorization can and should be dealt with by the application, not the DRM.