Re: [EME] Updated proposal for secure proof of key release

Hi Mark,

The more I think about key release, the more I think it should not be
included in the spec.

Key management, policies, message protocol & structure, and key-system or
CDM-specific details have been intentionally left out of the spec. As an
example, even the key replacement algorithm is not specified. Key systems
are free to define protocols that include a variety of messages as long as
they fit within the defined APIs (primarily update() and keymessage).
Heartbeat, license renewal, key rotation, etc. can all be implemented
within the existing framework but are not included in the spec.

The key release proposal does not require altering the existing APIs or the
defined algorithms. It simply defines additional key management, policy,
parameter values, and messages, all of which are key system-specific. As
with the basic message flow, heartbeat, etc., I expect that key systems
will eventually converge on a set of best practices, but these are not
usually defined in a standards-track spec.

Finally, are there implementors and CDM providers that intend to support
this? Are there any content providers besides Netflix that intend to use it?

I do not think a Working Draft should include a feature where the answer to
the above questions is "no", especially when it adds non-trivial complexity
to implementations.

Regards,
David

On Fri, Jan 11, 2013 at 9:10 AM, Mark Watson <watsonm@netflix.com> wrote:

>  https://www.w3.org/Bugs/Public/show_bug.cgi?id=17199
>
>  An updated proposal is attached.
>
>  I'd like to propose that we include this text in the First Public
> Working Draft.
>
>  [It need not be Section 4, as written, since this interrupts the flow of
> the rest of the document. I leave it to David to suggest the best place for
> it.]
>
>  …Mark
>

Received on Friday, 11 January 2013 18:08:01 UTC