Re: Custom and extending CDM to support other DRM systems from János Barta on 2015-02-01 (public-html-media@w3.org from February 2015)

From: János Barta <bartakok@gmail.com>
Date: Sun, 01 Feb 2015 17:37:22 +0100
To: Emmanuel Poitier <emmanuel.poitier@enman.fr>, Mark Watson <watsonm@netflix.com>
CC: "public-html-media@w3.org" <public-html-media@w3.org>
Message-ID: <54CE5642.6040401@gmail.com>
Hi Emmanuel,

On 2015.01.31. 17:26, Emmanuel Poitier wrote:
> Mark,
>
> Le 30/01/2015 16:59, Mark Watson a écrit :
>>
>>
>> On Fri, Jan 30, 2015 at 7:53 AM, Emmanuel Poitier 
>> <emmanuel.poitier@enman.fr <mailto:emmanuel.poitier@enman.fr>> wrote:
>>
>>     Matt,
>>
>>     Le 30/01/2015 16:14, Mark Watson a écrit :
>>>
>>>
>>>     On Fri, Jan 30, 2015 at 6:58 AM, Glenn Adams <glenn@skynav.com
>>>     <mailto:glenn@skynav.com>> wrote:
>>>
>>>
>>>         On Fri, Jan 30, 2015 at 7:49 AM, Emmanuel Poitier
>>>         <emmanuel.poitier@enman.fr
>>>         <mailto:emmanuel.poitier@enman.fr>> wrote:
>>>
>>>             All,
>>>
>>>             I am currently looking after the information on how to
>>>             extend the CDM to support other DRM systems, which is
>>>             nowadays fixed and hardcoded for each browsers (IE with
>>>             PlayReady, Chrome with Widevine, Safari with FairPlay).
>>>             It would be nice to ensure the EME spec does provide
>>>             information and also how browsers would support that in
>>>             an agnostic manner to ensure a non fragmented market
>>>             where the user does want to play a protected video
>>>             content whatever the browser he is using.
>>>
>>>
>>>         I doubt if anything has changed on this front, but this type
>>>         of specification was ruled out of scope for EME. EME uses
>>>         the term and concept "CDM" only in a notional manner, and
>>>         does not specify any concrete interface to such a component.
>>>
>>>         It is likely that interface and any mechanism for
>>>         adding/extending UA supplied CDMs will remain UA specific,
>>>         that is, until some organization steps forward to
>>>         standardize it (assuming UA vendors are willing to do
>>>         that... a dubitable proposition).
>>>
>>>
>>>     Yes, such an API is not really in scope of W3C, never mind just
>>>     EME. Just as NPAPI for <object> was created by UA vendors any
>>>     such cross-browser CDM API would need to come from the UA 
>>>     vendors. Of course, the open source implementations of EME have
>>>     CDM APIs in their code, but a major point of EME was to bring
>>>     DRM under UA control, so I would not expect UAs ever to support
>>>     download of arbitrary user-installable CDMs - at least it's not
>>>     clear to me how this could be done and simultaneously meet the
>>>     privacy and security requirements of the specification. Whilst
>>>     UAs can technically enforce many security and privacy properties
>>>     through sandboxing I'm not sure they will be willing to host
>>>     CDMs about which they have no knowledge whatsoever.
>>>
>>>     …Mark
>>
>>     I can understand this point, though a service provider protecting
>>     their content will evaluate DRM systems based on the UA CDM DRM
>>     support before using EME which is at the moment quite split
>>     across browsers. Thanks anyway for your view on this issue.
>>
>>
>>  What's your alternative and how does it address the security and 
>> privacy issues ?
>>
>> …Mark
>
> I would see a separate working group who will be in charge of offering 
> a CDM description with security analysis based on the data flow 
> interfacing with the CDM. It may be a consortium composed of all or 
> the most used DRM providers to design a such component, so they would 
> have a complete knowledge and the necessary technical constraints to 
> ensure the required level of security delivered by the CDM component 
> within the EME feature. It does definitely require a collaborative 
> work to assure content protection and the legitimate use of protected 
> content in a generic manner to let users choose their preferred way to 
> use them.


do we really need to have a standard CDM solution or wouldn’t it be 
better to focus on a standard, auditable layer amongst browser 
components and  CDM modules (as it is already available in case of 
Firefox), called CDM/DRM sandbox?
In case of a Sandbox solution:
-    CDM-Sandbox can be a “bridge” with well-defined, standard interfaces
-    DRM specific CDM can be an independent/closed/proprietary module
-    CDM will be downloaded and activated from the website of DRM 
provider based on user consent
-    Decoupled Browser and DRM layers (-> Multi-DRM support)
-    etc…

I think the biggest issue is that there is no interest from the 
UI/Browser side to have a cross-platform solution. There is no doubt 
about their intention is to set their own CDM in stone (because of the 
additional incomes, e.g.  from licenses).
I would like to believe that it is only my misinterpretation and they 
(Google/Microsoft/Mozilla/Opera/Apple…) are willing to make sacrifices 
in order to have a standard, sandbox based cross-CDM solution. We will see…

Best regards,
Janos BARTA
1. dia
Received on Sunday, 1 February 2015 16:37:52 UTC