- From: David E via GitHub <noreply@w3.org>
- Date: Thu, 20 Nov 2025 16:02:53 +0000
- To: public-html-media@w3.org
deisenbacher has just created a new issue for https://github.com/w3c/encrypted-media:

== New Key Rotation Support ==

https://github.com/w3c/encrypted-media/blob/adbdf579fc83a54c6812d0896bd326661e43b764/key-rotation.md?plain=1#L1

Missing Requirement: Business-Rules Validation During Key Rotation

While the proposal modernizes EME to support embedded keys and reduces network load during key rotation, it does not address one of the most critical functional requirements of key rotation in commercial streaming systems: ongoing entitlement checks and business-rules enforcement during playback.

Embedded Keys eliminate the mid-stream license transactions that operators depend on to verify whether a user is still authorized to continue viewing. Once a Root Key is delivered to the device, the client can decrypt every future embedded key locally, without any additional server contact. This removes the ability to enforce:

- subscription validity
- regional blackout rules
- concurrency limits
- revocation events
- session integrity
- anti-piracy signals (watermark updates, session binding, etc.)

Operationally, this model becomes equivalent to locking your car but leaving the keys on top of it and hoping no one steals it. The content is encrypted, but the mechanism to unlock future keys is already in the attacker’s possession.

Embedded Keys ≠ Real Security When the Root Key Is Local

If the Root Key is:

- baked into the device,
- provisioned internally to the CDM, or
- obtained once at the start of playback,

then the system effectively becomes an embedded-clear-key model. Whoever has the Root Key can decrypt all future rotated content keys offline, with no further entitlement validation or business-logic control points. This breaks the fundamental purpose of key rotation in premium streaming workflows.

Why This Is a Major Problem for Commercial Streaming

Key rotation is used not only for cryptographic freshness but also as a business-logic enforcement loop. Without mid-stream validation:

- unauthorized devices can continue playing indefinitely,
- compromised sessions cannot be revoked in real time,
- concurrency abuse cannot be stopped,
- regional rights cannot be dynamically enforced,
- restreamers retain uninterrupted access,
- forensic watermark payloads cannot be refreshed per rotation.

In short: Embedded Keys provide transport efficiency, but they remove the operator’s only control points for entitlement and anti-piracy enforcement during playback. Any EME extension must address this gap, or it will fail to meet commercial streaming security requirements.

Please view or discuss this issue at https://github.com/w3c/encrypted-media/issues/576 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Thursday, 20 November 2025 16:02:54 UTC
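The control-point argument in the issue above can be made concrete with a small simulation. The following Python is an added illustration, not code from the issue, from the EME specification or from the key-rotation proposal. It models the two designs side by side: an "Embedded Keys" client that receives one Root Key at session start and then unwraps every rotated content key locally from in-band data, and a per-rotation client that must request each new content key from a license server, so an entitlement check runs on every rotation. The key wrapping (HMAC-SHA256 used as a PRF, XORed with the content key), the `LicenseServer` class, the function names and the sample stream are all constructed for this example and do not correspond to any EME or CDM API.

```python
"""
Toy simulation of two key-rotation models (constructed example, not EME code):
(a) Embedded Keys: one Root Key at session start, then local unwrapping of
    every rotated content key carried in the stream;
(b) per-rotation licensing: the client asks the license server for each new
    content key, so entitlement is re-checked on every rotation.
The wrap scheme below is a stand-in for a real DRM key-wrap, not a real one.
"""
import hashlib
import hmac
import secrets


def _prf(key: bytes, label: bytes) -> bytes:
    """HMAC-SHA256 used as a pseudo-random function (toy wrap keystream)."""
    return hmac.new(key, label, hashlib.sha256).digest()


def wrap_content_key(root_key: bytes, key_id: bytes, content_key: bytes) -> bytes:
    """Wrap a 32-byte content key under the Root Key (constructed scheme)."""
    stream = _prf(root_key, b"wrap:" + key_id)
    return bytes(a ^ b for a, b in zip(content_key, stream))


def unwrap_content_key(root_key: bytes, key_id: bytes, wrapped: bytes) -> bytes:
    """Inverse of wrap_content_key: XOR with the same PRF output."""
    return wrap_content_key(root_key, key_id, wrapped)


class LicenseServer:
    """Hypothetical license server holding the entitlement state the operator enforces."""

    def __init__(self, root_key: bytes, content_keys: dict):
        self._root_key = root_key
        self._content_keys = content_keys  # key_id -> content key
        self._entitled = set()

    def grant(self, user: str) -> None:
        self._entitled.add(user)

    def revoke(self, user: str) -> None:
        self._entitled.discard(user)

    def issue_root_key(self, user: str):
        """Embedded-Keys model: one entitlement check at session start, then none."""
        return self._root_key if user in self._entitled else None

    def issue_content_key(self, user: str, key_id: bytes):
        """Per-rotation model: every rotation re-checks entitlement."""
        if user not in self._entitled:
            return None
        return self._content_keys.get(key_id)


def build_stream(root_key: bytes, n_periods: int):
    """Constructed sample stream: n rotation periods, each with its own content key.
    Returns (content keys by id, list of (key_id, wrapped key) carried in-band)."""
    content_keys, periods = {}, []
    for i in range(n_periods):
        key_id = b"kid-%02d" % i
        ck = secrets.token_bytes(32)
        content_keys[key_id] = ck
        periods.append((key_id, wrap_content_key(root_key, key_id, ck)))
    return content_keys, periods


def play_embedded_keys(server, periods, content_keys, user, revoke_at):
    """Client gets the Root Key once, then unwraps locally. Returns, per period,
    whether the client recovered the correct content key."""
    root_key = server.issue_root_key(user)
    if root_key is None:
        return [False] * len(periods)
    results = []
    for i, (key_id, wrapped) in enumerate(periods):
        if i == revoke_at:
            server.revoke(user)  # operator revokes mid-stream; client never notices
        recovered = unwrap_content_key(root_key, key_id, wrapped)
        results.append(recovered == content_keys[key_id])
    return results


def play_per_rotation_license(server, periods, content_keys, user, revoke_at):
    """Client requests each rotated key from the server; revocation takes effect."""
    results = []
    for i, (key_id, _wrapped) in enumerate(periods):
        if i == revoke_at:
            server.revoke(user)
        recovered = server.issue_content_key(user, key_id)
        results.append(recovered == content_keys[key_id])
    return results


def compare_models(n_periods: int = 6, revoke_at: int = 2) -> dict:
    """Run both models for one entitled user revoked at period `revoke_at`."""
    root_key = secrets.token_bytes(32)
    content_keys, periods = build_stream(root_key, n_periods)
    embedded, per_rotation = LicenseServer(root_key, content_keys), LicenseServer(root_key, content_keys)
    embedded.grant("alice")
    per_rotation.grant("alice")
    return {
        "embedded_keys": play_embedded_keys(embedded, periods, content_keys, "alice", revoke_at),
        "per_rotation": play_per_rotation_license(per_rotation, periods, content_keys, "alice", revoke_at),
    }


if __name__ == "__main__":
    for model, ok in compare_models().items():
        print(f"{model:15s} {''.join('D' if x else '-' for x in ok)}")  # D = period decryptable
```

With six rotation periods and a revocation after the second one, the embedded-keys client decrypts all six periods because nothing in the design consults the server again after the Root Key is issued, while the per-rotation client is cut off at the first rotation after revocation. The simulation shows nothing about the strength of the wrapping itself; the point it isolates is the one the issue makes, that the enforcement opportunity moves from "every rotation" to "once, at the start", and every rule that depends on re-checking (revocation, concurrency, regional rights, watermark refresh) loses its hook.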