- From: Henri Sivonen <hsivonen@iki.fi>
- Date: Tue, 14 May 2013 09:49:40 +0300
- To: Rick <graham.rick@gmail.com>
- Cc: Mark Watson <watsonm@netflix.com>, Brendan Aragorn <gloppius@yahoo.com>, public-restrictedmedia@w3.org
On Tue, May 14, 2013 at 12:01 AM, Rick <graham.rick@gmail.com> wrote:
> UA's gain a level of trust with me by publishing their source so that it can
> be vetted by the community at large. I don't trust them blindly.
> Publishing the source for CDM's would make it less threatening. I see no
> reason why this can't be done; ssh is open, and more secure for having
> published source.

ssh is a bad analog, because the trust assumptions are different. When Alice uses ssh to connect to sshd on Bob's server, the adversary is neither Alice nor Bob but Cecil who is a MITM on the network and controls neither the computer running ssh nor the computer running sshd.

In the DRM case, Alice runs a CDM in order to watch movies to which Cecil owns the copyright from a streaming service operated by Bob. The adversary is Alice, so the CDM runs on a computer controlled by the adversary. This makes the requirements for the CDM fundamentally different from the requirements for ssh.

But despite ssh being an inapplicable analog, in theory, it would be possible to publish the source code of the CDM except for the CDM's private key assuming that there exists a sufficiently strongly obfuscating compiler that can obfuscate both the binary and the runtime memory layout of the program. The source code of the compiler could be published, too, if the ways the obfuscation functions work can be parameterized from a random number generator. However, Alice cannot be allowed to perform the CDM build process. The CDM needs to be built by someone that Cecil trusts to perform the build process using the published compiler, the published CDM source and a cryptographically strong random number generator for parametrizing the compiler and for generating the CDM private key. That is, the source disclosure would not involve the downstream freedoms associated with Open Source.

Don't hold your breath for the source for Hollywood-approved CDMs being available without an NDA, though. Even though what I said in the previous paragraph could work in theory, publishing the source code for the CDM makes developing the obfuscating compiler postulated in the previous paragraph a more difficult engineering undertaking than developing an obfuscating compiler that may rely on the secrecy of the CDM source code.

--
Henri Sivonen
hsivonen@iki.fi
http://hsivonen.iki.fi/

Received on Tuesday, 14 May 2013 06:50:08 UTC