Re: Clarification

On Tue, May 14, 2013 at 12:01 AM, Rick <graham.rick@gmail.com> wrote:
> UAs gain a level of trust with me by publishing their source so that it can
> be vetted by the community at large.  I don't trust them blindly.
> Publishing the source for CDMs would make it less threatening.  I see no
> reason why this can't be done; ssh is open, and more secure for having
> published source.

ssh is a bad analog, because the trust assumptions are different. When
Alice uses ssh to connect to sshd on Bob's server, the adversary is
neither Alice nor Bob but Cecil who is a MITM on the network and
controls neither the computer running ssh nor the computer running
sshd.

In the DRM case, Alice runs a CDM in order to watch movies to which
Cecil owns the copyright from a streaming service operated by Bob. The
adversary is Alice, so the CDM runs on a computer controlled by the
adversary. This makes the requirements for the CDM fundamentally
different from the requirements for ssh.

But despite ssh being an inapplicable analog, in theory, it would be
possible to publish the source code of the CDM except for the CDM's
private key assuming that there exists a sufficiently strongly
obfuscating compiler that can obfuscate both the binary and the
runtime memory layout of the program. The source code of the compiler
could be published, too, if the ways the obfuscation functions work
can be parameterized from a random number generator. However, Alice
cannot be allowed to perform the CDM build process. The CDM needs
to be built by someone that Cecil trusts to perform the build process
using the published compiler, the published CDM source and a
cryptographically strong random number generator for parametrizing the
compiler and for generating the CDM private key. That is, the source
disclosure would not involve the downstream freedoms associated with
Open Source.

Don't hold your breath for the source for Hollywood-approved CDMs
being available without an NDA, though. Even though what I said in the
previous paragraph could work in theory, publishing the source code
for the CDM makes developing the obfuscating compiler postulated in
the previous paragraph a more difficult engineering undertaking than
developing an obfuscating compiler that may rely on the secrecy of the
CDM source code.

--
Henri Sivonen
hsivonen@iki.fi
http://hsivonen.iki.fi/

Received on Tuesday, 14 May 2013 06:50:08 UTC