Re: [MEDIA_PIPELINE_TF] Common content security requirements

On Sep 1, 2011, at 4:43 AM, Mays, David wrote:

In principle I agree with the idea of decoupling the "common" bits from the DRM solution, but there are big challenges here.

Regarding the below comment, it may be quite difficult to get there based on the robustness requirements for various DRMs. If the browser is performing the decryption, that means it has the key in its possession. Unless the browser is able to obscure the key in memory and prevent debugging or other similar attacks to acquire the key, the DRM vendors likely won't allow this approach.

Sure, when I say encryption can be dealt with in a common way I mean that the algorithm used and the details of how it is applied can be made independent of the protection scheme. It is still the protection scheme, with its robustness requirements, that actually performs the decryption, though, after obtaining the key in its proprietary fashion. This allows one file to be used with multiple protection schemes. This is the approach agreed by several DRM vendors in DECE and now standardized in ISO, at least for the ISO FIle Format.

...Mark


Dave

David Mays | sr. software architect | 15.217 | one comcast center | philadelphia, pa. 19103 | 215.286.3395 w | 215.847.9631 m
----------------------------------------------------------------------------------------------------------------------------------------

From: Mark Watson <watsonm@netflix.com<mailto:watsonm@netflix.com>>
Date: Thu, 1 Sep 2011 00:10:56 -0700
To: Clarke Stevens <C.Stevens@CableLabs.com<mailto:C.Stevens@CableLabs.com>>
Cc: "juhani.huttunen@nokia.com<mailto:juhani.huttunen@nokia.com>" <juhani.huttunen@nokia.com<mailto:juhani.huttunen@nokia.com>>, Bob Lund <B.Lund@CableLabs.com<mailto:B.Lund@CableLabs.com>>, "public-web-and-tv@w3.org<mailto:public-web-and-tv@w3.org>" <public-web-and-tv@w3.org<mailto:public-web-and-tv@w3.org>>
Subject: Re: [MEDIA_PIPELINE_TF] Common content security requirements
Resent-From: <public-web-and-tv@w3.org<mailto:public-web-and-tv@w3.org>>
Resent-Date: Thu, 1 Sep 2011 07:11:29 +0000

And finally, as presented at the Web&TV workshop, I think it's of value if we can decouple as much functionality as possible from the 'closed' DRM realm. Specifically, encryption can be dealt with in a common way (in particular, MPEG have a new standard for this) and authentication and authorization can and should be dealt with by the application, not the DRM.

Received on Friday, 2 September 2011 22:55:43 UTC