W3C home > Mailing lists > Public > www-tag@w3.org > August 2014

Re: Comments on draft opinion on EME

From: David Dorwin <ddorwin@google.com>
Date: Tue, 19 Aug 2014 15:58:21 -0700
Message-ID: <CAHD2rsgW6Q9=wRoTcGuNYSusLnEHbNM1QwGthXxrbnaTxUMFVQ@mail.gmail.com>
To: Mark Watson <watsonm@netflix.com>
Cc: Sergey Konstantinov <twirl@yandex-team.ru>, www-tag <www-tag@w3.org>
On Tue, Aug 19, 2014 at 2:15 PM, Mark Watson <watsonm@netflix.com> wrote:

On Tue, Aug 19, 2014 at 12:18 PM, Sergey Konstantinov <twirl@yandex-team.ru>
> wrote:
>


>  CDM is obviously misnamed, but that's not the problem. The problem is
>> proprietary format of license. I'd prefer to have open and transparent
>> format since (a) it decreases risks of exploiting possible vulnerabilities
>> in decryption module; (b) I don't really understand why "conditions
>> regarding their use" shall be kept in secret.
>>
>
> I share your preference, but I do not know how to acheive that.
>

>From a technical point of view, I believe the only requirements are that a)
the decryption key is encrypted with a key known only to the CDM and b) the
CDM can verify that the related policies apply to that key (to prevent
applying policies from one license to another key, for example).

This could probably be accomplished using an open unencrypted license
format (i.e. JSON with a standardized schema) that contains encrypted
content key(s) along with a hash (using a secret key) that
cryptographically ties the policy to the key(s). Such a standardized format
would go a long way towards ensuring a consistent set of capabilities and
behaviors across key systems.



> Well, I could imagine non-secure connection between CDM and CDN, but I
>> will object against that on another basis: we should encourage encryption
>> of any channel possibly providing sensitive information, including what
>> people are watching or listening.
>>
>
I think "CDN" should be "license server" in the above sentence (at least
when discussing the current EME spec). As Mark mentions, there is no direct
connection. However, the path through the application could be secured. You
may want to weigh in on this bug:
https://www.w3.org/Bugs/Public/show_bug.cgi?id=26332

>
> ‚ÄčThere is no connection between CDM and CDN. The CDM should not be given
> network access (and should ideally be sandboxed ‚Äčin other ways as well).
> The content is obtained by the video element in the usual way the video
> element obtains content (from a URL, from Media Source Extensions) and
> passed to the CDM by the video element.
>
>



>  Well, in my view current DRM systems are just doing something wrong. The
>> easiest way to implement DRM is just (a) serving a CDN <-> CDM connection
>> using secure connection (https for example), (b) keep private key secret..
>> There is no need in any proprietary algorithm or exchange format *at all*,
>> and I will be very happy if such alternative spec is developed.
>>
>
This is in theory possible. (It would also involve client-side certificates
since the server needs to trust the client instead of the other way around
as in most HTTPS connections.) However, due to the robustness requirements
and need to establish a trust relationship with the client, such a
connection would need to terminate in the CDM. That would mean pulling the
network stack into the CDM or extending the trusted execution environment
to the network stack.

Similarly, any attempt to use WebCrypto to do the decryption would require
pulling (that part of) the WebCrypto implementation into the trusted
execution environment. The EME/CDM design, on the other hand, restricts the
trusted execution environment to (part of) the media stack.
Received on Tuesday, 19 August 2014 22:59:42 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 22:57:04 UTC