Default_KID alone being sufficient to check the presence of key(s)?

[haudiobe]

In Sec 1.3 there is a mention of default_KID alone being sufficient to check the presence of key(s) or even to acquire license/key(s)? Our understanding is that it shall always be combined with ‘pssh’ info either from MPD or in-band (e.g. INIT), when obtaining license.

[haudiobe]

Niels will check this

[nthorwir]

The KID is not sufficient in all cases to retrieve the license and typically needs to be combined with pssh, but there may be cases where only the KID is needed if the client knows all other instructions. It CAN be sufficient to check if this key has been retrieved already without knowing pssh.

this is expressed with the current text: " The mp4protection Descriptor with @DASHAdmin cenc:default_KID may be sufficient to acquire a license or identify a previously acquired license that can be used to decrypt the Adaptation Set. It may also be sufficient in the MPD when combined with license acquisition information stored in ‘pssh’ boxes in Initialization Segments. "

i think the current text is correct but may benefit from clarification and welcome suggestions.

[ghost]

The general solution is to send the ‘pssh’ info to the server, which will work by definition for that DRM.

There are other ways to do it that are DRM and app dependent. The minimum information a DRM server needs is the KID and some identification of the player’s DRM domain ID so it can encrypt the license with the domain-specific key that identifies that user, client, device, or subscriber group, etc. The player app may also make the choice of license server regardless of URLs in the ‘pssh’. The KID by itself isn’t sufficient without locating the client’s domain key on the license server to encrypt the license.

Kilroy Hughes | Senior Digital Media Architect |Windows Azure Media Services | Microsoft Corporation [cid:image001.png@01CDABBA.71FD8800]http://www.windowsazure.com/media

From: Niels [mailto:notifications@github.com] Sent: Wednesday, March 19, 2014 1:12 PM To: Dash-Industry-Forum/DRM Subject: Re: [DRM] Default_KID alone being sufficient to check the presence of key(s)? (#2)

The KID is not sufficient in all cases to retrieve the license and typically needs to be combined with pssh, but there may be cases where only the KID is needed if the client knows all other instructions. It CAN be sufficient to check if this key has been retrieved already without knowing pssh.

this is expressed with the current text: " The mp4protection Descriptor with @DASHAdminhttps://github.com/DASHAdmin cenc:default_KID may be sufficient to acquire a license or identify a previously acquired license that can be used to decrypt the Adaptation Set. It may also be sufficient in the MPD when combined with license acquisition information stored in ‘pssh’ boxes in Initialization Segments. "

i think the current text is correct but may benefit from clarification and welcome suggestions.

— Reply to this email directly or view it on GitHubhttps://github.com/Dash-Industry-Forum/DRM/issues/2#issuecomment-38100851.

[andrejp]

Killroy I would like to point it out that Domains are might be a DRM specific technique / feature. For example in PlayReady DRM yes but doesn't means that other DRMs also use the same approach and Domains ID for example.

Regards, A.

[ghost]

I use the term in a general way, and usually mention device, user, region, etc. as possible domains. The point is that the license has to be bound to something or else everyone on the planet could use it. The license server needs to cryptographically bind the license to whatever that “key” or ID is, so needs to identify that device, user, region, domain key, etc.; hence the general meaning of domain ID.

Historically, it was used to distinguish licenses that worked on multiple devices from licenses that only worked on one device (often encrypted with a different key for each user); so it does have the connotation of multiple device domains … so I get you point.

Kilroy Hughes | Senior Digital Media Architect |Windows Azure Media Services | Microsoft Corporation [cid:image001.png@01CDABBA.71FD8800]http://www.windowsazure.com/media

From: Andrew Popov [mailto:notifications@github.com] Sent: Friday, March 21, 2014 5:22 AM To: Dash-Industry-Forum/DRM Cc: Kilroy Hughes Subject: Re: [DRM] Default_KID alone being sufficient to check the presence of key(s)? (#2)

Killroy I would like to point it out that Domains are might be a DRM specific technique / feature. For example in PlayReady DRM yes but doesn't means that other DRMs also use the same approach and Domains ID for example.

Regards, A.

— Reply to this email directly or view it on GitHubhttps://github.com/Dash-Industry-Forum/DRM/issues/2#issuecomment-38270976.

[haudiobe]

Conclusion: DRM specific and could be sufficient without pssh (with just KID and some form of device/domain ID). I don’t have any more questions here.

[haudiobe]

No modifications are required. Niels adds clarification

[nthorwir]

also to clarify this has been added to satisfy the dash requirement below and we are saying this may be sufficient as we may have more than one ContentProtection element.

5.8.4.1 Content protection For the element ContentProtection the @schemeIdUri attribute is used to identify a content protection scheme. This attribute should provide sufficient information, possibly in conjunction with the @value and/or extension attributes and elements, such as the DRM system(s), encryption algorithm(s), and key distribution scheme(s) employed, to enable a client to determine whether it can possibly play the protected content.

[nthorwir]

now clarified as: Although commonly the ContentProtection Descriptor for UUID Scheme described below is used for license acquisition, the mp4protection Descriptor with @cenc:default_KID may be sufficient ...

[andrejp]

Niels the only thing which I am concerned about "May be" it's to open