Connection of KIDs

[haudiobe]

KIDs are present at multiple levels – ‘pssh’ (KID_count), MPD (default_KID), CENC boxes (e.g. ‘tenc’/’senc’ default_KID/KID). How are these connected? Assuming MPD carries default_KID, what does it mean for a client to request for a (root)license for this “default_KID” – is it for one specific KID or for a bunch of keys (KIDs) going to appear in the stream later? And when say a client finds a KID in moof (‘senc’), the idea is that the already installed license has (or info to deduce) the content key corresponding to this KID. Also if the containing moof carries a ‘pssh’ (e.g. leaf license), does the KID in the pssh match the one in ‘senc’?

[andrejp]

It is DRM specific. I can say that there might be the case when Key ID is not required at all to request a Root license. In PlayReady there is header version 4.1.0.0. The KID element is located inside the PROTECTIONINFO element and is optional rather then required.

For example Scalable License Chaining might contain Empty Protection Header without KeyID to request a Root License and then every 'pssh' contains it's own leaf license which is decrypted by Root License.

If moof carries a 'pssh' (e.g. leaf license) it should match KID the one specified in 'senc'.

[haudiobe]

Kilroy: There is only one default_KID per file/Initialization Segment. It is unique to that key, so it is sufficient to identify the content (might be one or more Adaptation Sets), and other keys if key rotation is used.

A license has to be bound to a DRM domain (device, user, household, geography, subscriber list, etc.), and the default key encrypted with a key specific to that DRM domain to limit authorization and authentication to trusted DRM clients that have been issued domain keys. The DRM module in a client usually has to form the license request with both the default_KID and domain ID (in some DRM system protected way that might provide authentication of the DRM client).

Keys in ‘moof’/’pssh’ boxes need to be accessible to all authorized users (who got a root license) because they are the same for all users, for each DRM system.

Leaf keys are stored in ‘moof’/’pssh’ but KIDs are signaled in sample groups.

[haudiobe]

Status:

Conflicting comments

1) “Leaf keys are stored in ‘moof’/’pssh’ but KIDs are signaled in sample groups” indicates that the KID in pssh is a leaf key KID and is different from KID in ‘tenc’.

2) Another comment – “If moof carries a 'pssh' (e.g. leaf license) it should match KID the one specified in 'senc'” indicates that they need to match.

[haudiobe]

Issue is understood, clarification would be beneficial. KID is pssh box is a reference to be looked up. Kilroy will clarify, check 1.3.1.3 => clarification.