The Digital Media Project

Source: GA03
Date: 2004/07/15
Title: Requirements for PAV Devices
No.: 0146/Osaka
Requirements for PAV Devices
This document describes the requirements for the technical features of Portable Audio and Video (PAV) Devices. This document should be read in conjunction with the PAV Call for Proposals (CfP) DMP0145 and with the PAV Terminology given in DMP0147.
1.3 Digital representation of Use Data
1.4 Digital representation of Rights Expressions
3.3 Discovery of Device capabilities
3.4 Managing confidentiality of User and Use Data
5.5 Transferring Content to an external rendering device via a secure transport mechanism
6 Support for payment methods and mechanisms
7.2 Enforcing Rights Expressions
These are the basic technologies required for the implementation of a DMP Device. They cover the identification of data, users, devices and resource formats; the representation of content, rights expressions and use data; the underlying encryption technology and management of confidentiality of use data; and the support for payment mechanisms. These basic technologies are built upon in later sections to flesh out the requirements for the DMP Device.
This subsection refers to means of identification of Data, Users, Devices, Content formats and device capabilities and, where relevant, the development of classification schemes.
Definition: The means to uniquely and unambiguously
- identify a piece of
  - Content Data
  - Content Data Element
  - Use Data
- refer to the identification.
Objective: To support the association of Resources, Metadata, Rights Expressions, Licenses and/or Use Data with a piece of Data that may be remote from such Resources, Metadata, Rights Expressions, Licenses and/or the Function that generated the Use Data.
Requirements:
- Unambiguous identification of a piece of Content Data and Content Data Element
- Unambiguous identification of Use Data
- Ability to work in conjunction with multiple, existing industry schemes for Content Data identification.
- Ability to extend the total number of identifiers that can be assigned in such a manner that previously assigned identifiers do not become obsolete.
Benefits:
- Flexible distribution schemes where different Content Data Elements may be supplied from different sources.
- A given Content Data Element may be applied to a multiplicity of other Content Data Elements without duplication.
- Fine granularity of Rights Expressions.
Definition: The means to identify the device that represents the (human, corporate etc.) User in a particular instance of Use
Objective: To enable
- Content Access and Use of Content and Services
- Payment systems to operate
Requirements:
- Being usable for the purpose of User authentication
- Ability to accommodate a variety of models for human interaction with Devices, e.g.:
  - Allow a single User to use multiple Devices,
  - Allow multiple Users to share a single Device,
  - Allow the use of a confidential identity,
- Ability to extend the total number of identifiers that can be assigned in such a manner that previously assigned identifiers do not become obsolete.
Benefits: Depending on a given device's design, allows one User to employ multiple devices or allows multiple Users to use a single device. Also useful in disaster recovery scenarios, when a device or storage medium is destroyed.
Definition: The means to identify the Device employed in a particular instance of Use
Objective:
- To support the association of a piece of Governed Content with a Device
- To support Trust management
Requirements:
- Compatible with administration of Domain models for Use.
- Ability to work in conjunction with existing industry schemes to administer customer/device-specific uses.
- Ability to extend the total number of identifiers that can be assigned in such a manner that previously assigned identifiers do not become obsolete.
Benefits:
- Allows reliable administration of Device-based Uses.
- Compatible with succession strategies in cases where a Device is destroyed or otherwise replaced, or else used only for a period of time after which a different Device will be used.
Definition: Identification of Content formats and Device handling capabilities
Objective: To provide the means to identify Content formats and device handling capabilities
Requirements:
- How to identify Content formats
- How to identify Device capabilities, e.g. capability to process certain Resource types, certain Rights Expressions etc.
Benefits: The ability to acquire Content that is suitable for the Device
Definition: The means to organize and associate Content Data and Content Data Elements including Resources, Metadata, Rights Expressions and Licenses.
Objective: Provide for the ability to group any of the following components: Resources, Metadata, Rights Expressions and Licenses
Requirements:
- Persistent Association of Identifiers and Metadata to Resources
- Ability to include encrypted and unencrypted Data
- Ability to apply Rights Expressions to Composite Content components
- Ability to Use Content Data Elements from Governed Content
- Ability to associate Composite Content Elements stored at locations remote from each other
- Ability to support association of Composite Content Elements
- Ability to support Element unavailability, both temporary and permanent.
Benefits:
- Different Uses of the same Content (e.g. Resource selection)
- Executing sets of Functions on Content that serve for orientation, navigation and judgement (e.g. searching/filtering content)
Definition: A format representing how the Use of a piece of Governed Content has actually taken place in a Device
Objective: To enable further digital processing of Use Data
Requirements:
- Ability to identify Use Data
- Ability to support protection of Use Data
- Ability to convert Use Data to a human-readable form
- Ability to represent a wide range of Content Uses, e.g. time of Use, Composite Content, Domains, Superdistribution Uses
Benefits: Provides a machine-processable record of Uses.
Definition: Format that is capable of expressing Rights
Objective: To allow conditional use of Content, based on the conditions being satisfied or fulfilled.
Requirements:
- The Solution shall represent varying subsets of Rights
- The Solution shall represent new Rights when the need occurs
- The Solution shall unambiguously identify
  - the User granting the Right
  - the User, Device or Domains obtaining the Right
  - the piece(s) of Content to which the Rights Expression refers
  - the Right that is granted, in such a way that there is no ambiguity in the semantics of the Rights Expression
- The Solution shall support the following Functions:
  - Copy
  - Move
  - Backup/Restore
  - Export
  - Import
  - Transfer to an external rendering device
- The Rights Expression shall support at least the following:
  - To assign one Rights Expression to many pieces of Governed Content
  - To assign many Rights Expressions each referring to a component of a Composite Content
  - To specify Content Uses, e.g.
    - Period of time (e.g. play as long as the play time is less than the specified period) and based on time/date
      - Note: requires access to a secure clock
    - User identity-based
    - Count-based (play up to the specified number of times)
  - To specify Resource Uses, e.g.
    - Audio
    - Video
    - Executables (e.g. applet)
  - To allow streaming
  - To process metadata
    - Presentation of Metadata
    - Presentation of human-readable Cleartext Rights Expression
  - To allow trick modes
Benefits: Potentially allows the full range of human contractual agreements to be embodied in the digital domain, especially including automatic processing of agreements that are stated in sufficiently rigorous forms.
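The following Python sketch is an added illustration, not part of the DMP document or of any DMP reference implementation: it shows how a Device might represent a Rights Expression that names grantor, grantee and Content unambiguously, enforce its time/date, identity and count conditions against a secure clock, and append a machine-processable Use Data record for each granted Use. All identifiers, field names and the "Play" Function are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass(frozen=True)
class Principal:
    kind: str    # "User", "Device" or "Domain": the party obtaining the Right
    ident: str   # identifier; the identification scheme is assumed, not specified here

@dataclass
class RightsExpression:
    grantor: str                     # the User granting the Right
    grantee: Principal
    content_ids: frozenset[str]      # one Rights Expression may cover many pieces of Content
    functions: frozenset[str]        # granted Functions, e.g. "Play", "Copy", "Move"
    not_after: Optional[datetime] = None      # time/date condition (needs a secure clock)
    max_count: Optional[int] = None           # count-based Use
    play_period: Optional[timedelta] = None   # cumulative play time allowed

@dataclass
class UseState:  # state the Device keeps per Rights Expression, plus its Use Data log
    count: int = 0
    played: timedelta = timedelta(0)
    use_data: list[dict] = field(default_factory=list)

def evaluate(rex: RightsExpression, state: UseState, requester: Principal,
             content_id: str, function: str, now: datetime,
             duration: timedelta = timedelta(0)) -> tuple[bool, str]:
    """Decide one requested Use. `now` must be read from the Device's secure clock."""
    if content_id not in rex.content_ids:
        return False, "content not covered by this Rights Expression"
    if function not in rex.functions:
        return False, "Function not granted"
    if requester != rex.grantee:
        return False, "requester is not the grantee"
    if rex.not_after is not None and now > rex.not_after:
        return False, "expired"
    if rex.max_count is not None and state.count >= rex.max_count:
        return False, "use count exhausted"
    if rex.play_period is not None and state.played + duration > rex.play_period:
        return False, "play period exhausted"
    # Granted: update the counters and append a machine-processable Use Data record.
    state.count += 1
    state.played += duration
    state.use_data.append({"content": content_id, "function": function, "at": now.isoformat(),
                           "by": (requester.kind, requester.ident), "seconds": duration.total_seconds()})
    return True, "granted"

def demo() -> list[tuple[bool, str]]:
    """Constructed sample: alice may Play track-1 up to 3 times, 45 minutes in total."""
    alice = Principal("User", "user:alice")
    rex = RightsExpression(grantor="user:label", grantee=alice,
                           content_ids=frozenset({"content:track-1"}), functions=frozenset({"Play"}),
                           not_after=datetime(2004, 12, 31, tzinfo=timezone.utc),
                           max_count=3, play_period=timedelta(minutes=45))
    state, now = UseState(), datetime(2004, 7, 15, tzinfo=timezone.utc)
    def play(who, fn, mins):
        return evaluate(rex, state, who, "content:track-1", fn, now, timedelta(minutes=mins))
    return [play(alice, "Play", 20), play(alice, "Play", 20),  # granted, granted
            play(alice, "Play", 10),                           # play period exhausted
            play(Principal("User", "user:bob"), "Play", 5),    # not the grantee
            play(alice, "Copy", 0)]                            # Function not granted
```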
Without Trust it is impossible to create an Environment that protects the Content and Rights between the various Users in a DMP Environment. This section covers the different aspects of trust needed in a DMP Environment, including authentication and certification of Users and Devices. It also covers the verification of Device software.
Definition: The procedure to validate the User identity
Objective: To make sure that Governed Content is Used by the intended User
Requirements:
- Protocol for the authentication of Users
Benefits: To enable Content Uses by identified Users
Definition: The procedure to validate the Device
Objective: To make sure that Governed Content is Used by the intended Device
Requirements:
- Protocol for the authentication of the Device
Benefits: To enable Content Uses on identified Devices
Definition: The procedure to detect corruption or loss of part of the Content, Use Data and Executables
Objective:
- Correct delivery of Content, Use Data and Executables.
Requirements:
- Ability to detect that there is corruption or loss of part of the Content, Use Data and Executables
- Support for error recovery in the case where Content, Use Data and Executables are delivered over an imperfect Delivery System.
- Compatibility with data protection and privacy aspects (e.g. to limit the compilation of user profiles by third parties)
Benefits: To provide Content, Use Data and Executables integrity
Definition: The procedure to detect corruption of part of the software of a Device
Objective: To support Trust management with a Device that may be remote from a User
Requirements:
- Ability to detect that there is corruption of the Device software
Benefits: The ability to support Trust management with a Device that may be remote from a User
Definition: The issuance of a statement by an authority that the claim by a user to be the User is supported
Objective: To make sure that Governed Content is Used by the intended User
Requirements:
- A mechanism to certify Users
Benefits: To enable Content Uses by certified Users
Definition: The issuance of a statement by an authority that the claim by a device to be the Device is supported
Objective: To make sure that Governed Content is Used by the intended Device
Requirements:
- A mechanism to certify Devices
Benefits: To enable Content Uses by certified Devices
A number of management processes are needed to support the DMP Environment. In this section we define the management capabilities required to support Keys, Domains, the Discovery of device capabilities and confidentiality of User and Use Data.
Definition: Controlling, generating, protecting, distributing, assigning, installing, tracking, validating and using keys. Also, updating, revoking, destroying, storing, and archiving keys as well as providing some means of Backup/Restore.
Objective:
- To enable the controlled encryption and decryption of Data
Requirements:
- To support multiple key exchange protocols without loss of interoperability
  - One key to one or to many piece(s) of Governed Content
  - One key to one or to many Users
  - One key to one or to many Devices
- To support identification of authorised key management systems
- Technology to protect keys
- For any piece of Content used within Composite Content, it shall be possible to choose not to encrypt that piece of Content, and it shall also be possible to encrypt that piece of Content using individual keys.
- The ability to support superdistribution of Governed Content when each instance of such Governed Content is encrypted with a different key.
- The Solution should lend itself easily to key management implementations that do not interfere with an enjoyable User experience.
- Key management solutions should not be completely destroyed by a single failure and, if defeated, should have adequate recovery plans in place to restore key management security.
Benefits: To enable Users to employ a wide variety of key management systems in an interoperable fashion.
Definition: Procedure to manage a set of Devices such that only those Devices can Use the same Governed Content
Objective: To enable groups of Devices and/or Users (e.g. belonging to a family) to Use the same Governed Content on any of the Devices in the group
Requirements:
- Setting up a Domain, including the ability to distribute Rights Expressions that can only be used by Devices in the Domain
- Joining a Domain
- Authorising entry to a Domain
- Leaving a Domain
- Directing to leave a Domain, including the ability to exclude a Device so that it cannot process Rights Expressions associated with the Domain after the time of exclusion
- Users with an authorised entitlement shall be able to fully control Domain membership and Content distribution.
- Users without an authorised entitlement shall not be able to obtain confidential information related to the Domain
- A Domain shall be configurable to permit a variety of distribution options between Devices belonging to the Domain, e.g. superdistribution of Content and Composite Content to Devices belonging to a sub-Domain within the Domain (e.g. specialized interest groups).
Benefits: Enables content distribution to be both very wide and very specific, supporting many possible business models.
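As an added example (not DMP's own design), the Python model below implements the Domain operations listed above: join requests that only an entitled User may authorise, voluntary leaving, directed exclusion that takes effect at a recorded time, member lists withheld from users without the entitlement, and a Domain-bound Rights Expression that only current members can process. The clock is an integer from an assumed secure clock, and all identifiers are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Membership:
    joined_at: int                      # seconds read from the Device's secure clock
    excluded_at: Optional[int] = None   # set when the Device leaves or is excluded

@dataclass
class Domain:
    domain_id: str
    admins: frozenset[str]                                  # Users holding the authorised entitlement
    members: dict[str, Membership] = field(default_factory=dict)
    pending: set[str] = field(default_factory=set)          # join requests awaiting authorisation

    def request_join(self, device_id: str) -> None:
        self.pending.add(device_id)

    def authorise(self, admin: str, device_id: str, now: int) -> None:
        """Authorising entry: only an entitled User may admit a Device to the Domain."""
        self._require_entitlement(admin)
        if device_id not in self.pending:
            raise ValueError("no join request from " + device_id)
        self.pending.discard(device_id)
        self.members[device_id] = Membership(joined_at=now)

    def leave(self, device_id: str, now: int) -> None:
        """Leaving: departure initiated by the Device itself."""
        self._end_membership(device_id, now)

    def exclude(self, admin: str, device_id: str, now: int) -> None:
        """Directing to leave: from `now` on the Device cannot process Domain Rights Expressions."""
        self._require_entitlement(admin)
        self._end_membership(device_id, now)

    def member_list(self, user: str) -> list[str]:
        """Confidential Domain information is disclosed only to entitled Users."""
        self._require_entitlement(user)
        return sorted(self.members)

    def is_member(self, device_id: str, at: int) -> bool:
        m = self.members.get(device_id)
        return (m is not None and m.joined_at <= at
                and (m.excluded_at is None or at < m.excluded_at))

    def _require_entitlement(self, user: str) -> None:
        if user not in self.admins:
            raise PermissionError(user + " lacks the authorised entitlement")

    def _end_membership(self, device_id: str, now: int) -> None:
        m = self.members.get(device_id)
        if m is None or m.excluded_at is not None:
            raise ValueError(device_id + " is not a current member")
        m.excluded_at = now

@dataclass(frozen=True)
class DomainRightsExpression:  # a Rights Expression bound to a Domain, not to one Device
    domain_id: str
    content_id: str

def can_use(domain: Domain, rex: DomainRightsExpression, device_id: str, now: int) -> bool:
    """A Domain-bound Rights Expression is usable only by current members of that Domain."""
    return rex.domain_id == domain.domain_id and domain.is_member(device_id, now)
```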
Definition: The procedure by which a Device can acquire information of the capabilities of another Device
Objective: To determine the capabilities of a Device so that Content suitable for Use on it, or Rights Expressions, can be provided/acquired
Requirements:
- Protocol to ascertain that a device is a Device
- Protocol to determine the Device's Rights Expression interpretation capabilities
- Protocol to determine the Device's Use capabilities
- A Device shall be able to identify another Device before distributing (or refusing to distribute) Content or Rights Expressions to that Device; however, configurations for anonymity and/or confidentiality should be optional
- Content shall include relevant Metadata identifying the characteristics of that Content and the Device capabilities required to process that Content
- A Device shall be able to request and receive information identifying relevant capabilities of another Device before distributing (or refusing to distribute) requested Content or its associated Rights Expression to that Device
- A Device shall be able to request and receive information identifying characteristics of Content before receiving (or refusing to receive) the Content or its Rights Expression
- If a Device has received Content, the Device shall be able to determine whether it is able to process the Content before requesting the Rights Expression associated with it; the same shall apply if a Device has received the Rights Expression but has not received the Content
- The solution shall provide sufficient flexibility to respect Users' wishes for anonymous use and confidentiality of information not necessary for the purpose of discovery of Device capabilities.
Benefits: To enable Users to acquire Governed Content that matches their Devices’ capabilities.
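The exchange these requirements describe, as an added example that is not part of the DMP document: a sender asks the other device to prove it is a Device and state its capabilities, decides from that reply alone whether to hand over the Content, and the receiver re-checks the Content's Metadata before requesting the Rights Expression. The certification registry, message types, capability names and the "REL-1" language label are all constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed stand-in for Device certification (a real Device would prove it with a
# certificate); it answers the first Requirement above: "is this device a Device?".
CERTIFIED_DEVICES = frozenset({"device:pav-1", "device:pav-2"})

@dataclass(frozen=True)
class ContentMetadata:  # what a piece of Content says about the capabilities it needs
    content_id: str
    resource_types: frozenset[str]   # e.g. "audio", "video", "executable"
    rel_version: str                 # Rights Expression language version (assumed label)
    needs_streaming: bool = False

@dataclass(frozen=True)
class DeviceCapabilities:
    device_id: str
    resource_types: frozenset[str]
    rel_versions: frozenset[str]     # Rights Expression interpretation capabilities
    streaming: bool

def can_process(content: ContentMetadata, caps: DeviceCapabilities) -> bool:
    """The same check a sender runs before distributing and a receiver runs after receiving."""
    return (content.resource_types <= caps.resource_types
            and content.rel_version in caps.rel_versions
            and (caps.streaming or not content.needs_streaming))

def discovery_exchange(content: ContentMetadata, receiver: DeviceCapabilities,
                       anonymous: bool = False) -> tuple[list, bool]:
    """Simulate both sides; returns the message transcript and whether Content was handed over."""
    log = []
    # 1. The sender asks the other device to identify itself and state its capabilities.
    log.append(("sender->receiver", {"type": "CapabilityRequest", "content": content.content_id}))
    # 2. The receiver answers. With anonymity configured it withholds its identifier but
    #    still has to show that it is a Device (here: presence in the constructed registry).
    reply = {"type": "CapabilityResponse",
             "is_device": receiver.device_id in CERTIFIED_DEVICES,
             "device_id": None if anonymous else receiver.device_id,
             "resource_types": sorted(receiver.resource_types),
             "rel_versions": sorted(receiver.rel_versions), "streaming": receiver.streaming}
    log.append(("receiver->sender", reply))
    # 3. The sender decides from the reply alone: refuse non-Devices and Devices that
    #    cannot process the Content or interpret its Rights Expression.
    if not reply["is_device"]:
        log.append(("sender->receiver", {"type": "Refuse", "reason": "not a Device"}))
        return log, False
    claimed = DeviceCapabilities(reply["device_id"] or "anonymous", frozenset(reply["resource_types"]),
                                 frozenset(reply["rel_versions"]), reply["streaming"])
    if not can_process(content, claimed):
        log.append(("sender->receiver", {"type": "Refuse", "reason": "cannot process Content"}))
        return log, False
    log.append(("sender->receiver", {"type": "Content", "metadata": content}))
    # 4. Having received the Content, the receiver checks the Metadata itself before it
    #    asks for the associated Rights Expression.
    if not can_process(content, receiver):
        return log, False
    log.append(("receiver->sender", {"type": "RightsExpressionRequest", "content": content.content_id}))
    return log, True
```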
Definition: Protocols that allow User A to negotiate the way User B will utilise acquired User and Use Data of User A
Objective: To let two Users determine how the information acquired during their interaction can be further utilised
Requirements:
- Mechanism for protection of Use Data
- Ability to decide the utilisation of Use Data
Benefits:
Allows User confidence that their privacy will be protected, simultaneously allowing Providers to gain knowledge from User and Use Data to the extent this is agreed.
Definition: Methods used to hide portions or totality of Content Data Elements.
Objective: To prevent a user from using Content Data
Requirements:
- Suitably flexible for a wide variety of Content Data
- Efficiently implementable on a wide range of Devices
- Based on Encryption Algorithms that are:
  - publicly disclosed
  - subject to constant scrutiny and evaluation by the worldwide cryptographic community
  - supporting stream and bulk ciphers
  - considered as secure
  - in broad use
- The appropriate consideration of export restrictions.
Benefits:
- To protect Content and Rights Expressions from being read by unintended Users
The PAV Device needs to perform a number of functions on Content. Clearly the Device needs to be able to transfer the Content for external rendering. Functions are provided to distribute Content to other Devices. There are separately defined functions for creating backup copies of Content and for transferring content to/from non-DMP DRM devices.
Definition: The Function by which a piece of Governed Content can be transferred to another Device, leaving the original (Copy) and deleting the original (Move). See DMP0147 for precise definition.
Grouped together as a higher-level Function, the "Copy/Move" function accomplishes the transfer of a piece of Governed Content between Devices, either leaving the original in place ("Copy") or deleting the original ("Move").
Objective: To enable more use of the same piece of Governed Content.
Requirements:
- A protocol to communicate with another Device to accomplish the function required by the definitions of Copy/Move, including the point-to-multipoint case
- The protocol should lend itself to secure implementations
- The protocol should lend itself to efficient implementations on a wide variety of devices.
Benefits:
- Allow controlled Copy and Move of Content.
Definition: The Function by which a Device can store a copy of a piece of Content or Governed Content (in case the Rights Expression is a Stateless Rights Expression) in a device where the (Governed) Content is not for Use, e.g. for the purpose of later restoring the (Governed) Content. See DMP0147 for precise definition.
Objective: To be able to back up and restore Content to and from an external device
Requirements:
- There are no identified requirements.
Benefits:
To be able to make room for Governed Content in a Device without permanently losing the Governed Content that is removed from the Device.
Definition: The Function by which a Device makes available a piece of Governed Content for use by a non-DMP DRM system.
Objective: To enable use of a piece of Governed Content outside of an Environment.
Requirements:
- A protocol to communicate with a non-DMP DRM system. This includes, as a minimum, a means to identify non-DMP DRM systems
Benefits:
A Rights Holder has the ability to extend the range of use of their Content to other governed environments.
Definition: The Function by which a Device accesses a piece of content governed by a non-DMP DRM system.
Objective: To enable Use of a piece of governed content by a Device.
Requirements:
- A protocol to communicate with a non-DMP DRM system. This includes, as a minimum, a means to identify non-DMP DRM systems
Benefits:
Enables Environments to be populated with governed content from sources outside of DMP.
Definition: The temporary transmission of content during playback/access to an external device for rendering.
Objective: To Render Resources securely.
Requirements:
- A protocol to communicate with the external rendering device. This includes, as a minimum, a means to identify external rendering devices
- Ability to work with standards already in development for the networked home.
Benefits: Interferes with capture of the rendered bitstream.
Definition: Providing Use, User, Device and Governed Content information to a payment system external to an Environment
Objective: To enable flexible payment systems such as subscription, pre-payment or transaction-based payment by a single Device, a Domain or a User.
Requirements:
- The ability to support multiple payment methods and mechanisms
Benefits: Automated payment
At this stage DMP has not yet developed requirements for PAV Device conformance. This section identifies three areas where DMP may later issue a Call for Proposals and proponents are encouraged to contribute to these issues in their responses.
Definition: Verifying that a Rights Expression is interpreted and provides the output as intended by the originator of the Rights Expression
Objective: To verify Conformance of the engine interpreting the Rights Expressions
Requirements: Proponents are asked to provide their views on this issue
Benefits: It is essential for a Rights Holder that a Device will interpret Rights Expressions correctly.
Definition: Verifying that the Functions corresponding to the output are executed as intended
Objective: To verify Conformance of the engine executing the Rights Expressions
Requirements: Proponents are asked to provide their views on this issue
Benefits: It is essential for a Rights Holder that a Device will correctly execute the interpreted Rights Expressions.
Definition: Defining the levels of tamper resistance and the methods to be used when an implementation is put under test for tamper resistance to determine such levels
Objective: To verify the robustness of a Device to attacks
Requirements: Proponents are asked to provide their views on this issue
Benefits: It is essential for a Rights Holder that a Device is implemented in a way that makes it difficult for an attacker to tamper with it.