SMPTE 21DC conducts a study group to learn the impacts on SMPTE standards of the changes in NIST FIPS standards. Luckily for SMPTE, it was recently determined that no impact to its standards will occur for three years.
DCI wishes it were so lucky. In its quest to carry on with its reliance on NIST, it recently hired a NIST expert to advise it of its situation. As any good consultant would do, this one is apparently checking on the meaning of the language used in NIST’s own documents to gain surety of the damage about to be inflicted. But it appears none of DCI’s advisors have a real grasp of the impact that NIST’s changes are about to occur in the business of cinema, and the urgency that this imparts.
The dilemma is that the DCI specification will contradict itself after 31 December, 2010, requiring compliance to FIPS 140-2, as well as SMPTE DCP and security standards. The immediate problem was introduced through changes by NIST to FIPS 140-2 that take effect after 31 December. The most bothersome of the changes requires at least two, if not three, digital certificates in each media block. Current DCI compliance requirements, and the media blocks striving to meet DCI compliance, are designed around a single digital certificate. For most if not all products, the change to multiple certificates requires new hardware. A hardware update across the industry will be expensive and most unwelcome.
If you’re an exhibitor whose system is financed through a VPF plan, the studios will be on the hook to pay. But if you’re a studio, that’s not a fun place to be.
A different problem that the 31 December date poses is that manufacturers of new in-projector media blocks will find that they cannot meet both the revised FIPS 140-2 and the rest of the DCI specification. DCI compliance will go out the window. At such point, any studio that attempts to enforce DCI compliance in equipment can be accused of a restraint of trade.
DCI remains silent about its dilemma. Its only sin was to hinge its specification on a security standard over which it has no control. The independent publication of the original FIPS 140-2 documents on which the DCI specification was based, which are public domain, would do the trick. To not take such an action dooms the industry to changes, now and in the future, that it can neither afford nor control.