Once of the challenges of the DCI specification is to insure that products continue to comply over time. Those familiar with the deployment agreements of a certain studio know of the requirement to retest equipment after each software or hardware upgrade. Given that software updates occur frequently, such requests are unreasonable. While the request is founded with reason, it is simply too costly to implement, and has counterproductive impacts. A full DCI test takes weeks to conduct, and costs in the neighborhood of $100K. The effect of a stiff and expensive testing policy would be to stifle bug fixes, and to impede the innovation of new and improved features.
Recognizing the problem, DCI’s members huddled over the issue, and reportedly were all over the map. Some insisted on draconian testing, some did not see a need for any retesting at all. Smoke came out the chimney late this month with the release of version 2.0 of its Compliance Text Plan Addendum. The latest Addendum adds a new section 6, which for the first time introduces their policy for retesting.
The new retesting requirements appear to be straightforward. If a change of any kind is made to a secure media block (SPB Type 1 in DCI security parlance), it must be submitted to a FIPS 140 testing laboratory for evaluation. The extent to which it may require FIPS re-testing is the determination of the testing laboratory. To a fair extent, this policy is already in place. Companies submit to the FIPS testing lab the changes made to tested devices, and a design review determines if a retest is required. Not all changes require retesting.
Also with this revision, DCI institutes the Confidence Retest subset of the Compliance Test Plan. Changes to software or firmware require Confidence Retesting by a licensed DCI testing agency, on a “three-year or four-upgrade cycle.” If no changes are made to a product, then no retesting is required. If up to three changes are made within a 3-year period following the last test date, then a Confidence Retest must be conducted. A Confidence Retest is immediately triggered if four upgrades are conducted within the 3-year period.
The proof of the pudding, so to speak, will be how the Confidence Retest is defined. DCI has still to produce this subset of its Compliance Test Plan (CTP). If the definition leads to a cost effective test, then it’s unlikely to counter resistance. But if only a few tests are held back from the full CTP, there will be those ready to dump gasoline down the chimney.