This journal has not been one to withhold words over the lack of security key management in the DCI specification. While Fox deserves praise for putting the Facility List Message (FLM) concept to work, no effort has been made at the standards level to better facilitate the transmission of Key Delivery Messages (KDMs) to sites.
Standards are necessary when a single solution is sought that can be scaled across multiple implementations. But a standardized solution must address a number of moving parts. For example, one of the toughest elements that continues to elude definition is the concept of site identifiers. Agreement on a common set of site identifiers could take years to resolve.
Timing is also an issue. When the DCI specification was first released, a standardized key management solution would have shaped every product to come. But now that the industry has reached a substantial number of installations, it is reasonable to doubt that a shiny new solution would get traction. Given the digital cinema industry’s poor track record for implementing SMPTE standards, it may be a better idea to pursue a different approach. Taking a tip from Apple, it might be a smarter to encourage the development of complete, proprietary ecosystems, each with its own security key management system. Instead of emailing KDMs to over 10,000 sites, simply upload the KDMs to a handful of cloud servers, and let each ecosystem figure out where the keys are supposed to land.
To a large extent, the makers of theatre management systems (TMS) have already made moves into this territory. Deployment entities use their TMS and central management systems to track equipment inventory, and some already handle the delivery of KDMs. A key delivery ecosystem provides a holistic approach. KDMs are uploaded to a cloud server. The server looks inside the KDM, learns the public certificate for which it is intended, and drops the KDM at the site where with the public cert resides. It doesn’t need standards to do this. The means by which the system operates is defined within the proprietary boundaries of the ecosystem.
What’s missing is the socialization and marketing of the ecosystem approach. Studios are unlikely to socialize any solution that they’re not a direct participant of, and solution providers like to talk about such features quietly, so as to use it to differentiate themselves from competitors. But if there is no appetite for standards, then proprietary ecosystems make the most sense.