In digital cinema, a trusted device list is a commercial product and service provided by numerous suppliers of Key Delivery Message (KDM) generation services. A KDM is required to unlock a movie for playout in a cinema. The Trusted Device List (TDL) confirms that the equipment for which the KDM is targeted is authentic and trusted. Maintaining an accurate TDL, therefore, is an important role of KDM service providers. However, common policies do not exist to guide such service providers. This is an important area to address as digital cinema moves towards an equipment replacement cycle.
So as not to confuse those who have studied this technology, there has been an overloading of the term TDL. The DCI specification refers to TDL as a list of authorized equipment in the KDM. The purpose of the list is to marry a server to a projector, for example, by targeting the KDM to the server, and listing the projector as authorized external equipment. Separate the server from the authorized projector, and the KDM will not allow the movie to play. This functionality is well defined in the SMPTE ST430-1 standard for KDM, but the standard names the function AuthorizedDeviceInfo, and not TDL. This was done as the term TDL is commonly used by service providers to refer to the list of authorized equipment, which correlates equipment location information, serial numbers, digital certificate, and forensic mark identifiers, all of which are necessary for generation of a KDM.
The process for managing the TDL has several components. Manufacturers are required by DCI to maintain a database of equipment certificates. Approved products from manufacturers must pass DCI compliance testing. As equipment is produced, each article receives a unique digital certificate, signed by a root certificate of the manufacturer. The manufacturer lists the certificates in its database of approved products. Allowing authorized parties access to the database is an important step towards the establishment of trust across the system.
Service providers that generate KDMs collect equipment serial numbers from exhibitors, associating serial numbers with equipment location. This is the foundation of a TDL. The TDL is completed with information received from the manufacturer’s database. The two-step process just described isn’t necessary if the digital cinema equipment is capable of exposing its digital certificate and forensic mark identifiers, a useful fact for automated population of TDLs.
As equipment is taken out of service, the integrity of the TDL comes into question. It’s easy to validate the authenticity of digital certificates by verifying the root certificate and the accompanying signature chain. But it’s not easy to know if the equipment is no longer in service. KDMs created for such equipment could be a path to unauthorized playback of a movie, and potential piracy. This concern was expressed by several major studios during an industry meeting this month attended by exhibitors and major motion picture distributors.
The integrity of the TDL is not a new subject. In public key cryptography, the usual mechanism for maintaining a TDL is the revocation list. Revocation lists are populated with the serial numbers of digital certificates that are no longer to be trusted. The problem with such lists, however, is that once an equipment’s certificate is placed on a revocation list, the equipment is no longer trusted, and no longer of value. At the onset of digital cinema, there was concern from exhibitors that revocation lists could be used irresponsibly or maliciously to block the legitimate use of digital cinema equipment. Exhibitors should continue to be wary of such lists.
Instead of revocation lists, rules based on equipment usage should be employed to determine if equipment is actually in use. Digital certificates in a TDL that have not been used to generate a KDM in, say, three months, should be retired from the TDL. If put back into service, as could be the case with spare equipment, a call with the exhibitor may be in order to validate an unexpected request for a KDM. A mechanism as simple as this builds on the trust between distributor and exhibitor. Those service providers that generate KDMs may need to enforce such policies as a necessary step in doing business. There may be other ideas to consider, as well. The value of a simple and public policy for managing a TDL would be useful for both distributors and exhibitors. For distributors, it would provide a uniform policy for service providers to meet. For exhibitors, it would provide knowledge of what to expect when taking equipment out of and back into service. A public policy for managing TDLs would be a benefit to all.