The Digital Media Project

Source: GA03

Date: 2004/07/15

Title: Requirements for PAV Devices

No.: 0146/Osaka

Requirements for PAV Devices

 This document describes the requirements for the technical features of Portable Audio and Video (PAV) Devices. This document should be read in conjunction with the PAV Call for Proposals (CfP) DMP0145 and with the PAV Terminology given in DMP0147. 

1      Information representation

1.1       Identification

1.2       Content structure

1.3       Digital representation of Use Data

1.4       Digital representation of Rights Expressions

2      Establishing trust

2.1       Authentication

2.2       Verification of integrity

2.3       Certification

3      Management

3.1       Key management

3.2       Domain management

3.3       Discovery of Device capabilities

3.4       Managing confidentiality of User and Use Data

4      Encryption technology

5      Processing Content

5.1       Copy/Move

5.2       Backup/Restore

5.3       Export

5.4       Import

5.5       Transferring Content to an external rendering device via a secure transport mechanism

6      Support for payment methods and mechanisms

7      Conformance issues

7.1       Rights Expressions

7.2       Enforcing Rights Expressions

7.3       Tamper resistance

1          Information representation

These are the basic technologies required for the implementation of a DMP Device. They cover the identification of data, users, devices and resource formats; the representation of content, rights expressions and use data; the underlying encryption technology and management of confidentiality of use data; and the support for payment mechanisms. These basic technologies are built upon in later sections to flesh out the requirements for the DMP Device.

1.1        Identification

This subsection refers to means of identification of Data, Users, Devices, Content formats and device capabilities and, where relevant, the development of classification schemes.

1.1.1        Data identification

Definition: The means to uniquely and unambiguously identify a piece of

o       Content Data

o       Content Data Element

o       Use Data

        and to refer to that identification.

Objective: To support the association of Resources, Metadata, Rights Expressions, Licenses and/or Use Data with a piece of Data that may be remote from such Resources, Metadata, Rights Expressions, Licenses and/or the Function that generated the Use Data.

Requirements:

        Unambiguous identification of a piece of Content Data and Content Data Element

        Unambiguous identification of Use Data

        Ability to work in conjunction with multiple, existing industry schemes for Content Data identification.

        Ability to extend the total number of identifiers that can be assigned in such a manner that previously assigned identifiers do not become obsolete.

Benefits:

        Flexible distribution schemes where different Content Data Elements may be supplied from different sources.

        A given Content Data Element may be applied to a multiplicity of other Content Data Elements without duplication.

        Fine granularity of Rights Expressions.

1.1.2        User identification

Definition: The means to identify the device that represents the (human, corporate etc.) User in a particular instance of Use

Objective: To enable

        Content Access and Use of Content and Services

        Payment systems to operate

Requirements:

        Being usable for the purpose of User authentication

        Ability to accommodate a variety of models for human interaction with Devices e.g.:

o       Allow a single User to use multiple Devices,

o       Allow multiple Users to share a single Device,

o       Allow the use of a confidential identity,

        Ability to extend the total number of identifiers that can be assigned in such a manner that previously assigned identifiers do not become obsolete.

Benefits: Depending on a given Device's design, allows one User to employ multiple Devices or allows multiple Users to use a single Device. Also useful in disaster recovery scenarios where a Device or storage medium is destroyed.

1.1.3        Device identification

Definition: The means to identify the Device employed in a particular instance of Use

Objective:

        To support the association of a piece of Governed Content with a Device

        To support Trust management

Requirements:

        Compatible with administration of Domain models for Use.

        Ability to work in conjunction with existing industry schemes to administer customer/device-specific uses.

        Ability to extend the total number of identifiers that can be assigned in such a manner that previously assigned identifiers do not become obsolete.

Benefits:

        Allows reliable administration of Device-based Uses.

        Compatible with succession strategies in cases where a Device is destroyed or otherwise replaced, or else used only for a period of time after which a different Device will be used.

1.1.4        Content format and device capability identification

Definition: Identification of Content formats and Device handling capabilities

Objective: To provide the means to identify Content formats and device handling capabilities

Requirements:

        How to identify Content formats

        How to identify Device capabilities, e.g. capability to process certain Resource types; certain Rights Expressions etc.

Benefits: The ability to acquire Content that is suitable for the Device

1.2        Content structure

Definition: The means to organize and associate Content Data and Content Data Elements including Resources, Metadata, Rights Expressions and Licenses.

Objective: Provide for the ability to group any of the following components: Resources, Metadata, Rights Expressions and Licenses

Requirements:

        Persistent Association of Identifiers and Metadata to Resources

        Ability to include encrypted and unencrypted Data

        Ability to apply Rights Expressions to Composite Content components

        Ability to Use Content Data Elements from Governed Content

        Ability to associate Composite Content Elements stored at locations remote from each other

        Ability to support association of Composite Content Elements

        Ability to support Element unavailability, both temporary and permanent.

Benefits:

        Different Uses of the same Content (e.g. Resource selection)

        Executing sets of Functions on Content that serve for orientation, navigation and judgement (e.g. searching/filtering content)

1.3        Digital representation of Use Data

Definition: A format representing how the Use of a piece of Governed Content has actually taken place in a Device

Objective: To enable further digital processing of Use Data

Requirements:

        Ability to identify Use Data

        Ability to support protection of Use Data

        Ability to convert Use Data to a human readable form

        Ability to represent a wide range of Content Uses e.g. time of Use, Composite Content, Domains, Superdistribution Uses

Benefits: Provides a machine-processable record of Uses.

1.4        Digital representation of Rights Expressions

Definition: Format that is capable of expressing Rights

Objective: To allow conditional use of Content, based on the conditions being satisfied or fulfilled.

Requirements

        The solution shall represent varying subsets of Rights

        The Solution shall represent new Rights when the need occurs

        The Solution shall unambiguously identify

o       the User granting the Right

o       the User, Device or Domains obtaining the Right

o       the piece(s) of Content to which the Rights Expression refers

o       the Right that is granted in such a way that there is no ambiguity in the semantics of the Rights Expression

        The Solution shall support the following Functions:

o       Copy

o       Move

o       Backup/Restore

o       Export

o       Import

o       Transfer to an external rendering device

        The Rights Expression shall support at least the following:

o       To assign one Rights Expression to many pieces of Governed Content

o       To assign many Rights Expressions each referring to a component of a Composite Content

o       To specify Content Uses e.g.

         Period of time (e.g. play as long as the play time is less than the specified period) and based on time/date

        Note: requires access to a secure clock

         User identity-based

         Count based (play up to the specified number of times)

o       To specify Resource Uses e.g.

         Audio

         Video

         Executables (e.g. applet)

o       To allow streaming

o       To process metadata

         Presentation of Metadata

         Presentation of human-readable Cleartext Rights Expression

o       To allow trick modes

Benefits: Potentially allows the full range of human contractual agreements to be embodied in the digital domain, especially including automatic processing of agreements that are stated in sufficiently rigorous forms. 
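The conditions listed above (time/date, period of play time, User identity, count) can be evaluated by a small interpreter that fails closed when the secure clock the note calls for is absent. This is an added example, not DMP's Rights Expression format; the class and field names are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple


@dataclass
class RightsExpression:
    """One Rights Expression; field names are assumptions for this example."""
    grantor: str                               # User granting the Right
    grantee: str                               # User or Device obtaining the Right
    content_id: str                            # piece of Governed Content referred to
    right: str                                 # the Right granted, e.g. "play"
    valid_until: Optional[datetime] = None     # time/date-based condition
    max_play_time: Optional[timedelta] = None  # period-of-time condition
    max_count: Optional[int] = None            # count-based condition


@dataclass
class UseState:
    """Per-expression state a Device must keep (the Use Data of section 1.3)."""
    count: int = 0
    played: timedelta = timedelta(0)


class SecureClock:
    """Stand-in for the secure clock time-based Uses need. A real Device would
    back `trusted` with tamper-resistant hardware; here it is a plain flag."""
    def __init__(self, now: datetime, trusted: bool):
        self._now, self.trusted = now, trusted

    def now(self) -> datetime:
        return self._now


def check(rx: RightsExpression, state: UseState, clock: SecureClock,
          grantee: str, content_id: str, right: str,
          requested: timedelta = timedelta(0)) -> Tuple[bool, str]:
    """Decide whether a requested Use is permitted; returns (allowed, reason)."""
    if (grantee, content_id, right) != (rx.grantee, rx.content_id, rx.right):
        return False, "expression does not cover this grantee, content and right"
    time_based = rx.valid_until is not None or rx.max_play_time is not None
    if time_based and not clock.trusted:
        # Fail closed: a time-based condition cannot be evaluated without a secure clock.
        return False, "time-based condition but no secure clock"
    if rx.valid_until is not None and clock.now() > rx.valid_until:
        return False, "expired"
    if rx.max_play_time is not None and state.played + requested > rx.max_play_time:
        return False, "play time exhausted"
    if rx.max_count is not None and state.count >= rx.max_count:
        return False, "count exhausted"
    return True, "ok"


def use(rx: RightsExpression, state: UseState, clock: SecureClock,
        grantee: str, content_id: str, right: str,
        requested: timedelta = timedelta(0)) -> Tuple[bool, str]:
    """Evaluate the Use and, only if permitted, record it in the state."""
    ok, reason = check(rx, state, clock, grantee, content_id, right, requested)
    if ok:
        state.count += 1
        state.played += requested
    return ok, reason


def demo() -> list:
    """Constructed scenario: two plays allowed within a week, then refused."""
    t0 = datetime(2004, 7, 15, tzinfo=timezone.utc)
    rx = RightsExpression("label", "device-1", "track-42", "play",
                          valid_until=t0 + timedelta(days=7), max_count=2)
    state, clock = UseState(), SecureClock(t0, trusted=True)
    out = [use(rx, state, clock, "device-1", "track-42", "play")[1] for _ in range(3)]
    out.append(check(rx, UseState(), SecureClock(t0, False), "device-1", "track-42", "play")[1])
    late = SecureClock(t0 + timedelta(days=8), True)
    out.append(check(rx, UseState(), late, "device-1", "track-42", "play")[1])
    return out
```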

2          Establishing trust

Without Trust it is impossible to create an Environment that protects the Content and Rights between the various Users in a DMP Environment. This section covers the different aspects of trust needed in a DMP Environment, including authentication and certification of Users and Devices. It also covers the verification of Device software.

2.1        Authentication

2.1.1        Authenticating Users

Definition: The procedure to validate the User identity

Objective: To make sure that Governed Content is Used by the intended User

Requirements:

        Protocol for the authentication of Users

Benefits: To enable Content Uses by identified Users

2.1.2        Authenticating Devices

Definition: The procedure to validate the Device

Objective: To make sure that Governed Content is Used by the intended Device

Requirements:

        Protocol for the authentication of the Device

Benefits: To enable Content Uses on identified Devices

2.2        Verification of integrity

2.2.1        Verification of the integrity of Content, Use Data and Executables

Definition: The procedure to detect corruption or loss of part of the Content, Use Data and Executables

Objective:

        Correct delivery of Content, Use Data and Executables.

Requirements:

        Ability to detect that there is corruption or loss of part of the Content, Use Data and Executables

        Support error recovery in the case where Content, Use Data and Executables is delivered over an imperfect Delivery System.

        Compatibility with data protection and privacy aspects (e.g. to limit the compilation of user profiles by third parties)

Benefits: To provide Content, Use Data and Executables integrity

2.2.2        Verification of the integrity of the Device software

Definition: The procedure to detect corruption of part of the software of a Device

Objective: To support Trust management with a Device that may be remote from a User

Requirements:

        Ability to detect that there is corruption of the Device software

Benefits: the ability to support Trust management with a Device that may be remote from a User

2.3        Certification

2.3.1        Certifying Users

Definition: The issuance of a statement by an authority that the claim by a user to be the User is supported

Objective: To make sure that Governed Content is Used by the intended User

Requirements:

        A mechanism to certify Users

Benefits: To enable Content Uses by certified Users

2.3.2        Certifying Devices

Definition: The issuance of a statement by an authority that the claim by a device to be the Device is supported

Objective: To make sure that Governed Content is Used by the intended Device

Requirements:

        A mechanism to certify Devices

Benefits: To enable Content Uses by certified Devices

3          Management

A number of management processes are needed to support the DMP Environment. In this section we define the management capabilities required to support Keys, Domains, the Discovery of device capabilities and confidentiality of User and Use Data.

3.1        Key management

Definition: Controlling, generating, protecting, distributing, assigning, installing, tracking, validating and using keys. Also, updating, revoking, destroying, storing, and archiving keys as well as providing some means of Backup/Restore.

Objective:

        to enable the controlled encryption and decryption of Data

Requirements:

        To support multiple key exchange protocols without loss of interoperability

o       One key to one or to many piece(s) of Governed Content

o       One key to one or to many Users

o       One key to one or to many Devices

        To support identification of authorised key management systems

        Technology to protect keys

        For any pieces of Content used within Composite Content, it shall be possible to choose not to encrypt that piece of Content and it shall also be possible to encrypt that piece of Content using individual keys.

        The ability to support superdistribution of Governed Content when each instance of such Governed Content is encrypted with a different key.

        The Solution should lend itself easily to key management implementations that do not interfere with an enjoyable User experience.

        Key management solutions should not be completely destroyed by a single failure and if defeated, should have adequate recovery plans in place to restore key management security.

Benefits: To enable Users to employ a wide variety of key management systems in an interoperable fashion.

3.2        Domain management

Definition: Procedure to manage a set of Devices such that only those Devices can Use the same Governed Content

Objective: to enable groups of Devices and/or Users e.g. belonging to a family to Use the same Governed Content on any of the Devices in the group

Requirements:

        Setting up a Domain, including the ability to distribute Rights Expressions that can only be used by Devices in the Domain

        Joining a Domain

        Authorising entry to a Domain

        Leaving a Domain

        Directing to leave a Domain, including the ability to exclude a Device so that it cannot process Rights Expressions associated with the Domain after the time of exclusion

        Users with an authorised entitlement shall be able to fully control Domain membership and Content distribution.

        Users without an authorised entitlement shall not be able to obtain confidential information related to the Domain

        A Domain shall be configurable to permit a variety of distribution options between Devices belonging to the Domain, e.g. superdistribution of Content and Composite Content to Devices belonging to a sub-Domain within the Domain (e.g., specialized interest groups).

Benefits: Enables content distribution to be both very wide and very specific, supporting many possible business models.
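One way to meet the exclusion requirement above, where an excluded Device can no longer process Rights Expressions issued after its exclusion, is to rotate the Domain key on every exclusion and bind each Rights Expression to the key generation. This is an added example, not DMP's Domain protocol; the XOR-based key wrap is a toy stand-in for a real key-wrap algorithm.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple


def wrap_key(device_key: bytes, domain_key: bytes) -> bytes:
    """Toy key wrap for this example: XOR with an HMAC-derived keystream.
    A deployed system would use a standard AEAD or key-wrap algorithm."""
    stream = hmac.new(device_key, b"domain-key-wrap", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(domain_key, stream))


unwrap_key = wrap_key  # XOR wrapping is its own inverse


class Domain:
    """Domain controlled by one authorised User; the key rotates on exclusion."""

    def __init__(self, admin: str):
        self.admin = admin
        self.generation = 0
        self.key = os.urandom(32)
        self.members: Dict[str, bytes] = {}   # device_id -> that Device's own key

    def _authorise(self, requester: str) -> None:
        if requester != self.admin:
            raise PermissionError("only an authorised User may change membership")

    def join(self, requester: str, device_id: str, device_key: bytes) -> Tuple[int, bytes]:
        """Admit a Device and hand it the current key wrapped under its own key."""
        self._authorise(requester)
        self.members[device_id] = device_key
        return self.generation, wrap_key(device_key, self.key)

    def exclude(self, requester: str, device_id: str) -> Dict[str, Tuple[int, bytes]]:
        """Remove a Device, rotate the key and re-wrap it for remaining members."""
        self._authorise(requester)
        self.members.pop(device_id)
        self.generation += 1
        self.key = os.urandom(32)
        return {d: (self.generation, wrap_key(k, self.key)) for d, k in self.members.items()}

    def issue(self, content_id: str) -> dict:
        """Bind a Rights Expression to the current key generation with an HMAC tag."""
        msg = f"{content_id}|{self.generation}".encode()
        return {"content": content_id, "generation": self.generation,
                "tag": hmac.new(self.key, msg, hashlib.sha256).hexdigest()}


def can_process(device_key: bytes, held: Tuple[int, bytes], rx: dict) -> bool:
    """A Device checks a Rights Expression with the Domain key it holds."""
    generation, wrapped = held
    if generation != rx["generation"]:
        return False                     # the held key predates this expression
    key = unwrap_key(device_key, wrapped)
    msg = f"{rx['content']}|{rx['generation']}".encode()
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, rx["tag"])


def demo() -> Tuple[bool, bool, bool]:
    """Constructed scenario: d1 is excluded; d2 keeps working, d1 does not."""
    dom = Domain(admin="alice")
    k1, k2 = os.urandom(32), os.urandom(32)
    held1 = dom.join("alice", "d1", k1)
    dom.join("alice", "d2", k2)
    before = can_process(k1, held1, dom.issue("album-7"))
    rewrapped = dom.exclude("alice", "d1")
    rx = dom.issue("album-7")
    return before, can_process(k1, held1, rx), can_process(k2, rewrapped["d2"], rx)
```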

3.3        Discovery of Device capabilities

Definition: The procedure by which a Device can acquire information of the capabilities of another Device

Objective: To determine the capabilities of a Device so that Content suitable for Use on it, or Rights Expressions, can be provided/acquired

Requirements:

        Protocol to ascertain that a device is a Device

        Protocol to determine the Device’s Rights Expression interpretation capabilities

        Protocol to determine the Device’s Use capabilities

        A Device shall be able to identify another Device before distributing (or refusing to distribute) Content or Rights Expressions to that Device, however configurations for anonymity and/or confidentiality should be optional

        Content shall include relevant Metadata identifying the characteristics of that Content and the Device capabilities required to process that Content

        A Device shall be able to request and receive information identifying relevant capabilities of another Device before distributing (or refusing to distribute) requested Content or its associated Rights Expression to that Device

        A Device shall be able to request and receive information identifying characteristics of Content before receiving (or refusing to receive) the Content or its Rights Expression

        If a Device has received Content, the Device shall be able to determine whether it is able to process the Content before requesting the Rights Expression associated with it; the same shall apply if a Device has received the Rights Expression but has not received the Content

        The solution shall provide sufficient flexibility to respect Users' wishes for anonymous use and confidentiality of information not necessary for the purpose of discovery of Device capabilities.

Benefits: To enable Users to acquire Governed Content that matches their Devices’ capabilities.

3.4        Managing confidentiality of User and Use Data

Definition: Protocols that allow User A to negotiate the way User B will utilise acquired User and Use Data of User A

Objective: To let two Users determine how the information acquired during their interaction can be further utilised

Requirements:

        Mechanism for protection of Use Data

        Ability to decide the utilisation of Use Data

Benefits:

Allows User confidence that their privacy will be protected, simultaneously allowing Providers to gain knowledge from User and Use Data to the extent this is agreed.

4          Encryption technology

Definition: Methods used to hide portions or totality of Content Data Elements.

Objective: To prevent an unintended User from using Content Data

Requirements:

        Suitably flexible for a wide variety of Content Data

        Efficiently implementable on a wide range of Devices

        Based on Encryption Algorithms that are:

o       publicly disclosed

o       subject to constant scrutiny and evaluation by the worldwide cryptographic community

o       supporting stream and bulk ciphers

o       considered as secure

o       in broad use

        The appropriate consideration of export restrictions.

Benefits:

         To protect Content and Rights Expressions from being read by unintended Users

5          Processing Content

The PAV Device needs to perform a number of Functions on Content. Clearly the Device needs to be able to transfer the Content for external rendering. Functions are provided to distribute Content to other Devices. There are separately defined Functions for creating backup copies of Content and for transferring Content to/from non-DMP DRM systems.

5.1        Copy/Move

Definition: The Function by which a piece of Governed Content can be transferred to another Device, leaving the original (Copy) or deleting the original (Move). See DMP0147 for precise definition.

Grouped together as a higher-level Function, the "Copy/Move" function accomplishes the transfer of a piece of Governed Content between Devices, either leaving the original in place ("Copy") or deleting the original ("Move").

Objective: To enable more use of the same piece of Governed Content.

Requirements:

        A protocol to communicate with another Device to accomplish the function required by the definitions of Copy/Move, including the point-to-multipoint case

        The protocol should lend itself to secure implementations

        The protocol should lend itself to efficient implementations on a wide variety of devices.

Benefits:

        Allow controlled Copy and Move of Content.

5.2        Backup/Restore

Definition: The Function by which a Device can store a copy of a piece of Content or Governed Content (in case the Rights Expression is a Stateless Rights Expression) in a device where the (Governed) Content is not for Use, e.g. for the purpose of later restoring the (Governed) Content. See DMP0147 for precise definition.

Objective: to be able to backup/restore Content to an external device

Requirements:

        There are no identified requirements.

Benefits:

To be able to make room for Governed Content in a Device without losing permanently the Governed Content that is removed from the Device.

5.3        Export

Definition: The Function by which a Device makes available a piece of Governed Content for use by a non-DMP DRM system.

Objective: To enable use of a piece of Governed Content outside of an Environment.

Requirements:

        A protocol to communicate with a non-DMP DRM system. This includes, as a minimum, a means to identify non-DMP DRM systems

Benefits:

A Rights Holder has the ability to extend the range of use of their Content to other governed environments.

5.4        Import

Definition: The Function by which a Device accesses a piece of content governed by a non-DMP DRM system.

Objective: To enable Use of a piece of governed content by a Device.

Requirements:

        A protocol to communicate with a non-DMP DRM system. This includes, as a minimum, a means to identify non-DMP DRM systems

Benefits:

Enables Environments to be populated with governed content from sources outside of DMP.

5.5        Transferring Content to an external rendering device via a secure transport mechanism

Definition: The temporary transmission of content during playback/access to an external device for rendering.

Objective: To Render Resources securely.

Requirements:

        A protocol to communicate with the external rendering device. This includes, as a minimum, a means to identify external rendering devices

        Ability to work with standards already in development for the networked home.

Benefits: Interferes with capture of the rendered bitstream.

6          Support for payment methods and mechanisms

Definition: providing Use, User, Device and Governed Content information to a payment system external to an Environment

Objective: To enable flexible payment systems such as subscription, pre-payment or transaction-based payment by a single Device, a Domain or a User.

Requirements:

        The ability to support multiple payment methods and mechanisms

Benefits: Automated payment

 

7          Conformance issues

At this stage DMP has not yet developed requirements for PAV Device conformance. This section identifies three areas where DMP may later issue a Call for Proposals and proponents are encouraged to contribute to these issues in their responses.

7.1        Rights Expressions

Definition: Verifying that a Rights Expression is interpreted and provides the output as intended by the originator of the Rights Expression

Objective: To verify Conformance of the engine interpreting the Rights Expressions

Requirements: Proponents are asked to provide their views on this issue

Benefits: It is essential for a Rights Holder that a Device will interpret correctly Rights Expressions.

7.2        Enforcing Rights Expressions

Definition: Verifying that the Functions corresponding to the output are executed as intended

Objective: To verify Conformance of the engine executing the Rights Expressions

Requirements: Proponents are asked to provide their views on this issue

Benefits: It is essential for a Rights Holder that a Device will correctly execute the interpreted Rights Expressions.

 

7.3        Tamper resistance

Definition: Defining the levels of tamper resistance and the methods to be used when an implementation is put under test for tamper resistance to determine such levels

Objective: To verify the robustness of a Device to attacks

Requirements: Proponents are asked to provide their views on this issue

Benefits: It is essential for a Rights Holder that a Device is implemented in a way that makes it difficult for an attacker to tamper with it.