Compliance and Robustness
Compliance and Robustness, sometimes abbreviated as C&R, refers to the legal structure or regime underlying a Digital Rights Management (DRM) system. In many cases, the C&R regime for a given DRM is provided by the same company that sells the DRM solution, for example RealNetworks Helix or Microsoft Windows Media DRM. However, for standardised DRM systems, it is fairly common for a separate body to be established to run the C&R regime.
C&R Body
The legal entity that establishes and maintains the regime. Usually this will be a joint venture or forum with representation from multiple companies, structured in such a way as to avoid accusations of antitrust violations. The nature of the business is that such bodies will generally be composed of manufacturers and content owners, with little or no direct representation from consumer advocates.
Trust Model
The C&R body is responsible for ensuring a chain of trust, such that the original content provider is sufficiently satisfied that their content will remain adequately secure throughout all future links in the chain. This may include export of content from one DRM system to another. To meet this requirement, it is normal that any device planning to receive DRMed content is required to validate that it meets the C&R requirements, and this is usually done using a device certificate of some kind. The issuance of such certificates is the stamp of approval for both the manufacturer and the device.
If two devices can verify that they both have trusted certificates, they can then reasonably expect that content passed between them will remain secure.
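The mutual certificate check described above, as an added example in Go that is not part of the original article: a constructed C&R body root issues device certificates, two devices may exchange content only when each one chains to that root, and a self-signed device that never went through the body fails the check. All names and the certificate profile are constructed assumptions; real C&R regimes define their own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func newKey() *ecdsa.PrivateKey {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return k
}

// issue signs a cert for subject with parentKey (self-signed when parent is nil); CertSign in ku marks a CA.
func issue(subject string, ku x509.KeyUsage, key *ecdsa.PrivateKey, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: subject},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: ku, BasicConstraintsValid: true, IsCA: ku&x509.KeyUsageCertSign != 0,
	}
	if parent == nil { // self-signed: the template is its own issuer
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// chainsToBody: does the device cert chain to the C&R body's root? That chain is the body's stamp of approval.
func chainsToBody(root, device *x509.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := device.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}

// mayExchange is the mutual check: content moves only when each side trusts the other.
func mayExchange(root, a, b *x509.Certificate) bool { return chainsToBody(root, a) && chainsToBody(root, b) }

// Scenario: constructed root, two approved devices, one self-signed rogue; which pairings may exchange content?
func Scenario() (approvedPair, roguePair bool) {
	rootKey := newKey()
	root := issue("Example C&R Body Root", x509.KeyUsageCertSign|x509.KeyUsageDigitalSignature, rootKey, nil, nil)
	devA := issue("Approved Player A", x509.KeyUsageDigitalSignature, newKey(), root, rootKey)
	devB := issue("Approved Recorder B", x509.KeyUsageDigitalSignature, newKey(), root, rootKey)
	rogue := issue("Rogue Device", x509.KeyUsageDigitalSignature, newKey(), nil, nil) // never approved by the body
	return mayExchange(root, devA, devB), mayExchange(root, devA, rogue) // true, false
}

func main() { a, r := Scenario(); println("approved pair:", a, "rogue pair:", r) }
```

A real regime would also check revocation and the robustness-relevant attributes carried in the certificate, which this example leaves out.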
Compliance Rules
In many cases there will be gaps, ambiguities or options left open in a DRM technical specification. The C&R regime must clarify exactly how a compliant device is to behave in these cases. For example, a compliance rule may define which other types of interfaces are acceptable on a device, something that the technical specification itself will never do.
Robustness Rules
The most controversial aspect of C&R is the agreement on how to ensure that a device is sufficiently robust at resisting attacks. These rules may require that certain elements are implemented only in hardware, or run on secure CPUs, or that the code must not be available as open source. Manufacturers then have to satisfy the C&R body that they meet this requirement before they are granted access to the certificates needed to establish their products as trusted.
"Hook IP"
One particular trick that is often used is to include some patented technology, often as part of the trust establishment mechanism. This means that anyone wanting to implement the DRM in a way that will work with others is forced to license these patents. A condition of obtaining such a license is to follow the rules of the C&R regime itself. Thus a C&R body has a 20-year window to pursue legal measures against a "rogue" implementation on the grounds of patent violation, rather than having to rely on a DMCA-style regulation provided by the relevant government. The need to license hook IP patents also impacts anyone thinking of building a product covered by the GPL.
One well-known example of a system employing such Hook IP is the DVB Common Scrambling Algorithm (DVB-CSA), which, though standardised by ETSI, includes secret patented elements that are only licensed to approved conditional access systems vendors who agree to maintain the secrecy and integrity of the algorithm in their chip designs.
Examples
- OMA DRM is governed by the CMLA C&R regime
- DTCP-IP is governed by the DTLA C&R regime