Topology DKDM

Manuel Weber

Jun 14, 2015, 11:34:53 PM
to ope...@googlegroups.com
Hi dear people

I'm eager to know the progress of DKDM generation in the open source field.
People say it's overkill to produce KDM as a videopost-service due to the effort.
But more companies are coming up to take that part for payment.

So for me DKDM generation is still interesting.
I work in video post as a 1-man-band orchestra, built my own DCP pipeline with some other features.

Questions:
- I'm unclear about the topology with the certificates:
> My knowledge so far says there is my own cert chain based on an international issuer, with which I encode my DCPs (i.e. using opendcp)
> To generate a DKDM I need the trusted company's own cert as a "target" for which I produce the DKDM.
> Say I used my registered cert to encode the DCP, will the DKDM-generation-application calculate solely on that DCP (say "the folder/XMLs") and the target cert, or are there more components involved?

- Is there news on a DKDM generation application and management for a handful of target certificates?

Thanks for enlightening me!
Have a good week!

Best
Manu

Wolfgang Woehl

Jun 16, 2015, 3:36:40 AM
to ope...@googlegroups.com
In digital cinema there is no central or DCI-sanctioned certificate authority. Everyone is maintaining their own root CAs and issued chains. Trust is built in n-to-n relations.

"Everyone" includes

* Content owners (Fox, Sony)
* Post production facilities (Technicolor, you)
* System manufacturers/vendors (Doremi, Dolby)

The first DKDM you want to generate is targeted at your own leaf, a step closely tied to content authoring. This "master" DKDM lets you store content keys safely and will be used to issue DKDMs/KDMs for other parties.

DKDM/KDM authoring for other parties is not tied to content authoring.

Note that you are not encrypting content "with your own chain" but with the public key contained in your target certificate. That public key is one element of a key pair and you can decrypt only with the private component.

A DKDM/KDM issuer will care about and verify the receiving end’s certificate chain. Crucial in order to establish that they are indeed issuing for the intended target.

A DKDM/KDM receiver will not necessarily care about or verify the issuer’s certificate chain. Until stuff stops working.

Wolfgang
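
The two points in the reply above (the issuer verifies the recipient's chain against roots it has itself chosen to trust, then encrypts to the public key in the recipient's leaf certificate), as an added Ruby sketch that is not code from this thread or from any DCP tool. The certificates, names, the 16-byte sample key and the OAEP padding choice are constructed assumptions, and the output is a bare RSA blob, not a real KDM XML document.

```ruby
require 'openssl'

# Build a constructed certificate; without issuer_cert/issuer_key it is a self-signed root.
def make_cert(cn, key, serial, issuer_cert = nil, issuer_key = nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/O=example.invalid/CN=#{cn}")
  cert.issuer = (issuer_cert || cert).subject
  cert.public_key = key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer_cert || cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
end

# Issuer side: wrap the content key only if the recipient chain ends in a root
# this issuer trusts (there is no central CA to fall back on).
def wrap_for(leaf, intermediates, trusted_roots, content_key)
  store = OpenSSL::X509::Store.new
  trusted_roots.each { |root| store.add_cert(root) }
  return nil unless store.verify(leaf, intermediates)
  leaf.public_key.public_encrypt(content_key, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
end

# Recipient side: only the private key matching the leaf recovers the content key.
def unwrap(private_key, blob)
  private_key.private_decrypt(blob, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
rescue OpenSSL::PKey::PKeyError
  nil
end

def demo
  keys = Hash.new { |h, k| h[k] = OpenSSL::PKey::RSA.new(2048) }
  root  = make_cert('Root', keys[:root], 1, ca: true)
  inter = make_cert('Intermediate', keys[:inter], 2, root, keys[:root], ca: true)
  leaf  = make_cert('Leaf', keys[:leaf], 3, inter, keys[:inter])
  other_root = make_cert('Other Root', keys[:other], 4, ca: true)
  content_key = OpenSSL::Random.random_bytes(16) # constructed sample key
  blob = wrap_for(leaf, [inter], [root], content_key)
  { round_trip: unwrap(keys[:leaf], blob) == content_key,
    wrong_key: unwrap(keys[:inter], blob),
    untrusted_chain: wrap_for(leaf, [inter], [other_root], content_key) }
end

p demo if __FILE__ == $PROGRAM_NAME
```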


Manuel Weber

Oct 5, 2015, 1:13:03 PM
to opendcp
Hi Wolfgang
I hope there were no loose ends after your post, it cleared up quite some questions, thank you very much.

On Tuesday, June 16, 2015 at 09:36:40 UTC+2, Wolfgang Woehl wrote:

> The first DKDM you want to generate is targeted at your own leaf, a step closely tied to content authoring. This "master" DKDM lets you store content keys safely and will be used to issue DKDMs/KDMs for other parties.


concerning my own-leaf DKDM:
atm, I don't know an open source way to use a DKDM as a source for further generation. I keep on searching, though.
(if I knew how to extract the essence/UUID from a DKDM, I could go on with cinemaslides)

Q: is security the only disadvantage to storing UUID and audio/video essence in a database?

ps: huge waves of pleasure/eureka/hallelujah at 4 in the morning, when I finally managed the first zero-error KDM, btw. Thank you so much. I felt like the real Indiana Jones.


best
m

Manuel Weber

Oct 5, 2015, 1:20:53 PM
to opendcp


On Monday, October 5, 2015 at 19:13:03 UTC+2, Manuel Weber wrote:

> atm, I don't know an open source way to use a DKDM as a source for further generation. I keep on searching, though.
> (if I knew how to extract the essence/UUID from a DKDM, I could go on with cinemaslides)


bingo. I think I can quote your own answer here:

Usage: kdm-decrypt.rb [options] <KDM file> <RSA private key file>

        --as-triple                  Output content keys as <key id>:<key type>:<key data> triple to STDOUT

    -h, --help                       Display this screen


 
thank you!