Help with DKDM for Berlinale

AndrewMcKee
Posts: 2
Joined: Tue Jan 23, 2018 5:02 pm

Help with DKDM for Berlinale

Post by AndrewMcKee »

Hi All. I'm an Editor and Colourist, but a recent feature I worked on was particularly low budget and the DCP duties for the festival circuit fell to me. I've just about managed to figure everything out, even creating KDMs, and thankfully it's paid off for the film and it's won some big UK awards. Now, however, the film is going to be screened at Berlinale and instead of a KDM they've asked for a DKDM. I understand the concept of it and get why they want one, but going off the manual the only thing I can figure out to do is to create one on my system (which I presume will be of no use to them on their system?). I have two certs from them in the .pem format, but the create DKDM function doesn't seem to offer an option to point to them. The user manual talks about the possibility of needing to send a DKDM to someone else so they can create KDMs as needed but then it doesn't go through how to do that. Is this something I can do with DCP-o-matic? And if so, how?

Thanks in advance. I love the software.

Andrew McKee
andrew-mckee.net
Carsten
Posts: 2804
Joined: Tue Apr 15, 2014 9:11 pm
Location: Germany

Re: Help with DKDM for Berlinale

Post by Carsten »

A DKDM is the same as a KDM, the only difference is that a KDM is targeted at DCI playout servers, while a DKDM is targeted at a mastering system or KDM management system. The reason a festival like Berlinale wants a DKDM is that they want to be able to create KDMs for all festival locations on their own, so they can make sure they work on all systems and festival showtimes even if there are last minute changes to equipment and schedules. They may also want to play the feature on their mastering system for an internal quality check (framing, audio levels, etc). It is pretty normal for Berlinale to want this deep access to content.

The process to create a DKDM for a remote system in DCP-o-matic is the same as for a KDM - they will send you a certificate (generated from their mastering system), in your cinema database you should create a cinema 'Berlinale' and a screen 'Berlinale DKDM', and add this certificate to the screen, then just create a KDM for the feature. This KDM is their DKDM. They probably have a set of information for you. Although their system probably does not evaluate the timeframe of the DKDM, you should probably create a timeframe from now until a week after Berlinale, or e.g. until the end of February. Choose 'Modified Transitional 1' if they don't tell you otherwise.

The 'Make DKDM' feature in DCP-o-matic is just a simplification so you can create future KDMs easily without the need to store the whole project - it is simply a shortcut to the same process under 'Make KDM', with the assumption that the certificate/screen is always your own DCP-o-matic installation. As a matter of fact, if you go to 'Preferences'->'Certificates/Keys' and export your DCP decryption leaf cert, then create a screen from it and issue a KDM, it is exactly the same as 'Create DKDM'. So you are right, using 'Make DKDM' will not create a useful DKDM for them. Consider 'Make DKDM' as 'Make SelfDKDM'.

In order for this DKDM to work at Berlinale, it is essential that you create the DKDM on the same system/installation that you used to create/encrypt the DCP. If your keys/certs have changed because you reinstalled, switched to another machine, etc. without backing up/restoring your keys and certs, the DKDM will no longer work for this feature. Once you start creating encrypted DCPs, you need to keep your keys and certs as safe as you keep essential personal information like credit card numbers, PINs, etc. DCP-o-matic upgrades will usually not hurt your keys and certs, but you should always have a backup stored.
The good thing is - you can easily verify if that whole process works if you load this encrypted DCP into your own installation of DCP-o-matic (or the new standalone Player in 2.11.x). By itself, DCP-o-matic will not be able to show/play that feature because of the encryption - but if you assign the (self)DKDM you hopefully created, this DKDM will serve as a KDM you can use to play the DCP. If your DOM private key/certs changed, this will not work, because the DKDM will no longer match your installation.

DCP-o-matic main app, DCP-o-matic player, and DCP-o-matic KDM creator always share the same private key/cert set.

If they send you a pair of certs, one is probably their whole chain, and the other just their leaf certificate. DCP-o-matic should be able to use both alternatively, but if in doubt, just use the (smaller) leaf certificate to set up the Berlinale DKDM screen.

- Carsten
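
An added example, not part of the original posts and not DCP-o-matic code: one way to tell which of two received .pem files is the single leaf certificate and which is the chain, and to confirm the leaf also appears in the chain before it is used for the DKDM screen. It only counts and fingerprints PEM blocks and does not parse or validate X.509; the function names are hypothetical and the sample blocks are constructed placeholder bytes, not real certificates.

```python
import base64
import hashlib
import re

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)

def cert_fingerprints(pem_text):
    """Return the SHA-256 hex digest of each certificate block's DER bytes."""
    prints = []
    for body in PEM_CERT.findall(pem_text):
        der = base64.b64decode("".join(body.split()))
        prints.append(hashlib.sha256(der).hexdigest())
    return prints

def classify_pair(pem_a, pem_b):
    """Return (leaf_name, chain_name, leaf_in_chain); names are "a" or "b".

    Raises ValueError unless one text holds exactly one certificate
    and the other holds more than one.
    """
    fa, fb = cert_fingerprints(pem_a), cert_fingerprints(pem_b)
    if len(fa) == 1 and len(fb) > 1:
        leaf, chain, names = fa, fb, ("a", "b")
    elif len(fb) == 1 and len(fa) > 1:
        leaf, chain, names = fb, fa, ("b", "a")
    else:
        raise ValueError(
            f"expected 1 + N certificates, got {len(fa)} and {len(fb)}"
        )
    # Membership test is independent of the order of certs in the chain file.
    return names[0], names[1], leaf[0] in chain

def make_sample_pem(der):
    """Wrap arbitrary bytes in PEM armor (constructed test data only)."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")

# Constructed sample input: placeholder bytes, NOT real X.509 certificates.
LEAF = make_sample_pem(b"constructed-leaf-placeholder" * 4)
CHAIN = (LEAF + make_sample_pem(b"constructed-intermediate" * 4)
         + make_sample_pem(b"constructed-root" * 4))

if __name__ == "__main__":
    print(classify_pair(CHAIN, LEAF))
```

With real files, read each .pem as text and pass the two strings in; a `False` third value means the single certificate is not contained in the chain file and the pair should be queried with the sender.
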
AndrewMcKee
Posts: 2
Joined: Tue Jan 23, 2018 5:02 pm

Re: Help with DKDM for Berlinale

Post by AndrewMcKee »

Thanks so much Carsten. I got why they wanted one, it just hadn't clicked that a DKDM was just a KDM made with the certificate of a KDM management system, rather than with the certificate of a projector. I'll be sure to try the test you mentioned before sending it off. Thanks again.

Andy