Delivering encrypted DCP with DKSM and certificate?

[flmmkr]

I need to deliver an encrypted DCP. I've made the DCP and exported the DKDM. As I see it, they also need the certificate key from the config.xml in order to be able to use the DKDM to make KDMs, correct? In the config.xml I see information for multiple DCPs I've made before and there are more than one certificate blocks. How do I know which one is for the DCP I need to deliver now? Also, how do I give that certificate key? Can I just copy the config.xml, then edit it to remove the unwanted information and hand that off to the distributor?

[flmmkr]

I think I figured out that I can export the certificate from the Keys window of the Preferences and give them that. But what do I export? The decryption cert or the signing cert, and exactly which of those?

[Carsten]

The decryption chain, or just the decryption leaf certificate. Both should work. Choose a useful name. What name, doesn't matter. Extension should be .pem.

However - if you encrypted that DCP yourself, your own certificates are useless - you need to request THEIR certificate if they want to play that encrypted DCP. Once you received their certificate, you need to set them up as a screen in your cinema database, add their certificate to it, then issue a KDM for them. Send it away by mail, zipped.

- Carsten

[flmmkr]

The decryption chain, or just the decryption leaf certificate. Both should work. Choose a useful name. What name, doesn't matter. Extension should be .pem.

However - if you encrypted that DCP yourself, your own certificates are useless - you need to request THEIR certificate if they want to play that encrypted DCP. Once you received their certificate, you need to set them up as a screen in your cinema database, add their certificate to it, then issue a KDM for them. Send it away by mail, zipped.

- Carsten

Thank you for replying. Do I also need their certificate if I want them to be able to generate their own KDMs? I'm delivering to a distributor. They just asked for an encrypted DCP. No other info. No request for KDMs for any cinemas.

[Carsten]

https://dcpomatic.com/manual/html/ch09.html

Yes - if they want to create their own KDMs, they need to supply the leaf certificate of their KDM authoring system (like DCP-o-matic KDM Creator) to you. You then create a KDM for them based on that certificate, actually, that KDM then is a DKDM.

A KDM targeted at a DCI playout server allows to play back the feature on that server. A (D)KDM issued towards a mastering/authoring system allows to decrypt/edit a DCP, or to issue new KDMs for it.

If they use DCP-o-matic as well, then yes, in theory they could work with your config.xml - however, that would render all their previous KDMs/encrypted DCPs useless, and, you would grant them limitless access to all your encrypted DCPs and DKDMs. It could be an emergency help, but is not recommended. DKDMs enable distribution of encrypted DCPs on a per-feature level.

- Carsten

[flmmkr]

Thank you for the explanation.