Hi,
I have always hated it when I see a non-encrypted DCP come through the cinemas I own. Here in Australia, its pretty safe but in many other parts of the world it's just straight-out crazy to pass a MASTER copy of a film to random people.
I have spoken to a few small film-makers over the years who have told me stories of cinemas playing their film without permission and keeping any profit made. Or films leaking into the Torrents, obviously via conversion of a DCP.
Due to this, I would like to, as a next project I work on, create a free online portal that uses dcp-o-matic to generate KDMs.
The idea is, ANYONE, no login needed, can register a CPL with DKDM into the website. Once a CPL is registered, anyone who knows the CPL-CTT name or CPL-UUID can simply go to the website. insert the CPL-CTT or CPL-UUID, then certificates or serial numbers of players. And it will spit out KDMs as a zip or Email it to a specific Email address.
The solution will check all target player certs by certifying them to the root certs of the hardware makers. (A little like a web browser works with its Certificate store, ensuring you go to only trusted websites)
This means a film-maker can ensure the DCP can ONLY be used against a trusted hardware DCP player (neoDCP, dcp-o-matic etc will not work)
The content creator or the cinema can make KDMs for the film on need. And the creation of the DCPs can have a NotValidAfter END date to close out the capability.
This would allow even the poorest filmmaker to protect their content.
I would likely also build an extension to my www.d-cine.net protal extending the capabilities. Easier to bring up TDLs for certain locations, edit the exact specifics of a KDM being created etc.
But really, the objective is to make it simply ridiculous to send an unencrypted DCP anywhere anymore.
Now implementation comments.
I have studied the KDM tool in dcp-o-moatic. Currently, I would have to generate a config.xml, cinema.xml, dkdm.xml file to feed into the command like kdm tool. Its a little messy, so if there is an easier way to simply specify everything in one file. Would be better. Or any general comment on implementing such a model.
Thanks,
James
dcp-o-matic used for free KDM service. Comments please.
-
- Posts: 20
- Joined: Mon Oct 14, 2019 3:48 am
- Location: Australia
-
- Site Admin
- Posts: 2548
- Joined: Thu Nov 14, 2013 2:53 pm
Re: dcp-o-matic used for free KDM service. Comments please.
Hi James,
This sounds interesting! I guess this way you can't stop the scenario of a cinema playing some content without permission (assuming they can get hold of the DCP and make themselves a KDM with your service) but at least it would limit the possible "mis-use" to cinema presentation (and not allow rips/torrents). Or do I misunderstand?
Do you have a database of serial numbers/certificates already? Could a filmmaker make a KDM for any cinema given only the serial number of the media block/projector?
As regards the use of dcpomatic2_kdm_cli, I think you should be able to get close to what you want with
without any need for configuration files... does that sound right?
edit: ah except you'd need a config file to contain the decryption key for the DKDMs; alternatively we could add a command-line option to specify that.
Best,
Carl
This sounds interesting! I guess this way you can't stop the scenario of a cinema playing some content without permission (assuming they can get hold of the DCP and make themselves a KDM with your service) but at least it would limit the possible "mis-use" to cinema presentation (and not allow rips/torrents). Or do I misunderstand?
Do you have a database of serial numbers/certificates already? Could a filmmaker make a KDM for any cinema given only the serial number of the media block/projector?
As regards the use of dcpomatic2_kdm_cli, I think you should be able to get close to what you want with
Code: Select all
dcpomatic2_kdm_cli -o the_output_kdm.xml -f now -d "2 weeks" -C projector_cert.pem the_dkdm_for_the_dcp.xml
edit: ah except you'd need a config file to contain the decryption key for the DKDMs; alternatively we could add a command-line option to specify that.
Best,
Carl
-
- Posts: 20
- Joined: Mon Oct 14, 2019 3:48 am
- Location: Australia
Re: dcp-o-matic used for free KDM service. Comments please.
Yes Carl, you basically have the idea.
I could build up on a local cached version of the player certs as it goes along. But maintaining a TDL involves effort. This effort will be left up to the cinema and producer to follow up on any errors in that a supplied KDM is a mismatch as the cinema has supplied the wrong certs or serial numbers for the location.
If the solution became popular I could make a login for the cinema to update the certs, or if they exposed an FLM endpoint, utilise that.
I must admit, I can see this also commoditising the TDL. They are guarded by the vendors who have built them as a key to the kingdom. (Ever wondered why FLM never took off, the incumbents would be disrupted if it did...) I don't agree with that Gatekeeper stance. We have a root certificate trust mechanism here. We should rely on that more. Especially for non-Hollywood films. We don't need to go to those extremes and costs in my opinion.
The KDM tool would need to run as a service out of a docker container, exposing an endpoint where you feed "all" the relevant data.
Upping the security to a level like the Cinecert tool etc, would be another project and probably could not be free as it would involve far more effort to raise the security requirements to that level.
I could build up on a local cached version of the player certs as it goes along. But maintaining a TDL involves effort. This effort will be left up to the cinema and producer to follow up on any errors in that a supplied KDM is a mismatch as the cinema has supplied the wrong certs or serial numbers for the location.
If the solution became popular I could make a login for the cinema to update the certs, or if they exposed an FLM endpoint, utilise that.
I must admit, I can see this also commoditising the TDL. They are guarded by the vendors who have built them as a key to the kingdom. (Ever wondered why FLM never took off, the incumbents would be disrupted if it did...) I don't agree with that Gatekeeper stance. We have a root certificate trust mechanism here. We should rely on that more. Especially for non-Hollywood films. We don't need to go to those extremes and costs in my opinion.
The KDM tool would need to run as a service out of a docker container, exposing an endpoint where you feed "all" the relevant data.
Upping the security to a level like the Cinecert tool etc, would be another project and probably could not be free as it would involve far more effort to raise the security requirements to that level.
-
- Site Admin
- Posts: 2548
- Joined: Thu Nov 14, 2013 2:53 pm
Re: dcp-o-matic used for free KDM service. Comments please.
Sounds good. Let me know if I can help with making the KDM tool into a service.
-
- Posts: 133
- Joined: Wed Oct 04, 2017 4:49 am
Re: dcp-o-matic used for free KDM service. Comments please.
I was once using a KDM generation service for a movie release and whenever the cinemas used to update their server certificate due to a upgrade of the server for whatever reasons (Hardware or Software), there used to be a automatic trigger to generate the KDMs for the new certificate without any manual involvement. I guess they had some way of receiving server updates automatically and checking if a previously rendered KDM would render useless as a result of that upgrade and generate the new KDM whenever that situation arises.
-
- Posts: 20
- Joined: Mon Oct 14, 2019 3:48 am
- Location: Australia
Re: dcp-o-matic used for free KDM service. Comments please.
Yes, Guddu, if implementing a full KDM service in combination with the upkeep of a TDL, (Trusted Device list.)
You would keep track of all this in a Database,and if a KDM was allocated to a specific screen, and that screen was updated to point to a new player certificate, it would automatically resend a new KDM pointing at the new player certificate.
When building a kdm type solution, your actually building a database that applied a business agreement of a film against a cinema. and all the screens at that cinema. The system then generates, based on this contractual representation in the database, all the KDMs needed.
You would keep track of all this in a Database,and if a KDM was allocated to a specific screen, and that screen was updated to point to a new player certificate, it would automatically resend a new KDM pointing at the new player certificate.
When building a kdm type solution, your actually building a database that applied a business agreement of a film against a cinema. and all the screens at that cinema. The system then generates, based on this contractual representation in the database, all the KDMs needed.
-
- Posts: 81
- Joined: Tue Apr 15, 2014 1:06 am
Re: dcp-o-matic used for free KDM service. Comments please.
This sounds very promising.
My dream is to be able to give my clients access to some kind of portal that allow the clients to do KDM orders but still only to some already defined cinemas.
For example in my home country I am often the one who are generating the KDMs for the entire country.
At the moment I just get email from the local distributor and he ask me to generate KDMs for some cinemas. And then I do it manually with Dolby CineAsset Pro or EasyDCP KDM creator.
It would be nice if the distributor could do it himself in some online portal but I do want to give somebody else permission to generate KDMs to anything else than a set of cinema database that I have create KDMs to anything else than the existing cinemas. Otherwise anyone could log in and generate DKDM for themselves.
So if the client can’t upload new cert himself then this would be great.
My dream is to be able to give my clients access to some kind of portal that allow the clients to do KDM orders but still only to some already defined cinemas.
For example in my home country I am often the one who are generating the KDMs for the entire country.
At the moment I just get email from the local distributor and he ask me to generate KDMs for some cinemas. And then I do it manually with Dolby CineAsset Pro or EasyDCP KDM creator.
It would be nice if the distributor could do it himself in some online portal but I do want to give somebody else permission to generate KDMs to anything else than a set of cinema database that I have create KDMs to anything else than the existing cinemas. Otherwise anyone could log in and generate DKDM for themselves.
So if the client can’t upload new cert himself then this would be great.