Just a quick question.
When i create DKDM keys for others or others create that for me...
I know DKDM key are actually the same thing as KDM and have the same time validation stucture.
But do they really expire?
I still do not have any DKDM from other that have expired.
But after their extirpation date wont they then work anymore in DoM or does/can DoM ignore the date?
Do DKDM keys expire?
-
- Site Admin
- Posts: 2548
- Joined: Thu Nov 14, 2013 2:53 pm
Re: Do DKDM keys expire?
DoM ignores the date on DKDMs.
-
- Posts: 2804
- Joined: Tue Apr 15, 2014 9:11 pm
- Location: Germany
Re: Do DKDM keys expire?
In principle, DKDMs are just like KDMs, with a timeframe assigned. When issued for a DCI server, that time frame is strictly applied.
As all mastering systems and DKDM management systems are purely software based and not strictly certified or 'security hardened', they may or may not evaluate the time frame of the DKDM. I talked to Carl about this once and he told me that DCP-o-matic currently wouldn't care about timeframes in a DKDM.
Commercial mastering systems may impose limitations. From hearsay, I remember that a commercial movie was no longer available for booking because the DKDM issued for the german distributor or mastering company had expired and thus no new KDMs could be issued using that DKDM.
If studios consider mastering systems to be compliant, they may use DKDM expiration dates as a tool to control distribution of their encrypted masters. So if a local distributor signs a distribution deal for movie x for e.g. 2018 until 2019, the studio may enforce this by issuing a DKDM only for this time period, and only for mastering/KDM management tools that are known to comply with DKDM time frames. I would think that a compliant mastering/KDM management solution will limit the time period of KDMs issued with it to the time frame established in the DKDM.
As DCP-o-matic is open source, any limitation or special handling of DKDMs could easily be changed by compiling your own version. So it makes little sense to apply DKDM time frames within DCP-o-matic. A KDM managment tool will necessarily have access to the raw decryption keys while it creates KDMs. So, if it doesn't comply with time frame limits in the DKDM, it may issue KDMs with new timeframes outside the DKDM scope.
Another aspect of (D)KDMs is that certs also have an expiration date. For most current DCI servers, they expire somewhere between 2024 and 2043 or so.
For a DCP-o-matic cert, see the attached screenshot.
- Carsten
As all mastering systems and DKDM management systems are purely software based and not strictly certified or 'security hardened', they may or may not evaluate the time frame of the DKDM. I talked to Carl about this once and he told me that DCP-o-matic currently wouldn't care about timeframes in a DKDM.
Commercial mastering systems may impose limitations. From hearsay, I remember that a commercial movie was no longer available for booking because the DKDM issued for the german distributor or mastering company had expired and thus no new KDMs could be issued using that DKDM.
If studios consider mastering systems to be compliant, they may use DKDM expiration dates as a tool to control distribution of their encrypted masters. So if a local distributor signs a distribution deal for movie x for e.g. 2018 until 2019, the studio may enforce this by issuing a DKDM only for this time period, and only for mastering/KDM management tools that are known to comply with DKDM time frames. I would think that a compliant mastering/KDM management solution will limit the time period of KDMs issued with it to the time frame established in the DKDM.
As DCP-o-matic is open source, any limitation or special handling of DKDMs could easily be changed by compiling your own version. So it makes little sense to apply DKDM time frames within DCP-o-matic. A KDM managment tool will necessarily have access to the raw decryption keys while it creates KDMs. So, if it doesn't comply with time frame limits in the DKDM, it may issue KDMs with new timeframes outside the DKDM scope.
Another aspect of (D)KDMs is that certs also have an expiration date. For most current DCI servers, they expire somewhere between 2024 and 2043 or so.
For a DCP-o-matic cert, see the attached screenshot.
- Carsten
You do not have the required permissions to view the files attached to this post.
Last edited by Carsten on Sat Feb 24, 2018 1:34 am, edited 1 time in total.
-
- Posts: 81
- Joined: Tue Apr 15, 2014 1:06 am
Re: Do DKDM keys expire?
Thank you for your answers.
Good to know that DoM ignore this
Good to know that DoM ignore this