Requirements for DRM in HTML5 are a secret




That's what I love about web technologies, the secrecy.


What is meant by Standardized DRM is an oxymoron ? I understand this for older technologies, like "shift each line according to this sequence : 1 5 7 42 9 0 2", but what if your machine is connected to the internet ?
Surely one could write "the dvd player has to call this ip, send this UID encrypted with the studio's public key, and receive that" ?

Oh, but then you could send a UID that is always accepted instead of the actual one, or spoof the server's answer, I guess ^^


Assuming the standards will be shared with Google, Mozilla, MicroSoft and Apple, does that mean that others aren't allowed to write web browsers anymore? I mean, obviously I can code my own browser, but I can't make it compliant with their standard because I can't know what it is.

And do they seriously think that if they share the standards with the makers of the most popular web browsers so they can be implemented, that no one is going to leak them to the public? It's only a matter of time.

Finally, does anyone behind this understand that there is a cable coming out of my computer that goes to a monitor that could instead go to a video recording device? That there are cables that instead of going to speakers could go to an audio recording device? Are they going to put DRM in copper wire? (I'm sure they're working on it)


They are certainly doing their best:


Wild weird stuff there - especially after the recent post about laws needing to be public.

Secret web standards is just the oddest idea I've heard this week. I really see this going badly for everyone - everywhere.


Yeah, I'm sure they are. But I've had it explained to me by people who know better that if I have my hands on the hardware then true security is impossible. Intel can do whatever they want inside the cable but every monitor in the world has to be able to take that signal and turn it into video. If I buy any monitor in the world I have purchased a piece of hardware that has what I need to get around their security - that knows how to say, "Sure, you are sending information to a monitor, it's safe to send me the video!" I mean, I can't actually do it, but I know people who surely can, and a lot of people who don't know the first thing about DRM know me.

(And now on to hyperbolic ranting about how the W3C decision can be likened to murder)

This just drives me insane. They try to scare us into not buying pirated DVDs because the money fund terrorist organizations. If that's true, then somehow they've actually turned movies into the war on drugs. Are bodies piling up in a foreign nation because people want to watch North American movies in North America?

And even if terrorist groups were not selling pirated DVDs for cash I'm sure the recording industry gave them the idea by claiming that they were doing it. The world has so many people who would be happy to sell DVDs and drugs and who really don't want to kill anybody. Somehow governments and standards bodies pass rules that ensure that only those who have an interest in murdering people can make profit off of certain segments of the economy.


"It's your computer. Whatever steps the browser takes to obscure how it is playing the video back can be unpicked by you, at your leisure, so you can make a tool that gets around it."

We have ways of solving that problem.


It's probably more accurate to say that 'standardized DRM that doesn't exert control over implementors is an oxymoron'.

There are some in-house DRM schemes (Apple's 'fairplay' and Amazon's 'I don't think it actually has a name, so I'll just call it "451"', kept proprietary largely for ecosystem lock-in); but there are plenty of 'standardized' DRM schemes, CSS, AACS, Cablecard/Common Interface conditional access modules, etc.

However, all such schemes employ legal means (so-called 'hook IP' which must be licensed, use of DMCA-style law, both, or other) to control who implements the standard, mandate that they include all crippling and control features the standard provides for, and usually have one or more cartel organizations that hand out cryptographic blessings to conforming implementations.

As you say, the seriously retro 'DRM through obfuscation' schemes cannot be documented if they are to work; but strong crypto changed all that. You could have an OSS implementation of a crypto scheme if you wanted, so long as the root of control was in who signs the binaries. Sure, anybody could stub out the restrictions and compile a de-crippled version; but they couldn't get it signed...


People will still be able to record DRM-hobbled video stuff. There's CamStudio and Jing for starters.


So you return the signature of the original program when asked. IIRC, a similar trick was used on some IM client.

If signatures are needed to run, you just compile that bit out too. There needs to be something non-OSS in the chain for it to work.


The reply from the Netflix dude is reasonable in isolation, in that of course studios will never reveal their private requirements. The EME will have an "open spec", but it will be open in the same way that Dual_EC_DRBG is an open spec.

And still, no one will explain why this belongs in a W3C spec. Why couldn't the studios have gone with ECMA? It's pretty much the entire purpose of that standards body, to standardize what everyone except one or a handful of commercial interests can't standardize, won't standardize, or don't care to standardize. They had to have the imprimatur of the W3C (and in the process utterly discredit an organization which helps bring together the thing that makes their distribution methods obsolete).


The pragmatic (but nasty and underhanded) approach the W3C took was to standardize the interface to the so-called 'Content decryption module' (Just don't call it a plugin! Plugins are filthy and Not HTML5, but CDMs are A-OK!). The interface itself is pretty trivial, and fully open, and doesn't have any control over the actual DRM process.

So, anyone who wants can add CDM interface support quite easily, no threat to OSS at all! But, if the CDM that a site wants isn't available? To bad, so sad. And it says, explicitly, that 'CDM may use or defer to platform capabilities'(so 'standard' support that only works on browsers running in Windows with WMDRM available, or browsers running on iDevices with fairplay available, or Roku boxes with hardware-locked DRM of some kind, all doable). Further 'CDM implementations may return decrypted frames or render them directly': this means, in practice, that the area in the browser window occupied by a DRMed video may be (and likely will be, since handing unencrypted frames back to an untrusted browser would be idiotic), 100% under the control of the CDM, from decryption to framebuffer to monitor. In principle, one could even abuse this to implement arbitrary plugin-like capabilities within the CDM: you've got a bidirectional data-transfer channel, and you've got arbitrary control over an area of screen, and you've got a binary black-box running whatever code you want, so re-implementing Flash, Java, Emacs Lisp, or anything else as a 'CDM' rather than a 'plugin' would be 100% doable. Ugly, outside the spirit of the standard; but totally within the letter of the standard.

You could even implement an entire 'trusted' web browser (say a basic webkit build) inside the CDM, and wrap your entire website in DRM, finally defeating the wicked 'right click' and 'view source' menaces once and for all...


Closed Open Standard... yeah, that's going to work. This is why the corps can never get their technology right. If they try this crap the standard is going to fail and we, the implementers of internet standards, will have to drag them over to something functional and rational kicking and screaming. The corps gumming up the internet is a non-starter.


This is why I use lynx. You kids and your images.


Because by it's nature DRM cannot be standardized, because that would mean giving away the means for anyone to defeat it. At the same time DRM as part of a 'standards' specification is also an oxymoron. This is the snake eating it's own tail.


I just put a video camera in front of my screen. Beat that !


The worst part is that this was the concern that was voiced 15 years ago when DRM percolated into people's minds.. I remember long rants on Slashdot warning that eventually it would collide with the average joe's ability to use their computer and subvert not just our freedoms but open standards.

It's not really a surprise that it happened, but it's extremely unfortunate that anyone was able to prevent such a predictable outcome.

The W3C has revealed itself to be a limp dicked figurehead who's no longer relevant.


Yup all bullshit really, at the end of the day unworkable. Kurt Gödel proved that a long time ago, complexity will only help with leverage.

The real issue here is with those parties that are pushing for this 'sugar'. Really they aren't dissimilar from say the NSA and their efforts to undermine. What those that are pushing for this should be doing is to realise that what they produce isn't actually worth that much, it needs to be cheaper. Funny how those bodies that often view themselves as capitalists and are so quick to protect their business model don't seem to understand the basics of economies of scale.

Get that right and DRM won't be needed in the first place, because people will actually tend to pay for your crap.


My feeling is while that the video camera on a box technology is promising, it needs more development effort before it's ready for prime time.