Compliance And Robustness
   HOME

TheInfoList



Click Here for Items Related To - Compliance And Robustness
OR:
Compliance And Robustness on:   [Wikipedia]   [Google]   [Amazon]

Compliance and Robustness, sometimes abbreviated as C&R, refers to the legal structure or regime underlying a Digital Rights Management (DRM) system. In many cases, the C&R regime for a given DRM is provided by the same company that sells the DRM solution. For example, RealNetworks Helix or
Microsoft Microsoft Corporation is an American multinational technology corporation producing computer software, consumer electronics, personal computers, and related services headquartered at the Microsoft Redmond campus located in Redmond, Washin ...
Windows Media DRM Windows Media DRM or WMDRM, is a Digital Rights Management service for the Windows Media platform. It is designed to provide delivery of audio or video content over an IP network to a PC or other playback device in such a way that the distributor ca ...
. However, for standardised DRM systems, it is fairly common for a separate body to be established to run the C&R regime.


Elements


C&R Body

The legal entity that establishes and maintains the regime. Usually this will be a
joint venture A joint venture (JV) is a business entity created by two or more parties, generally characterized by shared ownership, shared returns and economic risk, risks, and shared governance. Companies typically pursue joint ventures for one of four rea ...
or forum with representation from multiple companies, structured in such as way as to avoid accusations of antitrust violations. The nature of the business is that such bodies will generally be composed of manufacturers and content owners, with little or no direct representation from consumer advocates.


Trust Model

The C&R body is responsible for ensuring a chain of trust, such that the original content provider is sufficiently satisfied that their content will remain adequately secure throughout all future links in the chain. This may include export of content from one DRM system to another. To meet this requirement, it is normal that any device planning to receive DRMed content is required to validate that it meets the C&R requirements, and this is usually done using a device certificate of some kind. The issuance of such certificates is the stamp of approval for both the manufacturer and the device. If two devices can verify that they both have trusted certificates, they can then reasonably expect that content passed between them will remain secure.


Compliance Rules

In many cases there will be gaps, ambiguities or options left open in a DRM technical specification. The C&R regime must clarify exactly how a compliant device is to behave in these cases. For example, a compliance rule may define which other types of interfaces are acceptable on a device, something that the technical specification itself will never do.


Robustness Rules

The most controversial aspect of C&R is the agreement on how to ensure that a device is sufficiently robust at resisting attacks. These rules may require that certain elements are implemented only in hardware, or run on secure CPUs, or that the code must not be available as open source. Manufacturers then have to satisfy the C&R body that they meet this requirement before they are granted access to the certificates needed to establish their products as trusted.


"Hook IP"

One particular trick that is often used is to include some
patent A patent is a type of intellectual property that gives its owner the legal right to exclude others from making, using, or selling an invention for a limited period of time in exchange for publishing an enabling disclosure of the invention."A ...
ed technology, often as part of the trust establishment mechanism. This means that anyone wanting to implement the DRM in a way that will work with others is forced to license these patents. A condition of obtaining such a license is to follow the rules of the C&R regime itself. Thus a C&R body has a 20-year window to pursue legal measures against a "rogue" implementation on the grounds of patent violation, rather than having to rely on a
DMCA The Digital Millennium Copyright Act (DMCA) is a 1998 United States copyright law that implements two 1996 treaties of the World Intellectual Property Organization (WIPO). It criminalizes production and dissemination of technology, devices, or ...
-style regulation provided by the relevant government. The need to license hook IP patents also impacts anyone thinking of building a product covered by the
GPL The GNU General Public License (GNU GPL or simply GPL) is a series of widely used free software licenses that guarantee end users the four freedoms to run, study, share, and modify the software. The license was the first copyleft for general u ...
. One well-known example of a system employing such Hook IP is the DVB Common Scrambling Algorithm DVB-CSA, which though standardised by ETSI, includes patented elements that are only licensed to approved Conditional access systems vendors who agree to maintain the secrecy and integrity of the algorithm in their chip designs.


Examples

*
OMA DRM OMA DRM is a digital rights management (DRM) system invented by the Open Mobile Alliance, whose members represent mobile phone manufacturers (e.g. Nokia, LG, Motorola, Samsung, Sony-Ericsson, BenQ-Siemens), mobile system manufacturers (e.g. Er ...
is governed by th
CMLA
C&R regime *
DTCP-IP Digital Transmission Content Protection (DTCP) is a digital rights management (DRM) technology that restricts digital home technologies including DVD players and televisions by encrypting interconnections between devices. This permits the distribut ...
is governed by th
DTLA
C&R regime


References

{{Reflist Intellectual property law Digital rights management