When a client encounters encrypted content it requires a content key with which it can decrypt the content. Content keys are delivered to the client via a DRM scheme that ensures secure delivery of the content key to the client to so that the content key can not be intercepted and used to decrypt the content outside of the platform.
The licence service validates that the user is entitled to the content, generates a valid licence response for the required DRM scheme and acts on any restrictions imposed by the Entitlement service for which it may hold responsibility. Where restrictions may be enforced by the DRM scheme, the licence service ensures that the restrictions are applied to the generated licence response.
The licence service is responsible for acting on the following entitlement restrictions
- Must register device
- Must report licence
- Output protection settings (i.e. require HDCP, allow airplay) where applicable
The licence service may ignore restrictions imposed by the Entitlement service for which it does not hold a responsibility. For example, if the Entitlement service requires the client to enforce Concurrency the licence service will take no further action as it is the responsibility of the video player to enforce Concurrency.
The service has the following responsibilities:
- Issuing licences
- Ensuring entitlement has been checked
- Storage of policies resources
- Registering devices
- Reporting licences issued
Protection in client applications
Securely delivering DRM licenses does not ensure that premium content is secured. Once a license is issued the receiver must successfully enforce all of the required restrictions. Therefore, client applications must be trustworthy.
A chain of trust, such that the original media service provider is sufficiently satisfied that their content will remain adequately secure throughout all future links in the chain, must be established. Were applicable this trust should be delegated to an approved DRM provider
To meet this requirement, any device planning to receive restricted content is required to validate that it meets the Compliance & Robustness (C&R) requirements. Were applicable this can be delegated to the DRM provider, partially or in full.
When a DRM provider is involved, it’s (C&R) requirements must be met. Further to this, any restrictions to be enforced outside of the DRM provider must clarify exactly how a compliant device is to behave in these cases. For example, a compliance rule may define how a device should respond if it’s told to enforce a limit on concurrent streams
When a DRM provider is involved, it’s (C&R) requirements must be met. This is the agreement on how to ensure that a device is sufficiently robust at resisting attacks. These rules may require code must not be available as open source or must be obfuscated etc.
Full reference docs are available here.