Is there any way of knowing if, when you're provided with a server certificate, that the KDM produced from it is a KDM or if it is a DKDM? The reason I ask is that I can see that if we're given a certificate for a server from which further KDMs can be made (represented as a single projector server) this may be used as circumvention of the security offered by encryption. I've just been given a certificate which I believe will create a DKDM if I produce a KDM for it and making the key was the same as making any 'normal' KDM. I'm probably not understanding something properly but it was just a thought.
Thanks for great software.
How to tell if the public server certificate is for a KDM or a DKDM
Re: How to tell if the public server certificate is for a KDM or a DKDM
> Is there any way of knowing if, when you're provided with a server certificate, that the KDM produced from it is a KDM or if it is a DKDM?

In a word: no. The only "safety" in a KDM made for a projector is that the decrypting private key is buried inside the projector and in theory not known by anybody.
I think this is why most distribution companies, in my experience, ask for the serial number of your projector rather than the certificate. They get the certificate by looking up the serial number in a (hopefully) secure database provided by the projector manufacturer.
Otherwise, yes, I could call up J. Random Hollywood Distributor and say that the server in Carl's Cinema Screen 1 has been replaced and so here is the new certificate. That could just be DCP-o-matic's decryption cert and then I could decrypt any features they sent me.
Re: How to tell if the public server certificate is for a KDM or a DKDM
I guess that it is possible to tell if the certificate is for a KDM or a DKDM. Not with 100% certainty of course.
On Windows I changed the certificate file extension from .pem to .cer so it could be opened by Windows by double clicking. Studying the properties of the certificate can tell us about its recipient and its issuer.
For example, for Doremi DCP2000 server:
Issuer:
CN=.DC.DOLPHIN.DC2.SMPTE
OU=DC.DOREMILABS.COM
O=DC2.SMPTE.DOREMILABS.COM
Recipient:
CN=LE SPB MD SM.DCP2000-211018.DC.DC2.SMPTE
OU=DC.DOREMILABS.COM
O=DC2.SMPTE.DOREMILABS.COM
For Doremi ShowVault server:
Issuer:
CN=.US1.DCS.DOLPHIN.DC2.SMPTE
OU=DC.DOREMILABS.COM
O=DC2.SMPTE.DOREMILABS.COM
Recipient:
CN=LE SPB MD FM SM.IMB-273822.DC.DOLPHIN.DC2.SMPTE
OU=DC.DOREMILABS.COM
O=DC2.SMPTE.DOREMILABS.COM
For Dolby DSS200 server:
Issuer:
CN=.Cinea.MFGCA.1
OU=MFGCA1.DC256.Cinea.Com
O=DC256.Cinea.Com
Recipient:
CN=SM.Dolby256-CAT862-0007cc8e
OU=DolbyMediaBlock
O=DC256.Cinea.Com
For Christie Integrated Media Block (IMB):
Issuer:
CN=.signer_dcine_christie
OU=Christie Digital Systems
O=ca.christiedigital.com
Recipient:
CN=SM.Christie.IMB-S2.0000000CFD3D
OU=Christie Digital Systems
o=ca.christiedigital.com
That's for every type of server that we have. As we can see, the recipient is quite identifiable.
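Added example (not part of the thread, and not DCP-o-matic code): a small Python triage of the subject and issuer CNs listed in the post above, assuming the SMPTE ST 430-2 naming convention in which role tags precede the first "." of the CN. The role list, function names and the last sample row are assumptions made for illustration. A clean result is only a heuristic, since the CN is just text inside the certificate; the safeguard described in the admin's reply (looking the device up by serial number in the manufacturer's database) is what establishes trust.

```python
# Role tags assumed from SMPTE ST 430-2 (short list for this example only).
KNOWN_ROLES = {"SM", "MD", "FM", "LE", "LD", "SPB", "PR", "CS"}

def parse_cn(cn):
    """Split 'LE SPB MD SM.DCP2000-211018.DC.DC2.SMPTE' into (roles, entity)."""
    cn = cn.strip()
    if cn.upper().startswith("CN="):
        cn = cn[3:]
    roles_part, dot, entity = cn.partition(".")
    if not dot:                      # no dot at all: not in the expected form
        return [], cn
    return roles_part.split(), entity

def triage(subject_cn, issuer_cn):
    """Return parsed roles/entity plus reasons to look harder before issuing a KDM."""
    roles, entity = parse_cn(subject_cn)
    issuer_roles, _ = parse_cn(issuer_cn)
    findings = []
    if not roles:
        findings.append("subject has no role tags (CA-style or malformed CN)")
    unknown = [r for r in roles if r not in KNOWN_ROLES]
    if unknown:
        findings.append("role tags not in this example's list: " + " ".join(unknown))
    # Assumption: a playback KDM recipient is a security manager (SM).
    if roles and "SM" not in roles:
        findings.append("no SM role: subject does not claim to be a playback device")
    if issuer_roles:
        findings.append("issuer CN carries role tags; a CA CN normally starts with '.'")
    return {"roles": roles, "entity": entity, "findings": findings}

# First four rows are the CNs quoted in the post; the last row is constructed.
SAMPLES = [
    ("LE SPB MD SM.DCP2000-211018.DC.DC2.SMPTE", ".DC.DOLPHIN.DC2.SMPTE"),
    ("LE SPB MD FM SM.IMB-273822.DC.DOLPHIN.DC2.SMPTE", ".US1.DCS.DOLPHIN.DC2.SMPTE"),
    ("SM.Dolby256-CAT862-0007cc8e", ".Cinea.MFGCA.1"),
    ("SM.Christie.IMB-S2.0000000CFD3D", ".signer_dcine_christie"),
    ("CS.example-mastering.LEAF", ".example-mastering.INTERMEDIATE"),  # constructed
]

if __name__ == "__main__":
    for subject, issuer in SAMPLES:
        result = triage(subject, issuer)
        status = "; ".join(result["findings"]) or "no findings (still verify the chain)"
        print(f"{result['entity']:45} roles={' '.join(result['roles']):16} {status}")
```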