KDM Validity VS Signing Cert Validity error

Aswippe Johnson
Posts: 47
Joined: Sat Feb 06, 2016 12:20 am

KDM Validity VS Signing Cert Validity error

Post by Aswippe Johnson »

Had an issue creating valid new KDMs for a theatre this week, so I upgraded my very old version of DOM to V.2.16.8. Running Windows 7 Pro 64-bit. The reason my KDMs weren't working was quickly identified with the following error message:

[Image: screenshot of the error message]

I ran the DOM uninstaller and deleted the old c:\Users\your_user_name\AppData\Local\dcpomatic directory before installing the update. I also clicked on the make new certificate choice when I ran the updated version, and then rebooted my computer.

I normally make long expiration KDMs as it prevents the sharing of custom content that I sell to theatres. Previously, I could make a KDM valid long enough to exceed the cert validity on the server if I wanted... now, I can't go longer than 3 years. I can live with that, but the time will come when that 3 year span expires and I'll be up against a wall - unable to make new KDMs for that DKDM... thanks for your help.

How do I fix this, please?

Oh, yes, it might help to know when I Quit the KDM maker app... I get a Windows ".exe has stopped working" error, and have to force it to close. Never had that happen before.
YOU will be ostracised!
Carsten
Posts: 2665
Joined: Tue Apr 15, 2014 9:11 pm
Location: Germany

Re: KDM Validity VS Signing Cert Validity error

Post by Carsten »

The signing certs in the 2.16.x versions, when created from scratch, should last 10 years into the future from now.


- Carsten
Aswippe Johnson
Posts: 47
Joined: Sat Feb 06, 2016 12:20 am

Re: KDM Validity VS Signing Cert Validity error

Post by Aswippe Johnson »

Thank you.
YOU will be ostracised!
Carsten
Posts: 2665
Joined: Tue Apr 15, 2014 9:11 pm
Location: Germany

Re: KDM Validity VS Signing Cert Validity error

Post by Carsten »

We recently came across an issue with a few servers that did not like long signing cert validity. That was a critical issue, as it would prevent encrypted DCPs from playing. So, for now, the default validity window is until 2032 or so. Once we get more information, it may be possible to extend this towards 2038 or so. It looks as if the whole certificate system in DCI is only targeted at short to medium timeframe distribution, not archiving.

For most applications, recreating signing certs with a safe validity timeframe should not cause any issues at all; encryption/decryption/KDM creation is not impacted by new signing certs.

- Carsten
gunnar
Posts: 81
Joined: Tue Apr 15, 2014 1:06 am

Re: KDM Validity VS Signing Cert Validity error

Post by gunnar »

Carsten wrote: Sun Apr 10, 2022 12:50 pm
We recently came across an issue with a few servers that did not like long signing cert validity.

This is actually something that can be avoided during the KDM creation itself.
I own both Dolby CineAsset Pro and EasyDCP, and if the server certificate of the cinema server that the KDM is being created for is already expired, or will expire before the KDM you are creating expires, then you just get an error during the KDM generation.
So I don't think this has anything to do with "some servers that do not like long signing certs."
I am almost sure that this is more about DCP-o-matic not being able to generate KDMs that overlap the certificate of the targeted cinema server, but DoM is probably doing that.
Carsten
Posts: 2665
Joined: Tue Apr 15, 2014 9:11 pm
Location: Germany

Re: KDM Validity VS Signing Cert Validity error

Post by Carsten »

Well, we actually came across servers that had media block/decryption cert validity well beyond 2044, but would fail if the signing cert validity was shorter than that. In general, the signing cert is of little practical relevance - but for encrypted SMPTE DCPs, some servers do check it, and two different brands actually failed with long signing cert validity. Obviously a bug, as none of the SMPTE/DCI spec documents limit cert type validity.

DCP-o-matic does check cert validity when creating KDMs.
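An added example of the kind of check discussed above (example code, not DCP-o-matic's own): it reads the validity window from a KDM and compares it with the validity windows of the signing cert and of the target server's cert, flagging a KDM that starts before either cert is valid or outlives either one. The KDM fragment, the certificate dates and the namespace-agnostic element lookup are constructed assumptions for illustration.

```python
from datetime import datetime, timezone
from xml.etree import ElementTree as ET

def utc(year, month, day):
    """Midnight UTC on the given date (helper for the constructed validity windows)."""
    return datetime(year, month, day, tzinfo=timezone.utc)

# Constructed certificate validity windows (notBefore, notAfter), as they would be
# read from the signing cert and from the target server's media block / decryption cert.
SIGNER_CERT_VALIDITY = (utc(2022, 1, 1), utc(2032, 1, 1))
TARGET_CERT_VALIDITY = (utc(2020, 6, 1), utc(2024, 6, 1))

# Constructed KDM fragment: only the SMPTE 430-1 validity elements are included.
SAMPLE_KDM = """<DCinemaSecurityMessage
    xmlns="http://www.smpte-ra.org/schemas/430-3/2006/ETM"
    xmlns:kdm="http://www.smpte-ra.org/schemas/430-1/2006/KDM">
  <AuthenticatedPublic>
    <RequiredExtensions>
      <kdm:KDMRequiredExtensions>
        <kdm:ContentKeysNotValidBefore>2022-04-01T00:00:00+00:00</kdm:ContentKeysNotValidBefore>
        <kdm:ContentKeysNotValidAfter>2025-04-01T00:00:00+00:00</kdm:ContentKeysNotValidAfter>
      </kdm:KDMRequiredExtensions>
    </RequiredExtensions>
  </AuthenticatedPublic>
</DCinemaSecurityMessage>"""

def kdm_window(kdm_xml):
    """Return (not_before, not_after) from the KDM, matching elements by local name."""
    root = ET.fromstring(kdm_xml)
    found = {el.tag.rsplit("}", 1)[-1]: el.text for el in root.iter()}
    try:
        return (datetime.fromisoformat(found["ContentKeysNotValidBefore"].strip()),
                datetime.fromisoformat(found["ContentKeysNotValidAfter"].strip()))
    except KeyError as missing:
        raise ValueError(f"KDM lacks {missing}") from None

def latest_safe_end(signer_valid, target_valid):
    """Latest KDM end date that stays inside both certificate validity windows."""
    return min(signer_valid[1], target_valid[1])

def check_kdm(kdm_xml, signer_valid, target_valid):
    """List the ways the KDM window falls outside the two cert windows (empty list = OK)."""
    start, end = kdm_window(kdm_xml)
    problems = []
    if end <= start:
        problems.append("KDM validity window is empty or reversed")
    for name, (not_before, not_after) in (("signing cert", signer_valid),
                                           ("target server cert", target_valid)):
        if start < not_before:
            problems.append(f"KDM starts before {name} is valid ({not_before.date()})")
        if end > not_after:
            problems.append(f"KDM ends after {name} expires ({not_after.date()})")
    return problems
```

With the constructed dates, the sample KDM outlives the target server cert, which is exactly the case the thread is about; clamping the KDM end to `latest_safe_end` makes it pass.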
carl
Site Admin
Posts: 2358
Joined: Thu Nov 14, 2013 2:53 pm

Re: KDM Validity VS Signing Cert Validity error

Post by carl »

I am almost sure that this is more about DCP-o-matic not being able to generate KDMs that overlap the certificate of the targeted cinema server, but DoM is probably doing that.
Are you talking about the validity period of the KDM? Or the validity period of the certificate that is used to sign the KDM?
jamiegau
Posts: 20
Joined: Mon Oct 14, 2019 3:48 am
Location: Australia

Re: KDM Validity VS Signing Cert Validity error

Post by jamiegau »

This is a good question.
If a DCI player cert is to expire in 2 years and you try to make a KDM that extends past this timeframe, should this be possible? Should it error?
Should it just say fine, and not really matter? The player will need a new cert installed at some stage, meaning a new KDM for all content you want to play will need to be regenerated anyway.
Carsten
Posts: 2665
Joined: Tue Apr 15, 2014 9:11 pm
Location: Germany

Re: KDM Validity VS Signing Cert Validity error

Post by Carsten »

Happens quite often with GDC servers, as they use rather short media block cert validities. Some KDM service companies now issue advance warnings if a cert is about to expire.

Some few commercial KDMs I see have validity windows of max 3 months into the future. Most probably only one or two weeks.
jamiegau
Posts: 20
Joined: Mon Oct 14, 2019 3:48 am
Location: Australia

Re: KDM Validity VS Signing Cert Validity error

Post by jamiegau »

Short certificates for players is quite a big issue.
It's technically illegal, as it forces cinema owners to pay for upgrades they may not want to do.
I know they should keep their players up to date but that's not the point.
You shouldn't have to pay for an updated player cert every 3-5 years on a unit that should run for 15 years. (Or life of the unit)
It's not fit for purpose under consumer law in my neck of the woods.

It's like buying a car and it stops working if you don't get it serviced by the specific company you purchased it from. Obviously that's not going to fly.
And this is an equivalent issue.