How to tell if the public server certificate is for a KDM or a DKDM


Post by rtX »

Is there any way of knowing if, when you're provided with a server certificate, that the KDM produced from it is a KDM or if it is a DKDM? The reason I ask is that I can see that if we're given a certificate for a server from which further KDMs can be made (represented as a single projector server) this may be used as circumvention of the security offered by encryption. I've just been given a certificate which I believe will create a DKDM if I produce a KDM for it and making the key was the same as making any 'normal' KDM. I'm probably not understanding something properly but it was just a thought.
Thanks for great software.

Post by carl »

> Is there any way of knowing if, when you're provided with a server certificate, that the KDM produced from it is a KDM or if it is a DKDM?

In a word: no. The only "safety" in a KDM made for a projector is that the decrypting private key is buried inside the projector and in theory not known by anybody.

I think this is why most distribution companies, in my experience, ask for the serial number of your projector rather than the certificate. They get the certificate by looking up the serial number in a (hopefully) secure database provided by the projector manufacturer.

Otherwise, yes, I could call up J. Random Hollywood Distributor and say that the server in Carl's Cinema Screen 1 has been replaced and so here is the new certificate. That could just be DCP-o-matic's decryption cert and then I could decrypt any features they sent me.

Post by scorpio81 »

I guess that it is possible to tell if the certificate is for a KDM or a DKDM. Not with 100% certainty of course.
On Windows I changed the certificate file extension from .pem to .cer so it could be opened by Windows by double clicking. Studying the properties of the certificate can tell us about its recipient and its issuer.

For example, for Doremi DCP2000 server:
Issuer:
CN=.DC.DOLPHIN.DC2.SMPTE
OU=DC.DOREMILABS.COM
O=DC2.SMPTE.DOREMILABS.COM
Recipient:
CN=LE SPB MD SM.DCP2000-211018.DC.DC2.SMPTE
OU=DC.DOREMILABS.COM
O=DC2.SMPTE.DOREMILABS.COM

For Doremi ShowVault server:
Issuer:
CN=.US1.DCS.DOLPHIN.DC2.SMPTE
OU=DC.DOREMILABS.COM
O=DC2.SMPTE.DOREMILABS.COM
Recipient:
CN=LE SPB MD FM SM.IMB-273822.DC.DOLPHIN.DC2.SMPTE
OU=DC.DOREMILABS.COM
O=DC2.SMPTE.DOREMILABS.COM

For Dolby DSS200 server:
Issuer:
CN=.Cinea.MFGCA.1
OU=MFGCA1.DC256.Cinea.Com
O=DC256.Cinea.Com
Recipient:
CN=SM.Dolby256-CAT862-0007cc8e
OU=DolbyMediaBlock
O=DC256.Cinea.Com

For Christie Integrated Media Block (IMB):
Issuer:
CN=.signer_dcine_christie
OU=Christie Digital Systems
O=ca.christiedigital.com
Recipient:
CN=SM.Christie.IMB-S2.0000000CFD3D
OU=Christie Digital Systems
O=ca.christiedigital.com

That's for every type of server that we have. As we can see, the recipient is quite identifiable.
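
The name check described in this post, as an added example (not code from the thread or from DCP-o-matic): it parses subject/issuer lines in the form quoted above and flags a certificate whose names do not fit the pattern of the four listed servers. The allow-list, the `triage` function and the second sample certificate are assumptions constructed for illustration, and names alone prove nothing without validating the chain against the manufacturer's root.

```python
# Added example: name-based triage of a KDM recipient certificate.
# Subject/issuer names can be set freely by whoever creates a certificate,
# so an empty findings list is a hint, not proof of a genuine server.

# Assumption: allow-list built only from the issuer O values quoted in this thread.
KNOWN_ISSUER_ORGS = {
    "DC2.SMPTE.DOREMILABS.COM",
    "DC256.Cinea.Com",
    "ca.christiedigital.com",
}

def parse_dn(text):
    """Parse 'CN=..' / 'OU=..' / 'O=..' lines into a dict with upper-case keys."""
    fields = {}
    for line in text.strip().splitlines():
        key, sep, value = line.strip().partition("=")
        if sep:
            fields[key.strip().upper()] = value.strip()
    return fields

def split_cn(cn):
    """Split a CN at its first period: tokens before it, entity name after it."""
    tokens, _, entity = cn.partition(".")
    return tokens.split(), entity

def triage(subject_text, issuer_text):
    """Return the CN tokens, the entity name and a list of name mismatches."""
    subject, issuer = parse_dn(subject_text), parse_dn(issuer_text)
    roles, entity = split_cn(subject.get("CN", ""))
    findings = []
    if "SM" not in roles:  # every subject CN quoted in the thread carries SM
        findings.append("subject CN carries no SM role")
    if issuer.get("O") not in KNOWN_ISSUER_ORGS:
        findings.append("issuer O is not on the allow-list")
    if subject.get("O") != issuer.get("O"):
        findings.append("subject O differs from issuer O")
    return {"roles": roles, "entity": entity, "findings": findings}

if __name__ == "__main__":
    # Values quoted in the post above (Doremi DCP2000).
    print(triage("CN=LE SPB MD SM.DCP2000-211018.DC.DC2.SMPTE\n"
                 "OU=DC.DOREMILABS.COM\nO=DC2.SMPTE.DOREMILABS.COM",
                 "CN=.DC.DOLPHIN.DC2.SMPTE\n"
                 "OU=DC.DOREMILABS.COM\nO=DC2.SMPTE.DOREMILABS.COM"))
    # Constructed sample: a certificate whose names fit none of the listed servers.
    print(triage("CN=CS.example-leaf\nOU=example.invalid\nO=example.invalid",
                 "CN=.example-ca\nOU=example.invalid\nO=example.invalid"))
```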