-
Notifications
You must be signed in to change notification settings - Fork 79
/
encrypted-media-respec.html
9282 lines (9235 loc) · 395 KB
/
encrypted-media-respec.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>
Encrypted Media Extensions
</title>
<script src="https://www.w3.org/Tools/respec/respec-w3c" class="remove"></script>
<script class="remove">
var respecConfig = {
// specification status (e.g. WD, LCWD, NOTE, etc.). If in doubt use ED.
specStatus: "ED",
implementationReportURI: "https://w3c.github.io/test-results/encrypted-media/all.html",
// the specification's short name, as in https://www.w3.org/TR/short-name/
shortName: "encrypted-media-2",
edDraftURI: "https://w3c.github.io/encrypted-media/",
prevRecURI: "https://www.w3.org/TR/2017/REC-encrypted-media-20170918/",
// editors, add as many as you like
// only "name" is required
editors: [
{ name: "Joey Parrish", w3cid: "105371",
company: "Google Inc.", companyURL: "https://www.google.com/" },
{ name: "Greg Freedman", w3cid: "115364",
company: "Netflix Inc.", companyURL: "https://www.netflix.com/" },
],
formerEditors: [
{ name: "Mark Watson", note: "Until September 2019", w3cid: "46379",
company: "Netflix Inc.", companyURL: "https://www.netflix.com/" },
{ name: "David Dorwin", note: "Until September 2017", w3cid: "52505",
company: "Google Inc.", companyURL: "https://www.google.com/" },
{ name: "Jerry Smith", note: "Until September 2017", w3cid: "60176",
company: "Microsoft Corporation", companyURL: "https://www.microsoft.com/" },
{ name: "Adrian Bateman", note: "Until May 2014", w3cid: "42763",
company: "Microsoft Corporation", companyURL: "https://www.microsoft.com/" },
],
group: "media",
github: "w3c/encrypted-media",
// URI of the public WG page
wgURI: "https://www.w3.org/media-wg/",
// name (without the @w3c.org) of the public mailing to which comments are due
wgPublicList: "public-media-wg",
// URI of the patent status for this WG, for Rec-track documents
// !!!! IMPORTANT !!!!
// This is important for Rec-track documents, do not copy a patent URI from a random
// document unless you know what you're doing. If in doubt ask your friendly neighbourhood
// Team Contact.
wgPatentURI: "https://www.w3.org/2004/01/pp-impl/115198/status",
localBiblio: {
"CENC": {
title: "ISO/IEC 23001-7:2016, Information technology — MPEG systems technologies — Part 7: Common encryption in ISO Base Media File Format files",
href: "https://www.iso.org/obp/ui/#iso:std:iso-iec:23001:-7:ed-3:v1",
status: "International Standard",
publisher: "ISO/IEC",
},
},
xref: ["dom", "html", "infra", "webaudio"]
};
</script>
<link rel="stylesheet" href="eme.css">
</head>
<body>
<section id="abstract">
<p>
This specification extends {{HTMLMediaElement}} [[HTML]] providing APIs to control playback
of encrypted content.
</p>
<p>
The API supports use cases ranging from simple clear key decryption to high value video
(given an appropriate user agent implementation). License/key exchange is controlled by the
application, facilitating the development of robust playback applications supporting a
range of content decryption and protection technologies.
</p>
<p>
This specification does not define a content protection or Digital Rights Management
system. Rather, it defines a common API that may be used to discover, select and interact
with such systems as well as with simpler content encryption systems. Implementation of
Digital Rights Management is not required for compliance with this specification: only the
[=Clear Key=] system is required to be implemented as a common baseline.
</p>
<p>
The common API supports a simple set of content encryption capabilities, leaving
application functions such as authentication and authorization to page authors. This is
achieved by requiring content protection system-specific messaging to be mediated by the
page rather than assuming out-of-band communication between the encryption system and a
license or other server.
</p>
</section>
<section id="sotd">
<p>
Two new features were added since publication as a <abbr title=
"World Wide Web Consortium">W3C</abbr> Recommendation in <a href=
"https://www.w3.org/TR/2017/REC-encrypted-media-20170918/">September 2017</a>:
</p>
<ul>
<li>Encryption scheme capability detection, through the
{{MediaKeySystemMediaCapability/encryptionScheme}} attribute.
</li>
<li>The ability to query the status of a key associated with an HDCP policy, through the
{{MediaKeys/getStatusForPolicy()}} method.
</li>
</ul>
<p>
Inclusion of other features is out of scope for the Media Working Group. On top of
editorial updates, other substantive changes made to this specification address maintenance
issues against this specification:
</p>
<ul>
<li>Integrate with the Permissions Policy through the [=encrypted-media=] identifier.
</li>
<li>Add {{MediaKeyStatus/"usable-in-future"}} to {{MediaKeyStatus}} for keys that are not
yet usable for decryption.
</li>
<li>Return [=QuotaExceededError=] when steps fail due to a lack of resources.
</li>
<li>Add {{MediaKeySessionClosedReason}} to describe possible reasons for a session closure,
and adjust algorithms accordingly.
</li>
</ul>
<p>
For a full list of changes made since the previous version, see the <a href=
"https://github.com/w3c/encrypted-media/commits/main">commits</a>.
</p>
</section>
<section class="informative">
<h2>
Introduction
</h2>
<p>
This specification enables script to select content protection mechanisms, control
license/key exchange, and execute custom license management algorithms. It supports a wide
range of use cases without requiring client-side modifications in each user agent for each
use case. This enables content providers to develop a single application solution for all
devices.
</p>
<p>
Supported content is encrypted per container-specific "common encryption" specifications,
enabling use across key systems. Supported content has an unencrypted container, enabling
metadata to be provided to the application and maintaining compatibility with other
{{HTMLMediaElement}} features.
</p>
<p>
Implementers should pay attention to the mitigations for the security and privacy threats
and concerns described in this specification. In particular, the specification requirements
for security and privacy cannot be met without knowledge of the security and privacy
properties of the [=Key System=] and its implementation(s). <a href=
"#implementation-requirements"></a> contains security and privacy provisions related to the
integration and use of underlying [=Key System=] implementations. <a href="#security"></a>
focuses on external threats, such as input data or network attacks. <a href="#privacy"></a>
focuses on the handling of user-specific information and providing users with adequate
control over their own privacy.
</p>
<p class="note">
While this specification is independent of the source of the media data, authors should be
aware that many implementations only support decrypting media data provided via Media
Source Extensions [[MEDIA-SOURCE]].
</p>
<p>
A generic stack implemented using the API is shown below. This diagram shows an example
flow; other combinations of API calls and events are possible.
</p><img src="stack_overview.svg" alt="A generic stack implemented using the proposed APIs"
height="700">
</section>
<section>
<h2>
Definitions
</h2>
<dl>
<dt>
<dfn class="export" data-lt="CDM">Content Decryption Module (CDM)</dfn>
</dt>
<dd>
<p>
Content Decryption Module (CDM) is the client component that provides the
functionality, including decryption, for one or more [=Key Systems=].
</p>
<p class="note">
Implementations may or may not separate the implementations of CDMs or treat them as
separate from the user agent. This is transparent to the API and application.
</p>
</dd>
<dt>
<dfn class="export">Key System</dfn>
</dt>
<dd>
<p>
A Key System is a generic term for a decryption mechanism and/or content protection
provider. Key System strings provide unique identification of a Key System. They are
used by the user agent to select a [=CDM=] and identify the source of a key-related
event. User agents MUST support the [=Common Key Systems=]. User agents MAY also
provide additional [=CDMs=] with corresponding Key System strings.
</p>
<p>
A Key System string is always a reverse domain name. Key System strings are compared
using case-sensitive matching. It is RECOMMENDED that [=CDMs=] use simple lower-case
ASCII key system strings.
</p>
<p class="note">
For example, "com.example.somesystem".
</p>
<p class="note">
Within a given system ("somesystem" in the example), subsystems may be defined as
determined by the key system provider. For example, "com.example.somesystem.1" and
"com.example.somesystem.1_5". Key System providers should keep in mind that these will
be used for comparison and discovery, so they should be easy to compare and the
structure should remain reasonably simple.
</p>
</dd>
<dt>
<dfn>Key Session</dfn>
</dt>
<dd>
<p>
A Key Session, or simply Session, provides a context for message exchange with the
[=CDM=] as a result of which key(s) are made available to the [=CDM=]. Sessions are
embodied as {{MediaKeySession}} objects. Each Key session is associated with a single
instance of [=Initialization Data=] provided in the
{{MediaKeySession/generateRequest()}} call.
</p>
<p>
Each Key Session is associated with a single {{MediaKeys}} object, and only media
element(s) associated with that {{MediaKeys}} object may access key(s) associated with
the session. Other {{MediaKeys}} objects, [=CDM=] instances, and media elements MUST
NOT access the key session or use its key(s). Key sessions and the keys they contain
are no longer [=usable for decryption=] once the session has been closed, including
when the {{MediaKeySession}} object is destroyed.
</p>
<p>
All license(s) and key(s) associated with a Key Session which have not been explicitly
stored MUST be destroyed when the Key Session is closed.
</p>
<p>
[=Key IDs=] MUST be unique within a session.
</p>
</dd>
<dt>
<dfn>Session ID</dfn>
</dt>
<dd>
<p>
A Session ID is a unique string identifier generated by the [=CDM=] that can be used by
the application to identify {{MediaKeySession}} objects.
</p>
<p>
A new Session ID is generated each time the user agent and [=CDM=] successfully create
a new session.
</p>
<p>
Each Session ID SHALL be unique within the browsing context in which it was created.
For session types for which the [=Is persistent session type?=] algorithm returns
<code>true</code>, Session IDs MUST be unique within the [=origin=] over time,
including across browsing sessions.
</p>
<p class="note">
The underlying content protection protocol does not necessarily need to support Session
IDs.
</p>
</dd>
<dt>
<dfn data-lt="key(s)">Key</dfn>
</dt>
<dd>
<p>
Unless otherwise stated, key refers to a decryption key that can be used to decrypt
blocks within [=HTMLMediaElement/media data=]. Each such key is uniquely identified by
a [=key ID=]. A key is associated with the [=key session|session=] used to provide it
to the [=CDM=]. (The same key may be present in multiple sessions.) Such keys MUST only
be provided to the [=CDM=] via an {{MediaKeySession/update()}} call. (They may later be
loaded by {{MediaKeySession/load()}} as part of the stored session data.)
</p>
<p class="note">
Authors SHOULD encrypt each set of stream(s) that requires enforcement of a
meaningfully different policy with a distinct key (and key ID). For example, if
policies may differ between two video resolutions, stream(s) containing one resolution
should not be encrypted with the key used to encrypt stream(s) containing the other
resolution. When encrypted, audio streams SHOULD NOT use the same key as any video
stream. This is the only way to ensure enforcement and compatibility across clients.
</p>
</dd>
<dt>
<dfn>Usable For Decryption</dfn>
</dt>
<dd>
<p>
A key is considered usable for decryption if the [=CDM=] is certain the key is
currently usable to decrypt one or more blocks of [=HTMLMediaElement/media data=].
</p>
<p class="note">
For example, a key is not usable for decryption if its license has expired. Even if its
license has not expired, a key is not usable for decryption if other conditions (e.g.,
output protection) for its use are not currently satisfied.
</p>
</dd>
<dt>
<dfn class="export" data-export="" data-lt="Decryption key ID">Key ID</dfn>
</dt>
<dd>
<p>
A [=key=] is associated with a key ID that is a sequence of octets and which uniquely
identifies the key. The container specifies the ID of the key that can decrypt a block
or set of blocks within the [=HTMLMediaElement/media data=]. [=Initialization Data=]
MAY contain key ID(s) to identify the keys that are needed to decrypt the media data.
However, there is no requirement that Initialization Data contain any or all key IDs
used in the [=HTMLMediaElement/media data=] or <a data-cite="html#media-resource">media
resource</a>. [=Licenses=] provided to the [=CDM=] associate each key with a key ID so
the [=CDM=] can select the appropriate key when decrypting an encrypted block of media
data.
</p>
</dd>
<dt>
<dfn data-lt="Known">Known Key</dfn>
</dt>
<dd>
<p>
A key is considered to be known to a session if the [=CDM=]'s implementation of the
session contains any information - specifically the [=key ID=] - about it, regardless
of whether the actual [=key=] is usable or its value is known. Known keys are exposed
via the {{MediaKeySession/keyStatuses}} attribute.
</p>
<p>
Keys are considered known even after they become unusable, such as due to
[=expiration=] or if they are removed but a [=record of license destruction=] is
available. Keys only become unknown when they are explicitly removed from a session and
any license release message is acknowledged.
</p>
<p class="note">
For example, a key could become unknown if an {{MediaKeySession/update()}} call
provides a new license that does not include the key and includes instructions to
replace the license(s) that previously contained the key.
</p>
</dd>
<dt>
<dfn>License</dfn>
</dt>
<dd>
<p>
A license is key system-specific state information that includes one or more [=key(s)=]
- each associated with a [=key ID=] - and potentially other information about key
usage.
</p>
</dd>
<dt id="initialization-data">
<dfn class="export">Initialization Data</dfn>
</dt>
<dd>
<p class="note">
[=Key Systems=] usually require a block of initialization data containing information
about the stream to be decrypted before they can construct a license request message.
This block could be a simple key or content ID or a more complex structure containing
such information. It SHOULD always allow unique identification of the [=key(s)=] needed
to decrypt the content. This initialization information MAY be obtained in some
application-specific way or provided with the [=HTMLMediaElement/media data=].
</p>
<p>
Initialization Data is a generic term for container-specific data that is used by a
[=CDM=] to generate a license request.
</p>
<p>
The format of the initialization data depends upon the type of container, and
containers MAY support more than one format of initialization data. The <dfn class=
"export">Initialization Data Type</dfn> is a string that indicates the format of the
accompanying Initialization Data. Initialization Data Type strings are always matched
case-sensitively. It is RECOMMENDED that Initialization Data Type strings are
lower-case ASCII strings.
</p>
<p>
The [[[EME-INITDATA-REGISTRY]]] [[EME-INITDATA-REGISTRY]] provides the mapping from
[=Initialization Data Type=] string to the specification for each format.
</p>
<p>
When the user agent encounters Initialization Data in the [=HTMLMediaElement/media
data=], it provides that Initialization Data to the application in the
{{MediaEncryptedEvent/initData}} attribute of the {{encrypted}} event. The user agent
MUST NOT store the Initialization Data or use its <em>content</em> at the time it is
encountered. The application provides [=Initialization Data=] to the [=CDM=] via
{{MediaKeySession/generateRequest()}}. The user agent MUST NOT provide [=Initialization
Data=] to the [=CDM=] by other means.
</p>
<p>
Initialization Data MUST be a fixed value for a given set of stream(s) or
[=HTMLMediaElement/media data=]. It MUST only contain information related to the keys
required to play a given set of stream(s) or [=HTMLMediaElement/media data=]. It MUST
NOT contain application data, client-specific data, user-specific data, or executable
code.
</p>
<p>
Initialization Data SHOULD NOT contain Key System-specific data or values.
Implementations MUST support the common formats defined in [[EME-INITDATA-REGISTRY]]
for each [=Initialization Data Type=] they support.
</p>
<p class="note">
Use of proprietary formats/contents is discouraged, and supporting or using
<em>only</em> proprietary formats is strongly discouraged. Proprietary formats should
only be used with pre-existing content or on pre-existing client devices that do not
support the common formats.
</p>
</dd>
<dt>
<dfn data-lt="associable">Associable Value</dfn>
</dt>
<dd>
<p>
Two or more identifiers or other values are said to be associable if they are identical
<em>or</em> it is possible - with a reasonable amount of time and effort - to correlate
or associate them. Otherwise, the values are <dfn>non-associable</dfn>.
</p>
<div class="note">
<p>
For example, values created in the following ways are [=associable=]:
</p>
<ul>
<li>
<p>
Using a trivially-reversible hash function.
</p>
</li>
<li>
<p>
Sharing a prefix or other subset
</p>
</li>
<li>
<p>
Replacing random value N with N+10
</p>
</li>
<li>
<p>
XORing the origin with a fixed value (because it is trivially reversible)
</p>
</li>
</ul>
<p>
In contrast, two values that are completely unrelated or cryptographically distinct,
such as via a cryptographically strong non-reversible hash function, are
[=non-associable=]
</p>
</div>
<p>
Two or more identifiers or other values are said to be <dfn>associable by an
entity</dfn> if it is possible - with a reasonable amount of time and effort - for the
referenced entity or set of entities to correlate or associate them without
participation of additional entity(ies). Otherwise, the values are <dfn>non-associable
by an entity</dfn>.
</p>
<p>
Two or more identifiers or other values are said to be <dfn data-lt=
"non-associable by application">non-associable by the application</dfn> if they are
[=non-associable by an entity=] where the entity is the set that includes the
application, all other applications, and other entities such as servers that they use
or with which they communicate. Otherwise, the values would be considered
<dfn>associable by the application</dfn>, which is forbidden.
</p>
</dd>
<dt>
<dfn data-lt="distinctive">Distinctive Value</dfn>
</dt>
<dd>
<p>
A Distinctive Value is a value, piece of data, implication of the possession of a piece
of data, or an observable behavior or timing that is <em>not</em> shared across a large
population of users or client devices. A Distinctive Value may be in memory or
persisted.
</p>
<div class="note">
<p>
Examples of Distinctive Values include but are not limited to:
</p>
<ul>
<li>
<p>
[=Distinctive Identifiers=]
</p>
</li>
<li>
<p>
[=Distinctive Permanent Identifiers=]
</p>
</li>
<li>
<p>
Other identifiers
</p>
</li>
<li>
<p>
[=Session IDs=]
</p>
</li>
<li>
<p>
[=Licenses=]
</p>
</li>
<li>
<p>
Other session data
</p>
</li>
</ul>
</div>
<p class="note">
While a Distinctive Value is typically unique to a user or client device, a value does
not need to be strictly unique to be distinctive. For example, a value shared among a
small number of users could still be distinctive.
</p>
</dd>
<dt>
<dfn data-lt="Permanent Identifier(s)">Permanent Identifier</dfn>
</dt>
<dd>
<p>
A Permanent Identifier is a value, piece of data, implication of the possession of a
piece of data, or an observable behavior or timing that is indelible in some way or
otherwise non-trivial for the user to remove, reset, or change. This includes but is
not limited to:
</p>
<ul>
<li>
<p>
A hardware or hardware-based identifier
</p>
</li>
<li>
<p>
A value provisioned in the hardware device in the factory
</p>
</li>
<li>
<p>
A value associated with or derived from the operating system installation instance
</p>
</li>
<li>
<p>
A value associated with or derived from the user agent installation instance
</p>
</li>
<li>
<p>
A value associated with or derived from the [=CDM=] or other software component
</p>
</li>
<li>
<p>
A value in a configuration file or similar semi-permanent data, even if generated
on the client
</p>
</li>
<li>
<p>
Client or other user account values
</p>
</li>
</ul>
<p>
A <dfn data-lt="Distinctive Permanent Identifier(s)">Distinctive Permanent
Identifier</dfn> is a [=Permanent Identifier=] that is [=distinctive=].
</p>
<p>
When exposed outside the client, Distinctive Permanent Identifiers and values derived
from or otherwise related to them MUST be <a href="#encrypt-identifiers">encrypted</a>.
Distinctive Permanent Identifiers MUST NOT ever be exposed to the application, even in
encrypted form.
</p>
<p class="note">
While a Distinctive Permanent Identifier is typically unique to a user or client
device, a Distinctive Permanent Identifier does not need to be strictly unique to be
distinctive. For example, a Distinctive Permanent Identifier shared among a small
number of users could still be distinctive.
</p>
<p class="note">
A Distinctive Permanent Identifier is <em>not</em> a [=Distinctive Identifier=] because
it is not derived or generated (within the scope of this specification).
</p>
<p class="note">
{{MediaKeySystemConfiguration/distinctiveIdentifier}} controls whether Distinctive
Permanent Identifiers may be used. Specifically, Distinctive Permanent Identifiers may
only be used when the value of the
{{MediaKeySystemConfiguration/distinctiveIdentifier}} member of the
{{MediaKeySystemAccess}} used to create the {{MediaKeys}} object is
{{MediaKeysRequirement/"required"}}.
</p>
</dd>
<dt>
<dfn data-lt="Distinctive Identifier(s)">Distinctive Identifier</dfn>
</dt>
<dd>
<div class="note">
<p>
A Distinctive Identifier is a value, including in opaque or encrypted form, for which
it is possible for any entity external to the client to correlate or associate values
beyond what a user may expect on the web platform (e.g., cookies and other site
data). For example, values that are [=associable by an entity|associable by an entity
other than the application=] across a) [=origins=], b) [=browsing profiles=], or c)
browsing sessions even after the user has attempted to protect his or her privacy by
clearing browsing data or values for which it is not easy for a user to break such
association. In particular, a value is a Distinctive Identifier if it is possible for
a [=associable by an entity|central server, such as an individualization server, to
associate=] values across origins, such as because the [=individualization=] requests
contained a common value, or because values provided in individualization requests
are [=associable by an entity|associable by such a server=] even after attempts to
clear browsing data. Possible causes of this include use of [=Distinctive Permanent
Identifier(s)=] in the individualization process.
</p>
<p>
Distinctive Identifiers exposed to the application, even in encrypted form, MUST
adhere to the <a href="#identifier-requirements">identifier requirements</a>,
including being <a href="#encrypt-identifiers">encrypted</a>, <a href=
"#per-origin-per-profile-identifiers">unique per origin and profile</a>, and <a href=
"#allow-identifiers-cleared">clearable</a>.
</p>
<p>
While the instantiation or use of a Distinctive Identifier is triggered by the
application's use of the APIs defined in this specification, the identifier need not
be provided to the application to trigger conditions related to Distinctive
Identifiers. (The [=Distinctive Permanent Identifier(s)=] MUST NOT ever be provided
to the application, even in opaque or encrypted form.)
</p>
</div>
<p class="note">
{{MediaKeySystemConfiguration/distinctiveIdentifier}} controls whether Distinctive
Identifiers may be used. Specifically, Distinctive Identifiers may only be used when
the value of the {{MediaKeySystemConfiguration/distinctiveIdentifier}} member of the
{{MediaKeySystemAccess}} used to create the {{MediaKeys}} object is
{{MediaKeysRequirement/"required"}}.
</p>
<p>
A Distinctive Identifier is a value, piece of data, implication of the possession of a
piece of data, or an observable behavior or timing for which all of the following
criteria hold:
</p>
<ul>
<li>
<p>
It is [=distinctive=].
</p>
<p class="note">
While a Distinctive Identifier is typically unique to a user or client device, an
identifier does not need to be strictly unique to be distinctive. For example, an
identifier shared among a small number of users could still be distinctive.
</p>
</li>
<li>
<p>
It, information about it, or values derived from or otherwise related to it are
exposed, even in encrypted form, outside the client. This includes but is not
limited to providing it to the application and/or license, [=individualization=],
or other server.
</p>
</li>
<li>
<p>
It has one or more the following properties:
</p>
<ul>
<li>
<p>
It is derived from one or more [=Distinctive Permanent Identifier(s)=].
</p>
</li>
<li>
<p>
The generation, [=individualization=], provisioning or other process that
produced the value involved, used, provided, derived from, or similarly
involved one or more [=Distinctive Permanent Identifier(s)=] or another
Distinctive Identifier.
</p>
</li>
<li>
<p>
It is <a href="#allow-identifiers-cleared">clearable</a> but not <a href=
"#allow-persistent-data-cleared-with-cookies">along with cookies and other site
data</a>.
</p>
<p class="note">
For example, via some mechanism external to the user agent, such as an OS-level
mechanism.
</p>
</li>
</ul>
<div class="note">
<p>
Other properties of concern that are normatively prohibited for values exposed to
the application include:
</p>
<ul>
<li>
<p>
It is a [=Distinctive Permanent Identifier=].
</p>
</li>
<li>
<p>
It is <em>not</em> <a href="#allow-identifiers-cleared">clearable</a>.
</p>
</li>
<li>
<p>
Value(s) created after <a href="#allow-identifiers-cleared">clearing
identifier(s)</a> may be [=associable by the application=] with previous
value(s).
</p>
</li>
<li>
<p>
Values may not be <a href="#per-origin-per-profile-identifiers">unique per
origin and profile</a>.
</p>
</li>
<li>
<p>
Values for different origins may be [=associable by the application=].
</p>
</li>
</ul>
<p>
Examples of such normatively prohibited values include but is not limited to:
</p>
<ul>
<li>
<p>
A single hardware-based value used for all origins.
</p>
</li>
<li>
<p>
A single random based value used for all origins.
</p>
</li>
<li>
<p>
A single value obtained from an [=individualization=] process that is used
for all origins.
</p>
</li>
<li>
<p>
Values that include all or part of any of the above values.
</p>
</li>
<li>
<p>
A single value that is used for multiple but not all origins.
</p>
</li>
<li>
<p>
A single value that is used for all origins on a domain. (Identifiers must be
per-[=origin=].)
</p>
</li>
<li>
<p>
A pre-provisioned origin-specific value.
</p>
</li>
<li>
<p>
Values generated by trivially-reversible means, which are thus [=associable
by the application=], regardless of whether generated on the client or
involving an [=individualization=] process. For example, XORing or otherwise
integrating (part of) the origin with a fixed value.
</p>
</li>
</ul>
</div>
</li>
</ul>
<p class="note">
While Distinctive Identifier are usually [=associable by an entity|associable by the
entity that generated them=] they MUST be [=non-associable by applications=]. In other
words, such correlation or association is only possible by the entity, such as an
[=individualization=] server, that originally generated the Distinctive Identifier
values. Entities with access to the [=Distinctive Permanent Identifier(s)=] MUST NOT
expose this capability to applications, as this would make resulting Distinctive
Identifiers [=associable by the application=], and SHOULD take care to avoid exposing
such correlation to other entities or third parties.
</p>
<div class="note">
<p>
Examples of Distinctive Identifiers include but are not limited to:
</p>
<ul>
<li>
<p>
A series of bytes that is included in key requests, different from the series of
bytes included by other client devices, and based on or was acquired directly or
indirectly using a [=Distinctive Permanent Identifier=].
</p>
</li>
<li>
<p>
A public key included in key requests that is different from the public keys
included in the requests by other client devices and is based on or was acquired
directly or indirectly using a [=Distinctive Permanent Identifier=].
</p>
</li>
<li>
<p>
Demonstration of possession of a private key (e.g., by signing some data) that
other client devices do not have and is based on or was acquired directly or
indirectly using a [=Distinctive Permanent Identifier=].
</p>
</li>
<li>
<p>
An identifier for such a key.
</p>
</li>
<li>
<p>
Such a value used to derive another value that is exposed even though the first
value is not directly exposed.
</p>
</li>
<li>
<p>
A value derived from another Distinctive Identifier.
</p>
</li>
<li>
<p>
A random value that was reported to a (e.g., [=individualization=]) server along
with a [=Distinctive Permanent Identifier=] or provided by such a server after
providing a [=Distinctive Permanent Identifier=].
</p>
</li>
<li>
<p>
A value derived from a unique value provisioned in the hardware device in the
factory.
</p>
</li>
<li>
<p>
A value derived from a unique hardware value (e.g., MAC address or serial number)
or software value (e.g., operating system installation instance or operating
system user account name) in the hardware device in the factory.
</p>
</li>
<li>
<p>
A value derived from a unique value embedded in the [=CDM=] binary or other file
used by the [=CDM=].
</p>
</li>
</ul>
<p>
Examples of things that are <em>not</em> Distinctive Identifiers:
</p>
<ul>
<li>
<p>
A public key shared among all copies of a given [=CDM=] version if the installed
base is large.
</p>
</li>
<li>
<p>
A nonce or ephemeral key that is unique but used in only one session.
</p>
</li>
<li>
<p>
A value that is not exposed, even in derived or similar ways, outside the client,
including via [=individualization=] or similar.
</p>
</li>
<li>
<p>
Device-unique keys used in attestations between, for example, the video pipeline
and the [=CDM=] when the [=CDM=] does not let these attestations further flow to
the application and instead makes a new attestation on its own using a key that
does not constitute a Distinctive Identifier.
</p>
</li>
<li>
<p>
A value that is fully cleared/clearable along with browsing data, such as
cookies, after which it will be replaced by a value that is [=non-associable=]]
(not just [=non-associable by applications=]), even by a central server such as
an [=individualization=] server, AND one or more of the following:
</p>
<ul>
<li>
<p>
No [=Distinctive Permanent Identifier=] or Distinctive Identifier was
involved in the generation of the value.
</p>
</li>
<li>
<p>
It is a random value generated <em>without</em> inputs from the system.
</p>
</li>
<li>
<p>
It is a value provided by a server without the use of or knowledge of another
Distinctive Identifier.
</p>
</li>
</ul>
</li>
</ul>
</div>
</dd>
<dt>
<dfn class="lint-ignore">Use of Distinctive Identifiers and Distinctive Permanent
Identifiers</dfn>
</dt>
<dd>
<p>
An implementation, configuration, instance, or object <dfn data-lt=
"use Distinctive Identifier(s)|use of Distinctive Identifier(s)">uses Distinctive
Identifier(s)</dfn> if, at any time during its lifetime or the lifetime of related such
entities, it exposes, even in encrypted form, one or more [=Distinctive
Identifier(s)=], information about them, or values derived from or otherwise related to
them outside the client. This includes but is not limited to providing such a value to
the application and/or license, [=individualization=], or other server.
</p>
<p>
An implementation, configuration, instance, or object <dfn data-lt=
"use Distinctive Permanent Identifier(s)|using Distinctive Permanent Identifier(s)">uses
Distinctive Permanent Identifier(s)</dfn> if, at any time during its lifetime or the
lifetime of related such entities, it exposes, even in encrypted form, one or more
[=Distinctive Permanent Identifier(s)=], information about them, or values derived from
or otherwise related to them outside the client. This includes but is not limited to
providing such a value to an [=individualization=] server. Such values MUST NOT be
provided to the application.
</p>
<p>
An implementation, configuration, instance, or object <dfn data-lt=
"use Distinctive Identifier(s) or Distinctive Permanent Identifier(s)|use of Distinctive Identifier(s) or Distinctive Permanent Identifier(s)|using Distinctive Identifier(s) or Distinctive Permanent Identifier(s)">
uses Distinctive Identifier(s) or Distinctive Permanent Identifier(s)</dfn> if it
[=uses Distinctive Identifier(s)=] and/or [=uses Distinctive Permanent Identifier(s)=].
</p>
<p class="note">
{{MediaKeySystemConfiguration/distinctiveIdentifier}} controls whether [=Distinctive
Identifiers=] and [=Distinctive Permanent Identifiers=] may be used. Specifically, such
identifiers may only be used when the value of the
{{MediaKeySystemConfiguration/distinctiveIdentifier}} member of the
{{MediaKeySystemAccess}} used to create the {{MediaKeys}} object is
{{MediaKeysRequirement/"required"}}.
</p>
</dd>
<dt>
<dfn class="lint-ignore">Cross Origin Limitations</dfn>
</dt>
<dd>
<p>
During playback, embedded media data is exposed to script in the embedding [=origin=].
In order for the API to provide [=Initialization Data=] in the {{encrypted}} event,
[=HTMLMediaElement/media data=] MUST be [=CORS-same-origin=] with the embedding page.
If [=HTMLMediaElement/media data=] is cross-origin with the embedding document, authors
SHOULD use the {{HTMLMediaElement/crossOrigin}} attribute on the {{HTMLMediaElement}}
and CORS headers on the [=HTMLMediaElement/media data=] response to make it
[=CORS-same-origin=].
</p>
</dd>
<dt>
<dfn>Mixed Content Limitations</dfn>
</dt>
<dd>
<p>
During playback, embedded media data is exposed to script in the embedding [=origin=].
In order for the API to provide [=Initialization Data=] in the {{encrypted}} event,
[=HTMLMediaElement/media data=] MUST NOT be [=Mixed Content=] [[MIXED-CONTENT]].
</p>
</dd>
<dt>
<dfn>Time</dfn>
</dt>
<dd>
<p>
Time MUST be equivalent to that represented in <a class="external" href=
"https://tc39.github.io/ecma262/#sec-time-values-and-time-range">ECMAScript
<span class="estype">Time Values and Time Range</span></a> [[ECMA-262]].
</p>
<p>
Time will equal <code>NaN</code> if no such time exists or if the time is
indeterminate. It should never have the value <code>Infinity</code>.
</p>
<p class="note">
Time generally represents an instant in time with millisecond accuracy; however, that
alone is not a sufficient definition. The defined Time Values and Time Range reference
adds other important requirements.
</p>
</dd>
<dt>
<dfn data-lt="expiration">Expiration Time</dfn>