2016 readium lcp workshop at epub summit
TRANSCRIPT
European Digital Reading Lab
Licensed Content Protection (LCP)
EPUB Summit workshop
Laurent Le Meur
Scope of the workshop
● Update the participants on the architecture of Readium LCP, the workflow, the state of the developments, the agenda, the costs involved;
● Detail the certification process;● Exchange on the level of protection of Readium LCP; ● Exchange on the level of support of this new DRM by the participants.
DRM = Digital Rights Management
Technical implementation of a business model (ex. Library lending)
Protection against wild dissemination (anti-pirating)
Are obligations more than rights
Complexify access to e-books
Lower interopérability and accessibility
Hurt honest sharing
Make archiving an illusion
=> push people to use anti-DRM tools
What the devil was he doing in that galley?
LCP implémentation decided in november 2015, launched in january 2016.
Why do we offer our beloved ebooks to the DRM Moloch?
- Because public libraries need a better solution than the Adobe DRM
- Because for most publishers, unprotected EPUB is a showstopper
- Because the spec is almost ready for 2 years- Because we have been donated source code to help
Goals of Readium LCP
● Simplicity for the user● Perfect interoperability in the LCP ecosystem● No limitation on content accessibility● Offline access to the documents always possible● Dynamic update of licenses● Unlimited access (in time) to the documents● Family sharing possible● No centralized server● Low development costs● Limited cost of certification
LCP - search for a good balance
Readium LCP = simplicity
Encrypted content
Associated decryption key (passphrase)
The owner of the passphrase can read the document
The App can store the key, so that the user can forget it
More details … 1/ encryption
+ =
+ Content Key
Protected Content
2/ License generation
= + + + + + Protected content key
Rights Provider certificate
Passphrase hint
Signature
License
Personal data
Standard rights: start/end datetime,print (# pages), copy (# characters), tts (yes/no)
Choose a passphrase
A user will usually have one passphrase per bookseller or public library.
Must be easy to remember or find.
A hint stored in the license by the licensor will help the user when needed.
It MUST be clear to the user. In a public library, the user ID can be a good choice.
The passphrase will usually be requested only when a protected document is side loaded in a new device.
3/ LCP / EPUB file
= +
EPUB / LCP License Protected content
4/ Open with a passphrase
Hint User Passphrase
Signature checking
EPUB / LCP Content key Clear content content
The passphrase may be acquired automatically and stored in the app without user action. The user will use the hint to “remember” the document passphrase.
5/ Dynamic update of the license
● Early return● Extended lending● Requires an online connection● The licensor can track the number of devices opening the document
Readium LCP ecosystem
Publisher Distributor
Bookseller
1
2
Distributor / Bookseller
What is the certification?● Readium LCP is a DRM ecosystem● Certification is
○ Guarantee of compliance○ Guarantee of robustness○ Guarantee of interoperability
● The specification will be public● The source code will be open-source (BSD-like)● But some confidential information will be transferred to the participants to an
LCP ecosystem○ Root certificate (ITU)○ Provider certificate○ Readium LCP 1.0 profile information (unavailable in the specification)
Compliance rules, Robustness rules
● Client and server side● Compliance
○ Server app must alert if *many* devices use the same license ○ Client app must develop an anti-rollback clock (details to be defined)○ etc.
● Robustness○ A certain data type must be protected against a certain type of attack to a certain extent
■ Client app must obfuscate the decryption process■ Client app must hide Readium LCP confidential information■ Client app must securely store user keys ■ Server app must protect the provider private key
Agenda
Q1 2016: development (iOS, MacOS, Android)
Q2 2016: development (iOS, MacOS, Android); first tests; contractual documents; pricing;
Q3 2016: interop tests; certificate authority setup
Q4 2016: first certifications; launch