European Digital Reading Lab

Licensed Content Protection (LCP)

EPUB Summit workshop

Laurent Le Meur

Scope of the workshop

● Update the participants on the architecture of Readium LCP, the workflow, the state of the developments, the agenda, the costs involved;

● Detail the certification process;● Exchange on the level of protection of Readium LCP; ● Exchange on the level of support of this new DRM by the participants.

DRM = Digital Rights Management

Technical implementation of a business model (ex. Library lending)

Protection against wild dissemination (anti-pirating)

Are obligations more than rights

Complexify access to e-books

Lower interopérability and accessibility

Hurt honest sharing

Make archiving an illusion

=> push people to use anti-DRM tools

What the devil was he doing in that galley?

LCP implémentation decided in november 2015, launched in january 2016.

Why do we offer our beloved ebooks to the DRM Moloch?

- Because public libraries need a better solution than the Adobe DRM

- Because for most publishers, unprotected EPUB is a showstopper

- Because the spec is almost ready for 2 years- Because we have been donated source code to help

Goals of Readium LCP

● Simplicity for the user● Perfect interoperability in the LCP ecosystem● No limitation on content accessibility● Offline access to the documents always possible● Dynamic update of licenses● Unlimited access (in time) to the documents● Family sharing possible● No centralized server● Low development costs● Limited cost of certification

LCP - search for a good balance

Readium LCP = simplicity

Encrypted content

Associated decryption key (passphrase)

The owner of the passphrase can read the document

The App can store the key, so that the user can forget it

More details … 1/ encryption

+ =

+ Content Key

Protected Content

2/ License generation

= + + + + + Protected content key

Rights Provider certificate

Passphrase hint

Signature

License

Personal data

Standard rights: start/end datetime,print (# pages), copy (# characters), tts (yes/no)

Choose a passphrase

A user will usually have one passphrase per bookseller or public library.

Must be easy to remember or find.

A hint stored in the license by the licensor will help the user when needed.

It MUST be clear to the user. In a public library, the user ID can be a good choice.

The passphrase will usually be requested only when a protected document is side loaded in a new device.

3/ LCP / EPUB file

= +

EPUB / LCP License Protected content

4/ Open with a passphrase

Hint User Passphrase

Signature checking

EPUB / LCP Content key Clear content content

The passphrase may be acquired automatically and stored in the app without user action. The user will use the hint to “remember” the document passphrase.

5/ Dynamic update of the license

● Early return● Extended lending● Requires an online connection● The licensor can track the number of devices opening the document

Readium LCP ecosystem

Publisher Distributor

Bookseller

1

2

Distributor / Bookseller

What is the certification?● Readium LCP is a DRM ecosystem● Certification is

○ Guarantee of compliance○ Guarantee of robustness○ Guarantee of interoperability

● The specification will be public● The source code will be open-source (BSD-like)● But some confidential information will be transferred to the participants to an

LCP ecosystem○ Root certificate (ITU)○ Provider certificate○ Readium LCP 1.0 profile information (unavailable in the specification)

Compliance rules, Robustness rules

● Client and server side● Compliance

○ Server app must alert if *many* devices use the same license ○ Client app must develop an anti-rollback clock (details to be defined)○ etc.

● Robustness○ A certain data type must be protected against a certain type of attack to a certain extent

■ Client app must obfuscate the decryption process■ Client app must hide Readium LCP confidential information■ Client app must securely store user keys ■ Server app must protect the provider private key

Agenda

Q1 2016: development (iOS, MacOS, Android)

Q2 2016: development (iOS, MacOS, Android); first tests; contractual documents; pricing;

Q3 2016: interop tests; certificate authority setup

Q4 2016: first certifications; launch