Digital certificates provide a secure and interoperable means for exchange of public keys while proving that the public key is from a trusted entity. The Digital Cinema Certificate is recognized by DCI as a declaration that the certified device meets the DCI Specification. (See DCI DCSS section 126.96.36.199.) A Digital Cinema Certificate, therefore, is a declaration from a trusted party that a particular device is to be trusted.
In cryptography, a digital certificate is typically accompanied by a chain of certificates, tightly linked by digital signature, and ultimately signed by a trusted root certificate. In many business applications, the trusted root certificate is provided by a trusted third party. In digital cinema, the need for a third party is eliminated. The root certificate can be provided by a trusted vendor, such as the manufacturer of a Media Block. Trust in in the vendor is established through the vendor’s relationship with content owners and the knowledge that its products are DCI-compliant, eliminating the need, expense, and complexity of a trusted third party.
In 2011, a change in rules from the US National Institute of Standards and Technology (NIST), the owner of the FIPS 140-2 specification, disallowed the shared use of a single public-private key pair for applications such as TLS, digital signature, and encryption/decryption of AES symmetric keys in the KDM. The result is that new Media Block designs now carry two key pairs, one shared among TLS and digital signature applications, and the other applied only for the protection of AES symmetric keys. For this reason, Media Blocks designed after 2011 have two digital certificates that share public keys.
Digital cinema certificates are a constrained version of the widely used X.509 v3 certificate defined in IETF RFC 5280. The Digital Cinema Certificate uses the following features of the X.509 v3 digital certificate:
- Version Number
- Serial Number
- Signature Algorithm ID
- Issuer Name
- Validity Period
- Subject Name
- Subject Public Key Info
- Issuer Unique Identifier
- KeyUsage Extension
- BasicConstraint Extension
- Certificate Signature Algorithm
- Certificate Signature
The manner in which these elements are applied is defined in SMPTE ST 430-2 Digital Certificate.