On Tue, Mar 9, 2010 at 13:50, Iain Wallace <[email protected]> wrote:
> I think I replied from an address which isn't registered with the list
> earlier, so here's what I said again:
>
> The fact that this is all presumably going to be sent in the clear as
> opposed to encrypted means this would be technically very easy to
> reverse engineer.

Fair point, and indeed I’d probably want some kind of session key involved (be it HTTPS, or whatever) were I _actually_ to propose this as an implementation for something :)

> Aside from that, the key really is the resource,
> which you'd somehow need to protect in order to stop invalid user
> agents just spoofing all this info. In that respect it's very similar
> to swf verify, which doesn't work.

I should say: I deliberately didn’t ask for a cryptographic critique. This isn’t code I’m planning on deploying anywhere. However, some folk may (as you have) recognise it as being similar to something else, although my code is obviously pretty generic (it’s built on HTTP, but could just as easily be RTSP, or something else).

For what it’s worth, SWF Verification _does_ work, if what you want to do is “prevent access to the media from people who don’t have access to the SWF”. Assuming they can’t get it any other way. Which is, of course, a massive assumption to work. SWF Verification doesn’t work for anything else, of course, but it’s not really designed for it, either (the clue is in the name!).

(I tweaked my code last night after posting this to better explain what it does/doesn’t do or protect against to avoid any misconceptions about what it might achieve were somebody to implement it).

> Whether this can be claimed to be a copyright mechanism is a legal
> rather than technical issue IMO.

…but does rather depend upon the technical aspects of it, to *some* extent. But yes, it’s the legal aspect I’m really interested in. If somebody else were to implement the same algorithm (no spoofing of resource hashes required) as appears in client.php, would they fall afoul of the CDPA (or, indeed, the DMCA)?

On an _utterly_ unrelated note, isn’t it weird how Red5 can happily implement SWF Verification on the server side, but XBMC apparently can’t on the client?

M.

-
Sent via the backstage.bbc.co.uk discussion group.

