Digital Cinema Initiatives
Archived Specification Errata
The following errata have been encorporated in a new document with all errata included as of August 30 2012 the following are for archive reference only!
ERRATA #90 - #96 DCI DIGITAL CINEMA SYSTEM SPECIFICATION, VERSION 1.2
Errata items continue to be evaluated and will be posted after agreement by the DCI membership that the specific erratum needs to modify the DCI Digital Cinema System Specification, version 1.2.
Suggested erratum items may be emailed to
Please include "Errata" in the subject line.
« SEE ALL ARCHIVED V1.2 ERRATA through August 30, 2012
DOWNLOAD: ERRATA #90-#96 Approved 30 August 2012
|Erratum ||Spec 1.2 Page ||Sections Affected ||Description
|| In Erratum 70, the second paragraph of Section 184.108.40.206 is amended to read as follows:
The identity of a device shall be represented by its certificate. The make and model of each certificated device shall be carried in the assigned certificate, and the serial number and device role(s) (see below) shall in particular be carried in the Common Name (CN) field of the assigned certificate. The make, model and serial number of each certificated device shall be placed on the exterior of said device in a manner that is easily read by a human.
|| Second sentence in the second to the last paragraph is replaced with:
The most recent editions of the referenced standards shall be valid unless otherwise exempted in this specification.
|| The following is added at the end of this section:
Note: For permanently married implementations where there are no remote SPBs the KDM need not carry Trusted Device List (TDL) information. The KDM syntax requirement that the associated "DeviceList" element not be empty can be satisfied by placing any Digital Cinema certificate thumbprint in this field.
|| Errata 87 is redacted and replaced with:
The title of this section is changed to "Special Auditorium Situations", and the entire section is replaced with:
"Special Auditorium Situations" are defined to allow the Image Media Block (IMB) to operate with more than a single projector. Special Auditorium Situations shall be enabled by the following methods:
- IMB with Multiple Link Encryption means the use of (i) more than one remote LDB/projector pair with a single IMB, or (ii) an LD/LE image processor SPB inserted between the IMB and one or more remote LDB/projector pair(s).
- Integrated IMB with Link Encryption means the use of an integrated and married IMB/projector pair, where the IMB also outputs a Link Encrypted image signal to one or more remote LDB/projector pair(s). The IMB shall simultaneously meet all requirements for both integrated and non-integrated projector system implementations.
SMs shall enable Special Auditorium Situations to operate only when the SM receives a KDM whose Trusted Device List (TDL) contains only the identities of the SPBs it is enabling for playback. For IMB with Multiple Link Encryption operation these shall be the remote SPBs identified during TLS authentication (see details below). For Integrated IMB with Link Encryption this additionally includes the identity of the projector to which the IMB is married. This matching is an indication to the SM that Special Auditorium Situations operation has been approved by the content owner.
IMB with Multiple Link Encryption operation or Integrated IMB with Link Encryption operation shall follow all normal (single) Link Encryption requirements of this section, with the following additional requirements:
- SM behavior shall be designed to identify a Special Auditorium Situation during the auditorium security network TLS session establishment. The digital certificate exchange with remote SPBs shall return the associated certificate roles for each SPB in the auditorium.
- The SM shall independently authenticate each remote SPB against the TDL using a dedicated TLS session.
- The SM shall independently key each remote SPB for Link Encryption operation using standardized Intra-Theater (security) Messaging per Section 9.4.5.
- The SM shall not support the use of more than one LD/LE image processor SPB for any given projector.
- The Link Encryption stages of the LD/LE image processor configuration may use the same LE key(s). Similarly, the SM may key the multiple LDB/projector configuration using the same LE key for each LDB/projector system.
The following paragraph is added at the end of (new) section 220.127.116.11 "Dual Certificate Implementations":
In addition to the above, dual certificate implementations require Digital Cinema certificate validation rules that may not be reflected in the current SMPTE digital cinema specification (see DCSS Section 9.8, SMPTE430-2: "D-Cinema Operations - Digital Certificate"). The affected validation rule is driven by the "Key Usage" constraints as given in Table 2 of SMPTE430-2 ("Field Constraints for Digital Cinema Certificates"), which is then reflected in validation rule # 6 of section 6.2 "Validation Rules". For dual certificate implementations validation rule # 6 shall be as stated in SMPTE430-2 for single certificate implementations, except as follows:
- SM Cert - The DigitalSignature flag shall not be set.
- LS Cert - The KeyEncipherment flag shall not be set.
|| The last sentence of the opening paragraph of this section is replaced with:
CSPs and plain text content essence shall be physically protected by Secure Silicon and/or Secure Processing Blocks as described below:
|| The "Secure Silicon" bullet is replaced with:
- Secure Silicon - Sensitive data contained within a Secure Silicon integrated circuit (IC) can only be compromised by a physical attack on the IC. All type 1 and type 2 Secure Processing Blocks (SPB) shall contain a Secure Silicon IC compliant to the following requirements:
- Secure Silicon integrated circuits used for Digital Cinema security applications shall meet FIPS 140-2 level 3 area five (physical security) requirements as defined for "single-chip cryptographic modules" (no other FIPS 140-2 area requirements are mandated).
- Other than as part of the manufacturing process, SPB private keys used for device identity (see section 9.5.1 "Digital Certificates") shall not exist outside of the Secure Silicon IC. For purposes of clarity, this means that (1) private keys (whether encrypted or not) shall not be moved or copied from Secure Silicon, and (2) the CipherValue element(s) of the KDM's AuthenticatedPrivate element shall be decrypted by and within the Secure Silicon IC.
- Decrypted (plain text) content image keys may be moved from the Secure Silicon IC for purposes of decrypting image essence during playout only. They shall at all other times be contained within the Secure Silicon IC, or be stored off-chip in an encrypted fashion per the requirements of section 9.7.4 "Protection of Content Keys"
Errata items continue to be evaluated and will be posted after agreement by the DCI membership that the specific erratum needs to modify the DCI Digital Cinema System Specification, version 1.2. March 07 2008
ERRATA 1-15 TO DCI DIGITAL CINEMA SYSTEM SPECIFICATION, VERSION 1.2
ERRATA 16-20 TO DCI DIGITAL CINEMA SYSTEM SPECIFICATION, VERSION 1.2
ERRATA 21-33 TO DCI DIGITAL CINEMA SYSTEM SPECIFICATION, VERSION 1.2
ERRATA 34-76 TO DCI DIGITAL CINEMA SYSTEM SPECIFICATION, VERSION 1.2
ERRATA 77 TO 87 DCI DIGITAL CINEMA SYSTEM SPECIFICATION, VERSION 1.2
ERRATA 88 TO 89 DCI DIGITAL CINEMA SYSTEM SPECIFICATION, VERSION 1.2
ERRATA 90 TO 96 DCI DIGITAL CINEMA SYSTEM SPECIFICATION, VERSION 1.2