We are seeing a wave of solutions arrive for DRM/licensing, and eventually we will see features added to the Flash Player. Having created the COLA and IFBIN licensing solutions using Flash Player, I wanted to talk about how the Flash and Apollo players need to implement open licensing APIs.
First off, this isn’t a judgment on licensing. I am purely talking about implementation, not the politics of digital rights, licensing, or privacy. Let’s stay on target…
Ideally, developers should be able to protect their applications very easily, without a lot of muss or fuss. If I am writing a Flex application for deployment in the Flash Player or Apollo, I should have access to some simple APIs to enable licensing. I would like to see some low-level features added so that developers can create higher-level solutions for licensing and DRM. If the player implements a high-level solution, then the solution will be weak. Instead, it makes sense to provide low-level keys on which a higher-level system can easily be built within the Flash Player.
With every licensing system, the entire model comes down to identity. If there is an unchangeable unique ID in the Flash Player for a “USER” and for the “SYSTEM”, then it is rather simple to create a server-side licensing model for client software. Here are some methods in a hypothetical class called flash.system.Key:
flash.system.Key.getUser( [ domain:String ] ):String
//returns a globally unique SHA-1 40-bit key for the user on a system in a domain
flash.system.Key.getSystem( [ domain:String ] ):String
//returns a globally unique SHA-1 40-bit key for the system in a domain
//returns a globally unique SHA-1 40-bit
flash.system.Key.getSHA1( value:Object ):String
//returns a SHA-1 40-bit key for an Object from its AMF or ByteArray value.
//resets all keys for a particular user in a domain
//resets all keys for a particular system in a domain
Basically, these all return SHA-1 40-bit keys (I am a huge fan of SHA-1!). Within any Flash/Flex application, I can create unique keys that can be reliably generated across player installations and upgrades.
Case A – IFBIN 2.0 100% Web Based
With a reliable unique key on the client side, IFBIN could store licenses on the server side. If a user requests a download, they pass their key; if there is a matching key on the server side, they get a ZIP file, otherwise they get a dialog. The user did not have to log in and did not have to remember a username or password; they just purchased and passed in their Activation ID, sent via email.
Case B – Multiplayer Game
A developer writes a killer multiuser game in AS3. Users are licensed to use the game for 30 days at a time. To avoid manipulation of the local clock, the developer uses server-based time expiration combined with a unique user key per domain. Using flash.system.Key.getUser(), they store keys on the server for any user on their particular domain, along with the date the key was stored. When the user comes to the site, they are logged in automatically without any cookie and allowed to play if the server permits them.
Case C – Pay to Print
Assume you run a tax preparation system. You collect lots of user information and generate completed tax forms. The user can use the tax software for free but cannot print results without having paid first. The user completes everything and pays, passing a unique key from flash.system.Key.getUser() to the server side. During the print logic, the client passes the key to the server, and if there is a license, the server generates the Flash Paper documents for client printing. Free to use, pay to print.
Implementing licensing and DRM using simple SHA-1 keys is straightforward, provided that the keys are unique for the user/system and do not change over time. It also solves a host of issues related to identity and state management. If you can guarantee that a player is unique, then assumptions about web-based security change dramatically. You would also be able to persist state over a very long period of time, given that users could reliably re-enter the state over and over again just by using the application on the domain.
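Case B's server-side check, sketched here in Python as an added example (not code from this post or from any Flash Player API). PlayerKeyStore is a hypothetical stand-in for flash.system.Key; the HMAC-SHA1 derivation, the class names and the example domains are assumptions.

```python
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta, timezone

LICENSE_TERM = timedelta(days=30)          # Case B: licensed 30 days at a time
KEY_FORMAT = re.compile(r"[0-9a-f]{40}")   # SHA-1 digest as 40 hex characters

class PlayerKeyStore:
    """Stand-in for the player side of the hypothetical flash.system.Key."""
    def __init__(self):
        self._seed = os.urandom(32)        # per-install secret, never exposed

    def get_user(self, domain):
        # Keyed hash of the domain: stable per domain, unlinkable across domains.
        return hmac.new(self._seed, domain.encode(), hashlib.sha1).hexdigest()

    def reset(self):
        self._seed = os.urandom(32)        # user-initiated reset: every key changes

class LicenseServer:
    """Server side: stores key -> activation time, judged by the server clock."""
    def __init__(self):
        self._activated = {}

    def activate(self, user_key, now):
        if not KEY_FORMAT.fullmatch(user_key):
            raise ValueError("malformed key")
        self._activated[user_key] = now

    def may_play(self, user_key, now):
        # 'now' comes from the server, so the client's local clock is irrelevant.
        started = self._activated.get(user_key)
        return started is not None and now - started < LICENSE_TERM

def demo():
    player, server = PlayerKeyStore(), LicenseServer()
    t0 = datetime(2007, 1, 1, tzinfo=timezone.utc)   # constructed timestamp
    key = player.get_user("game.example")            # constructed domain
    server.activate(key, t0)
    results = {
        "day_29": server.may_play(key, t0 + timedelta(days=29)),
        "day_30": server.may_play(key, t0 + timedelta(days=30)),
        "other_domain": server.may_play(player.get_user("other.example"), t0),
    }
    player.reset()
    results["after_reset"] = server.may_play(player.get_user("game.example"), t0)
    return results
```

Because the key is the only thing the server checks, it works as a bearer credential: send it only over an encrypted channel and store it server-side with the care given to a password.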
The best part about this approach is that developers are not locked in. You can mix and match to create a licensing/DRM system that fits your needs and your customers. Security, licensing, and DRM need to be simple to use, seamless for the end user, and flexible enough to allow change over time.
I am sure privacy experts would have a field day with this proposal, but how are we supposed to license applications without identity? Obviously, in this case the end user should be allowed to reset their keys in the System Settings dialog of the Flash Player, but would not be allowed to change them directly. These keys are only good if they are consistent, uneditable, yet resettable.
My 2 Cents,