Right, and it's also worth highlighting here the meaning of these "protection" levels:
L1 - all content processing and cryptography operations are handled inside a CPU that supports a Trusted Execution Environment (TEE).
L2 - only cryptography operations are handled inside a TEE.
L3 - content processing and cryptography operations are (intentionally) handled outside of a TEE, or the device doesn't support a TEE.
This suggests that the media industry only trust you to receive their content if they have some degree of control over what your device is doing. There's an obvious logic to them setting such a requirement, but it does mean rolling out a world wide system where critical security components underpinning our digital societies are resistant to inspection and transparency, by design (and, in many cases, with the full force of the law).
I feel that ultimately this will create a precarious situation and introduce risks that are not justified.
> a world wide system where critical security components [...] are resistant to inspection and transparency, by design (and, in many cases, with the full force of the law).
Fun sci-fi exercise: what happens when you mandate legal backdoors for general-purpose crypto, but lock down content so tight that it's NSA-resistant?
I can imagine some cypherpunks in this sci-fi world creating a crypto-system where the keying data is sent as media files (possibly requiring a new movie studio to be created as a cover story).
Unfortunately I can also imagine that the NSA give themselves backdoors that can even get past the legally-mandated DRM, and the media industries would accept this.
Chrome and Firefox use Widevine DRM at L3 (software implementation). Edge and IE use PlayReady (which has support for hardware DRM, optinally selectable by the app/website).
L1 - all content processing and cryptography operations are handled inside a CPU that supports a Trusted Execution Environment (TEE).
L2 - only cryptography operations are handled inside a TEE.
L3 - content processing and cryptography operations are (intentionally) handled outside of a TEE, or the device doesn't support a TEE.
This suggests that the media industry only trust you to receive their content if they have some degree of control over what your device is doing. There's an obvious logic to them setting such a requirement, but it does mean rolling out a world wide system where critical security components underpinning our digital societies are resistant to inspection and transparency, by design (and, in many cases, with the full force of the law).
I feel that ultimately this will create a precarious situation and introduce risks that are not justified.