
Content Usage Rules for OTT

1. Overview

SSP supports declaration and enforcement of content usage rules that define how content shall be used by the client device, for instance regarding output control.

For OTT content, usage rules can be defined in two different ways in SSP:

  1. The preferred and most generic method is to use Usage Rules Profiles.

    1. It consists of referencing a Usage Rules Profile Id.

    2. It can apply to live channels defined in IMS, to Content authorization tokens, or to specific content tracks (e.g., Audio, SD, HD, UHD) defined in the content.

    3. SSP comes with four default profile values that can be customized and additional profiles can be defined.

    4. If no usage rules profiles are specified in IMS or in the Content authorization tokens or in the authorization callback mode, then SSP will automatically apply the Default profile of the DRM.

  2. The second method, Generic Usage Rules, is deprecated but still supported by SSP. It is supported only in Content authorization tokens and consists of declaring the usage rules in a generic format (see details in the Content Authorization token definition).


2. Default Usage Rules Profiles per DRM

For OTT contents, SSP supports Usage Rule Profiles (aka UR Profiles). A UR Profile is a set of DRM specific values for the content usage rules defined below and tagged with an identifier. For convenience, a profile identifier can then be used to replace the list of rules in the IMS API as well as in Content authorization tokens.

SSP is delivered with the default set of four content usage rules profiles.

To use one of those profiles, simply use the profile identifier above ("Test" / "SD" / "HD" / "UHD" / “default” ) in the channel definition in IMS or in the Content Authorization token.

  • Profile "Test" should only be used for integration purposes.

  • New profiles can be added into the system. Please refer to the SSP Console documentation.

For all the parameters highlighted, the DRM is proactively validating the value against the challenge data coming from the request.

2.1. PRM & SWPRM

PRM (Connect client) / SWPRM (OpenTV Player)

| Usage rules | Profile "Test" | Profile "SD" | Profile "HD" | Profile "UHD" | Profile "default" (default system values) |
|---|---|---|---|---|---|
| minLevel | 0 | 1000 | 1000 | 3000 | 1000 |
| analogCappingResolution | NO_RESTRICTIONS | NO_RESTRICTIONS | NO_RESTRICTIONS | NO_RESTRICTIONS | NO_RESTRICTIONS |
| digitalOnly | FALSE | FALSE | TRUE | TRUE | TRUE |
| hdcp | TRUE | TRUE | TRUE | TRUE | TRUE |
| hdcpType | TYPE_0 | TYPE_0 | TYPE_0 | TYPE_1 | TYPE_1 |
| imageConstraint | FALSE | FALSE | FALSE | FALSE | FALSE |
| uncompressedDigitalCappingResolution | NO_RESTRICTIONS | NO_RESTRICTIONS | NO_RESTRICTIONS | NO_RESTRICTIONS | NO_RESTRICTIONS |
| deviceCappingResolution | NO_RESTRICTIONS | NO_RESTRICTIONS | NO_RESTRICTIONS | NO_RESTRICTIONS | NO_RESTRICTIONS |
| unprotectedAnalogOutput | TRUE | TRUE | FALSE | FALSE | FALSE |
| unprotectedDigitalOutput | TRUE | TRUE | FALSE | FALSE | FALSE |
| watermarkingEnabled | TRUE | TRUE | TRUE | TRUE | TRUE |
| secureMediaPathActivation | - | - | - | - | - |

Comments

minLevel

This value can be set to 10000 to prevent acquisition of PRM licenses.

secureMediaPathActivation

Optional

No default values.

If defined, the value overrides the rules based on the minLevel.

If not defined, the value is set automatically according to the minLevel.

Relation between the Security Level and the Secure Media Path

Possible values :

  • SHALL_BE_ACTIVATED

  • CAN_BE_ACTIVATED

2.2. PlayReady

| Usage rules | Profile "Test" | Profile "SD" | Profile "HD" | Profile "UHD" | Profile "default" (default system values) |
|---|---|---|---|---|---|
| minimumSecurityLevel | 150 | 2000 | 2000 | 3000 | 2000 |
| hdcpType | - | - | 0 | 1 | 1 |
| digitalVideoOnly | FALSE | FALSE | TRUE | TRUE | TRUE |
| agcAndColorStrip | 0 | 0 | 0 | 0 | 0 |
| minimumAnalogTelevision | 100 | 200 | 300 | 300 | 300 |
| uncompressedDigitalVideoOutputProtection | 100 | 100 | 300 | 300 | 300 |
| compressedDigitalVideoOutputProtection | 500 | 500 | 500 | 500 | 500 |
| uncompressedDigitalAudioOutputProtection | 100 | 100 | 300 | 300 | 300 |
| compressedDigitalAudioOutputProtection | 100 | 100 | 300 | 300 | 300 |
| dtcpExport | FALSE | FALSE | FALSE | FALSE | FALSE |

Comments

minimumSecurityLevel

This value can be set to 5000 to prevent acquisition of PlayReady licenses.

hdcpType

Value set in the license and used by the DRM client.

Optional

Minimum HDCP protection.

To be set in the license, the parameter “uncompressedDigitalVideoOutputProtection” must be higher than 271.

Possible values :

  • Empty (HDCP type not set in the license)

  • 0 (HDCP not engaged - The content protection mechanism is not active)

  • 1 (HDCP engaged - The content protection mechanism is active)

digitalVideoOnly

Value set in the license and used by the DRM client.

PlayReady products may only pass the video portion of decrypted A/V content to Digital Video Outputs.

Possible values :

  • TRUE

  • FALSE

agcAndColorStrip

Value set in the license and used by the DRM client.

Only applicable if the parameter “digitalVideoOnly” is set to FALSE.

Possible values :

  • 0 (AGC and Color Strip OFF)

  • 1 (AGC ON and Color Strip OFF)

  • 2 (AGC OFF and Color Strip ON)

  • 3 (AGC ON and Color Strip ON)

minimumAnalogTelevision

Value set in the license and used by the DRM client.

If a PlayReady product passes the video portion of decrypted A/V Content to Analog Television Outputs, the PlayReady product must follow restrictions.

Minimum value.

Check the PlayReady compliance rules for more details.

Possible values :

  • 100

  • 150

  • 200

  • 300

uncompressedDigitalVideoOutputProtection

Value set in the license and used by the DRM client.

If a PlayReady product passes the video portion of uncompressed decrypted A/V Content, the PlayReady product must follow restrictions.

Minimum value.

Check the PlayReady compliance rules for more details.

Possible values :

  • 100

  • 250

  • 270

  • 300

compressedDigitalVideoOutputProtection

If a PlayReady product passes the video portion of compressed decrypted A/V Content, the PlayReady product must follow restrictions.

Minimum value.

Check the PlayReady compliance rules for more details.

Possible values :

  • 400

  • 500

uncompressedDigitalAudioOutputProtection

Value set in the license and used by the DRM client.

If a PlayReady product passes the audio portion of uncompressed decrypted A/V Content, the PlayReady product must follow restrictions.

Minimum value.

Check the PlayReady compliance rules for more details.

Possible values :

  • 100

  • 150

  • 200

  • 250

  • 300

compressedDigitalAudioOutputProtection

Value set in the license and used by the DRM client.

If a PlayReady product passes the audio portion of compressed decrypted A/V Content, the PlayReady product must follow restrictions as specified.

Minimum value.

Check the PlayReady compliance rules for more details.

Possible values :

  • 100

  • 150

  • 200

  • 250

  • 300

dtcpExport

Value set in the license and used by the DRM client.

Digital Transmission Content Protection, designed to protect audio and video content as it's transmitted between devices.

A PlayReady product may export decrypted PlayReady A/V Content to DTCP.

Applicable only for offline licenses.

Possible values :

  • TRUE

  • FALSE

2.3. FairPlay

| Usage rules | Profile "Test" | Profile "SD" | Profile "HD" | Profile "UHD" | Profile "default" (default system values) |
|---|---|---|---|---|---|
| airPlayAllowed | TRUE | TRUE | TRUE | FALSE | FALSE |
| digitalAvAdapter | TRUE | TRUE | TRUE | TRUE | TRUE |
| hdcpStrictEnforcement | FALSE | FALSE | TRUE | TRUE | TRUE |
| hdcpLevel | 0xEF72894CA7895B78 | 0xEF72894CA7895B78 | 0x40791AC78BD5C571 | 0x285A0863BBA8E1D3 | 0x285A0863BBA8E1D3 |

Comments

airPlayAllowed

Determines if AirPlay can be activated.

digitalAvAdapter

Determines if digital AV Adapters are allowed.

hdcpStrictEnforcement

Value compared with the hdcp enforcement flag coming from the SPC message.

Mismatches lead to device hdcp protection errors (error code 4044).

Possible values :

  • TRUE

  • FALSE

hdcpLevel

Value set in the license and used by the DRM client.

If the hdcp is not strictly enforced, the hdcp level cannot be set to Type 0 or 1.

Possible values :

  • 0xEF72894CA7895B78 (HDCP not required)

  • 0x40791AC78BD5C571 (HDCP Type 0 is required)

  • 0x285A0863BBA8E1D3 (HDCP Type 1 is required)

2.4. Widevine

| Usage rules | Profile "Test" | Profile "SD" | Profile "HD" | Profile "UHD" | Profile "default" (default system values) |
|---|---|---|---|---|---|
| minimumSecurityLevel | 5 | 3 | 3 | 1 | 3 |
| policySecurityLevel | 1 | 1 | 1 | 4 | 1 |
| hdcp | 0 | 0 | 1 | 5 | 5 |
| disableAnalogOutput | FALSE | FALSE | TRUE | TRUE | TRUE |
| overrideDeviceRevocation | TRUE | FALSE | FALSE | FALSE | FALSE |
| allowUnverifiedPlatform | TRUE | FALSE | FALSE | FALSE | FALSE |
| requireL3SecureStorage | FALSE | FALSE | FALSE | FALSE | FALSE |
| maxDeviceVulnerabilityLevel | - | - | - | - | - |
| allowUnspecifiedDeviceVulnerabilityLevel | - | - | - | - | - |
| cgmsFlag | CGMS_NONE | COPY_NEVER | CGMS_NONE | CGMS_NONE | CGMS_NONE |

Comments

minimumSecurityLevel

Value compared with the device security level defined by Widevine.

In case the security level is not accessible in the license request, SSP will consider the device security level to be 5. This could happen with test devices.

This value can be set to 0 to prevent acquisition of Widevine licenses.

Possible values :

  • 0 (Reject license requests)

  • 1 (Hardware security level)

  • 3 (Software security level)

  • 5 (Not accessible)

policySecurityLevel

Value set in the license and used by the DRM client.

EME format (from 1 to 5).

Possible values :

  • 1 (SOFTWARE SECURE CRYPTO)

  • 2 (SOFTWARE SECURE DECODE)

  • 3 (HARDWARE SECURE CRYPTO)

  • 4 (HARDWARE SECURE DECODE)

  • 5 (HARDWARE SECURE ALL)

When dealing with L1 Browser requests, an automatic conversion takes place to align the security level between the Widevine policy and PlayReady security levels :

  • 1-3 (Widevine) => 150 (PlayReady)

  • 4 (Widevine) => 2000 (PlayReady)

  • 5 (Widevine) => 3000 (PlayReady)

hdcp

Possible values :

  • 0 (HDCP_NONE)

  • 1 (HDCP_V1)

  • 2 (HDCP_V2)

  • 3 (HDCP_V2_1)

  • 4 (HDCP_V2_2)

  • 5 (HDCP_V2_3)

disableAnalogOutput

Indicates if the analog output has to be disabled.

In case the analog output has to be disabled, if the device doesn’t have the ability to do it then the request will be proactively rejected.

For devices with an analog output, the ability to disable it indicates whether the content can be disabled/restricted on the analog interface via the license’s key control block.

  • If “True” - Analog output is present and output can be disabled/restricted.

  • If “False” - Analog output is present and output cannot be disabled/restricted.

  • If “Unknown” - Analog output is either not present or cannot be determined

overrideDeviceRevocation

If true, a license is generated even if the device is revoked.

Permanently revoked devices cannot be overridden.

If the device is revoked and the override is disabled then the license will be rejected.

allowUnverifiedPlatform

Indicates if unverified platforms are allowed.

A license request will fail if VMP status is unverified or tampered for a desktop browser.

The Verified Media Path (VMP) feature is implemented for desktop browser platforms.

Set this field to 'true' to allow license request to succeed when VMP status is unverified.

Related status : PLATFORM_UNVERIFIED

requireL3SecureStorage

Used to require a secure storage on software verified platforms.

The device platform status was verified at the software level and the device has secure storage which is required for license storage persistence.

Applicable for desktop browsers only.

Related status : PLATFORM_SECURE_STORAGE_SOFTWARE_VERIFIED

maxDeviceVulnerabilityLevel

Optional

Describes how secure a device is, over time. It determines if a device is exposed to vulnerabilities.

If unset, the UR is not applied.

Default value per profile will be set in future releases.

Only applicable to SDK mode.

Possible values :

  • NONE

  • LOW

  • MEDIUM

  • HIGH

  • CRITICAL

allowUnspecifiedDeviceVulnerabilityLevel

Optional

Allow devices whose vulnerability level is unspecified.

Default for all profiles : TRUE

Default value per profile will be set in future releases.

Only applicable to SDK mode.

Possible values :

  • TRUE

  • FALSE

cgmsFlag

Value set in the license and used by the DRM client.

Indicates whether CGMS is required.
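
How the request-side Widevine rules in the table above could be evaluated together, as an added example that is not SSP code. The profile values are the defaults listed above; the request field names, the "REVOKED", "PERMANENT" and "TAMPERED" strings, the rule that a numerically lower security level is stronger, and the rule that a tampered VMP status always fails are assumptions of this sketch.

```python
# Added example, not SSP code. Profile values come from the Widevine table on
# this page; request field names and status strings other than
# PLATFORM_UNVERIFIED are hypothetical.
PROFILES = {
    # name: (minimumSecurityLevel, disableAnalogOutput,
    #        overrideDeviceRevocation, allowUnverifiedPlatform)
    "Test":    (5, False, True,  True),
    "SD":      (3, False, False, False),
    "HD":      (3, True,  False, False),
    "UHD":     (1, True,  False, False),
    "default": (3, True,  False, False),
}


def check_request(profile_id, request, min_level_override=None):
    """Return the reasons to reject; an empty list means the license is issued."""
    min_level, disable_analog, override_revocation, allow_unverified = PROFILES[profile_id]
    if min_level_override is not None:
        min_level = min_level_override
    reasons = []

    # A request without a security level is treated as level 5 (page rule).
    device_level = request.get("securityLevel", 5)
    # Assumption: 1 (hardware) is stronger than 3 (software), so a device
    # passes when its level is <= the profile minimum. 0 rejects everything.
    if min_level == 0 or device_level > min_level:
        reasons.append("security_level")

    # Only an explicit "False" ability is rejected; the page does not say how
    # "Unknown" is handled, so this sketch lets it through.
    if disable_analog and request.get("canDisableAnalogOutput") == "False":
        reasons.append("analog_output")

    # Permanent revocation cannot be overridden by the profile.
    revocation = request.get("revocation")  # None, "REVOKED" or "PERMANENT"
    if revocation == "PERMANENT" or (revocation == "REVOKED" and not override_revocation):
        reasons.append("revoked")

    # VMP status is only present for desktop browsers.
    vmp = request.get("vmpStatus")
    if vmp == "TAMPERED" or (vmp == "PLATFORM_UNVERIFIED" and not allow_unverified):
        reasons.append("vmp")
    return reasons


# Constructed sample requests.
TEST_DEVICE = {"revocation": "REVOKED", "vmpStatus": "PLATFORM_UNVERIFIED"}
L3_BROWSER = {"securityLevel": 3, "vmpStatus": "PLATFORM_UNVERIFIED"}
L1_TV = {"securityLevel": 1, "canDisableAnalogOutput": "False"}
```

The constructed test device only passes under profile "Test", which is why that profile is reserved for integration.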

2.5. TvKeyCloud

| Usage rules | Profile "Test" | Profile "SD" | Profile "HD" | Profile "UHD" | Profile "default" (default system values) |
|---|---|---|---|---|---|
| exportProtection | FALSE | FALSE | TRUE | TRUE | FALSE |
| redistributionControl | FALSE | FALSE | FALSE | TRUE | FALSE |
| protectedBufferIndicator | FALSE | FALSE | FALSE | TRUE | FALSE |
| hdcpUncompressedToken | TRUE | TRUE | TRUE | FALSE | TRUE |
| hdcpCompressedToken | TRUE | TRUE | TRUE | FALSE | TRUE |
| hdcpType | 0 | 0 | 0 | 0 | 0 |
| uncompressedDigitalCappingResolution | 15 | 15 | 15 | 15 | 15 |
| compressedDigitalCappingResolution | 15 | 15 | 15 | 15 | 15 |

Comments

hdcpType

Possible values :

  • 0 (HDCP version 1.x or higher)

  • 1 (HDCP version 2.2 or higher)

  • 2-255 (Reserved for future use)

uncompressedDigitalCappingResolution

Possible values :

  • 0 (No output)

  • 1 (QCIF (176x144 pixels or equivalent))

  • 2 (CIF (352x288 pixels or equivalent))

  • 3 (SD (720x576 pixels or equivalent))

  • 4 (HD (1280x720 pixels or equivalent))

  • 5 (Full-HD (1920x1080 pixels or equivalent))

  • 6 (UHD (3840x2160 pixels or equivalent))

  • 7-14 (Reserved for future use)

  • 15 (No resolution restrictions)

compressedDigitalCappingResolution

Possible values :

  • 0 (No output)

  • 1 (QCIF (176x144 pixels or equivalent))

  • 2 (CIF (352x288 pixels or equivalent))

  • 3 (SD (720x576 pixels or equivalent))

  • 4 (HD (1280x720 pixels or equivalent))

  • 5 (Full-HD (1920x1080 pixels or equivalent))

  • 6 (UHD (3840x2160 pixels or equivalent))

  • 7-14 (Reserved for future use)

  • 15 (No resolution restrictions)

2.6. WisePlay

| Usage rules | Profile "Test" | Profile "SD" | Profile "HD" | Profile "UHD" | Profile "default" (default system values) |
|---|---|---|---|---|---|
| securityLevel | 1 | 1 | 2 | 3 | 1 |
| outputControl | 0 | 0 | 1 | 2 | 2 |
| licenseType | PERSISTENT | PERSISTENT | NONPERSISTENT | NONPERSISTENT | PERSISTENT |

Comments

securityLevel

Minimum security level of a device.

Possible values :

  • 1 (Software level)

  • 2 (Hardware level)

  • 3 (Enhanced hardware level)

outputControl

Output range allowed when the key is used to decrypt the content to be played (that is, control policy during large-screen projection).

Possible values :

  • 0 (Not restricted)

  • 1 (HDCP1.4 or later)

  • 2 (HDCP2.2 or later)

  • 3 (Not allowed)

licenseType

Indicates whether a license can be cached locally.

Possible values :

  • PERSISTENT : After a session is closed, the license is still reserved. You do not need to apply for a new license for the next playback.

  • NONPERSISTENT : The license is deleted after a session is closed.


3. URP usages

3.1. With Content Authorization Tokens

SSP Content Authorization tokens can include a UR profile identifier at the ContentRights level as well as at the Track level (field "usageRulesProfileId" in the ContentAuthZ token definition).

When using UR profile with tokens, the following rules will apply:

  • If an SSP Content authorization token refers to a UR profile that does not exist, the respective license request will be rejected.

  • Profiles and rules are mutually exclusive: a given Content AuthZ token can contain either a UR profile identifier or an explicit list of usage rules, but not both (otherwise the license request will be rejected).

  • If the token contains neither a profile identifier nor explicit usage rules, then default values are applied for each usage rule. The list of default values is detailed above.

3.2. With OTT Live Channels

OTT live channel definitions in IMS shall include a UR Profile identifier.

When using UR profiles with channels, the following rules will apply:

  • If a channel definition includes a UR profile that does not exist, SSP will reject subsequent license requests for that channel.

  • If the channel does not include a profile identifier, then default values are applied for each usage rule as defined in the "Default" UR Profile.

  • If the channel definition includes content tracks (e.g., Audio, SD, HD, etc), a UR Profile ID can be assigned at the track level. Otherwise the profile at the channel level will apply.

A channel definition request including an explicit list of usage rules will be rejected by IMS. Use a UR Profile instead.
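
The acceptance rules of sections 3.1 and 3.2 as one resolver, added here as an illustration and not taken from SSP. Only "usageRulesProfileId" is a field named on this page; "usageRules", "tracks" and "name" are hypothetical field names, and track-level fallback to the top-level value is stated on the page for channels and assumed here for tokens.

```python
# Added example, not SSP code. "usageRulesProfileId" is the token field named
# on this page; "usageRules", "tracks" and "name" are hypothetical field names.
KNOWN_PROFILES = {"Test", "SD", "HD", "UHD", "default"}  # the delivered profiles


class Rejected(Exception):
    """Raised where the page says the request or definition is rejected."""


def own_rules(level):
    """Usage rules declared directly on a token, channel or track, if any."""
    if "usageRulesProfileId" in level:
        return ("profile", level["usageRulesProfileId"])
    if "usageRules" in level:
        return ("rules", level["usageRules"])
    return None


def resolve(definition, kind):
    """Map "*" and each track name to the usage rules that apply to it.

    kind is "token" (section 3.1) or "channel" (section 3.2).
    """
    levels = [definition, *definition.get("tracks", [])]
    has_profile = any("usageRulesProfileId" in lvl for lvl in levels)
    has_rules = any("usageRules" in lvl for lvl in levels)

    if kind == "channel" and has_rules:
        raise Rejected("IMS rejects channels carrying explicit usage rules")
    if has_profile and has_rules:
        raise Rejected("profile id and explicit rules are mutually exclusive")
    for lvl in levels:
        pid = lvl.get("usageRulesProfileId")
        if pid is not None and pid not in KNOWN_PROFILES:
            raise Rejected(f"UR profile {pid!r} does not exist")

    # Nothing declared at the top level: the default profile applies.
    top = own_rules(definition) or ("profile", "default")
    resolved = {"*": top}
    for track in definition.get("tracks", []):
        # A track-level value wins; otherwise the top-level value applies.
        resolved[track["name"]] = own_rules(track) or top
    return resolved


# Constructed sample token: HD at the top level, UHD profile on the UHD track.
SAMPLE_TOKEN = {
    "usageRulesProfileId": "HD",
    "tracks": [{"name": "Audio"}, {"name": "UHD", "usageRulesProfileId": "UHD"}],
}
```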

3.3. Overriding UR Profiles per Device Model

SSP supports overriding OTT UR Profiles per device model. This feature allows tweaking the usage rules applied when consuming content on a specific device model. Combined with the profile minimum security level, the feature also enables preventing a particular device model from acquiring licenses for contents using a specific UR Profile. This feature requires a specific configuration applied by NAGRA operational teams.

3.3.1. HDCP Override for Widevine devices

Certain Android mobile devices do not support HDCP enforcement at DRM level, while they do not have digital output. To avoid blocking license delivery to those devices, a list of Widevine DRM system IDs can be configured in the system to skip the HDCP enforcement rule in the license.


4. Generic Usage Rules Description (Deprecated)

Before "DRM specific usage rules profiles" were introduced, SSP supported "generic usage rules", which let usage rules be defined once per content and automatically converted into DRM specific usage rules on the fly by SSP.

| Generic usage rules (from ContentAuthZ token definition) | Description | Profile "Test" | Profile "SD" | Profile "HD" | Profile "UHD" | Profile "default" (default system values) |
|---|---|---|---|---|---|---|
| minLevel | Device security level. Definition and usage: (23.48) Device Security Level Management. | 0 | 1 | 1 | 3 | 1 |
| analogCappingResolution | Specifies how the video is downscaled before being sent to analog output. | NO_RESTRICTIONS | NO_RESTRICTIONS | NO_RESTRICTIONS | NO_RESTRICTIONS | NO_RESTRICTIONS |
| digitalOnly | When true, no analog output is authorized. | FALSE | FALSE | TRUE | TRUE | TRUE |
| hdcp | When true, digital output protected by HDCP is authorized. | TRUE | TRUE | TRUE | TRUE | TRUE |
| hdcpType | Specifies if HDCP version can be downgraded (TYPE_0) during HDCP key negotiation or not (TYPE_1). | TYPE_0 | TYPE_0 | TYPE_0 | TYPE_1 | TYPE_1 |
| imageConstraint | When true, video is downscaled before being sent to analog outputs. | FALSE | FALSE | FALSE | FALSE | FALSE |
| uncompressedDigitalCappingResolution | Specifies how video is downscaled before being sent to uncompressed digital output. Applies only if hdcpType is TYPE_1 (hdcp 2.2) and the device is only protected for TYPE_0 (hdcp 1.0). | NO_RESTRICTIONS | NO_RESTRICTIONS | NO_RESTRICTIONS | NO_RESTRICTIONS | NO_RESTRICTIONS |
| deviceCappingResolution | Specifies how the video is downscaled before being sent to any output. | NO_RESTRICTIONS | NO_RESTRICTIONS | NO_RESTRICTIONS | NO_RESTRICTIONS | NO_RESTRICTIONS |
| unprotectedAnalogOutput | When true, video is authorized to be sent unprotected to analog output. | TRUE | TRUE | FALSE | FALSE | FALSE |
| unprotectedDigitalOutput | When true, video is authorized to be sent unprotected to digital output. In this case the HDCP flags are ignored. | TRUE | TRUE | FALSE | FALSE | FALSE |
| watermarkingEnabled | When true, the device is authorized to apply watermarking on the video. | TRUE | TRUE | TRUE | TRUE | TRUE |
| airplayOutput | When true, video is authorized to be played on an external device connected using AirPlay. Applies only to devices using FairPlayStreaming. | TRUE | TRUE | TRUE | FALSE | FALSE |

