After reading the whitepaper and going through the specs, I got the impression that the Mobile Rights Voucher and the MMRC object with the encrypted content object would be separated in the future. This makes a lot of sense - unlike the current situation that the voucher with the encryption key and the content in the same data transaction (the .mm file) which makes the encryption pretty useless. I also understand that this would be the case when a user forwards an object and the recipient goes to fetch his/her voucher to actually activate/save the object.
Now what I don't understand is that it seems like there is no challenge/response or mechanism or phone-assigned content id (or a phone-specific unique id) anywhere that would allow the content encryption key to be extracted only by a specific phone. What this means is that when the content is given out the first time, it is unlocked with a voucher that can easily be copied (slightly modified of course) to redistribute the content at will by creating fake vouchers.
The only way to prevent this is of course to "lock in" each voucher to a specific phone.. either with public key crypto (phone gives out its public key and we encrypt the content key with it) or with a checksum type mechanism. There is evidence of neither yet the white paper refers to "Using personalized vouchers and encrypted content will..." and "each content object must be hacked personally for each terminal". This implicates that something like public key crypto with phone-specific keys would be in place.
Summa summarum.. is there a way CURRENTLY to craft a .mm file so that the file can be downloaded (and installed) by a single phone only? And (as I suspect) if not, when/how would this be available?
Or is the idea simply to put in enough complexity that if this DRM scheme is circumvented, it requires enough effort and knowledge that it will be a clear case of copyright infringement and easily prosecutable?
CTO, Exomi LLC