Dolby to issue a patch to extend media block public certificates beyond November 2025

  • #16
    And you could simply stop sending out new KDMs to anyone owning compromised hardware without the necessary mitigations installed.

    The old idea was that it's good to have certificates expire, as the bad ones will eventually expire and won't get renewed. I think in the modern day and age, where we live from one zero-day exploit to the other, that's pretty much b.s. Bad certificates, those being used to encrypt your internet traffic for example, need to be put on CRLs immediately and can't wait until they expire. Machine certificates should live as long as the machine lives. Once a particular machine gets compromised, that certificate simply needs to be blacklisted.



    • #17
      How does one find the expiration date of the cert on the DOREMI IMB and on the DSS100? I can't find it in any of the folders or logs.



      • #18
        I don't think you can by looking at it - suggest you drop Dolby an email. I'm guessing it was a slip of the keyboard, but for any newbies reading, the certificate we're talking about is in the DSP100 (the media block), not the DSS.

        The Doremi IMB has the November 2025 expiration date, and this will be extended by the patch that Dolby say they will come out with in good time for us to fix the affected units.

        The Dolby bulletin said that none of the media blocks for the DSS system (DSP100, cat862, and cat745) are affected by this recertification program, because they expire many years ahead (or some such wording). But it didn't give the actual date.



        • #19
          These DCI certs are standard x509 certs - you can use online services, copy/paste the cert into them, and voila:

          https://www.sslshopper.com/certificate-decoder.html

          It should be the leaf cert for the media block. Typically the file is called <serial>.cert.sha256.pem or similar. If you find multiple certs in a file, that is usually a full chain. The leaf is usually the last in that file, so copy/paste only that final block.

          From my experience, all device types share a common expiration date, no matter when they have been manufactured or sold. E.g. all Dolphin based Doremi media blocks expire late 2025. DSP100 expires 2033. But e.g. a Doremi IMS2000 still sold now on special order also expires late 2025 - that's a bit premature. Seems to be a bad Doremi legacy. The IMS3000 is genuine Dolby and expires later.
          Our Sony media block expires 2043. Well before Sony left the building.
          Some early devices expired very early - like 2012 or so. These were probably prototype or demo units without all the security measures working. But there were others as well: http://www.film-tech.com/ubb/f16/t002726.html


          - Carsten
          Last edited by Carsten Kurz; 06-03-2021, 05:34 PM.



          • #20
            If you want to do it on the Linux command-line, pipe the command through "less" or "more" to read the whole of it:

            openssl x509 -in certificate-file.pem -text -noout | less

            or

            openssl x509 -in certificate-file.pem -noout -text | more

            Alternatively, you can dump it to a file:

            openssl x509 -in certificate-file.pem -noout -text > /tmp/output-file.txt

            You can then view the file or copy it to another machine to view it there.

            Many of those root certificates were created around the time when the first DCI machines were released. When they put in an expiration date 20 years into the future, they thought they had kicked the can down the road sufficiently far... When they programmed software back in the 70s, 80s and even in the early 90s, a lot of people didn't care about the year 2000 either...

            Then again, as long as the companies that created those products are still around, they can still fix this via a simple software update. The question is, how many years are they going to give you...?

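Posts #19 and #20 above describe the procedure by hand: split the vendor's .pem file into its individual certificates, pick out the leaf, and read its notAfter date with openssl. The script below is an added worked example that automates exactly that; it is not code from any poster here nor from Dolby, Doremi, GDC or Sony. It does not ship a real media-block certificate: make_demo_chain generates a constructed two-level chain (a self-signed "root" and a short-lived "leaf" with made-up names) so the script runs offline, and the leaf is identified not by position but as the certificate in the file whose subject never appears as anyone else's issuer, which works whether the vendor puts the leaf first or last. The only tool it relies on is the openssl command-line, with the x509, req, -checkend and -nameopt options it already has.

```shell
#!/bin/sh
# Added example, not from the original thread: decode a DCI-style PEM chain,
# find the leaf (device) certificate, and flag certificates that expire soon.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }

# count_certs FILE: number of PEM certificate blocks in FILE (1 = leaf only, >1 = chain)
count_certs() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# split_pem FILE OUTDIR: write each certificate block of FILE to OUTDIR/cert-NN.pem
split_pem() {
    awk -v out="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%02d.pem", out, n) }
        n > 0                         { print > f }
        /-----END CERTIFICATE-----/   { close(f) }
    ' "$1"
}

# RFC2253 name output is stable across OpenSSL 1.1 and 3.x, so string comparison works
cert_subject() { openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^subject=//'; }
cert_issuer()  { openssl x509 -noout -issuer  -nameopt RFC2253 -in "$1" | sed 's/^issuer=//'; }
cert_enddate() { openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'; }

# find_leaf DIR: print the cert-NN.pem whose subject issued no other certificate in DIR.
# A self-signed root is its own issuer, so it never matches; the device cert does.
find_leaf() {
    dir=$1
    issuers=$(for c in "$dir"/cert-*.pem; do cert_issuer "$c"; done)
    for c in "$dir"/cert-*.pem; do
        s=$(cert_subject "$c")
        if ! printf '%s\n' "$issuers" | grep -Fxq -- "$s"; then
            printf '%s\n' "$c"
            return 0
        fi
    done
    return 1
}

# expires_within FILE DAYS: exit 0 if notAfter falls within DAYS days from now.
# openssl -checkend N exits 0 when the cert is still valid N seconds from now, 1 otherwise.
expires_within() {
    ! openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null
}

# report_chain FILE [DAYS]: one entry per certificate, leaf marked, expiry warnings flagged
report_chain() {
    chain=$1; days=${2:-365}
    work=$(mktemp -d)
    split_pem "$chain" "$work"
    leaf=$(find_leaf "$work")
    for c in "$work"/cert-*.pem; do
        role=chain; [ "$c" = "$leaf" ] && role=LEAF
        flag=""; expires_within "$c" "$days" && flag="  <-- expires within $days days"
        printf '%-5s %s\n      notAfter: %s%s\n' "$role" "$(cert_subject "$c")" "$(cert_enddate "$c")" "$flag"
    done
    rm -rf "$work"
}

# make_demo_chain DIR: constructed test data (assumed names, not a vendor certificate):
# a 20-year self-signed root and a 30-day device leaf, written root-first like a typical chain file.
make_demo_chain() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 7300 \
        -keyout "$dir/root.key" -out "$dir/root.pem" \
        -subj "/O=Example Vendor/CN=Example Vendor Root CA" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" \
        -subj "/O=Example Vendor/CN=SM.Example-MediaBlock-SN000123" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -days 30 -sha256 -out "$dir/leaf.pem" 2>/dev/null
    cat "$dir/root.pem" "$dir/leaf.pem" > "$dir/chain.pem"
}

# Usage: sh check-cert.sh <serial>.cert.sha256.pem [days]   (no file: run on the demo chain)
main() {
    if [ $# -ge 1 ]; then
        report_chain "$1" "${2:-365}"
    else
        demo=$(mktemp -d)
        make_demo_chain "$demo"
        echo "Demo chain: $(count_certs "$demo/chain.pem") certificates"
        report_chain "$demo/chain.pem" 60
        rm -rf "$demo"
    fi
}
main "$@"
```

Run it against the media block's .pem file with the number of days of warning you want; anything marked LEAF is the device certificate whose notAfter is the date the thread is about, and the warning appears once that date is inside the window. The `-checkend` test is used rather than parsing the date string because date arithmetic differs between GNU and BSD userlands, while openssl does the comparison itself.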


            • #21
              I understand why the year 2000 issue came up - but when generating those certificates, what stopped the companies from putting 2099 instead of 2025? I agree that in 2010 the year 2025 for computer-based equipment seemed far away. But selecting something a bit further away in time would not really have caused any trouble - besides some unsold new models. So, isn't that planned obsolescence?



              • #22
                I wrote to GDC to see if they have the same 2025 problem and what they were going to do to rectify it.



                • #23
                  I wouldn't care if Doremi had chosen 2025 when they started selling Dolphins back in 2007 or so. But why didn't they adjust the expiration date later on?


                  Again, there is that Qube media block which received a certificate that was only valid for a few years from introduction, and then they had to extend it year by year - until, 5-6 years into the lifetime of the product, they would not extend the cert any further, and didn't even offer a replacement. Nuts.

                  I mean, what if a company leaves the market or goes bankrupt?


                  As GDC is not sold in Germany, I have never seen a GDC certificate, so I have no idea how long they last.

                  Last edited by Carsten Kurz; 06-04-2021, 08:19 AM.



                  • #24
                    Originally posted by Marco Giustini:
                    I understand why the year 2000 issue came up - but when generating those certificates, what stopped the companies from putting 2099 instead of 2025? I agree that in 2010 the year 2025 for computer-based equipment seemed far away. But selecting something a bit further away in time would not really have caused any trouble - besides some unsold new models. So, isn't that planned obsolescence?
                    Like indicated before:

                    1. It's considered good practice to keep certificate validity short. The idea is that bad apples will eventually disappear due to their certificates expiring.
                    2. Some software doesn't accept certificates with extreme "valid until" dates... Modern browsers for example, reject any certificate with a validity of 18 months or longer...

                    Also, like indicated before by me, I don't think those two reasons make sense when it comes down to machine or host certificates.



                    • #25
                      GDC had some older SX-2000 SDI media blocks with certificates that expired last year. Around last August or September I refurbished four used SX-2000s that we'd had on the shelf for years, and which my boss then managed to sell. We bought software warranties for them, and were told that we needed to install a certificate update patch, which they emailed us. Can't remember how long that extended them for, if it ever told me in the first place. I do remember that I had to update the firmware from a pre-DCI version to a DCI version before the servers would let me install the extension patch.



                      • #26
                        Originally posted by Leo Enticknap:
                        GDC had some older SX-2000 SDI media blocks with certificates that expired last year. Around last August or September I refurbished four used SX-2000s that we'd had on the shelf for years, and which my boss then managed to sell. We bought software warranties for them, and were told that we needed to install a certificate update patch, which they emailed us. Can't remember how long that extended them for, if it ever told me in the first place. I do remember that I had to update the firmware from a pre-DCI version to a DCI version before the servers would let me install the extension patch.
                        I am awaiting their response as to when they actually expire based on the model #. I have not had any go ding yet, but my customers need to know if and when this is going to occur so they don't get caught. I will also post it here...



                        • #27
                          I heard back from GDC today about the certificates. The expiration dates are pretty much the same. All one has to do is to be sure the firmware in a given server is up to date and GDC will remote in and load a new Media Block certificate. Much the same way they do it when the certificate in the server has to be matched after a media block replacement. Pretty simple...



                          • #28
                            Mark, do you have a GDC cert available, the SHA256.PEM file etc.?



                            • #29
                              Originally posted by Carsten Kurz:
                              Mark, do you have a GDC cert available, the SHA256.PEM file etc.?
                              No.... No reason to have one here. I pretty much rely on them for the dates they go ding and need to be replaced..
