FAQ

General Questions

Questions for Adopting Marlin Technology

_________________________________________________________________________

General Questions

What is the MTMO’s role in Marlin?

The MTMO serves four key roles in Marlin:

  • grants non-patent IPR for commercial uses of Marlin technology;
  • provides key management and certificate services for Marlin products and services;
  • enforces compliance and robustness rules for Marlin products and services;
  • operates renewability services for the Marlin ecosystem.



Top of Page


What is the MTMO’s relationship to the MDC? Why are they separate entities?

The MTMO and MDC (Marlin Developer Community) are separate entities specifically to keep technology development activities distinct and independent from the day-to-day activities associated with running a key management and trust services organization.

The MDC enables technology development to support the rollout of the Marlin ecosystem. It does this by developing and publishing the Marlin specifications, community code, tools, conformance test and development keys, and white papers for parties interested in evaluating and testing Marlin technology.

Note: All specifications and code available through the MDC are intended for internal and non-commercial purposes only.

The MTMO is the operational entity that grants commercial licenses for Marlin technology, and implements the Marlin trust model (including key management and certificate services) and renewability. The MTMO licensees have access to compliance and robustness rules for achieving certification, and other valuable tools and documents.

Note: Potential adopters of Marlin DRM, including device and service providers, are encouraged to evaluate Marlin technology before licensing the right to commercially deploy it.

For a more detailed division of labor between the 2 entities, see below

Top of Page


Top of Page


What benefits does the MTMO provide to adopters of Marlin technology?

The MTMO provides a single trust management infrastructure that ensures interoperability between Marlin-compliant products and services. This allows renewable security to be implemented with minimum impact to consumers, client and service providers.

Top of Page


How does the MTMO enable interoperability?

The MTMO enables interoperability through:

  • its ability to trust Marlin identities: the MTMO guarantees the certificates of principals used in all implementations are signed by common roots of trust and are generated according to trustable procedures. Any one entity can authenticate and trust the authenticity of any other entity by following the certificate chain to the common roots
  • cryptographic mechanisms: the MTMO ensures that all keys and certificates adhere to a common specification
  • compliance of implementations with a set of common specifications
  • the use of a singly-rooted PKI (Public Key Infrastructure) for device and service authentication
  • a reporting body for keys and devices that are compromised.



Top of Page


How does the MTMO handle security breaches of devices and services?

Marlin is designed to support a variety of mechanisms that may be applied in the event of a security breach. These include revocation of devices and services, exclusion from content, and shunning access to services. The MTMO also employs both legal recourse and contractual remedies articulated in the MTMO agreements.

Top of Page


What are the key design objectives of the Marlin trust model?

The Marlin trust model consists of a single root of trust and delegated Certificate Authorities (CAs). The MTMO runs these trust anchors to allow interoperability between Marlin implementations.


Top of Page


What are the benefits of a delegated Certificate Authority (CA)?

The MTMO allows for the delegation of key management to adopters. The benefit of a delegated CA is that adopters can control the cost structure of key management either by establishing a CA in-house, outsourcing it to a service provider, or leveraging existing systems. This also allows adopters to design their own delegated trust hierarchy to meet individual business needs. For example, a large device manufacturer can design its trust hierarchy to have each geographical division be in charge of its own delegated CA; each geographical division can then delegate the CA responsibility to different sub-product divisions if the adopter chooses to. Alternatively, the device manufacturer can choose to have just one CA for all its devices and order all the device keys from a Listed Trust Service Provider.

Top of Page


How are keys and certificates provided for devices, applications, and services?
To acquire keys and certificates, an adopter must sign the appropriate MTMO agreement (for device or service provider) and pay the annual fee. Adopters have the option to generate their own keys by signing the Trust Service Provider Agreement, or to order them through a Listed Trust Service Provider. Client credentials (for devices or PC-software clients) can be provisioned either online via a service provider’s Personalization Server or at a factory before they hit the market. Server credentials must be manually configured by a service provider’s DRM administrators or developers.

Top of Page


How does the MTMO issue development keys and test keys?

To encourage the rapid adoption of Marlin, the MTMO provides the Development Trust Infrastructure. There are two parts to the test infrastructure. First, adopters can download from the website a set of Common Test Keys that includes a test root, test Certification Authority, and sample credentials for services and clients. Later in development, an adopter can order a set of Adopter Test Keys. The Adopter Test Keys are from the same test root, and the values in the certificates are set by the Adopter to match what will be implemented in production.
Top of Page


What is a Listed Trust Service Provider?

A Listed Trust Service Provider is an entity that has executed the Marlin Trust Service Provider Agreement. A Listed Trust Service Provider is authorized to generate “Production Provisioning Packets”, ie. keys and certificates for Marlin adopters (Clients and Service Providers) that do not wish to generate their own Marlin key material.

Top of Page

Questions for Adopting Marlin Technology

How can I get a commercial license to implement Marlin technology as a Client Adopter or Service Provider Adopter?

  1. As a potential adopter, you will need to fill out the Request for Agreement Form in order to download the Client Agreement (CA) or Service Provider Agreement (SPA);
  2. You will receive a copy of the agreement that you requested;
  3. After filling in the contact information and signing the agreement you can send it by:
  • Emailing a scanned copy of the signed pages to: [email protected]
  • Faxing a copy of the signed pages to: +1 503-644-6708
  • Couriering or mailing it to: 3855 SW 153rd Drive, Beaverton OR 97006 – USA Note: If the agreement is couriered or mailed then please send 2 copies;
  1. We will countersign the agreement and re-send a copy to the assigned contact person;
  2. We will send you an invoice for the annual MTMO fee (the current fee for a Client Adopter is $20,000 and for a Service Provider Adopter is $10,000);
  3. We will also send you information on Listed Trust Service Providers you can contract for key management services (currently, Seacert is the sole provider of this service);
  4. Upon receiving payment, we will send an email acknowledgement to the contact person;
  5. We will also send you a user identity and password; with this, you can access the protected pages of the MTMO website where you will find useful documents, Common Test Keys, and tools;
  6. Once you have completed the Smartcard request form and sent it to us at [email protected]; we will courier a customized smartcard to your specified address.
  7. We will then send you a Getting Started document;
  • If you are a Client adopter, we will send you a company-specific Starfish key tree assignment and the certificate for the Trust Anchor (for you to burn into your devices).
  • If you are a Service provider, we will send you a Service Provider ID (only for IPTV ES) and the certificate for the Trust Anchor (for you to burn into your service).
  1. If you wish to generate your own keys, you must sign the Marlin Trust Service Provider Agreement; if you wish to order them, you must contract with one of the Listed Trust Service Providers

Note: If you plan to sell devices and services based on Marlin technology, you will need to sign both the Client and Service Provider Agreement.

Top of Page


What are the anticipated costs for adopting Marlin to Client devices?

The current fee schedule can be found in Exhibit D (p. 99) of the Marlin Client agreement. It includes the following:

  1. Annual Administration Fees. The following Annual Administration Fees apply:
  • Client: US$ 20,000.00 per year
  • Client with Component Manufacturer Addendum: US$ 15,000.00 per year
  1. Marlin Certification Fees. As provided in Section 4.2 of the Client Agreement Marlin Certification Fees shall be paid by Client.
  • US$ 1,500.00 per Acknowledgement for Compliance Testing under Section 3.2(b)
  • Note: Marlin Certification Fees do not apply prior to the Certification Requirement Date. No such Certification Requirement Date has been set at this moment
  1. Delegate Certificate Authority Fees (optional certificate). This is mentioned in Section 4.3 of the Client Agreement.
  • US$ 3,000.00 per single set of DCA Certificates for applicable specification per request
  • Note: If you use a Listed Trust Service Provider, you may not need your own DCA certificate.
  1. Security Operation Fees. As mentioned under Section 4.4 of the Client Agreement,Security Operation Fees shall be paid by Client as the case may be.
  • US$ 0.01 per Provisioning Packet generated for Client
  • Note: If you use a Listed Trust Service Provider for generating your keys, this fee may be paid to the MTMO by the Trust Service Provider on your behalf.
  1. Smart Card and B2B Certification Fees: Smart cards, and the certificates installed on them, are used for secure communications with the MTMO and Listed Trust Service providers. Section 4.5 of the Client Agreement specifies that a number of smart cards and certificates are provided without a fee. In practice, this number suffices for normal operations. Should you need more cards and / or certificates, the following fees apply:
  • US$ 350 for a certificate with a smart card
  • US$ 250 for a certificate without a smart card



Top of Page


What are the anticipated costs for adopting Marlin as a Service Provider?

The current fee schedule can be found in Exhibit D (p. 68) of the Marlin Service Provider Agreement. It includes the following:

  1. Annual Administration Fees. The following Annual Administration Fees apply:
  • Service Provider: US$ 10,000.00 per year
  • Service Provider with Service Element Provider Addendum: US$ 5,000.00 per year
  1. Marlin Certification Fees. As provided in Section 4.2 of the Service Provider Agreement, Marlin Certification Fees shall be paid by Service Provider.
  • US$ 1,500.00 per Acknowledgement for Compliance Testing under Section 3.2(b)
  • Note: Marlin Certification Fees do not apply prior to the Certification Requirement Date. No such Certification Requirement Date has been set at this moment
  1. Delegate Certificate Authority Fees (optional certificate). This is mentioned in Section 4.3 of the Service Provider Agreement.
  • US$ 3,000.00 per single set of DCA certificates for applicable specification per request
  • Note: If you use a Listed Trust Service Provider, you may not need your own DCA certificate.
  1. Security Operation Fees. As mentioned under Section 4.4 of the Service Provider Agreement, the following Security Operation Fees shall be paid by Service Provider
  • US$ 300 for up to 10 Product Provisioning Packets generated for Service Provider
  • Note: If you use a Listed Trust Service Provider for generating your keys, this fee may be paid to the MTMO by the Trust Service Provider on your behalf.
  1. Smart card and B2B Certification Fees. Smart cards, and the certificates installed on them, are used for secure communications with the MTMO and Listed Trust Service Providers. Section 4.5 of the Service Provider Agreement specifies that a number of smart cards and certificates are provided without a fee. In practice, this number suffices for normal operations. Should you need more cards and / or certificates, the following fees apply:
  • US$ 350 for a certificate with a smart card
  • US$ 250 for a certificate without a smart card



Top of Page


What license agreement do I need to adopt Marlin technology (including Marlin BB, IPTV-ES) or MS3 technology?

If you want to adopt Marlin and/or MS3 technology to client devices, you must execute Marlin Client Agreement (CA).

If you want to adopt Marlin technology as a service provider, you must execute Marlin Service Provider Agreement (SPA)

If you want to adopt MS3 technology as a service provider, you must execute Marlin Simple Secure Streaming Service Provider Agreement (MS3 SPA)

Marlin Specification
(Marlin-BB, IPTV-ES)
MS3
Specification
ClientServiceClientService
CA AdopterXX
SPA AdopterX
MS3 SPA AdopterX

Top of Page


What are the anticipated costs for adopting Marlin as an MS3 (Marlin Simple Secure Streaming) Service Provider?

There are no MTMO fees associated with Signing the MS3 Service Provider Agreement.

Top of Page


How do I sign up as a Client Component Manufacturer or Service Element Provider?

  1. As a potential adopter, you will need to fill out the Request for Agreement Form in order to download the Client Agreement (CA) or Service Provider Agreement (SPA);
  2. You will receive a copy of the agreement that you requested;
  3. After filling in the contact information, signing the agreement, and filling out Exhibit C, you can send it by:
  • Emailing a scanned copy of the signed pages to: [email protected]
  • Faxing a copy of the signed pages to: +1 503-644-6708
  • Couriering or mailing it to: 3855 SW 153rd Ave, Beaverton, OR 97006 – USA

Note: If the agreement is couriered or mailed then please send 2 copies;

  1. We will countersign the agreement and re-send a copy to your assigned contact person;
  2. We will send you an invoice for the annual MTMO fee (the current fee for a Component Manufacturer Adopter is US$ 15,000, and Service Element Provider is US$ 5,000);
  3. Upon receiving payment, we will send you an email acknowledgement to your assigned contact person;
  4. You will then receive access to the Common test keys, the Conformance test specification, and other information

Note: As a Component Manufacturer or Service Element Provider adopter, you will not get production keys.

Top of Page


If I am a Client Adopter licensee, and subcontract with a hardware manufacturer to provide components for my Marlin implementation, does my subcontractor need to sign the Client Adopter agreement as a component manufacturer?

No. Your subcontractor does not need to sign the component manufacturer addendum as long as:

  • The hardware manufacturer is not providing you with a licensed component, as described in Sect. 1.62 of the Client Agreement:

“Licensed Component(s)” means a component(s), such as an integrated circuit, circuit board, or software module that (i) is manufactured or distributed under valid Marlin Client Agreement; (ii) is designed solely to be assembled into a Licensed Product or Robust Licensed Component, and (iii) embodies some or all portion of the Marlin Specification, but which by itself is neither Compliant nor Robust.

  • The hardware manufacturer is subcontracted by you, with a contractual agreement that adheres to Section 2.1 (f) of the Client Adopter Agreement, whereby the:

“Client may conclude a written, binding agreement with any such subcontractor that effectively imposes on that entity such obligations to ensure that neither Client nor its subcontractor commits any breach of this Agreement, and may provide therein that the MTMO is a third party beneficiary of all subcontractors’ obligations imposed pursuant to this Section, but that the MTMO has no obligation whatsoever to subcontractor. Client shall take such actions as are reasonably necessary to secure compliance of its subcontractor with Clients obligations imposed under this Agreement, and shall be fully responsible under this Agreement for any breach or failure thereof by its subcontractor as if such breach or failure were the direct act of Client. Client acknowledges that the MTMO’s third party beneficiary rights, if any, with respect to such breaches or failures of its subcontractor do not in any way limit or diminish Client’s obligations under this Agreement or this Section, including without limitation the immediately preceding sentence.”

Top of Page


What can I expect to get when I sign the Marlin Component Manufacturer Addendum instead of the full Marlin Client Adopter agreement?

Client LicenseeComponent Manufacturer
Development Trust Infrastructure access
Conformance Test Specifications
Access to member-only tools & information
Marlin Specifications
Production Trust Infrastructure
Development Trust Infrastructure
Access to Production Keys
Sell Licensed Product
Sell Licensed Components to Clients
Annual Fee$20K$15K
 
Top of Page


What can I expect to get when I sign the Marlin Service Element Provider Addendum instead of the full Marlin Service Provider agreement?
 

Service Provider LicenseeService Element Provider
Development Trust Infrastructure
Conformance Test Specifications
Access to member-only tools & information
Marlin Specifications
Production Trust Infrastructure
Development Trust Infrastructure
Access to Production Keys
Sell Licensed Service
Sell Licensed Service Elements to Service Providers
Annual Fee$10K$5K

Top of Page


If I have signed a Marlin Client or Service Provider Agreement, how can I contract with Seacert to provide trust services?

  1. Once you have signed a Marlin Client or Service Provider Agreement, you will be informed of Listed Trust Service Providers you can contract for key management services (currently, Seacert is the sole provider of this service);
  2. You can request the Seacert agreement by signing the request form at: http://www.seacert.com/signup/index.html; if interested, Seacert provides a customized copy with your company information
    Note: Seacert agreements will only be sent out to a corporate email address.
  3. If you decide to contract with Seacert, please sign the Seacert agreement, and send it by courier to: 955 Stewart Drive, Sunnyvale, CA 94085 — USA
  4. A Seacert representative will send a countersigned copy of the agreement to the assigned contact person. You have the choice to pay the $5,000 new account set up fee upfront or with the first order.
  5. The contact person will receive a user ID and password for accessing the protected pages of the Seacert website; here you can get information on filling out orders to provide cryptographic objects you will need to implement Marlin technology.
  6. When placing order form, payment must be received before order will be processed.



Top of Page


If I choose to set up my own Delegated Certificate Authority (DCA) rather than contracting with a Listed Service Provider, are there any additional agreements I need to sign?

Yes, you would have to sign the Trust Service Provider Agreement. This agreement can be obtained by filling out the Request for Agreement Form. The Annual Administration Fee associated with this agreement is US$ 20,000

Top of Page


If I choose to set up my own Delegated Certificate Authority (DCA) and do my own provisioning, what are the additional requirements I should anticipate?

The Trust Service Provider Agreement provides the detail of all obligations of a DCA. You can download and review a copy of the Trust Service Provider Agreement using the Request for Agreement/Documentation download form.

Top of Page


How can I get my Marlin-based device or service implementation designated as being Marlin compliant?

For a device or service to be considered Marlin compliant, as a client or service provider adopter you must comply with:

  • The specifications (e.g.l Marling Broadband, Marlin IPTV-ES)
  • The applicable Conformance specifications provide test definitions to help establish if an implimentation is conformant to those specifications
  • Robustness rules
  • Compliance rules
  • Trust Management Policies



Conformance Specifications

  • Conformance means that your device or service meets the applicable MUST, MUST NOT, REQUIRED, SHALL and SHALL NOT statements in the Marlin specification you have implemented;
  • You can download the Conformance Test Specifications from the MDC at: Marlin Developer Community. This site hosts Conformance Test Specifications for Marlin Broadband and IPTV-ES;
  • You Adopters can download the Conformance Test Procedures from the MTMO at www.marlin-trust.com/operations. Procedures for IPTV-ES and Marlin Broadband are provided;
  • You must submit the Short Form Robustness Questionnaire to the MTMO, and keep a copy of the Long Form Robustness Questionnaire on file at your company. A Work version of these Affidavits and Questionnaires can be downloaded by Adopters from: www.marlin-trust.com/operations
  • The MTMO will return to you an Acknowledgment of Conformance Affidavit.



Compliance Rules

  • Compliance rules are included in Exhibit A of the Client Adopter Agreement or Service Provider Agreement and govern the permitted outputs and imports in your device or service implementation, for example, how audio and/or audiovisual content can be rendered, imported and/or exported;
  • The Affidavit mentioned above also covers Compliance Rules



Robustness Rules

  • Robustness rules are included in Exhibit B of the Client Agreement or Service Provider Agreement and govern level of protection required in your device or service implementation, for example, how well keys must be protected;
  • You must submit the Short Form Robustness Questionnaire to the MTMO, and keep a copy of the Long Form Robustness Questionnaire on file at your company. A Word version of these Affidavits and Questionnaires can be downloaded from www.marlin-trust.com/operations
  • You will receive from MTMO an Acknowledgment of Robustness Checklist.

The Common Test Keys are available for download by Adopters from: www.marlin-trust.com/operations. The Common Test Keys are useful for testing the above requirements.

Top of Page


If I have signed the Component Manufacturer or Service Element Provider addendum, can I still get certified for Marlin compliance?

If you are a Marlin Component Manufacturer or Service Element Provider adopter, then the Licensed Component or the Licensed Service Element does not need to test for conformance and compliance according to the Marlin Client adopter and Service provider agreements.

Top of Page


Where can I learn more about Marlin?

To learn about the Marlin Technology, please refer to the Marlin Community website.

Top of Page