| ERRATA POSTING FOR SPECIFICATION VERSION 1.0|
|Erratum ||Spec 1.0 Page ||Sections Affected ||Description
||9.4.1 Item (2) and 18.104.22.168.1 Item (7).
||Both sections (which have to do with projector SPB requirements) incorrectly reference "9.7.3 Subtitle Encryption" rather than "9.5.2 Robustness".
||For clarification, subtitle decryption is expected to be performed in the server or the Image Media Block.
It is not expected that subtitle decryption will be
performed in the projector post-Image Media Block
or post-Link Decryptor Block. See also footnote 19.
||22.214.171.124 Table 9
||Incorrect Calculated Table Values - See Detail Here
NOTE: this has been revised in next errata
||It is clarified that Section 126.96.36.199.3 item (2) refers to
an integrated IMB/Projector implementation (as
opposed to an integrated IMB/server implementation)
and should be considered part of item (4).
||Section 188.8.131.52.6 should clarify that in the case
where the Projector and companion SPB are
inseparable, a single Digital Cinema Certificate shall
represent both the Projector and its companion SPB
(Image Media Block or Link Decryptor Block). This
change follows Erratum 10 - "single digital
certificate per SPB" constraint in Section 9.5.1.
||184.108.40.206.4 Table 15
||Table 15 Category 1 "operational messages" of
Section 220.127.116.11.4 are not considered security
messages. Therefore, following the requirements of
Section 18.104.22.168.3 #9, operational messages shall not
use TCP port 1173. Operational messages shall
follow other stated RRP requirements, and operate
||The 'no FM mark' state described in Section 22.214.171.124
item 3a shall not be indicated by a default key, but
shall be indicated by the 'ForensicMarkFlagList'
element of the KDM. All other references to such
default key in Section 126.96.36.199 (or other sections as
applicable) shall similarly accept the 'no FM mark'
indicator as being this KDM element.
||Item (9) of Section 188.8.131.52.1 shall be replaced as
follows: "The Image Media Block shall internally
store at least twelve (12) months of typical log data
accumulation for the auditorium in which it is
installed, including log data collected from the
associated remote SPBs."
||184.108.40.206.7 Table 34
||The "Log Messages/Log Management" class (Table
34) was designed to provide a record of log upload
events. Since stored logs are not deleted from the
SPB after uploads (but remain for twelve months),
this record class is not required.
||The first paragraph of Section 9.5.1 shall be changed
to indicate that a) each SPB carry "exactly one"
Digital Cinema certificate, and b) SEs contained
within an SPB shall share this one certificate (with
their roles appropriately noted as stated). Footnote
28 is no longer needed. In addition, the reference to
RFC2459 shall be changed to RFC3280 (RFC 3280
||"Secure Silicon" (item (a) of the first bullet, Section
220.127.116.11) shall only be required to meet FIPS 140-2
level 3 row (area) five: "physical security
||The reference in the last sentence of this section is
incorrect and should be "18.104.22.168 - SPB Firmware
||Delete the second bullet point (Nr3).
(FIPS processes are eased by
separating FIPS roles and authentication from DCI
device/operator roles and authentication. The former
is addressed by vendors as part of FIPS
documentation, the latter is addressed by the TLS
authentication and AuthorityID requirements of
||Table 37 does not reflect the most current FIPS
140-2 table, and shall be considered informative
(refer to FIPS 140-2 publications for the most
current version of this table).
||Section 22.214.171.124 shall be re-titled "Critical Security
Parameters and D-Cinema Security Parameters".
Items #6 (forensic marking parameters) and #8 (log
data/parameters) shall not be classified as FIPS
140-2 Critical Security Parameters (CSP), but shall
be classified as "D-Cinema Security Parameters".
Item #9 shall be replaced with: 'D-Cinema Security
Parameters (DCSP) shall at all times be protected
by a type 1 SPB perimeter (except where log data is
extracted per Section 126.96.36.199)'
||The information requirements of bullet two shall
include time/date and version number information
associated with any firmware change, in addition to
the authority figure. The requirements for FIPS Level
3 audit/recording of bullet four are encouraged but
shall be optional.
||For clarification, subtitle decryption is expected to
be performed in the server or the Image Media
Block. It is not expected that subtitle decryption will
be performed in the projector post-Image Media
Block or post-Link Decryptor Block. If subtitle
decryption does not take place in the Image Media
Block or server (such that subtitle decryption keys
must be exported from the IMB and transported to
the subtitle decryptor location), subtitle decryption
keys shall be transported to the subtitle decryptor
via the standard 'KeyLoad' Intra-Theater Message
(ITM - see Section 9.4.5) operating under TLS.
||The following sentence shall be appended to the end
of the first bullet of Section 9.5.6: 'In particular, such
firewall protection shall prevent (filter)
communications to or from any port 1173, other than
directly between security equipment within a single
||Though intended to specify key generation
requirements for both symmetric and asymmetric
cryptographic needs, the stated RFC 3447 covers
only the latter (RSA keys). Symmetric key
generation shall be per ANSI X9.31