Abstract: This document describes policies for digital rights management that enable distribution of full-function versions of applications that, while fully functional, have functions limited by an associated policy. A policy may be replaced or updated, thereby enabling use of previously limited functions without distribution of another version of the application.

Abstract: Metering is enabled through an arrangement in which a metering certificate is communicated to a mobile device using an over-the-air protocol. A metering trigger provides the metering certificate that includes a location to which metering data is posted by the mobile device and a public key of a public-private key pair, or alternatively provides a link to such metering certificate. A metering helper passes the metering certificate to a DRM system on the mobile device which collects metering data associated with the metering ID and uses the public key to encrypt the metering data into a metering challenge. The metering helper posts the metering challenge to the location. The metering service extracts the metering data from the metering challenge using a private key and generates a metering response that is received by the metering helper which prompts the DRM system to reset at least a portion of a data store in which the metering data is stored.

Abstract: A method is provided for a computing device to copy (burn) a playlist of tracks to a portable medium, where each track corresponds to a piece of digital content. At least one of the pieces of content is rights-management (RM) protected and accordingly is burned to the portable medium only in accordance with a corresponding digital license.

Abstract: A digital license is migrated from a source platform to a target platform. At the source platform, a migration image is produced to include the license and corresponding data therein, and the license is deleted from such source platform. At the target platform, permission is requested from a centralized migration service to migrate the license in the migration image to the target platform. The migration service determines whether to permit migration of the license based on predetermined migration policy. Upon receiving the requested permission as a response from the migration service, the migration image is applied to the target platform by un-tying the license from the source platform and re-tying the license to the target platform.

Abstract: A header object for a data file is comprised of sub-objects which specify properties of the data stream and contains information needed to properly verify and interpret the information within the data object. In order to allow the protection of any set of sub-objects without requiring that the sub-objects follow any specific ordering, a new sub-object is introduced which includes region specifiers identifying regions within sub-objects and verification information for those regions. This new sub-object in the header object allows the modification of non-protected regions and reorganization of sub-objects in a header without invalidating verification information.

Abstract: To render content on a medium, a device obtains a table from the medium, obtains a private key of the device (PR-PD), indexes into an entry of the table based thereon, obtains (PU-PD(RND)) from the indexed-into entry of the table, and applies (PR-PD) to (PU-PD(RND)) to expose a random key (RND). Then, the device obtains (RND(PR-PM)) from the table, applies (RND) to (RND(PR-PM)) to expose a private key of the medium (PR-PM), obtains (PU-PM(KD)) from the license, applies (PR-PM) to (PU-PM(KD)) to expose a content key (KD), obtains (KD(content)) from the storage medium, applies (KD) to (KD(content)) to expose the content.

Abstract: A sequence of content keys are shared between a receiver of pieces of digital content and a computing device upon which the content is to be rendered. The receiver encrypts each piece of content according to a corresponding content key in the sequence and forwards the encrypted content to the computing device and the computing device decrypts the encrypted content according to the corresponding content key. The receiver initially transmits to the computing device an initialization digital license with an initial content key (CK0) therein. Each of the receiver and the computing device derive a new content key (CKx) in the sequence from the initial content key (CK(0)) in the sequence on an as-needed basis and in a coordinated fashion. The initialization license is required only once for the sequence of content keys, and the receiver need not explicitly communicate (CKx) to the computing device for each piece of content.

Abstract: A source generates a medium key (KM) and a media secret table including a plurality of entries, each entry including (KM) encrypted by a public key (PU-PD) of a plurality of devices, obtains the medium ID of a medium therefrom, generates a content key (KD) for a piece of content, encrypts the content with (KD) to result in (KD(content)), encrypts (KD) with (KM) to result in (KM(KD)), generates a package for the content including (KD(content)), (KM(KD)), the medium ID, and a signature based on at least the medium ID and verifiable with (KM), and copies the generated package and the media secret table to the medium. Thus, a device with the medium and a private key (PR-PD) corresponding to an entry of the media secret table can access and render the content.

Abstract: A method of registering network devices in a digital rights management system (DRMS) includes receiving a digital certificate transmitted by the network device requesting registration and verifying the validity of the certificate. The DRMS may then send cryptographic information to the applying network device. The network device may be authorized for registration via a user interface to the DRMS. The DRMS may conduct a proximity test to determine of the network device is proximate to the DRMS. If the certificate is validated, authorization is received, and the proximity test indicates that the network device is proximate to the DRMS, the network device may be registered. A registered network device is then authorized to play protected digital content.

Abstract: In accordance with one or more aspects, a license for content is retrieved, the license having been previously embedded in the content. A requested action is allowed to be performed with the content only if a standalone license, or both a leaf license and a root license, indicate that the action with the content is permissible. Leaf licenses and/or standalone licenses can be embedded by a source of the content and/or by a target device that receives the content. Additionally, licenses can include one or more rules indicating where a target device that receives the content is to store the licenses.

Abstract: Various embodiments described above can enable referral lists to be used in connection with distributed content to protect a referral infrastructure that is used with such content. In at least some embodiments, referral lists are protected using digital rights management (DRM) techniques. The DRM techniques can be used for a number of purposes including securely establishing a referring consumer, securely maintaining a chain of referring entities through distribution tracking, and maintaining control over the referral lists associated with distributed content. In at least some embodiments, DRM techniques are utilized to protect referral lists that are used in multi-level marketing networks.

Abstract: A request to render encrypted content is received and a chain of licenses corresponding to the content is located. The chain includes a leaf license linked to the content at one end of the chain, a root license at the other end of the chain, and any intermediate licenses therebetween. The leaf license and any intermediate licenses in the chain are each bound to the adjoining license in the chain toward the root license, and the root license is bound to an owner of a private key (PR-U). For each license in the chain, the license is verified and it is confirmed that the license allows the content to be rendered. A decryption key is obtained from the leaf license based on application of (PR-U) to the root license, the obtained key is applied to decrypt the encrypted content, and the decrypted content is rendered.

Abstract: Described herein are one or more implementations for transforming (e.g., transcoding) DRM-protected digital media content while retaining associated DRM-information (e.g., a user license its related information).

Abstract: Portable digital rights for multiple devices is described. In an embodiment, a digital rights management (DRM) system includes a first device with a removable component configured as a token that is associated with a DRM license. The first device also includes a removable memory card that stores protected media content on which the first device can perform actions as permitted by the DRM license. The DRM system also includes a second device that can have the removable component and the removable memory card when removed from the first device and installed in the second device such that the second device can perform the actions on the protected media content as permitted by the DRM license.

Abstract: Techniques enable seamless movement and consumption of licensed digital content amongst multiple devices. In some embodiments, these techniques allow establishment of a domain capable of having multiple member devices. Each member device of the domain typically comprises a content-consuming device such as a personal computer, a portable media player, or the like. These techniques enable a license associated with digital content to bind to a domain rather than an individual device. As such, each member device of the domain may contain a domain identity and, with the identity, may consume the content with use of the license and in accordance with policy described in the license. These tools may also enable a member device to join multiple domains and to contain an identification of each of these multiple domains.

Abstract: Techniques enable creation of a preview license for digital content. In some instances, the preview license indicates that it allows a content-consuming device to consume less than all of the content. This preview license may create a list specifying multiple portions of the digital content that the content-consuming device may consume. These techniques may also present to a device user an offer to purchase rights to consume all of the digital content after consumption of the preview-licensed portion(s). In other instances, a content server may embed the preview license into a content package that contains the digital content, allowing the server to distribute the package to multiple devices. In still other instances, the preview license may be bound to a domain rather than to individual devices. This allows member devices to share the digital content and the preview license, such that each member device may enjoy the preview experience.

Abstract: Techniques enable building a collection of data that defines an asset, with the data possibly having differing data types. These techniques are then capable of assigning arbitrary policy to that asset, regardless of which data types are present within the asset. In addition, these techniques enable packaging of this first asset with one or more additional assets in a self-contained envelope. Each asset within the envelope may similarly include data of differing data types. Furthermore, each of these assets may be assigned a policy that may be different than the policy assigned to the first asset. This envelope, or a collection of envelopes, may then be provided to a content-consuming device to consume the assets in accordance with each asset's specified policy.

Abstract: A header object for a data file is comprised of sub-objects which specify properties of the data stream and contains information needed to properly verify and interpret the information within the data object. In order to allow the protection of any set of sub-objects without requiring that the sub-objects follow any specific ordering, a new sub-object is introduced which includes region specifiers identifying regions within sub-objects and verification information for those regions. This new sub-object in the header object allows the modification of non-protected regions and reorganization of sub-objects in a header without invalidating verification information.

Abstract: A header object for a data file is comprised of sub-objects which specify properties of the data stream and contains information needed to properly verify and interpret the information within the data object. In order to allow the protection of any set of sub-objects without requiring that the sub-objects follow any specific ordering, a new sub-object is introduced which includes region specifiers identifying regions within sub-objects and verification information for those regions. This new sub-object in the header object allows the modification of non-protected regions and reorganization of sub-objects in a header without invalidating verification information.

Abstract: A device renders content on a medium by obtaining a table from the medium, obtaining a device key (DK) of the device and an index value of such (DK), indexing into an entry of the table based on the obtained index value, selecting an encrypted secret from the indexed-into entry, applying the obtained device key (DK) to the selected encrypted secret to expose the secret, and applying the exposed secret to render the content.