The Marlin Community

 

 

 

MTMO Frequently Asked Questions (FAQs)

1. General FAQs

 

What is the MTMO’s role in Marlin?

The MTMO serves 4 key roles in Marlin:

  • grants non-patent IPR for commercial uses of Marlin technology;
  • provides key management and certificate services for Marlin products and services;
  • enforces compliance and robustness rules for Marlin products and services;
  • operates renewability services for the Marlin ecosystem.

 

 

What is the MTMO’s relationship to the MDC? Why are they separate entities?

The MTMO and MDC (Marlin Developer Community) are separate entities specifically to keep technology development activities distinct and independent from the day-to-day activities associated with running a key management and trust services organization.

The MDC enables technology development to support the rollout of the Marlin ecosystem. It does this by developing and publishing the Marlin specifications, community code, tools, conformance test and development keys, and white papers for parties interested in evaluating and testing Marlin technology.
Note: All specifications and code available through the MDC are intended for internal and non-commercial purposes only.

The MTMO is the operational entity that grants commercial licenses for Marlin technology, and implements the Marlin trust model (including key management and certificate services) and renewability. MTMO licensees have access to compliance and robustness rules for achieving certification, and other valuable tools and documents.
Note: Potential adopters of Marlin DRM, including device and service providers, are encouraged to evaluate Marlin technology before licensing the right to commercially deploy it.

For a more detailed division of labor between the 2 entities, click here

 

 

What benefits does the MTMO provide to adopters of Marlin technology?

The MTMO provides a single trust management infrastructure that ensures interoperability between Marlin-compliant products and services.  This allows renewable security to be implemented with minimum impact to consumers, client and service providers.

 

How does the MTMO enable interoperability?

The MTMO enables interoperability through:

  • its ability to trust Marlin identities: the MTMO guarantees the certificates of principals used in all implementations are signed by common roots of trust and are generated according to trustable procedures.  Any one entity can authenticate and trust the authenticity of any other entity by following the certificate chain to the common roots

  • cryptographic mechanisms: the MTMO ensures that all keys and certificates adhere to a common specification

  • compliance of implementations with a set of common specifications 

  • the use of a singly-rooted PKI (Public Key Infrastructure) for device and service authentication

  • a reporting body for keys and devices that are compromised.

 

How does the MTMO handle security breaches of devices and services?

Marlin is designed to support a variety of mechanisms that may be applied in the event of a security breach. These include revocation of devices and services, exclusion from content, and shunning access to services.  The MTMO also employs both legal recourse and contractual remedies articulated in the MTMO agreements.

 

What is the process for getting my Marlin-based implementation certified by the MTMO?

To certify a Marlin-based implementation, a device or service provider must:

    • become an MTMO adopter by signing the appropriate MTMO license agreement and paying the fees;

    • satisfy the conformance test requirements of the specifications: this means conforming to the Fishnet test suite for the Broadband specification and the test vectors for the IPTV-ES specification;

    • meet compliance test criteria; and

    • fulfill robustness questionnaires.

Note: Certification of a device or service by the MTMO does not necessarily guarantee full compliance with all applicable terms and conditions under the MTMO license agreement.  The MTMO reserves all rights available under applicable laws and contracts to address any violation and breach.

What are the key design objectives of the Marlin trust model?

  • The Marlin trust model consists of a single root of trust and delegated Certificate Authorities (CAs). The MTMO runs these trust anchors to allow interoperability between Marlin implementations.

 

What are the benefits of a delegated Certificate Authority (CA)?

The MTMO allows for the delegation of key management to adopters. The benefit of a delegated CA is that adopters can control the cost structure of key management either by establishing a CA in-house, outsourcing it to a service provider, or leveraging existing systems. This also allows adopters to design their own delegated trust hierarchy to meet individual business needs.
For example, a large device manufacturer can design its trust hierarchy to have each geographical division be in charge of its own delegated CA; each geographical division can then delegate the CA responsibility to different sub-product divisions if the adopter chooses to.  Alternatively, the device manufacturer can choose to have just one CA for all its devices and order all the device keys from a PDC (Provisioning Data Center).

 

How are keys and certificates provided for devices, applications, and services?


To acquire keys and certificates, an adopter must sign the appropriate MTMO agreement (for device or service provider) and pay the annual fee.

Adopters have the option to generate their own keys, or to order them through a PDC (Provisioning Data Center). Client credentials (for devices or PC-software clients) can be provisioned either online via a service provider’s Personalization Server or at a factory before they hit the market. Server credentials must be manually configured by a service provider’s DRM administrators or developers.

 

How does the MTMO issue development keys and test keys?

To encourage the rapid adoption of Marlin, the MTMO provides the Development Trust Infrastructure. There are two parts to the test infrastructure. First, adopters can download from the website a set of Common Test Keys that includes a test root, several test Certification Authorities, and sample credentials for services and clients. Later in development, an adopter can order a set of Adopter Test Keys. The Adopter Test Keys are from the same test root, and the values in the certificates are set by the Adopter to match what will be implemented in production.
 

 

What is a Provisioning Data Center and what is its relationship to the MTMO?

A Marlin Provisioning Data Center (PDC) is a contract service provider for Marlin adopters that generates batch credentials and provides DCA (Delegated Certification Authority) services. It is registered with the MTMO to receive MTMO-issued credentials on behalf of adopters, and to fulfill their audit, security and reporting requirements.

 


2. FAQs for Adopting Marlin Technology

 

How can I get a commercial license to implement Marlin technology as a Client Adopter or Service Provider Adopter?

 
  1. As a potential adopter, you will go to: http://www.marlin-trust.com/downloads/agreement.html and fill out the Request for Agreement Form in order to download the Client Agreement (CA) or Service Provider Agreement (SPA);
  2. You will receive a copy of the agreement that you requested;
  3. After filling in the contact information and signing the agreement, you can send it by:
     • Emailing a scanned copy of the signed pages to: admin@marlin-trust.com
     • Faxing a copy of the signed pages to: (408) 616-1626
     • Couriering or mailing it to: 415-112 N. Mary Ave. #332, Sunnyvale, CA 94085 -- USA
     Note: If the agreement is couriered or mailed then please send 2 copies;
  4. We will countersign the agreement and re-send a copy to the assigned contact person;
  5. We will send you an invoice for the annual MTMO fee (the current fee for a Client Adopter or Service Provider Adopter is $22,000);
  6. We will also send you information on listed trust service providers you can contract for key management services (currently, Seacert is the sole provider of this service);
  7. Upon receiving payment, we will send an email acknowledgement to the contact person;
  8. We will also send you a user identity and password; with this, you can access the protected pages of the MTMO website where you will find useful documents, Common Test Keys, and tools;
  9. Once you have completed the Smartcard request form and sent it to us at operations@marlin-trust.com, we will courier a customized smartcard to your specified address;
  10. We will then send you a Getting Started document;
     If you are a Client adopter, we will send you a company-specific Starfish key tree assignment and the certificate for the Trust Anchor (for you to burn into your devices).
     If you are a Service provider, we will send you a Service Provider ID (only for IPTV ES) and the certificate for the Trust Anchor (for you to burn into your service).
  11. You are responsible for complying with the obligations in the “Safeguarding the Production Trust Infrastructure” document; if you work with a listed trust service provider (i.e., Seacert), then they will take care of most requirements for you.
 
Note: If you plan to sell devices and services based on Marlin technology, you will need to sign both the Client Adopter and Service Provider Agreements.
 
What is the fee schedule if I am a Client Adopter of Marlin technology?
 
The current fee schedule can be found in Exhibit D (p. 96) of the Marlin Client Adopter agreement. It includes the following:
 
  1.  Annual Administration Fees. As provided in Section 4.1 of the interim Client Adopter agreement. 

    Client: US$ 22,000.00 per year
    Client with Component Manufacturer Addendum: US$ 15,000.00 per year
  2. Marlin Certification Fees. As provided in Section 4.2 of the interim Client Adopter Agreement

    Marlin Certification Fees shall be paid by Client.

    US$ 1,500.00 per Acknowledgement for Compliance Testing under Section 3.2(b)

    Note: Marlin certification fees are not required to be paid prior to the date of certification.
  3. Root Certificate Fees (optional certificate). As mentioned under Section 4.3 of the interim Client Adopter Agreement.

    Root Certificate Fee shall be paid by the Client Adopter.

    US$ 3,000.00 per single set of DCA certificates for applicable specification per request

    Note: If you plan to implement IPTV-ES only and use a listed Trust Service Provider (currently only Seacert), the root certificate fees will be waived.
  4. Security Operation Fees. As mentioned under Section 4.4 of the interim Client Adopter Agreement,

    Security Operation Fees shall be paid by Client as the case may be.

    US$ 0.01 per Provisioning Packet generated for Client

    Note: There are some listed trust service providers (currently only Seacert) who provide the remittance service to MTMO instead of to the Client Adopter.
  5. Routing of Orders and Payments. All fees shall be paid to MTMO or to its order in United States dollars by wire transfer or such other means as MTMO may reasonably specify.

What are the anticipated costs for adopting Marlin as a Service Provider?
 
1.  Annual Administration Fees. As provided in Section 4.1 of the interim Service Provider Agreement, the applicable Annual Administration Fees below shall be paid by Service Provider (excluding its Affiliates).
 
Service Provider: US$ 22,000.00 per year
Service Provider with Service Element Provider Addendum: US$ 15,000.00 per year
 
2.  Marlin Certification Fees. As provided in Section 4.2 of the interim Service Provider Agreement
Marlin Certification Fees shall be paid by Service Provider.
 
US$ 1,500.00 per Acknowledgement for Compliance Testing under Section 3.2(b)
 
Note: Marlin Certification Fees are not required to be paid before the Certification Requirement Date.
 
3.  Root Certificate Fee (optional certificate). As mentioned under Section 4.3 of the interim Service Provider Agreement
Root Certificate Fee shall be paid by Service Provider.
 
US$ 3,000.00 per single set of DCA certificates for applicable specification per request
 
Note: If you plan to implement IPTV-ES only and use a listed Trust Service Provider (currently only Seacert), Root Certificate Fees are not required to be paid.
 
 
4.  Security Operation Fees. As mentioned under Section 4.4 of the interim Service Provider Agreement
 
Security Operation Fees shall be paid by Service Provider as the case may be.
US$ 0.01 per Provisioning Packet generated for Service Provider
 
Note: There are some listed trust service providers (e.g. Seacert) who provide the remittance service to MTMO instead of Client Adopter.
 
5.  Routing of Orders and Payments. All fees shall be paid to MTMO or to its order in United States dollars by wire transfer or such other means as MTMO may reasonably specify.
 
 
How do I sign up as a Client Component Manufacturer or Service Element Provider?
1.       As a potential adopter, you will go to: http://www.marlin-trust.com/downloads/agreement.html and fill out the Request for Agreement Form in order to download the Client Agreement (CA) or Service Provider Agreement (SPA);
 
2.       You will receive a copy of the agreement that you requested;
 
 
3.       After filling in the contact information, signing the agreement, and filling out Addendum XX, you can send it by:
·         Emailing a scanned copy of the signed pages to: admin@marlin-trust.com
·         Faxing a copy of the signed pages to: (408) 616-1626
·         Couriering or mailing it to: 415-112 N. Mary Ave. #332, Sunnyvale, CA 94085 -- USA
 
Note: If the agreement is couriered or mailed then please send 2 copies;
 
4.       We will countersign the agreement and re-send a copy to your assigned contact person;
 
5.       We will send you an invoice for the annual MTMO fee (the current fee for a Component Manufacturer Adopter or Service Element Provider is $15,000);
 
6.       Upon receiving payment, we will send an email acknowledgement to your assigned contact person;
 
7.       You will then receive access to the Common test keys, the Conformance test specification, and other information you might need to get your part of the solution certified.
 
Note: As a Component Manufacturer or Service Element Provider adopter, you will not get production keys.
 
 
If I am a Client Adopter licensee, and subcontract with a hardware manufacturer to provide components for my Marlin implementation, does my subcontractor need to sign the Client Adopter agreement as a component manufacturer?
 
No. Your subcontractor does not need to sign the component manufacturer addendum as long as:
  • the hardware manufacturer is not providing you with a licensed component, as described in Sect. 1.48 of the Client Adopter agreement:
"Licensed Component(s)" means a component(s), such as an integrated circuit, circuit board, or software module that (i) is manufactured or distributed under valid Marlin Client Agreement; (ii) is designed solely to be assembled into a Licensed Product or Robust Licensed Component, and (iii) embodies some or all portion of the Marlin Specification, but which by itself is not Compliant nor Robust.
  • the hardware manufacturer is subcontracted by Sentivision, with a contractual agreement that adheres to Section 2.1 (f) of the Client Adopter Agreement, whereby the:
"Client shall conclude a written, binding agreement with any such subcontractor that effectively imposes on that entity such obligations to ensure that neither Client nor its subcontractor commits any breach of this Agreement, and shall provide therein that MTMO is a third party beneficiary of all subcontractors’ obligations imposed pursuant to this Section, but that MTMO has no obligation whatsoever to subcontractor.  Client shall take such actions as are reasonably necessary to secure compliance of its subcontractor with its obligations imposed thereunder, and shall be fully responsible under this Agreement for any breach or failure thereof by its subcontractor as if such breach or failure were the direct act of Client.  Client acknowledges that MTMO’s third party beneficiary rights with respect to such breaches or failures of its subcontractor do not in any way limit or diminish Client’s obligations under this Agreement or this Section, including without limitation the immediately preceding sentence."
 
What can I expect to get when I sign the Marlin Component Manufacturer Addendum instead of the full Marlin Client Adopter agreement?
 

 

 
|  | Client Licensee | Component Manufacturer |
|---|---|---|
| Development Trust Infrastructure access | Yes | Yes |
| Conformance Test Specifications | Yes | Yes |
| Access to member-only tools & information | Yes | Yes |
|  | Yes | Yes |
| Production Trust Infrastructure | Yes | No |
| Development Trust Infrastructure | Yes | No |
| Access to Production Keys | Yes | No |
| Sell Licensed Product | Yes | No |
| Sell Licensed Components to Clients | Yes | Yes |
| Annual Fee | $22K | $15K |

 

 
What can I expect to get when I sign the Marlin Service Element Provider Addendum instead of the full Marlin Service Provider agreement?
 

 

 
|  | Service Provider Licensee | Service Element Provider |
|---|---|---|
| Development Trust Infrastructure | Yes | Yes |
| Conformance Test Specifications | Yes | Yes |
| Access to member-only tools & information | Yes | Yes |
| Marlin Specifications | Yes | Yes |
| Production Trust Infrastructure | Yes | No |
| Development Trust Infrastructure | Yes | No |
| Access to Production Keys | Yes | No |
| Sell Licensed Service | Yes | No |
| Sell Licensed Service Elements to Service Providers | Yes | Yes |
| Annual Fee | $22K | $15K |

 

 
 
If I have signed a Marlin Client Adopter or Service Provider agreement, how can I contract with Seacert to provide trust services?
 
1.       Once you have signed a Marlin Client Adopter or Service Provider agreement, you will be informed of listed trust service providers you can contract for key management services (currently, Seacert is the sole provider of this service);
 
2.       You can request the Seacert agreement by signing the request form at: http://www.seacert.com/signup/index.html; if interested, Seacert provides a customized copy with your company information
 
      Note: Seacert agreements will only be sent out to a corporate email address.
 
3.       If you decide to contract with Seacert, please sign the Seacert agreement, fill out XX, and send it by courier to: 955 Stewart Drive, Sunnyvale, CA 94085 -- USA
 
4.       A Seacert representative will send a countersigned copy of the agreement to the assigned contact person. You have the choice to pay the $5,000 new account set up fee upfront or with the first order.
 
5.       The contact person will receive a user ID and password for accessing the protected pages of the Seacert website; here you can get information on filling out orders to provide cryptographic objects you will need to implement Marlin technology.
 
6.       When you place an order, payment must be received before the order will be processed.
 
 
 
If I choose to set up my own Delegated Certificate Authority (DCA) rather than contracting to Seacert, are there any additional agreements I need to sign?
No, you do not have to sign a separate agreement as the Client Agreement already fully accommodates you provisioning your own devices. 
  • Section 3.3 of the current interim Client Adopter agreement obligates all adopters to conform to the Safeguarding the Production Trust Infrastructure document. 
  • Section 3.5 obligates adopters to permit the MTMO to perform examination and audit procedures, which MTMO would be more likely to perform on an adopter provisioning its own devices.
  • Section 6.3 requires handling highly confidential information in acceptable ways.
 
 
Note: If you provision your own devices, you will have more requirements to follow than if you do not provision your own devices. In the event that you choose not to provision your own devices, you will have to get your contractor to sign Exhibit H.
 
How can I get my Marlin-based device or service implementation designated as being Marlin compliant?
 
For a device or service to be considered Marlin compliant, as a client or service provider adopter you must comply with:
  • Conformance specification/s
  • Robustness rules
  • Compliance rules
  • Trust Management Policies

Conformance Specification/s
  • Conformance means that your device or service meets the applicable MUST, MUST NOT, REQUIRED, SHALL and SHALL NOT statements in the Marlin specification you have implemented;
  • You can download the Conformance Test Specifications from the MDC at: http://www.marlin-community.com/developer/participants/downloads.html. This site hosts Conformance Test Specifications for Marlin Broadband and IPTV-ES;
  • You can download the Conformance Test Procedures from the MTMO at www.marlin-trust.com/operations. Procedures for IPTV-ES and Marlin Broadband are provided;
  • You must submit a Conformance Affidavit to the MTMO; a template for this Affidavit can be downloaded from: www.marlin-trust.com/operations
  • The MTMO will return to you an Acknowledgment of Conformance Affidavit. 
 
Robustness Rules
  • Robustness rules are included in Exhibit B of the Client Adopter Agreement or Service Provider Agreement and govern the level of protection required in your device or service implementation, for example, how well keys must be protected;
  • You must submit to MTMO the Short Form Robustness Questionnaire and keep a copy of the Long Form Robustness Questionnaire within your company;
  • You will receive from MTMO an Acknowledgment of Robustness Checklist.


Compliance Rules                                           
 
Trust Management Policies
  • You must adhere to the Trust Management Policies, which are included in the Marlin Trust Management Document (MTMD) and can be downloaded from: www.marlin-trust.com/operations. There are two separate documents, one for Marlin IPTV-ES and one for Marlin Broadband.
 
The Common Test Keys are available for download from: www.marlin-trust.com/operations. The Common Test Keys are useful for testing the above requirements. 
 
If I choose to set up my own Delegated Certificate Authority (DCA) and do my own provisioning, what are the additional requirements I should anticipate?
 
The “Safeguarding the Production Trust Infrastructure” document obligates entities performing delegated certificate authority (DCA) and Provisioning activities to:
  • Send a specified quarterly report to the MTMO with information used to manage remediation
  • Subject their operation to a security audit program – either the one defined by the MTMO (based on the standard ISO 21188:2006) or to an AICPA/CICA WebTrust Audit Program (excluding the registration functions)
  • Create private keys using an HSM (hardware security module) if a commercially available one fulfills the cryptographic requirements of the applicable Marlin Specification or Marlin Trust Management Document.  
  • Handle highly confidential information (e.g., private keys) in acceptable ways.
 
What does it mean to be a Delegated Certificate Authority (DCA) and provisioning center?
 
The Delegated Certification Authority (DCA) sits below the Trust Anchor and above the End Entity (Device or Service) in the Trust Management infrastructure. A Marlin listed Trust Service provider (e.g., Seacert) typically has a DCA certificate containing its own subject name and uses the associated private key to sign certificates for multiple Client and Service Provider companies. However, a Client/Service Provider may prefer to have a DCA certificate with its own company name. Likewise, the Client/Service Provider may choose to manage the DCA key/certificate itself or have it managed by a Trust Service provider. The entity that holds the private key associated with the DCA certificate is obligated to the requirements listed in the preceding question.
 
The Provisioning level of the Trust Infrastructure is immediately above the End Entity level and the entity that manages it creates the cryptographic content for Devices and/or Services. The Provisioning Data Center, whether internal to a Client/Service Provider or a Trust Provider, is obligated to the requirements listed in the preceding question. This is because the Provisioning Data Center must manage its own private key as well as create, sign, and encrypt private keys for the End Entities. The DCA level and Provisioning level may be the same entity and same private key/certificate, or they may be separate entities and private keys/certificates.  
 
A Client/Service Provider has three choices for implementing DCA level and the Provisioning level:
1. Obtain services from a Marlin listed Trust Service provider (currently only Seacert).
2. Obtain services from a general Trust Service Provider not listed by MTMO.
3. Operate the internal DCA within the Client’s or Service Provider’s company.
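
The hierarchy described above (Trust Anchor, DCA, an optional separate Provisioning level, End Entity), as an added example that is not MTMO or Marlin code: it builds a throwaway hierarchy and checks that an end entity validates only by chaining up to the single trust anchor. The FAQ does not state Marlin's certificate format, so X.509 with ECDSA keys is an assumption here, as are all names and the helper functions `issue`, `chainLen` and `demo`.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// node is one level of the hierarchy: its certificate and the key that signs the level below.
type node struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}
// issue creates a certificate for name, signed by parent (self-signed when parent is nil).
func issue(name string, isCA bool, parent *node) *node {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign // only CA levels may sign certificates
	}
	signerCert, signerKey := tmpl, key // no parent: self-signed trust anchor
	if parent != nil {
		signerCert, signerKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return &node{cert, key}
}

// chainLen verifies leaf against the single trust anchor and returns the chain length.
func chainLen(leaf, anchor *node, intermediates ...*node) (int, error) {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(anchor.cert)
	for _, n := range intermediates {
		inter.AddCert(n.cert)
	}
	chains, err := leaf.cert.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter})
	if err != nil {
		return 0, err
	}
	return len(chains[0]), nil
}

// demo builds both layouts the FAQ allows plus a foreign device; names are constructed samples.
func demo() (merged, split int, foreign error) {
	anchor := issue("Sample Trust Anchor", true, nil)
	dca := issue("Sample Adopter DCA", true, anchor)
	prov := issue("Sample Provisioning CA", true, dca)
	devA := issue("Device A", false, dca)  // DCA and Provisioning share one key
	devB := issue("Device B", false, prov) // separate Provisioning level
	devC := issue("Device C", false, issue("Unrelated Root", true, nil))
	merged, _ = chainLen(devA, anchor, dca)
	split, _ = chainLen(devB, anchor, dca, prov)
	_, foreign = chainLen(devC, anchor, dca, prov)
	return
}

func main() { fmt.Println(demo()) }
```

A verifier that holds only the trust anchor needs every intermediate level presented with the end-entity certificate; omitting the Provisioning certificate in the split layout makes validation fail.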
 
 
If I have signed the Component Manufacturer or Service Element Provider addendum, can I still get certified for Marlin compliance?
If you are a Marlin Component Manufacturer or Service Element Provider adopter, then the Licensed Component or the Licensed Service Element does not need to test for conformance and compliance according to the Marlin Client adopter and Service provider agreements.
 
If I am just getting started with Marlin, what is the best way to get up to speed on the technology?
The Marlin Architecture Overview paper is the best place to learn more about the technology. For a high level understanding of what Marlin’s scope and mission are, which companies are behind it, and its value proposition, the Marlin Overview paper will provide this information. The Marlin use cases presentation also covers examples of different uses of Marlin for enhanced content sharing. An Implementation guideline paper will be published shortly.
 
 

 

         
 


 

© Copyright 2005-2008 Marlin Trust Management Organization, Delaware USA. All rights reserved.
