European Digital Reading Lab
Licensed Content Protection (LCP)
EPUB Summit workshop
Laurent Le Meur
Scope of the workshop
● Update the participants on the architecture of Readium LCP, the workflow, the
state of the developments, the agenda, the costs involved;
● Detail the certification process;
● Exchange on the level of protection of Readium LCP;
● Exchange on the level of support of this new DRM by the participants.
DRM = Digital Rights Management
implementation of a
business model (ex.
Protection against wild
Are obligations more than
Complexify access to e-books
Lower interopérability and
Hurt honest sharing
Make archiving an illusion
=> push people to use anti-
What the devil was he doing in that galley?
LCP implémentation decided in november 2015,
launched in january 2016.
Why do we offer our beloved ebooks to the
- Because public libraries need a better solution than
the Adobe DRM
- Because for most publishers, unprotected EPUB is a
- Because the spec is almost ready for 2 years
- Because we have been donated source code to help
Goals of Readium LCP
● Simplicity for the user
● Perfect interoperability in the LCP ecosystem
● No limitation on content accessibility
● Offline access to the documents always possible
● Dynamic update of licenses
● Unlimited access (in time) to the documents
● Family sharing possible
● No centralized server
● Low development costs
● Limited cost of certification
2/ License generation
= + + + + +
Standard rights: start/end datetime,
print (# pages),
copy (# characters),
Choose a passphrase
A user will usually have one passphrase per bookseller or public library.
Must be easy to remember or find.
A hint stored in the license by the licensor will help the user when needed.
It MUST be clear to the user. In a public library, the user ID can be a good choice.
The passphrase will usually be requested only when a protected document is side
loaded in a new device.
4/ Open with a passphrase
Hint User Passphrase
EPUB / LCP Content key Clear content
The passphrase may be acquired automatically and stored in the
app without user action. The user will use the hint to “remember”
the document passphrase.
5/ Dynamic update of the license
● Early return
● Extended lending
● Requires an online connection
● The licensor can track the number of devices opening the document
What is the certification?
● Readium LCP is a DRM ecosystem
● Certification is
○ Guarantee of compliance
○ Guarantee of robustness
○ Guarantee of interoperability
● The specification will be public
● The source code will be open-source (BSD-like)
● But some confidential information will be transferred to the participants to an
○ Root certificate (ITU)
○ Provider certificate
○ Readium LCP 1.0 profile information (unavailable in the specification)
Compliance rules, Robustness rules
● Client and server side
○ Server app must alert if *many* devices use the same license
○ Client app must develop an anti-rollback clock (details to be defined)
○ A certain data type must be protected against a certain type of attack to a certain extent
■ Client app must obfuscate the decryption process
■ Client app must hide Readium LCP confidential information
■ Client app must securely store user keys
■ Server app must protect the provider private key
Q1 2016: development (iOS, MacOS, Android)
Q2 2016: development (iOS, MacOS, Android); first tests; contractual documents;
Q3 2016: interop tests; certificate authority setup
Q4 2016: first certifications; launch