3.2.5 Processing Events and Sequencing Rules

Devices SHOULD implement a Real-Time Clock and refresh it after each specified Refresh Time interval. The ability to properly restrict access to content based on a specific date requires this functionality.

Devices MUST support the policy as described in the content's license to play existing and new Protected content (1).

Cryptographic keys MUST be present as described in section 3.2.1.2 Cryptographic Keys.

Group certificate key pair: This key pair is shared by all devices of the same model.<1>

The group certificate private key is stored in a manner so that the key is opaque to the user on the device. The group certificate private key is used to sign the device certificate.

Device key pair: This key pair is generated by the device at run time and is used to secure information on the device.

The device public key is stored in the device certificate, and is used by licensing servers to encrypt content keys for licenses that are issued specifically for this device.

The device private key is encrypted and stored in the device certificate. The device private key is used to decrypt the content key in licenses during the decryption process Group Keys.

Fallback certificate key pair: This key pair is also shared by all devices of the same model.<2> This key pair is used for acquiring licenses from versions of Media Rights licensing servers that do not support Media DRM for portable devices.

The version of the fallback public key is stored in the device certificate.

The fallback private key is stored (hidden) on the device and is used to decrypt the content key for those licenses that are issued to the fallback certificate.
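
The group and device key roles described above, as an added example that is not part of the specification: the group private key signs a certificate carrying the run-time device public key, a licensing server encrypts a content key to that public key, and the device decrypts it. Ed25519 and RSA-OAEP are stand-in algorithms, and DeviceCert, NewDevice, WrapContentKey, UnwrapContentKey and the server-side signature check are hypothetical names and assumptions; the encrypted device private key stored in the certificate and the fallback key pair are not modelled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
)

// DeviceCert is a simplified certificate: DER device public key plus the group key's
// signature. Assumption: Ed25519 and RSA-OAEP are stand-ins, not the protocol's algorithms.
type DeviceCert struct{ DevicePub, Sig []byte }

// NewDevice generates the device key pair at run time and signs its certificate.
func NewDevice(group ed25519.PrivateKey) (*rsa.PrivateKey, DeviceCert, error) {
	dev, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, DeviceCert{}, err
	}
	der := x509.MarshalPKCS1PublicKey(&dev.PublicKey)
	return dev, DeviceCert{DevicePub: der, Sig: ed25519.Sign(group, der)}, nil
}

// WrapContentKey is the licensing-server side: check the certificate, then encrypt.
func WrapContentKey(groupPub ed25519.PublicKey, c DeviceCert, ck []byte) ([]byte, error) {
	if !ed25519.Verify(groupPub, c.DevicePub, c.Sig) {
		return nil, errors.New("device certificate not signed by the group key")
	}
	pub, err := x509.ParsePKCS1PublicKey(c.DevicePub)
	if err != nil {
		return nil, err
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, ck, nil)
}

// UnwrapContentKey is the device side: recover the content key from a license.
func UnwrapContentKey(dev *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, dev, wrapped, nil)
}

func main() {
	groupPub, groupPriv, _ := ed25519.GenerateKey(rand.Reader)
	dev, cert, _ := NewDevice(groupPriv)
	wrapped, _ := WrapContentKey(groupPub, cert, []byte("constructed-key!")) // constructed sample
	ck, err := UnwrapContentKey(dev, wrapped)
	println(string(ck), err == nil)
}
```

Because the group private key is shared by every device of a model, a certificate signed with it identifies the model rather than an individual device; only the device private key ties a license to one device.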