Background: It is too easy to do illegal things with copyrighted music, and systems that prevent that are often too restrictive (they don't allow you to copy music to other computers that you own, etc.). It should be easy to do the right thing and hard to do the wrong thing.
Overview: Use public/private keys to keep music encrypted until it reaches the speakers. The music is stored encrypted using a USB key and is playable anywhere the USB key is taken. Once the support is in place it will be easy to buy music, copy it to wherever you want to play it and transfer ownership to a friend. Music becomes tied to a USB key and is playable everywhere that the USB key is supported.
When the user wants to buy music:
They choose the music and the browser sends the public key of the USB key to the web site.
The web site checks that the public key is signed by the certificate authority (CA) and then encrypts the music with the public key.
The user then downloads the music and copies it wherever they desire (hard drive, portable player, work computer, etc).
When the user wants to play the music on the computer:
The playing software asks the digital speakers (whatever is attached to the computer) for their public key and sends that to the USB key with the encrypted music.
The USB key checks that the public key from the speakers is signed by the CA, then decrypts the music, encrypts it with the public key of the speakers and returns the re-encrypted music.
The software sends the re-encrypted music to the digital speakers, which decrypt it and play it.
When the user wants to play the music on the portable player:
The user plugs the USB key into the player and things work basically the same way as on the computer, except that the digital speakers (or headphone jack) are built into the player.
When the user wants to give the music to someone else:
The software requests the public key from the friend's USB key and sends it and the music to the owner's USB key.
The owner's USB key checks that the public key is signed by the CA and re-encrypts the music using the public key.
The music will now only play with the friend's key.
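The three steps above (the web site encrypting to the USB key, the USB key re-encrypting to the speakers or to a friend's key, and the speakers decrypting), sketched in Go as an added example that is not part of the original post. It assumes the public-key step protects a short per-track content key with RSA-OAEP, since RSA cannot encrypt a whole track directly, and that the CA signs each device key directly with Ed25519; all function names are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// NewDevice makes a device key pair and has signer (normally the CA) certify it.
func NewDevice(signer ed25519.PrivateKey) (*rsa.PrivateKey, []byte) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k, ed25519.Sign(signer, x509.MarshalPKCS1PublicKey(&k.PublicKey))
}

// Wrap encrypts a content key to pub, but only if the CA signed pub.
func Wrap(ca ed25519.PublicKey, pub *rsa.PublicKey, sig, key []byte) ([]byte, error) {
	if !ed25519.Verify(ca, x509.MarshalPKCS1PublicKey(pub), sig) {
		return nil, fmt.Errorf("recipient key is not signed by the CA")
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
}

// Unwrap is the speakers' final step: decrypt with the device's private key.
func Unwrap(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

// Recrypt is the USB key's step: the content key only ever leaves re-wrapped by Wrap.
func Recrypt(ca ed25519.PublicKey, usb *rsa.PrivateKey, to *rsa.PublicKey, sig, ct []byte) ([]byte, error) {
	key, err := Unwrap(usb, ct)
	if err != nil {
		return nil, err
	}
	return Wrap(ca, to, sig, key)
}

func main() {
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)
	usb, usbSig := NewDevice(caPriv)
	spk, spkSig := NewDevice(caPriv)
	ct, _ := Wrap(caPub, &usb.PublicKey, usbSig, []byte("constructed content key"))
	out, err := Recrypt(caPub, usb, &spk.PublicKey, spkSig, ct)
	fmt.Println(len(out), err) // ciphertext that only the speakers' private key opens
}
```

Giving the music to a friend is the same Recrypt call with the friend's USB key as the target instead of the speakers.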
Digital speakers: Provide a public key on demand (signed by the certificate authority) and accept music encrypted with their public key. They have a small processor to do this and decrypt the music (and would only work with formats that they understand). A sound card or home audio system could also take their place.
USB key: Provides its public key on demand. Re-encrypts music (decrypts using its private key and encrypts using a public key signed by the certificate authority). Has a small processor and a few MB of RAM.
Portable players that accept the USB keys or have built in keys.
The certificate authority would be some group that signs the keys of hardware manufacturers (USB keys, digital speakers, portable players) once it has certified that the hardware meets the spec (secure, works well, etc.). The certificate authority would hopefully be a group that is independent of music makers and just ensures that the spec is followed before signing manufacturer keys; that way any company can make a device that complies, and new and interesting devices could be created.
Once real sound is created then it can be copied, but that has always been the case.
The hardest part of getting this to work would be getting portable player manufacturers to support it.
If this works, it should satisfy copyright holders by making illegal copying very hard and would satisfy music listeners by making legal use of music easy. This could also be applied to video (a display would be like a speaker). I understand that there is no way to completely prevent copying. If it comes out of a speaker then a microphone can record it. :-) I also understand that many of the current solutions put too many restrictions on what the "legal consumer" can do, which is why I thought of this idea that is more open.
In chatting with a friend he pointed out that the website would have to verify that the USB key presented was actually valid, so it would have to be signed by the CA public key. Therefore websites and USB keys would have to verify requests to re-encrypt with the CA, which would present some problems, but could also work (especially if the USB key caches known keys like the speakers and portable player).