For me it seems like the security is not really too excellent with this proposed system. For example, if I make my own client to handle the download and send an error message after the successful download, the service thinks that there was an error, but my client could still use the downloaded content fully.
Also, what is the security model for the download server? For example, if I just get the address of the content and decide to download it without informing any other servers here, I could get it totally free.
Have I missed something, or is it really like this?
3rd party applications are not currently supported on Nokia devices, which have the COD functionality. It is also illegal to build and operate solutions for stealing and redistributing commercial content. While Nokia takes no responsibility for how our solutions are used or misused, we are aiming to help service providers build both secure and easy to use solutions. These kinds of solutions can be created in almost all cases, so let's keep honest people honest and happy.
The Delivery Server is architected in such a way that it acts as a middleman between the client and the content storage. The client requests the content from the DLS, and the DLS retrieves it from the content storage (using a normal URL and HTTP/HTTPS). The beauty of this approach is that
- the DLS has a control position where it can monitor what devices fetch information, and how often they succeed/fail (with respect to the installation notification). This allows the DLS to enforce client specific policy (i.e. clients that are identified to be rogue can get blacklisted)!
- the Content Storage can easily be set up in a way that allows ONLY the DLS to retrieve the content objects. This can be done using simple IP-address filtering, or basic authentication, or TLS & certificates.
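
The client-specific policy from the first bullet, sketched as an added example that is not part of the original post and is not Nokia's Delivery Server code: it compares what the DLS actually served with the installation notifications it received, and lists clients that repeatedly get complete objects without confirming them. The event format, client names and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

# Constructed sample events, as a DLS might record them (format is an assumption):
#   (client, transaction, "served", (bytes_sent, object_size))
#   (client, transaction, "notify", "success" | "error")
EVENTS = [
    ("dev-A", 1, "served", (900, 900)), ("dev-A", 1, "notify", "success"),
    ("dev-A", 2, "served", (500, 500)), ("dev-A", 2, "notify", "success"),
    ("dev-A", 3, "served", (700, 700)), ("dev-A", 3, "notify", "success"),
    ("dev-B", 4, "served", (900, 900)), ("dev-B", 4, "notify", "error"),
    ("dev-B", 5, "served", (500, 500)), ("dev-B", 5, "notify", "error"),
    ("dev-B", 6, "served", (700, 700)), ("dev-B", 6, "notify", "error"),
    ("dev-B", 7, "served", (800, 800)),  # complete transfer, no notification
    ("dev-C", 8, "served", (120, 900)), ("dev-C", 8, "notify", "error"),
    ("dev-C", 9, "served", (900, 900)), ("dev-C", 9, "notify", "success"),
    ("dev-D", 10, "served", (900, 900)), ("dev-D", 10, "notify", "error"),
    ("dev-D", 11, "served", (500, 500)), ("dev-D", 11, "notify", "success"),
    ("dev-D", 12, "served", (700, 700)), ("dev-D", 12, "notify", "success"),
]

def summarize(events):
    """Per client: complete downloads, and how many of those were not confirmed."""
    complete, status = {}, {}
    for client, txn, kind, value in events:
        if kind == "served":
            sent, size = value
            complete[(client, txn)] = sent >= size
        elif kind == "notify":
            status[(client, txn)] = value
    stats = defaultdict(lambda: {"complete": 0, "unconfirmed": 0})
    for key, full in complete.items():
        if not full:
            continue  # a truncated transfer may legitimately report an error
        stats[key[0]]["complete"] += 1
        if status.get(key) != "success":  # error report or silence
            stats[key[0]]["unconfirmed"] += 1
    return dict(stats)

def blacklist_candidates(stats, min_complete=3, max_ratio=0.5):
    """Clients that keep receiving whole objects yet rarely confirm installation."""
    return sorted(c for c, s in stats.items()
                  if s["complete"] >= min_complete
                  and s["unconfirmed"] / s["complete"] > max_ratio)

if __name__ == "__main__":
    print(blacklist_candidates(summarize(EVENTS)))
```

Counting only transfers the DLS served in full keeps a device with a genuinely dropped connection (dev-C here) or a single failed install (dev-D) off the list.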