A KDM (Key Delivery Message) unlocks a given DCP for a single cinema server. This tool is for two kinds of users: filmmakers re-keying their own encrypted DCPs for exhibition, and mastering facilities handling KDM deliveries to client cinemas. Three parties cooperate below — each holds their own private key in their own hardware/browser, and never sees the others'.

1. You Generate an identity in this browser — a three-tier RSA cert chain (root → intermediate → leaf). Private keys never leave the browser.
2. You → DCP Author Send your leaf + intermediate cert to the DCP author. They register the public key.
3. DCP Author For each encrypted DCP, the author wraps the content keys with your public key and signs the result as a DKDM.
4. DCP Author → You Drop the DKDM XML into this page. Only your browser's private key can unwrap it — the server never sees the content keys.
5. Cinema → You The cinema operator gives you their projector's leaf cert. Add it as a recipient.
6. You Issue a KDM. The browser re-wraps the content keys with the projector's public key and signs with your leaf cert, valid for a window you set.
7. You → Cinema Send the KDM XML to the cinema. The projector verifies your signature, unwraps the content keys with its hardware private key, and plays the DCP.

Key insight: the content keys travel through three layers of RSA wrapping (author → you → projector), but never exist in plaintext outside the device currently holding them. This tool is a re-wrapping middleman — it can unlock DCPs you're authorized for and forward access downstream, without ever exposing keys to a network or disk.