"The architecture of the ECI system is defined in the ECI specification ETSI GS ECI 001-1 [1]. The ECI system is based on requirements as defined in the ECI specification ETSI GS ECI 001-2 [2]. The present document specifies the core functionality of an ECI Ecosystem@ including CA/DRM Container@ Loader@ Interfaces and Revocation details. A major advantage and innovation of the ECI Ecosystem@ compared with currently deployed systems@ is a complete software-based architecture for the loading and exchange of CA/DRM systems@ avoiding any detachable hardware modules. Software containers provide a secure (""Sandbox"") environment for either CA or DRM kernels@ hereafter named as ECI Clients@ together with their individual Virtual Machine instances. Necessary and relevant Application Programming Interfaces (API) between ECI Clients and ECI Host ensure that multiple ECI Clients can be operated in a secure operation environment and completely isolated from the rest of the CPE firmware and are specified in full detail. The installation and exchange of an ECI Host as well as multiple ECI Clients is the task of the ECI Loader@ which initially is loaded by a chip loader. ECI Host and ECI Clients are downloaded via the DVB data carousel for broadcast services and/or via IP-based mechanisms from a server in case of broadband access. This process is embedded in a secure and trusted environment@ providing a trust hierarchy for installation and exchange of ECI Host and ECI Clients and thus enabling an efficient protection against integrity- and substitution attacks. For this reason@ the ECI Ecosystem integrates an advanced security mechanism@ which relies on an efficient and advanced processing of control words@ specified as Key Ladder block and integrated in a System-on-chip (SoC) hardware in order to provide the utmost security necessary for ECI compliance. ECI-specific advanced security functions play also a key role in a re-encryption process in case of stored protected content and/or associated with export of protected content to an ECI compliant or non-compliant external device. An advanced Micro DRM system provides the necessary functionality and forms an integral part of such a concept. Advanced security functionality is relevant also in case of revocation of a CPE or a specific ECI Client. Related APIs are specified within the present document@ while advanced security is covered in detail by ETSI GS ECI 001-5-1 [4] and ETSI GS ECI 001-5-2 [8]. A number of APIs characterize the ECI Ecosystem@ guaranteeing communication with relevant entities associated e.g. with ECI Loaders@ import and export of protected content@ advanced security@ decryption and encryption@ local storage facilities and watermarking. Additional APIs are available for ECI Client Man-Machine-Interface (MMI) or for an optional Smart Card reader. Exchange of ECI Clients is initiated by the user or may be requested by a platform operator in case of necessary updates. A minimum of two ECI Clients are supported@ with two additional ECI Clients as far as local storage on a Personal Video Recorder (PVR) is available or for export reasons. The present document covers specification details in the following clauses: The ECI certificate system is specified in clause 5@ covering Certificates for various purposes as for ECI Host Loader@ ECI Client Loader and ECI Operator Certificates@ including definition of these Certificates and associated Revocation List@ their composition into chains and the Root Certificate structure. The ECI Host Loader is subject of clause 6@ where the ECI Host loading process addresses storage of an image@ verification of the image authenticity of the image by the CPE using ECI TA provided authentication data and the subsequent activation of the image@ including specification of file format@ transport protocol and Operator specific revocation of ECI Host Images. Clause 7 covers all specification details with regard to the ECI Client Loader@ based on the fact@ that the ECI Host can download@ store and activate ECI Client Images and accompanying data. The ECI Client loading process can be split up into several steps ranging from discovery process to download and initialization of ECI Clients@ allowing the download process to be performed using data from the broadcast stream or from the internet@ Clause 8 deals with Revocation specification details including functionality to selectively exclude delivery of services to CPEs based on the ECI TA status of the CPE hardware@ the ECI Host@ other Platform Operations and ECI Clients loaded. Detailed specifications of ECI Client interfaces can be found in clause 9@ covering among very comprehensive specification details@ necessary for the ECI eco-system@ APIs for general ECI Host resources@ ECI-specific ECI Host resources@ ECI Host decryption resources@ ECI Host re-encryption resources@ content protection-related resources and ECI Client-to-ECI Client - related resources. Finally clause 10 deals with mandatory and optional ECI Host functionalities. This ECI core specification only applies to reception and further processing of content@ which is controlled by a Conditional Access and/or Digital Rights Management system and has been encrypted by the service provider. Content that is not controlled by a Conditional Access and/or DRM system is not covered by the present document. The present document is intended to be used in combination with a contractual framework (license agreement)@ compliance and robustness rules and appropriate certification process agreements under control of a trust authority@ which are not subject to technical specifications as represented by ECI Group Specifications. Some of these basic aspects can be found in an informative annex to ETSI GS ECI 001-6 [i.11]@ Trust Environment@ which specifies the technical mechanisms and relations concerning a trusted environment."