At least for HDCP, that's exactly how it works. From the HDCP 2.2 spec [1]:
> Device Key Set. An HDCP Receiver has a Device Key Set, which consists of its corresponding Device Secret Keys along with the associated Public Key Certificate.
> Public Key Certificate. Each HDCP Receiver is issued a Public Key Certificate signed by DCP LLC, and contains the Receiver ID and RSA public key corresponding to the HDCP Receiver.
> The top-level HDCP Transmitter checks to see if the Receiver ID of the connected device is found in the revocation list.
Thanks, that clarifies my confusion about how this could be realistically implemented. I couldn't see a practical way to verify every device on every connection via a central authority without massive scaling and reliability issues, but maintaining a small revocation list that can be cached everywhere media is distributed from seems quite practical.
[1]: https://www.digital-cp.com/sites/default/files/specification...