[MS-RMPR]: Rights Management Services (RMS): Client-to-Server Protocol
Intellectual Property Rights Notice for Open Specifications Documentation
Technical Documentation. Microsoft publishes Open Specifications documentation for protocols, file formats, languages, standards as well as overviews of the interaction among each of these technologies.
Copyrights. This documentation is covered by Microsoft copyrights. Regardless of any other terms that are contained in the terms of use for the Microsoft website that hosts this documentation, you may make copies of it in order to develop implementations of the technologies described in the Open Specifications and may distribute portions of it in your implementations using these technologies or your documentation as necessary to properly document the implementation. You may also distribute in your implementation, with or without modification, any schema, IDLs, or code samples that are included in the documentation. This permission also applies to any documents that are referenced in the Open Specifications.
No Trade Secrets. Microsoft does not claim any trade secret rights in this documentation.
Patents. Microsoft has patents that may cover your implementations of the technologies described in the Open Specifications. Neither this notice nor Microsoft's delivery of the documentation grants any licenses under those or any other Microsoft patents. However, a given Open Specification may be covered by the Microsoft Open Specification Promise (http://go.microsoft.com/fwlink/?LinkId=214445) or the Community Promise (http://go.microsoft.com/fwlink/?LinkId=214448). If you would prefer a written license, or if the technologies described in the Open Specifications are not covered by the Open Specifications Promise or Community Promise, as applicable, patent licenses are available by contacting iplg@microsoft.com.
Trademarks. The names of companies and products contained in this documentation may be covered by trademarks or similar intellectual property rights. This notice does not grant any licenses under those rights. For a list of Microsoft trademarks, visit www.microsoft.com/trademarks.
Fictitious Names. The example companies, organizations, products, domain names, email addresses, logos, people, places, and events depicted in this documentation are fictitious. No association with any real company, organization, product, domain name, email address, logo, person, place, or event is intended or should be inferred.
Reservation of Rights. All other rights are reserved, and this notice does not grant any rights other than specifically described above, whether by implication, estoppel, or otherwise.
Tools. The Open Specifications do not require the use of Microsoft programming tools or programming environments in order for you to develop an implementation. If you have access to Microsoft programming tools and environments you are free to take advantage of them. Certain Open Specifications are intended for use in conjunction with publicly available standard specifications and network programming art, and assume that the reader either is familiar with the aforementioned material or has immediate access to it.
Revision Summary
Date        Revision History  Revision Class  Comments
07/03/2007  1.0               Major           Initial Availability
08/10/2007  2.0               Major           Updated and revised the technical content.
09/28/2007  2.0.1             Editorial       Revised and edited the technical content.
10/23/2007  2.1               Minor           Updated the technical content.
01/25/2008  2.1.1             Editorial       Revised and edited the technical content.
03/14/2008  3.0               Major           Updated and revised the technical content.
06/20/2008  4.0               Major           Updated and revised the technical content.
07/25/2008  5.0               Major           Updated and revised the technical content.
08/29/2008  5.0.1             Editorial       Revised and edited the technical content.
10/24/2008  6.0               Major           Updated and revised the technical content.
12/05/2008  7.0               Major           Updated and revised the technical content.
01/16/2009  8.0               Major           Updated and revised the technical content.
02/27/2009  9.0               Major           Updated and revised the technical content.
04/10/2009  10.0              Major           Updated and revised the technical content.
05/22/2009  11.0              Major           Updated and revised the technical content.
07/02/2009  12.0              Major           Updated and revised the technical content.
08/14/2009  13.0              Major           Updated and revised the technical content.
09/25/2009  14.0              Major           Updated and revised the technical content.
11/06/2009  15.0              Major           Updated and revised the technical content.
12/18/2009  16.0              Major           Updated and revised the technical content.
01/29/2010  17.0              Major           Updated and revised the technical content.
03/12/2010  18.0              Major           Updated and revised the technical content.
04/23/2010  19.0              Major           Updated and revised the technical content.
06/04/2010  20.0              Major           Updated and revised the technical content.
07/16/2010  21.0              Major           Significantly changed the technical content.
08/27/2010  22.0              Major           Significantly changed the technical content.
10/08/2010  23.0              Major           Significantly changed the technical content.
11/19/2010  24.0              Major           Significantly changed the technical content.
01/07/2011  25.0              Major           Significantly changed the technical content.
02/11/2011  26.0              Major           Significantly changed the technical content.
03/25/2011  27.0              Major           Significantly changed the technical content.
05/06/2011  28.0              Major           Significantly changed the technical content.
06/17/2011  28.1              Minor           Clarified the meaning of the technical content.
09/23/2011  28.1              No change       No changes to the meaning, language, or formatting of the technical content.
12/16/2011  29.0              Major           Significantly changed the technical content.
03/30/2012  30.0              Major           Significantly changed the technical content.
07/12/2012  30.1              Minor           Clarified the meaning of the technical content.
10/25/2012  30.2              Minor           Clarified the meaning of the technical content.
01/31/2013  30.2              No change       No changes to the meaning, language, or formatting of the technical content.
08/08/2013  31.0              Major           Significantly changed the technical content.
11/14/2013  32.0              Major           Significantly changed the technical content.
02/13/2014  32.0              No change       No changes to the meaning, language, or formatting of the technical content.
05/15/2014  32.0              No change       No changes to the meaning, language, or formatting of the technical content.
Contents
1 Introduction  12
  1.1 Glossary  12
  1.2 References  14
    1.2.1 Normative References  14
    1.2.2 Informative References  16
  1.3 Overview  17
    1.3.1 Server Enrollment  18
    1.3.2 Client Bootstrapping  19
    1.3.3 Template Acquisition  19
    1.3.4 Online Publishing  19
    1.3.5 Offline Publishing  19
    1.3.6 Licensing  20
  1.4 Relationship to Other Protocols  20
  1.5 Prerequisites/Preconditions  20
  1.6 Applicability Statement  21
  1.7 Versioning and Capability Negotiation  21
  1.8 Vendor-Extensible Fields  21
  1.9 Standards Assignments  21
2 Messages  22
  2.1 Transport  22
  2.2 Common Message Syntax  22
    2.2.1 Namespaces  22
    2.2.2 Messages  23
    2.2.3 Elements  23
      2.2.3.1 Certificate Element  23
      2.2.3.2 CertificateChain Element  24
      2.2.3.3 VersionData Element  24
      2.2.3.4 string Element  24
      2.2.3.5 MaximumVersion Element  24
      2.2.3.6 MinimumVersion Element  24
      2.2.3.7 URL Element  24
    2.2.4 Complex Types  25
      2.2.4.1 ArrayOfXmlNode Complex Type  25
      2.2.4.2 VersionData Complex Type  25
    2.2.5 Simple Types  26
    2.2.6 Attributes  26
    2.2.7 Groups  26
    2.2.8 Attribute Groups  26
    2.2.9 Common Data Structures  26
      2.2.9.1 Common Certificate and License Structures  26
        2.2.9.1.1 ISSUEDTIME  27
        2.2.9.1.2 VALIDITYTIME  27
        2.2.9.1.3 RANGETIME  27
        2.2.9.1.4 DESCRIPTOR  28
        2.2.9.1.5 ISSUER  28
        2.2.9.1.6 PUBLICKEY  28
        2.2.9.1.7 DISTRIBUTIONPOINT  29
        2.2.9.1.8 NAME  29
        2.2.9.1.9 ADDRESS  29
        2.2.9.1.10 SECURITYLEVEL  30
        2.2.9.1.11 ISSUEDPRINCIPALS  30
        2.2.9.1.12 SIGNATURE  31
        2.2.9.1.13 ENABLINGBITS  32
          2.2.9.1.13.1 KeyHeader  33
      2.2.9.2 Certificate and License Chains  34
      2.2.9.3 Issuing Certificates  37
        2.2.9.3.1 DESCRIPTOR  38
        2.2.9.3.2 ISSUER  39
        2.2.9.3.3 ISSUEDPRINCIPALS  42
        2.2.9.3.4 CONDITIONLIST  46
        2.2.9.3.5 DISTRIBUTIONPOINT  46
      2.2.9.4 Security Processor Certificate  46
        2.2.9.4.1 DESCRIPTOR  47
        2.2.9.4.2 ISSUER  47
        2.2.9.4.3 DISTRIBUTIONPOINT  48
        2.2.9.4.4 ISSUEDPRINCIPALS  49
      2.2.9.5 RMS Account Certificate  50
        2.2.9.5.1 DESCRIPTOR  51
        2.2.9.5.2 ISSUER  51
        2.2.9.5.3 DISTRIBUTIONPOINT  52
        2.2.9.5.4 ISSUEDPRINCIPALS  52
        2.2.9.5.5 FEDERATIONPRINCIPALS  53
      2.2.9.6 Client Licensor Certificate  54
        2.2.9.6.1 DESCRIPTOR  55
        2.2.9.6.2 ISSUER  55
        2.2.9.6.3 DISTRIBUTIONPOINT  56
        2.2.9.6.4 ISSUEDPRINCIPALS  57
      2.2.9.7 Publishing License  57
        2.2.9.7.1 DESCRIPTOR  59
        2.2.9.7.2 ISSUER  59
        2.2.9.7.3 DISTRIBUTIONPOINT  60
        2.2.9.7.4 ISSUEDPRINCIPALS  61
        2.2.9.7.5 OWNER  61
        2.2.9.7.6 AUTHENTICATEDDATA  62
        2.2.9.7.7 POLICYLIST  62
        2.2.9.7.8 POLICY  63
        2.2.9.7.9 CONDITIONLIST  63
      2.2.9.8 Encrypted Rights Data  64
        2.2.9.8.1 DESCRIPTOR  65
        2.2.9.8.2 ISSUER  66
        2.2.9.8.3 DISTRIBUTIONPOINT  66
        2.2.9.8.4 TIME  67
        2.2.9.8.5 WORK  67
          2.2.9.8.5.1 METADATA  68
          2.2.9.8.5.2 PRECONDITIONLIST  68
          2.2.9.8.5.3 RIGHT  68
        2.2.9.8.6 AUTHENTICATEDDATA  70
      2.2.9.9 Use License  70
        2.2.9.9.1 DESCRIPTOR  72
        2.2.9.9.2 ISSUER  72
        2.2.9.9.3 ISSUEDPRINCIPALS  72
        2.2.9.9.4 DISTRIBUTIONPOINT  73
        2.2.9.9.5 OWNER  74
        2.2.9.9.6 RIGHT  74
        2.2.9.9.7 POLICYLIST  75
        2.2.9.9.8 POLICY  76
        2.2.9.9.9 CONDITION  76
        2.2.9.9.10 CONDITIONLIST  77
      2.2.9.10 Rights Policy Template  77
        2.2.9.10.1 DESCRIPTOR  78
        2.2.9.10.2 ISSUER  79
        2.2.9.10.3 DISTRIBUTIONPOINT  79
        2.2.9.10.4 WORK  80
          2.2.9.10.4.1 PRECONDITIONLIST  81
          2.2.9.10.4.2 RIGHTSGROUP  81
            2.2.9.10.4.2.1 RIGHT  81
        2.2.9.10.5 AUTHENTICATEDDATA  82
  2.3 Directory Service Schema Elements  83
3 Protocol Details  84
  3.1 Common Details  84
    3.1.1 Abstract Data Model  84
      3.1.1.1 Abstract Types  84
        3.1.1.1.1 ServerConfiguration ADM Elements  84
        3.1.1.1.2 TrustedLicensingServer  86
        3.1.1.1.3 PLCacheEntry  86
        3.1.1.1.4 ApplicationExclusionEntry  87
        3.1.1.1.5 DomainAccount  87
        3.1.1.1.6 FederatedAccount  87
        3.1.1.1.7 Directory  87
        3.1.1.1.8 RequestContext  87
      3.1.1.2 Abstract Variables  87
        3.1.1.2.1 ServerState  87
        3.1.1.2.2 StoredConfiguration  88
        3.1.1.2.3 ServiceConnectionPoint  88
        3.1.1.2.4 ForestName  88
      3.1.1.3 Abstract Interfaces  88
        3.1.1.3.1 GetDirectoryForAccount  88
        3.1.1.3.2 GetEmailAddressForAccount  89
        3.1.1.3.3 GetServiceLocationForDirectory  90
        3.1.1.3.4 GetUserKeyPair  90
        3.1.1.3.5 SetUserKeyPair  90
    3.1.2 Timers  91
    3.1.3 Initialization  91
      3.1.3.1 Acquiring a Key Pair  91
      3.1.3.2 Acquiring an SLC Chain  91
      3.1.3.3 StoredConfiguration Initialization  91
      3.1.3.4 ServerState Initialization  92
    3.1.4 Message Processing Events and Sequencing Rules  93
      3.1.4.1 Authentication  94
      3.1.4.2 Server Endpoint URLs  94
      3.1.4.3 Request Context  95
      3.1.4.4 Service Connection Point  96
        3.1.4.4.1 RightsManagementServices  96
          3.1.4.4.1.1 SCP  96
      3.1.4.5 Fault Codes  96
      3.1.4.6 Validation  97
      3.1.4.7 Cryptographic Modes  97
    3.1.5 Timer Events  98
    3.1.6 Other Local Events  98
      3.1.6.1 StoredConfigurationChanged  98
      3.1.6.2 SLC Expiry  98
  3.2 ActivationProxyWebServiceSoap Server Details  99
    3.2.1 Abstract Data Model  99
    3.2.2 Timers  99
    3.2.3 Initialization  99
    3.2.4 Message Processing Events and Sequencing Rules  99
      3.2.4.1 Activate Operation  99
        3.2.4.1.1 Messages  100
          3.2.4.1.1.1 ActivateSoapIn  100
          3.2.4.1.1.2 ActivateSoapOut  101
        3.2.4.1.2 Elements  101
          3.2.4.1.2.1 Activate  101
          3.2.4.1.2.2 ActivateResponse  101
          3.2.4.1.2.3 HidXml  102
          3.2.4.1.2.4 BinarySignature  102
        3.2.4.1.3 Complex Types  103
          3.2.4.1.3.1 ActivateParams  103
          3.2.4.1.3.2 ActivateResponse  103
          3.2.4.1.3.3 ArrayOfActivateParams  104
          3.2.4.1.3.4 ArrayOfActivateResponse  104
    3.2.5 Timer Events  104
    3.2.6 Other Local Events  104
  3.3 CertificationWebServiceSoap Server Details  105
    3.3.1 Abstract Data Model  105
    3.3.2 Timers  105
    3.3.3 Initialization  105
    3.3.4 Message Processing Events and Sequencing Rules  105
      3.3.4.1 Certify Operation  105
        3.3.4.1.1 Messages  108
          3.3.4.1.1.1 CertifySoapIn  108
          3.3.4.1.1.2 CertifySoapOut  109
        3.3.4.1.2 Elements  109
          3.3.4.1.2.1 Certify  109
          3.3.4.1.2.2 CertifyResponse  109
        3.3.4.1.3 Complex Types  110
          3.3.4.1.3.1 CertifyParams  110
          3.3.4.1.3.2 CertifyResponse  110
          3.3.4.1.3.3 QuotaResponse  111
    3.3.5 Timer Events  111
    3.3.6 Other Local Events  111
  3.4 LicenseSoap and TemplateDistributionWebServiceSoap Server Details  111
    3.4.1 Abstract Data Model  111
    3.4.2 Timers  111
    3.4.3 Initialization  111
    3.4.4 Message Processing Events and Sequencing Rules  112
      3.4.4.1 AcquireLicense Operation  112
        3.4.4.1.1 Messages  116
          3.4.4.1.1.1 AcquireLicenseSoapIn  116
          3.4.4.1.1.2 AcquireLicenseSoapOut  117
        3.4.4.1.2 Elements  117
          3.4.4.1.2.1 AcquireLicense  117
          3.4.4.1.2.2 AcquireLicenseResponse  117
          3.4.4.1.2.3 ApplicationData  118
        3.4.4.1.3 Complex Types  118
          3.4.4.1.3.1 ArrayOfAcquireLicenseParams  118
          3.4.4.1.3.2 ArrayOfAcquireLicenseResponse  119
          3.4.4.1.3.3 AcquireLicenseParams  119
          3.4.4.1.3.4 AcquireLicenseResponse  120
          3.4.4.1.3.5 AcquireLicenseException  120
      3.4.4.2 AcquireTemplateInformation Operation  121
        3.4.4.2.1 Messages  122
          3.4.4.2.1.1 AcquireTemplateInformationSoapIn  122
          3.4.4.2.1.2 AcquireTemplateInformationSoapOut  122
        3.4.4.2.2 Elements  122
          3.4.4.2.2.1 AcquireTemplateInformation  122
          3.4.4.2.2.2 AcquireTemplateInformationResponse  123
        3.4.4.2.3 Complex Types  123
          3.4.4.2.3.1 TemplateInformation  123
          3.4.4.2.3.2 GuidHash  124
      3.4.4.3 AcquireTemplates Operation  124
        3.4.4.3.1 Messages  125
          3.4.4.3.1.1 AcquireTemplatesSoapIn  125
          3.4.4.3.1.2 AcquireTemplatesSoapOut  125
        3.4.4.3.2 Elements  126
          3.4.4.3.2.1 AcquireTemplates  126
          3.4.4.3.2.2 AcquireTemplates  126
        3.4.4.3.3 Complex Types  127
          3.4.4.3.3.1 ArrayOfGuidTemplate  127
          3.4.4.3.3.2 GuidTemplate  127
    3.4.5 Timer Events  128
    3.4.6 Other Local Events  128
  3.5 PublishSoap Server Details  128
    3.5.1 Abstract Data Model  128
    3.5.2 Timers  128
    3.5.3 Initialization  128
    3.5.4 Message Processing Events and Sequencing Rules  128
      3.5.4.1 AcquireIssuanceLicense Operation  128
        3.5.4.1.1 Messages  131
          3.5.4.1.1.1 AcquireIssuanceLicenseSoapIn  131
          3.5.4.1.1.2 AcquireIssuanceLicenseSoapOut  131
        3.5.4.1.2 Elements  131
          3.5.4.1.2.1 AcquireIssuanceLicense  131
          3.5.4.1.2.2 AcquireIssuanceLicenseResponse  132
          3.5.4.1.2.3 UnsignedIssuanceLicense  132
        3.5.4.1.3 Complex Types  132
          3.5.4.1.3.1 ArrayOfAcquireIssuanceLicenseParams  133
          3.5.4.1.3.2 ArrayOfAcquireIssuanceLicenseResponse  133
          3.5.4.1.3.3 AcquireIssuanceLicenseParams  133
          3.5.4.1.3.4 AcquireIssuanceLicenseResponse  134
      3.5.4.2 GetClientLicensorCert Operation  134
        3.5.4.2.1 Messages  137
          3.5.4.2.1.1 GetClientLicensorCertSoapIn  137
          3.5.4.2.1.2 GetClientLicensorCertSoapOut  137
        3.5.4.2.2 Elements  137
          3.5.4.2.2.1 GetClientLicensorCert  138
          3.5.4.2.2.2 GetClientLicensorCertResponse  138
        3.5.4.2.3 Complex Types  138
          3.5.4.2.3.1 ArrayOfGetClientLicensorCertParams  138
          3.5.4.2.3.2 ArrayOfGetClientLicensorCertResponse  139
          3.5.4.2.3.3 GetClientLicensorCertParams  139
          3.5.4.2.3.4 GetClientLicensorCertResponse  139
    3.5.5 Timer Events  140
    3.5.6 Other Local Events  140
  3.6 EnrollServiceSoap Server Details  140
    3.6.1 Abstract Data Model  140
    3.6.2 Timers  140
    3.6.3 Initialization  140
    3.6.4 Message Processing Events and Sequencing Rules  140
      3.6.4.1 Synchronous Enrollment Operation  140
        3.6.4.1.1 Messages  141
          3.6.4.1.1.1 EnrollSoapIn  141
          3.6.4.1.1.2 EnrollSoapOut  141
        3.6.4.1.2 Simple Types  142
          3.6.4.1.2.1 RevocationTypeEnum  142
        3.6.4.1.3 Elements  142
          3.6.4.1.3.1 Enroll  142
          3.6.4.1.3.2 RevocationAuthorityInformation  142
          3.6.4.1.3.3 EnrollResponse  143
        3.6.4.1.4 Complex Types  143
          3.6.4.1.4.1 EnrollParameters  143
          3.6.4.1.4.2 X509Information  144
          3.6.4.1.4.3 EnrolleeRevocationInformation  144
          3.6.4.1.4.4 ArrayOfRevocationAuthorityInformation  144
          3.6.4.1.4.5 RevocationAuthorityInformation  145
          3.6.4.1.4.6 EnrolleeServerInformation  145
          3.6.4.1.4.7 EnrollResponse  145
          3.6.4.1.4.8 ArrayOfString  146
      3.6.4.2 Asynchronous Enrollment Operation  146
        3.6.4.2.1 Messages  147
          3.6.4.2.1.1 Asynchronous Enrollment Request  147
          3.6.4.2.1.2 Asynchronous Enrollment Response  148
        3.6.4.2.2 Simple Types  148
          3.6.4.2.2.1 RevocationTypeEnum  148
        3.6.4.2.3 Elements  149
          3.6.4.2.3.1 RevocationAuthorityInformation  149
        3.6.4.2.4 Complex Types  149
          3.6.4.2.4.1 EnrolleeCertificatePublicKey  149
          3.6.4.2.4.2 EnrolleeRevocationInformation  150
          3.6.4.2.4.3 EnrolleeServerInformation  150
          3.6.4.2.4.4 ArrayOfRevocationAuthorityInformation  151
          3.6.4.2.4.5 RevocationAuthorityInformation  151
    3.6.5 Timer Events  151
    3.6.6 Other Local Events  151
  3.7 ServerSoap Server Details  151
    3.7.1 Abstract Data Model  151
    3.7.2 Timers  151
    3.7.3 Initialization  152
    3.7.4 Message Processing Events and Sequencing Rules  152
      3.7.4.1 GetLicensorCertificate Operation  152
        3.7.4.1.1 Messages  153
          3.7.4.1.1.1 GetLicensorCertificateSoapIn  153
HYPERLINK \l "_Toc386779919" 3.7.4.1.1.2 GetLicensorCertificateSoapOut PAGEREF _Toc386779919 \h 153
HYPERLINK \l "_Toc386779920" 3.7.4.1.2 Elements PAGEREF _Toc386779920 \h 153
HYPERLINK \l "_Toc386779921" 3.7.4.1.2.1 GetLicensorCertificate PAGEREF _Toc386779921 \h 153
HYPERLINK \l "_Toc386779922" 3.7.4.1.2.2 GetLicensorCertificateResponse PAGEREF _Toc386779922 \h 154
HYPERLINK \l "_Toc386779923" 3.7.4.1.3 Complex Types PAGEREF _Toc386779923 \h 154
HYPERLINK \l "_Toc386779924" 3.7.4.1.3.1 LicensorCertChain PAGEREF _Toc386779924 \h 154
HYPERLINK \l "_Toc386779925" 3.7.4.2 FindServiceLocationsForUser Operation PAGEREF _Toc386779925 \h 154
HYPERLINK \l "_Toc386779926" 3.7.4.2.1 Messages PAGEREF _Toc386779926 \h 156
HYPERLINK \l "_Toc386779927" 3.7.4.2.1.1 FindServiceLocationsSoapIn PAGEREF _Toc386779927 \h 156
HYPERLINK \l "_Toc386779928" 3.7.4.2.1.2 FindServiceLocationsSoapOut PAGEREF _Toc386779928 \h 156
HYPERLINK \l "_Toc386779929" 3.7.4.2.2 Elements PAGEREF _Toc386779929 \h 156
HYPERLINK \l "_Toc386779930" 3.7.4.2.2.1 FindServiceLocationsForUser PAGEREF _Toc386779930 \h 156
HYPERLINK \l "_Toc386779931" 3.7.4.2.2.2 FindServiceLocationsForUserResponse PAGEREF _Toc386779931 \h 157
HYPERLINK \l "_Toc386779932" 3.7.4.2.3 Complex Types PAGEREF _Toc386779932 \h 157
HYPERLINK \l "_Toc386779933" 3.7.4.2.3.1 ArrayOfServiceLocationRequest PAGEREF _Toc386779933 \h 157
HYPERLINK \l "_Toc386779934" 3.7.4.2.3.2 ArrayOfServiceLocationResponse PAGEREF _Toc386779934 \h 158
HYPERLINK \l "_Toc386779935" 3.7.4.2.3.3 ServiceLocationRequest PAGEREF _Toc386779935 \h 158
HYPERLINK \l "_Toc386779936" 3.7.4.2.3.4 ServiceLocationResponse PAGEREF _Toc386779936 \h 158
HYPERLINK \l "_Toc386779937" 3.7.4.2.4 Simple Types PAGEREF _Toc386779937 \h 159
HYPERLINK \l "_Toc386779938" 3.7.4.2.4.1 ServiceType PAGEREF _Toc386779938 \h 159
HYPERLINK \l "_Toc386779939" 3.7.5 Timer Events PAGEREF _Toc386779939 \h 160
HYPERLINK \l "_Toc386779940" 3.7.6 Other Local Events PAGEREF _Toc386779940 \h 160
HYPERLINK \l "_Toc386779941" 3.8 Client Details PAGEREF _Toc386779941 \h 160
HYPERLINK \l "_Toc386779942" 3.8.1 Abstract Data Model PAGEREF _Toc386779942 \h 160
HYPERLINK \l "_Toc386779943" 3.8.1.1 Abstract Elements PAGEREF _Toc386779943 \h 161
HYPERLINK \l "_Toc386779944" 3.8.1.2 Abstract Interfaces PAGEREF _Toc386779944 \h 161
HYPERLINK \l "_Toc386779945" 3.8.2 Timers PAGEREF _Toc386779945 \h 162
HYPERLINK \l "_Toc386779946" 3.8.3 Initialization PAGEREF _Toc386779946 \h 162
HYPERLINK \l "_Toc386779947" 3.8.3.1 SPC Issuer Initialization PAGEREF _Toc386779947 \h 162
HYPERLINK \l "_Toc386779948" 3.8.3.2 Service Locations PAGEREF _Toc386779948 \h 162
HYPERLINK \l "_Toc386779949" 3.8.3.2.1 Locating an RMS Server by Using Active Directory PAGEREF _Toc386779949 \h 162
HYPERLINK \l "_Toc386779950" 3.8.3.2.2 Locating an RMS Server by Using Existing Client Configuration Data PAGEREF _Toc386779950 \h 162
HYPERLINK \l "_Toc386779951" 3.8.3.2.3 Locating an RMS Server by Using Existing Licenses or Certificates PAGEREF _Toc386779951 \h 163
HYPERLINK \l "_Toc386779952" 3.8.3.3 RAC Initialization PAGEREF _Toc386779952 \h 163
HYPERLINK \l "_Toc386779953" 3.8.3.4 CLC Initialization PAGEREF _Toc386779953 \h 163
HYPERLINK \l "_Toc386779954" 3.8.4 Message Processing Events and Sequencing Rules PAGEREF _Toc386779954 \h 163
HYPERLINK \l "_Toc386779955" 3.8.4.1 Client Bootstrapping PAGEREF _Toc386779955 \h 164
HYPERLINK \l "_Toc386779956" 3.8.4.2 Template Acquisition PAGEREF _Toc386779956 \h 165
HYPERLINK \l "_Toc386779957" 3.8.4.3 Online Publishing PAGEREF _Toc386779957 \h 165
HYPERLINK \l "_Toc386779958" 3.8.4.4 Offline Publishing PAGEREF _Toc386779958 \h 166
HYPERLINK \l "_Toc386779959" 3.8.4.5 Licensing PAGEREF _Toc386779959 \h 166
HYPERLINK \l "_Toc386779960" 3.8.5 Timer Events PAGEREF _Toc386779960 \h 166
HYPERLINK \l "_Toc386779961" 3.8.6 Other Local Events PAGEREF _Toc386779961 \h 166
HYPERLINK \l "_Toc386779962" 4 Protocol Examples PAGEREF _Toc386779962 \h 167
HYPERLINK \l "_Toc386779963" 4.1 Publishing Usage Policy Example PAGEREF _Toc386779963 \h 167
HYPERLINK \l "_Toc386779964" 4.2 Accessing Protected Information Example PAGEREF _Toc386779964 \h 169
HYPERLINK \l "_Toc386779965" 4.3 SOAP on DIME Response from Activate Method Example PAGEREF _Toc386779965 \h 171
HYPERLINK \l "_Toc386779966" 4.4 Template Acquisition Example PAGEREF _Toc386779966 \h 175
HYPERLINK \l "_Toc386779967" 4.5 Certificate Examples PAGEREF _Toc386779967 \h 175
HYPERLINK \l "_Toc386779968" 4.5.1 Security Processor Certificate Example PAGEREF _Toc386779968 \h 175
HYPERLINK \l "_Toc386779969" 4.5.2 RMS Account Certificate Example PAGEREF _Toc386779969 \h 177
HYPERLINK \l "_Toc386779970" 4.5.3 Client Licensor Certificate Example PAGEREF _Toc386779970 \h 179
HYPERLINK \l "_Toc386779971" 4.5.4 Publishing License Example PAGEREF _Toc386779971 \h 181
HYPERLINK \l "_Toc386779972" 4.5.5 Encrypted Rights Data Example PAGEREF _Toc386779972 \h 184
HYPERLINK \l "_Toc386779973" 4.5.6 Use License Example PAGEREF _Toc386779973 \h 188
HYPERLINK \l "_Toc386779974" 4.5.7 Rights Policy Template PAGEREF _Toc386779974 \h 190
HYPERLINK \l "_Toc386779975" 5 Security PAGEREF _Toc386779975 \h 194
HYPERLINK \l "_Toc386779976" 5.1 Security Considerations for Implementers PAGEREF _Toc386779976 \h 194
HYPERLINK \l "_Toc386779977" 5.2 Index of Security Parameters PAGEREF _Toc386779977 \h 194
HYPERLINK \l "_Toc386779978" 6 Appendix A: Full WSDL PAGEREF _Toc386779978 \h 195
HYPERLINK \l "_Toc386779979" 6.1 Activation Service WSDL PAGEREF _Toc386779979 \h 195
HYPERLINK \l "_Toc386779980" 6.2 Certification Service WSDL PAGEREF _Toc386779980 \h 198
HYPERLINK \l "_Toc386779981" 6.3 Licensing Service WSDL PAGEREF _Toc386779981 \h 200
HYPERLINK \l "_Toc386779982" 6.3.1 Template Distribution Service PAGEREF _Toc386779982 \h 203
HYPERLINK \l "_Toc386779983" 6.4 Publishing Service WSDL PAGEREF _Toc386779983 \h 206
HYPERLINK \l "_Toc386779984" 6.5 Server Service WSDL PAGEREF _Toc386779984 \h 211
HYPERLINK \l "_Toc386779985" 6.6 Enrollment Cloud Service WSDL PAGEREF _Toc386779985 \h 216
HYPERLINK \l "_Toc386779986" 7 Appendix B: Product Behavior PAGEREF _Toc386779986 \h 221
HYPERLINK \l "_Toc386779987" 8 Change Tracking PAGEREF _Toc386779987 \h 227
HYPERLINK \l "_Toc386779988" 9 Index PAGEREF _Toc386779988 \h 228
1 Introduction
The RMS: Client-to-Server Protocol is used to obtain and issue certificates and licenses used for creating and working with protected content. The RMS: Client-to-Server Protocol uses the SOAP messaging protocol for exchanging information between a client and a server. It consists of five separate interfaces:
Server Service
Activation Service
Certification Service
Licensing Service
Publishing Service
The RMS: Client-to-Server Protocol depends on the proper use of these interfaces. In the case of the RMS 1.0 client, all five interfaces are used. Later client versions (RMS 1.0 SP1, RMS 1.0 SP2, and RMS 2.0) use all but the Activation Service. This specification contains the proper use of all five interfaces.
Sections 1.8, 2, and 3 of this specification are normative and can contain the terms MAY, SHOULD, MUST, MUST NOT, and SHOULD NOT as defined in RFC 2119. Sections 1.5 and 1.9 are also normative but cannot contain those terms. All other sections and examples in this specification are informative.
1.1 Glossary
The following terms are defined in [MS-GLOS]:
Active Directory
Advanced Encryption Standard (AES)
ASCII
certificate chain
certification authority (CA)
configuration naming context (config NC)
Coordinated Universal Time (UTC)
Data Encryption Standard (DES)
domain
domain account
domain controller (DC)
forest
fully qualified domain name (FQDN)
globally unique identifier (GUID)
little-endian
NT LAN Manager (NTLM) Authentication Protocol
policy
security identifier (SID)
SOAP fault
SOAP fault code
SHA-1 hash
Stock Keeping Unit (SKU)
Unicode
Universal Naming Convention (UNC)
The following terms are specific to this document:
certificate: As used in this document, certificates are expressed in XrML 1.2.
client licensor certificate (CLC) chain: An XrML 1.2 certificate chain that contains an asymmetric signing key pair issued to a user account by an RMS publishing service and binds that user account to a specific computer. The CLC grants the role of a user who can publish protected content.
cloud service: A set of one or more publicly available services that Microsoft operates.
consumer: The user who uses protected content.
content key: The symmetric key used to encrypt content.
creator: The user who creates protected content.
endpoint: A network-specific address of a server process for remote procedure calls. The actual name of the endpoint depends on the RPC protocol sequence being used. For example, for the NCACN_IP_TCP RPC protocol sequence, an endpoint might be TCP port 1025. For more information, see [C706].
hardware ID (HID): A string usually derived from a fingerprint of an individual computer. The HID is an identifier for a computer.
license: An XrML 1.2 document that describes usage policy for protected content.
license chain: Similar to a certificate chain, but for a license.
offline publishing: The process of creating protected content and signing the associated publishing license using a previously acquired CLC.
online publishing: The process of creating protected content and contacting a server to have the publishing license signed.
protected content: Any content or information (file, email) that has an RMS usage policy assigned to it and is encrypted according to that policy. Also known as "Protected Information".
publishing license (PL): An XrML 1.2 license that defines usage policy for protected content and contains the content key with which that content is encrypted. The usage policy identifies all authorized users and the actions they are authorized to take with the content, along with any conditions on that usage. The publishing license tells the server what usage policies apply to a given piece of content and grants the server the right to issue use licenses (ULs) based on that policy. The PL is created when content is protected. Also known as an "Issuance License (IL)".
Passport Unique ID (PUID): A unique user name associated with a Microsoft Passport account.
rights policy template: An XrML 1.2 document that contains a predefined usage policy that is used to create the PL when content is protected. Conceptually, a rights policy template (or "template") is a blueprint for a PL, identifying authorized users and the actions they are authorized to take with the content (along with any conditions on that usage). Unlike a PL, a template does not contain a content key or information about the content owner. The content key and information about the content owner are required to be added when the PL for a given piece is created from the template. End users can use a template when protecting a document instead of defining the specifics of the usage policy themselves. When a document is published using a template, the template is used to generate the PL.
RMS account certificate (RAC): An XrML 1.2 certificate chain that contains an asymmetric encryption key pair issued to a user account by an RMS Certification Service. The RAC binds that user account to a specific computer. The RAC represents the identity of a user who can access protected content. The RAC is also known as a "Group Identity Certificate (GIC)".
security processor: A trusted component on the client machine that enforces usage policy. It has exclusive access to the security processor certificate (SPC) private key.
security processor certificate (SPC): An XrML 1.2 certificate chain generated during activation that contains the public key corresponding to the SPC private key. The SPC grants the role of a machine that can be used for working with protected content.
security processor certificate (SPC) private key: A unique private key that is generated at activation time and issued to the machine, either by self-activation or by calling the Activate method.
server licensor certificate (SLC): An XrML 1.2 certificate that contains a public key issued to an RMS server by an RMS cloud service (RMS 1.0, RMS 1.0 SP1, and RMS 1.0 SP2) or Self Enrollment (RMS 2.0). The RMS client uses the RMS server's public key to encrypt the usage policy and content key in a publishing license (PL).
service connection point (SCP): An object stored in Active Directory that specifies the location of an RMS server.
use license (UL): An XrML 1.2 license that authorizes a user to access a given protected content file and describes the usage policies that apply. Also known as an "End-User License (EUL)".
XrML: The eXtensible rights Markup Language [XRML] is a general-purpose, XML-based specification grammar for expressing rights and conditions associated with digital content, services, or any digital resource.
MAY, SHOULD, MUST, SHOULD NOT, MUST NOT: These terms (in all caps) are used as described in [RFC2119]. All statements of optional behavior use either MAY, SHOULD, or SHOULD NOT.
1.2 References
References to Microsoft Open Specifications documentation do not include a publishing year because links are to the latest version of the documents, which are updated frequently. References to other documents include a publishing year when one is available.
1.2.1 Normative References
We conduct frequent surveys of the normative references to assure their continued availability. If you have any issue with finding a normative reference, please contact dochelp@microsoft.com. We will assist you in finding the relevant information.
[C706] The Open Group, "DCE 1.1: Remote Procedure Call", C706, August 1997, https://www2.opengroup.org/ogsys/catalog/c706
[DIME] Nielsen, H. F., Sanders, H., and Christensen, E., "Direct Internet Message Encapsulation (DIME)", February 2002, http://xml.coverpages.org/draft-nielsen-dime-01.txt
[FIPS180-2] FIPS PUBS, "Secure Hash Standard", FIPS PUB 180-2, August 2002, http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
[MS-ADA1] Microsoft Corporation, "Active Directory Schema Attributes A-L".
[MS-ADA2] Microsoft Corporation, "Active Directory Schema Attributes M".
[MS-ADA3] Microsoft Corporation, "Active Directory Schema Attributes N-Z".
[MS-ADSC] Microsoft Corporation, "Active Directory Schema Classes".
[MS-DTYP] Microsoft Corporation, "Windows Data Types".
[MS-KILE] Microsoft Corporation, "Kerberos Protocol Extensions".
[MS-MWBE] Microsoft Corporation, "Microsoft Web Browser Federated Sign-On Protocol Extensions".
[MS-MWBF] Microsoft Corporation, "Microsoft Web Browser Federated Sign-On Protocol".
[MS-NLMP] Microsoft Corporation, "NT LAN Manager (NTLM) Authentication Protocol".
[MS-NTHT] Microsoft Corporation, "NTLM Over HTTP Protocol".
[MS-PAC] Microsoft Corporation, "Privilege Attribute Certificate Data Structure".
[NTLM] Microsoft Corporation, "Microsoft NTLM", http://msdn.microsoft.com/en-us/library/aa378749.aspx
[PKCS1] RSA Laboratories, "PKCS #1: RSA Cryptography Standard", PKCS #1, Version 2.1, June 2002, http://www.rsa.com/rsalabs/node.asp?id=2125
[RFC822] Crocker, D.H., "Standard for ARPA Internet Text Messages", STD 11, RFC 822, August 1982, http://www.ietf.org/rfc/rfc0822.txt
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997, http://www.rfc-editor.org/rfc/rfc2119.txt
[RFC2616] Fielding, R., Gettys, J., Mogul, J., et al., "Hypertext Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999, http://www.ietf.org/rfc/rfc2616.txt
[RFC2743] Linn, J., "Generic Security Service Application Program Interface Version 2, Update 1", RFC 2743, January 2000, http://www.ietf.org/rfc/rfc2743.txt
[RFC3377] Hodges, J., and Morgan, R., "Lightweight Directory Access Protocol (v3): Technical Specification", RFC 3377, September 2002, http://www.ietf.org/rfc/rfc3377.txt
[RFC4178] Zhu, L., Leach, P., Jaganathan, K., and Ingersoll, W., "The Simple and Protected Generic Security Service Application Program Interface (GSS-API) Negotiation Mechanism", RFC 4178, October 2005, http://www.ietf.org/rfc/rfc4178.txt
[RFC4559] Jaganathan, K., Zhu, L., and Brezak, J., "SPNEGO-based Kerberos and NTLM HTTP Authentication in Microsoft Windows", RFC 4559, June 2006, http://www.ietf.org/rfc/rfc4559.txt
[SOAP1.1] Box, D., Ehnebuske, D., Kakivaya, G., et al., "Simple Object Access Protocol (SOAP) 1.1", May 2000, http://www.w3.org/TR/2000/NOTE-SOAP-20000508/
[SOAP1.2/1] Gudgin, M., Hadley, M., Mendelsohn, N., Moreau, J., and Nielsen, H.F., "SOAP Version 1.2 Part 1: Messaging Framework", W3C Recommendation, June 2003, http://www.w3.org/TR/2003/REC-soap12-part1-20030624
[SOAP1.2/2] Gudgin, M., Hadley, M., Mendelsohn, N., Moreau, J., and Nielsen, H.F., "SOAP Version 1.2 Part 2: Adjuncts", W3C Recommendation, June 2003, http://www.w3.org/TR/2003/REC-soap12-part2-20030624
[UNICODENORMFORMS] Davis, M., "Unicode Normalization Forms", November, 1999, http://www.unicode.org/unicode/reports/tr15/tr15-18.html
[WSDL] Christensen, E., Curbera, F., Meredith, G., and Weerawarana, S., "Web Services Description Language (WSDL) 1.1", W3C Note, March 2001, http://www.w3.org/TR/2001/NOTE-wsdl-20010315
[WSDLExt] Nielsen, H.F., Christensen, E., and Farrell, J., "WS-Attachments", June 2002, http://xml.coverpages.org/draft-nielsen-dime-soap-01.txt
[XMLNS] Bray, T., Hollander, D., Layman, A., et al., Eds., "Namespaces in XML 1.0 (Third Edition)", W3C Recommendation, December 2009, http://www.w3.org/TR/2009/REC-xml-names-20091208/
[XMLSCHEMA1] Thompson, H.S., Beech, D., Maloney, M., and Mendelsohn, N., Eds., "XML Schema Part 1: Structures", W3C Recommendation, May 2001, http://www.w3.org/TR/2001/REC-xmlschema-1-20010502/
[XMLSCHEMA2] Biron, P.V., and Malhotra, A., Eds., "XML Schema Part 2: Datatypes", W3C Recommendation, May 2001, http://www.w3.org/TR/2001/REC-xmlschema-2-20010502/
[XRML] ContentGuard, Inc., "XrML: Extensible rights Markup Language Version 1.2", 2001, http://contentguard.pendrell.com/content/contact
Note: Contact the owner of the XrML specification for more information.
1.2.2 Informative References
[C706] The Open Group, "DCE 1.1: Remote Procedure Call", C706, August 1997, https://www2.opengroup.org/ogsys/catalog/c706
[ECMA-335] ECMA International, "Common Language Infrastructure (CLI) Partitions I to VI", ECMA-335, June 2006, http://www.ecma-international.org/publications/standards/Ecma-335.htm
[MS-ADTS] Microsoft Corporation, "Active Directory Technical Specification".
[MS-DISO] Microsoft Corporation, "Domain Interactions System Overview".
[MS-GLOS] Microsoft Corporation, "Windows Protocols Master Glossary".
[MS-LSAT] Microsoft Corporation, "Local Security Authority (Translation Methods) Remote Protocol".
[MS-RMPRS] Microsoft Corporation, "Rights Management Services (RMS): Server-to-Server Protocol".
[MS-RMSI] Microsoft Corporation, "Rights Management Services (RMS): ISV Extension Protocol".
[MSDN-TaskSch] Microsoft Corporation, "Task Scheduler", http://msdn.microsoft.com/en-us/library/aa383614.aspx
[MSKB2627272] Microsoft Corporation, "AD RMS update to increase key lengths", http://support.microsoft.com/kb/2627272
[RFC2251] Wahl, M., Howes, T., and Kille, S., "Lightweight Directory Access Protocol (v3)", RFC 2251, December 1997, http://www.ietf.org/rfc/rfc2251.txt
1.3 Overview
The RMS: Client-to-Server Protocol provides support for information protection through content encryption and fine-grained policy definition and enforcement. In doing so, the RMS: Client-to-Server Protocol enables end users to create and access protected information. This specification defines the RMS: Client-to-Server Protocol, which is a SOAP-based protocol that uses HTTP 1.1 as its transport.
Figure 1: Rights management roles
The Rights Management Services (RMS) system involves four active entities: the creator, the consumer, the server, and the cloud service.
The server is required to undergo a bootstrapping process to begin functioning in the RMS system. This process results in a signed server licensor certificate (SLC) for the server. In RMS 1.0, RMS 1.0 SP1, and RMS 1.0 SP2 servers, this operation involves contacting the cloud service. In RMS 2.0, this operation is done entirely offline. The creator and consumer contact the server for a bootstrapping process to acquire the RMS account certificate (RAC) and client licensor certificate (CLC) that are necessary to participate in the RMS system.
The creator builds a document and chooses an access policy for that document, either by creating it directly or by using a rights policy template to apply a predefined access policy. The creator then encrypts the document using a randomly generated content key and binds both this key and the access policy to that document in the form of a publishing license (PL).
The consumer, upon receiving the document from the creator and opening it, supplies the server with the PL and the RMS account certificate (RAC) that was acquired during bootstrapping. If the consumer is allowed access according to the access policy in the PL, the server issues the consumer a use license (UL) that specifies the access policy for the consumer and binds the content decryption key to the consumer's RAC. The RAC key is encrypted by the key of a trusted software module called the security processor. When the consumer attempts to access the document, the security processor decides whether the requesting application on the consumer machine is capable of enforcing the access policy. If so, it supplies plain text of the document to the application along with the policy that the application is to enforce. If not, access to the content is denied.
A client can play the role of a creator, a consumer, or both, depending on implementation. The client is responsible for requesting certificates, licenses, and policies from the server. It is further responsible for enforcing authorization policies as they apply to protected information and encrypting or decrypting content as appropriate. The RMS 2.0 client <1> can fetch rights policy templates from an RMS 2.0 server.
The cloud service role in the RMS: Client-to-Server Protocol is responsible for providing enrollment services to RMS 1.0, RMS 1.0 SP1, and RMS 1.0 SP2 servers. Enrollment is a one-time bootstrapping process to begin functioning in the RMS system; the result of which is receiving a signed SLC for the server. RMS 2.0 servers perform self-enrollment and do not contact the cloud service. The cloud service also provides activation services to RMS 1.0 clients. This is accomplished by binding an encryption key pair to the machine by way of the security processor and its SPC. Activation in RMS 1.0 SP1, RMS 1.0 SP2, and RMS 2.0 is performed by the client without contacting the cloud service. The cloud service role is not used in RMS 2.0.
The server role in the RMS: Client-to-Server Protocol is responsible for issuing certifications, keys, and authorization policies, and for signing these issued certificates and policies with keys it holds in escrow. It is further responsible for evaluating and issuing authorization policies based upon identity credentials the client provides in protocol requests.
The RMS: Client-to-Server Protocol consists of a number of service endpoints, and each endpoint provides one or more remote procedures that are related in function to each other. The web server implementation identifies and services the endpoints, and the web server describes the endpoint's interface using the Web Services Description Language ([WSDL]), which is analogous to a COM IDL.
The remote procedures are called to:
Acquire or exchange certificates.
Request an authorization policy for protected information.
Author an authorization policy for protected information.
Discover information about the server or a user that is necessary for client operation.
Manage the server remotely.
The RMS: Client-to-Server Protocol is stateless, and the methods on the protocol can be called in any order.
1.3.1 Server Enrollment
Server enrollment is an initialization step that the server completes before it services any client requests.
RMS 1.0, RMS 1.0 SP1, and RMS 1.0 SP2 servers make an enrollment request to the cloud service. During enrollment, the server generates its key pair and builds an enrollment request that includes the public key. The server makes the enrollment request to the RMS enrollment cloud service and receives a signed SLC in return.
On RMS 2.0 servers, the server enrollment operation occurs entirely offline.
1.3.2 Client Bootstrapping
Client bootstrapping is a set of initialization steps that clients complete before moving on to either offline publishing or licensing. Client bootstrapping is not a prerequisite for online publishing. During client bootstrapping, the machine is activated and the user is certified for use in the RMS system. This involves various key/certificate generations and exchanges as explained in section 3.8.4.1.
Client bootstrapping involves the following request and response methods: Activate, Certify, FindServiceLocationsForUser, and GetClientLicensorCert.
1.3.3 Template Acquisition
The RMS 2.0 client <2> can acquire rights policy templates from an RMS 2.0 server. The client makes an AcquireTemplateInformation request to the server. The server returns information about the available templates. The client makes a subsequent AcquireTemplates request to the server for outdated and missing templates, deleting templates that are no longer present on the server from its local license store. The client then places the newly obtained templates from the server in its local license store.
The following request and response methods are used for template acquisition: AcquireTemplateInformation and AcquireTemplates.
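One way to carry out the reconciliation step described above, as an added example that is not code from [MS-RMPR] or from any RMS client implementation. It assumes that the AcquireTemplateInformation response yields, per template, an identifier and a last-modified time (the field names here are illustrative; the real response elements are defined in section 3), and that the local license store records the modification time of each stored copy.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// TemplateInfo is the per-template summary the client gets back from
// AcquireTemplateInformation. The field names are assumptions for this example;
// the real response elements are defined later in the specification.
type TemplateInfo struct {
	ID       string    // template identifier
	Modified time.Time // last modification time of the server's copy
}

// ReconcileTemplates compares the server's list with the local license store
// (template ID -> modification time of the stored copy) and returns, sorted, the
// IDs to request via AcquireTemplates (missing locally, or older than the server's
// copy) and the IDs to delete locally (no longer offered by the server). Deleting
// withdrawn templates matters: a template an administrator has retired must not
// stay available for publishing from the local store.
func ReconcileTemplates(server []TemplateInfo, local map[string]time.Time) (fetch, remove []string) {
	onServer := make(map[string]bool, len(server))
	for _, t := range server {
		onServer[t.ID] = true
		if stored, have := local[t.ID]; !have || stored.Before(t.Modified) {
			fetch = append(fetch, t.ID)
		}
	}
	for id := range local {
		if !onServer[id] {
			remove = append(remove, id)
		}
	}
	sort.Strings(fetch)
	sort.Strings(remove)
	return fetch, remove
}

func main() {
	// Constructed sample data, not taken from a real RMS server.
	t0 := time.Date(2014, 1, 1, 0, 0, 0, 0, time.UTC)
	server := []TemplateInfo{
		{"confidential", t0.Add(48 * time.Hour)}, // updated on the server since the local copy
		{"internal", t0},                          // unchanged
		{"partners", t0},                          // new on the server
	}
	local := map[string]time.Time{"confidential": t0, "internal": t0, "legacy": t0} // "legacy" was withdrawn
	fetch, remove := ReconcileTemplates(server, local)
	fmt.Println("fetch:", fetch, "delete:", remove)
}
```

With the sample data the client would request "confidential" and "partners" in its AcquireTemplates call and delete "legacy" from the local store; "internal" is left alone.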
1.3.4 Online Publishing
When publishing, templates can be used to control the rights that a user or group has on a particular piece of content. Online publishing does not require completion of the client bootstrapping steps. When the client is used to protect content, it generates a PL that contains the usage policy and the content key, both of which are encrypted using the server's public key. The PL also contains a reference to a server that can be used to issue ULs from the PL. During online publishing, the client acquires the SLC of the server in order to encrypt the usage policy and content key to the server and build the PL chain.
The following request and response methods are used for online publishing: GetLicensorCertificate and AcquireIssuanceLicense.
1.3.5 Offline Publishing
Offline publishing does not make a call to the server. The client is required to have a valid client licensor certificate (CLC) chain, RAC, and security processor certificate (SPC) to publish offline. For an overview of the bootstrapping process, see sections 1.3.1 and 1.3.2.
When the client is used to protect content, it generates a PL that contains the usage policy and the content key, both of which are encrypted using the server's public key. The PL also contains a reference to a server that can be used to issue ULs from the PL.
During offline publishing, the usage policy and content key are encrypted using the server's public key from the issuer of the CLC. The PL is signed using the CLC private key, and the resultant signed PL chain includes the PL, CLC, and SLC from the CLC chain.
There are no request and response methods used for offline publishing.
1.3.6 Licensing
A UL is required for a user to access protected content. The UL describes the usage policies that apply to the user while accessing a particular protected content file. It also contains the content key encrypted with the user's RAC public key.
The client is required to possess a valid RAC and SPC to access protected content. For an overview of the bootstrapping process, see section 1.3.1. The client needs a valid PL to acquire a UL for protected content. For more information about publishing and PLs, see sections 1.3.4 and 1.3.5.
The following request and response method is used for licensing: AcquireLicense.
1.4 Relationship to Other Protocols
The RMS: Client-to-Server Protocol uses the SOAP messaging protocol, as specified in [SOAP1.1], for formatting requests and responses. It transmits these messages using the HTTP and/or HTTPS protocols. SOAP is considered the wire format used for messaging, and HTTP and HTTPS are the underlying transport protocols. The content files are downloaded using HTTP 1.1, as specified in [RFC2616].
The RMS: Client-to-Server Protocol user certification endpoint uses authentication to determine the requesting user's identity.
The RMS: Client-to-Server Protocol can use the Microsoft Web Browser Federated Sign-On Protocol, as specified in [MS-MWBF], on requests to the licensing or user certification endpoints for providing user authentication. Its extensions are defined in the Microsoft Web Browser Federated Sign-on Protocol Extensions, as specified in [MS-MWBE].
The RMS: Client-to-Server Protocol is composed of Web services using SOAP [SOAP1.1] over HTTP or HTTPS [RFC2616] for communication.
The following diagram shows the transport stack that the RMS: Client-to-Server Protocol uses.
Figure 2: RMS: Client-to-Server Protocol transport stack
Content download is accomplished using HTTP 1.1 GET Byte Range requests, as specified in [RFC2616] section 14.35.
1.5 Prerequisites/Preconditions
The RMS: Client-to-Server Protocol assumes that the client is able to discover the server, either by being able to access the appropriate Active Directory object <3> or by some other means.
It is assumed that the protected information itself can be distributed in some way, because the RMS: Client-to-Server Protocol is not involved in content distribution.
1.6 Applicability Statement
The RMS: Client-to-Server Protocol is information-protection technology that uses content encryption and use restrictions to safeguard digital information from unauthorized use. RMS is designed for organizations that need to protect sensitive and proprietary information such as financial reports, product specifications, customer data, and confidential email messages. The RMS: Client-to-Server Protocol can be used to help prevent sensitive information from intentionally or accidentally getting into the wrong hands.
1.7 Versioning and Capability Negotiation
This specification covers versioning issues in the following areas:
Supported Transports: This protocol is implemented on top of HTTP and SOAP, as specified in section 2.1.
Protocol Versions: The RMS: Client-to-Server Protocol client and server have versions 1.0, 1.0 SP1, 1.0 SP2, and 2.0. Version 2.0 introduced the Template Distribution service and WSDL port type.
Security and Authentication Methods: The SOAP protocol passively supports NT LAN Manager (NTLM) authentication over HTTP or HTTPS, as specified in [NTLM].
Localization: The RMS: Client-to-Server Protocol has no localization-dependent behaviors.
Capability Negotiation: The RMS: Client-to-Server Protocol supports limited capability negotiation via the VersionData type that is present on all protocol requests. On a request, the VersionData structure contains a MinimumVersion and MaximumVersion value indicating the range of versions the client is capable of understanding. On a response, the VersionData structure contains a MinimumVersion and MaximumVersion that the server is capable of understanding. <4>
This protocol can be spread across multiple servers. To determine which servers are capable of specific methods, the client calls the FindServiceLocationsForUser method (section 3.7.4.2) in the Server Service (section 3.7).
1.8 Vendor-Extensible Fields
This protocol does not contain any vendor-extensible fields. All XML schema are considered nonextensible in the RMS: Client-to-Server Protocol.
1.9 Standards Assignments
The RMS: Client-to-Server Protocol has not been ratified by any standards body or organization.
2 Messages
2.1 Transport
An RMS: Client-to-Server Protocol message MUST be formatted as specified in either [SOAP1.1] or [SOAP1.2/1]. <5>
Each RMS Web service MUST support SOAP [SOAP1.1] over HTTP [RFC2616] over TCP/IP. Each RMS Web service SHOULD support HTTPS for securing its communication with clients. <6> Each RMS Web service MUST require HTTPS for communication with clients when making a request enabled by the Microsoft Web Browser Federated Sign-on Protocol [MS-MWBF] to the Licensing or Certification Web services.
The URLs specified in section 3.1.4.2 MUST be exposed by the server as endpoints for the HTTP and SOAP over HTTP transports.
To optimize network bandwidth, the client implementation MAY request the reply be compressed by specifying the encoding format in the HTTP Accept-Encoding request-header field as specified in [RFC2616] section 14.3. The update server SHOULD encode the reply using the requested format.
2.2 Common Message Syntax
This section contains common definitions used by this protocol. The syntax of the definitions uses XML Schema as defined in [XMLSCHEMA1] and [XMLSCHEMA2], and Web Services Description Language as defined in [WSDL].
This protocol uses curly-braced GUID strings, as specified in [MS-DTYP] section 2.3.4.3.
This protocol uses SID string format syntax as specified in [MS-DTYP] section 2.4.2.1.
2.2.1 Namespaces
This specification defines and references various XML namespaces using the mechanisms specified in [XMLNS]. Although this specification associates a specific XML namespace prefix for each XML namespace that is used, the choice of any particular XML namespace prefix is implementation-specific and not significant for interoperability.
Prefix | Namespace URI | Reference
s | http://microsoft.com/DRM/AdminService |
s | http://microsoft.com/DRM/CertificationService |
s | http://microsoft.com/DRM/EditIssuanceLicenseService |
s | http://microsoft.com/DRM/LicensingService |
s | http://microsoft.com/DRM/PublishingService |
s | http://schemas.xmlsoap.org/wsdl/http/ | [WSDL]
s | http://www.w3.org/2001/XMLSchema | [XMLSCHEMA1], [XMLSCHEMA2]
s | http://schemas.xmlsoap.org/wsdl/soap/ | [SOAP1.1]
s | http://schemas.xmlsoap.org/wsdl/soap12/ | [SOAP1.2/1], [SOAP1.2/2]
s | http://schemas.xmlsoap.org/soap/encoding/ | [SOAP1.1]
s | http://schemas.xmlsoap.org/wsdl/ | [WSDL]
2.2.2 Messages
None.
2.2.3 Elements
The following table summarizes the set of common XML Schema element definitions defined by this specification. XML Schema element definitions that are specific to a particular operation are described with the operation.
Element | Description
Certificate | Encloses any XrML certificate parameter that can be represented as a literal.
CertificateChain | Contains an array of XML elements used to represent a certificate chain.
VersionData | Contains versioning information that serves as a declaration of the capability support necessary to understand and process the entire request or response.
string | An extra XML wrapper for the string data type.
MaximumVersion | Used to specify the maximum capability version requirement between client and server.
MinimumVersion | Used to specify the minimum capability version requirement between client and server.
URL | Defines the use of the string data type to represent a URL.
2.2.3.1 Certificate Element
The Certificate (ArrayOfXmlNode) element encloses any eXtensible Rights Markup Language (as specified in [XRML]) certificate parameter that can be represented as a literal within an XML element on the protocol.
2.2.3.2 CertificateChain Element
The CertificateChain (LicensorCertChain) element uses an array of XML elements to represent a certificate chain. This element MUST contain a valid certificate chain, as specified in section 2.2.9.
2.2.3.3 VersionData Element
The VersionData element contains versioning information that serves as a declaration of the capability support necessary to understand and process the entire request or response.
2.2.3.4 string Element
The string (ArrayOfString) element is an extra XML wrapper for the string data type. This element helps define the string (ArrayOfString) element as an array of ordinary XML strings. This element MUST contain only one literal string.
2.2.3.5 MaximumVersion Element
The MaximumVersion (VersionData) element is used to specify the maximum capability version requirement of the RMS: Client-to-Server Protocol between client and server.
2.2.3.6 MinimumVersion Element
The MinimumVersion (VersionData) element is used to specify the minimum capability version requirement of the RMS: Client-to-Server Protocol between client and server.
2.2.3.7 URL Element
The URL (ServiceLocationResponse) element defines the use of the string data type to represent a URL in the RMS: Client-to-Server Protocol. This element MUST contain a literal string.
2.2.4 Complex Types
The following table summarizes the set of common XML Schema complex type definitions defined by this specification. XML Schema complex type definitions that are specific to a particular operation are described with the operation.
Complex Type | Description
ArrayOfXmlNode | Contains an array of XML elements used exclusively for exchanging XrML certificates.
VersionData | Represents the capability version of the client and server.
2.2.4.1 ArrayOfXmlNode Complex Type
The ArrayOfXmlNode complex type contains an array of XML elements. It is used exclusively for exchanging XrML certificates, each of which MUST be represented as an XML fragment. Each XML fragment is enclosed in the Certificate element. For more information on XrML, see [XRML].
2.2.4.2 VersionData Complex Type
The VersionData complex type is used to represent the capability version of the client and server. The version data in this type MUST be represented by using a literal string and MUST conform to the format "a.b.c.d". Subversion value "a" MUST be the most major component of the version, value "b" MUST be the next most major, value "c" MUST be the next most major, and "d" MUST be the minor subversion value.
When a client makes a request, it SHOULD specify "1.0.0.0" as both the MinimumVersion parameter and as the MaximumVersion parameter, unless otherwise specified.
When the server receives a request, it SHOULD compare its capability version to the capability version range the client presents. The server SHOULD reject the request with a Microsoft.DigitalRightsManagement.Core.UnsupportedDataVersionException fault if the MaximumVersion value presented by the client is higher than the highest capability version of the server.
When the server responds to the client, including instances when the server responds with an error <7>, it SHOULD specify the lowest capability version it can support as the value for the MinimumVersion parameter. The server SHOULD specify the highest capability version it can support as the value for the MaximumVersion parameter.
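As an added illustration, not part of the specification, the following Python models the VersionData handling described in this section: the client's default "1.0.0.0" range, the server's component-wise comparison of "a.b.c.d" strings, the UnsupportedDataVersionException fault when the client's MaximumVersion is too high, and the server's own range returned even alongside a fault. All function and type names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Fault name from section 2.2.4.2.
UNSUPPORTED_DATA_VERSION_FAULT = (
    "Microsoft.DigitalRightsManagement.Core.UnsupportedDataVersionException"
)
# Value a client SHOULD send as both MinimumVersion and MaximumVersion.
DEFAULT_CLIENT_VERSION = "1.0.0.0"
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")


@dataclass(frozen=True)
class VersionData:
    minimum_version: str
    maximum_version: str


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse the literal "a.b.c.d" form; "a" is the most major component.

    Components are compared numerically, so "1.10.0.0" is newer than
    "1.9.0.0" even though a plain string comparison would say otherwise.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"VersionData value {text!r} is not of the form a.b.c.d")
    a, b, c, d = (int(g) for g in m.groups())
    return (a, b, c, d)


def client_request_version_data() -> VersionData:
    """VersionData a client puts on a request unless a method says otherwise."""
    return VersionData(DEFAULT_CLIENT_VERSION, DEFAULT_CLIENT_VERSION)


def handle_version_data(request: VersionData, server_min: str,
                        server_max: str) -> Tuple[Optional[str], VersionData]:
    """Server side: returns (fault name or None, VersionData for the response).

    The response VersionData always carries the server's lowest and highest
    supported versions, including when a fault is returned.
    """
    response = VersionData(server_min, server_max)
    req_min = parse_version(request.minimum_version)
    req_max = parse_version(request.maximum_version)
    if req_min > req_max:
        # Not a fault defined by the spec; treated here as a malformed request (assumption).
        raise ValueError("MinimumVersion exceeds MaximumVersion")
    if req_max > parse_version(server_max):
        return UNSUPPORTED_DATA_VERSION_FAULT, response
    return None, response
```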
2.2.5 Simple Types
None.
2.2.6 Attributes
None.
2.2.7 Groups
None.
2.2.8 Attribute Groups
None.
2.2.9 Common Data Structures
This section describes the way the RMS: Client-to-Server Protocol utilizes [XRML] for certificates and licenses.
2.2.9.1 Common Certificate and License Structures
This section describes in detail common elements of RMS certificate formats. All elements MUST follow the [XRML] schema.
2.2.9.1.1 ISSUEDTIME
The ISSUEDTIME element specifies the time that a certificate or license was generated, expressed in Coordinated Universal Time (UTC). ISSUEDTIME is specified in the XrML Document Type Definition (DTD). All certificates and licenses MUST contain an ISSUEDTIME element.
An ISSUEDTIME element MUST follow this template.
[[- issuedtime -]]
[[- issuedtime -]]: The time at which the certificate or license was generated, expressed in UTC.
2.2.9.1.2 VALIDITYTIME
VALIDITYTIME is an optional element that specifies the time period in which a certificate or license can be used. The certificate or license MUST be considered invalid outside this time period. The time period is a half-closed interval in which the start time is included in the set but the end time is not. A certificate or license SHOULD contain a VALIDITYTIME element.
A VALIDITYTIME element MUST use the following template.
[[- starttime -]][[- endtime -]]
[[- starttime -]]: The beginning of the time interval in which the certificate is allowed to be considered valid, expressed in UTC.
[[- endtime -]]: The end of the time interval in which the certificate is allowed to be considered valid, expressed in UTC.
2.2.9.1.3 RANGETIME
RANGETIME specifies a time condition on the ability to exercise a right that is granted in a certificate or license. The time period is a half-closed interval in which the start time is included in the set but the end time is not.
The RANGETIME element MUST use the following template.
[[- starttime -]][[- endtime -]]
[[- starttime -]]: The beginning of the time period in which a right is allowed to be exercised, expressed in UTC.
[[- endtime -]]: The end of the time period in which a right is allowed to be exercised, expressed in UTC.
2.2.9.1.4 DESCRIPTOR
The DESCRIPTOR element identifies the certificate or license and describes its type. All certificates and licenses MUST contain a DESCRIPTOR element.
The DESCRIPTOR element MUST use the following template.
[[- object -]]
[[- object -]]: An object that identifies the certificate or license. An object is specified in the XrML DTD. Specific content is defined for each certificate and license.
2.2.9.1.5 ISSUER
The ISSUER element describes the entity that issued or signed the certificate or license. All certificates and licenses MUST contain an ISSUER element. The ISSUER element MUST contain an object element that identifies the issuer along with a PUBLICKEY (section 2.2.9.1.6) element that contains the issuer's public key.
An ISSUER element MUST use the following template.
[[- object -]]
[[- publickey -]]
[[- optionalinfo -]]
[[- object -]]: An object that identifies the issuer. An object is specified in the XrML DTD. Specific content of the object depends on the certificate or license.
[[- publickey -]]: The issuer's public key contained in a PUBLICKEY element.
[[- optionalinfo -]]: Optional information about the issuer. Specific content is defined for each certificate and license.
2.2.9.1.6 PUBLICKEY
A PUBLICKEY element contains an RSA public key. A PUBLICKEY element MUST use the following template.
RSA
[[- exponent -]]
[[- modulus -]]
[[- exponent -]]: The exponent portion of the public key. This MUST be set to 65537.
[[- key length -]]: The length of the public key in bits, represented as a string. This MUST be a valid key length for the RSA algorithm.
[[- modulus -]]: The modulus portion of the public key. This MUST be a valid modulus for the RSA algorithm.
2.2.9.1.7 DISTRIBUTIONPOINT
A DISTRIBUTIONPOINT element is optional and describes an address or location for a particular service. A certificate or license MAY contain multiple DISTRIBUTIONPOINT elements.
A DISTRIBUTIONPOINT element MUST use the following template.
[[- object -]]
[[- publickey -]]
[[- object -]]: An object that identifies the DISTRIBUTIONPOINT. An object is specified in the XrML DTD. Specific content is defined for each certificate and license.
[[- publickey -]]: MAY be present if the object element of the DISTRIBUTIONPOINT element is of type "Revocation". MUST NOT be present otherwise. If present, this MUST contain one PUBLICKEY (section 2.2.9.1.6) element.
2.2.9.1.8 NAME
A NAME element contains a friendly name.
A NAME element MUST use the following template.
[[- name -]]
[[- name -]]: A string. The value of this placeholder depends on the specific application in a certificate or license and is defined explicitly for each certificate and license format.
2.2.9.1.9 ADDRESS
An ADDRESS element contains a URL address.
An ADDRESS element MUST use the following template.
[[- address -]]
[[- type -]]: A string containing a type of address that can take the value of "URL" or "email_alias". The value of this placeholder depends on the specific application in a certificate or license and is defined explicitly for each certificate and license format.
[[- address -]]: A string containing the address. The value of this placeholder depends on the specific application in a certificate or license and is defined explicitly for each certificate and license format.
2.2.9.1.10 SECURITYLEVEL
A SECURITYLEVEL element contains additional information in a name/value pair. A SECURITYLEVEL element MUST follow the XrML DTD.
A SECURITYLEVEL element MUST use the following template.
[[- name -]]: An arbitrary string containing the name of the name/value pair. The value of this placeholder depends on the specific application in a certificate or license and is defined explicitly for each certificate and license format.
[[- value -]]: An arbitrary string containing the value of the name/value pair. The value of this placeholder depends on the specific application in a certificate or license and is defined explicitly for each certificate and license format.
2.2.9.1.11 ISSUEDPRINCIPALS
For a certificate, the ISSUEDPRINCIPALS element describes the role, identity, and key being issued by the certificate. For a license, the ISSUEDPRINCIPALS element describes the principal to which rights are being granted. All certificates and licenses MUST contain an ISSUEDPRINCIPALS element. An ISSUEDPRINCIPALS element MUST contain exactly one principal.
An ISSUEDPRINCIPALS element MUST use the following template.
[[- object -]]
[[- publickey -]]
[[- digest -]]
[[- optionalinfo -]]
[[- enablingbits -]]
[[- object -]]: An object that identifies the principal. An object is specified in the XrML DTD. The value of this placeholder depends on the specific application in a certificate or license and is defined explicitly for each certificate and license format.
[[- publickey -]]: The public key of a principal contained in a PUBLICKEY element. For certificates, this is the public key being issued to the principal. For licenses, this is an existing public key that has already been issued to the principal.
[[- digest -]]: An SPC MUST include a digest element containing a hardware ID hash. All other certificates and licenses MUST NOT include a digest element here.
[[- optionalinfo -]]: Other information SHOULD be included in the form of SECURITYLEVEL elements.
[[- enablingbits -]]: A publishing license MUST include an ENABLINGBITS element that contains the encrypted rights data. All other certificates and licenses MUST NOT include an ENABLINGBITS element here.
2.2.9.1.12 SIGNATURE
The SIGNATURE element contains the cryptographic signature of a license or certificate and is appended to the end of each license or certificate. It is computed from the body element of the license or certificate that it is contained in, including the body tags, and follows the format specified by XrML.
The hash MUST be the SHA1 hash or the SHA256 hash of the body. The signature MUST be the hash encrypted with the issuer's private key. The key length MUST be the bit length of the issuer's private key, which MUST match the length of the issuer's public key.
A SIGNATURE element MUST use the following template.
RSA PKCS#1-V1.5[[- hashalgorithm -]]
surface-coding
[[- hash -]]
[[- signature -]]
[[- hashalgorithm -]]: The name of the hash algorithm: SHA-1 or SHA256.
[[- hashsize -]]: The size of the hash, in bits.
[[- hash -]]: The hash of the body element, base64-encoded.
[[- size -]]: The size, in bits, of the issuer's private key that was used to compute the signature, represented as a string.
[[- signature -]]: The hash of the body element, encrypted with the issuer's private key, base64-encoded.
2.2.9.1.13 ENABLINGBITS
An ENABLINGBITS element includes a key and a hash encrypted together in a license or certificate. The format for ENABLINGBITS is as follows:
1. Enabling bits in XrML license = Base64Encoded(RawEnablingBits)
2. RawEnablingBits = KPublic(KeyHeader & KSession) + KSession(EnablingBitsHeader + (KeyHeader & K) + Hash)
Note: Notation 'K(A)' means data 'A' encrypted with key 'K'.
License | KPublic | K | Hashed data
PL | Licensor (RMS Server) public key | Symmetric content key | ISSUEDPRINCIPALS element of PL
UL | RAC public key | Symmetric content key | ISSUER element of UL
CLC Chain | RAC public key | CLC private key | ISSUER element of CLC
RAC | Security processor public key | RAC private key | ISSUER element of RAC
K varies depending upon the type of license. The preceding table describes what K and A are for each of the license types that contain enabling bits.
The session key MUST be either a 56-bit Data Encryption Standard (DES) key or a 128-bit, 192-bit, or 256-bit Advanced Encryption Standard (AES) key. The KeyHeader for the session key describes the key type, size, and block size. For more information about the KeyHeader, see section 2.2.9.1.13.1.
A new session key is randomly generated each time the client or server has to create enabling bits. The session key is encrypted with the public key (licensor public key, group identity certificate (GIC) public key, or machine public key, depending upon the license type) and this forms the first 1,024 bits of the ENABLINGBITS, assuming a 1,024-bit RSA key was used for the encryption. The size of this equals the size of the RSA key pair encrypting the symmetric key, and since during decryption the size of the private key is already known (from the prologue of the key bits), the size of the encrypted symmetric key is also known.
The session key is used to encrypt the rest of the data in the ENABLINGBITS. The rest of the data includes an enabling bits header, the key header and key, and the hash.
The ENABLINGBITS header is defined as follows.
typedef struct _UDEBHeader
{
 DWORD dwVersion;   // 0x00000001 for "sealed-key", 0x00000002 for "sealed-key-v2"
 DWORD dwcbSize;    // combined size of the payload (KeyHeader plus key) and the hash
 DWORD dwReserved1; // MUST be 0
 DWORD dwReserved2; // MUST be 0
} UDEBHeader;       // all fields are 32-bit unsigned little-endian integers
The value of dwVersion is 0x00000001 for enabling bits of type "sealed-key" and 0x00000002 for enabling bits of type "sealed-key-v2". In either case, the value is a 32-bit unsigned LE integer.
The size of the header is 128 bits. The value of dwReserved1 and dwReserved2 MUST be 0. The dwcbSize indicates the combined size of the payload and hash. The format of the field is a 32-bit unsigned LE integer.
The key itself will be either an RSA private key or a 56-bit DES or AES (128-bit, 192-bit, or 256-bit) symmetric content key. The KeyHeader in front of the key specifies the key type, size, and algorithm block size.
The hash is a hash of XrML data. The XrML data that is hashed depends on the type of XrML document, as described in the preceding table. The hash is a 160-bit SHA1 hash for enabling bits of type "sealed-key" and a 256-bit SHA256 hash for enabling bits of type "sealed-key-v2".
The ENABLINGBITS header, the payload, and the hash are concatenated and then encrypted with the freshly generated symmetric key. The result of this encryption is then concatenated with the encrypted symmetric key, and the result of this is base64-encoded and can be inserted into the XrML document. The encryption uses PKCS #1 padding for enabling bits of type "sealed-key" and OAEP padding for enabling bits of type "sealed-key-v2".
The ENABLINGBITS element contains the enabling bits in XrML. It MUST follow the XrML DTD and the following template.
[[- sealedkey -]]
[[- type -]]: The type of the enabling bits: "sealed-key" or "sealed-key-v2".
[[- size -]]: The length, in bits, of the enabling bits.
[[- sealedkey -]]: The enabling bits, base64-encoded.
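As an added example, not taken from the specification or from any RMS implementation, the following Python builds and parses the plaintext that the session key encrypts: the UDEBHeader, then the KeyHeader and key laid out as in section 2.2.9.1.13.1, then the trailing hash whose length follows from dwVersion. The RSA and symmetric encryption layers and the base64 step are left out. The Flags bit masks are an assumption read from the spec's 32-bit diagram, as marked in the code; every MUST that the code enforces is otherwise taken from the text.

```python
import struct
from dataclasses import dataclass
from typing import Tuple

# UDEBHeader: four 32-bit unsigned little-endian fields (128 bits in total).
UDEB_HEADER_FMT = "<IIII"
UDEB_HEADER_LEN = struct.calcsize(UDEB_HEADER_FMT)  # 16
# KeyHeader: BlobSize, Reserved, keySizeInBytes, blockSizeInBytes (16-bit LE) and Flags (32-bit LE).
KEY_HEADER_FMT = "<HHHHI"
KEY_HEADER_LEN = struct.calcsize(KEY_HEADER_FMT)  # 12

# dwVersion 1 = "sealed-key" (160-bit SHA1 hash), 2 = "sealed-key-v2" (256-bit SHA256 hash).
HASH_LEN_BY_VERSION = {1: 20, 2: 32}
DES_KEY_BITS = 56
AES_KEY_BITS = {128, 192, 256}

# ASSUMPTION: the spec draws Flags as a 32-bit diagram with C at position 18,
# E at position 19 and A at position 31. These masks read that diagram with
# position 0 as the most significant bit of the little-endian DWORD.
FLAG_A_ALGORITHM = 1 << 0   # 0 = DES key, 1 = AES key
FLAG_E_ECB = 1 << 12        # 1 = ECB cipher mode
FLAG_C_CBC = 1 << 13        # 1 = CBC cipher mode; MUST be 0 for a session key


class EnablingBitsError(ValueError):
    """Raised when a structure violates a MUST from the spec."""


@dataclass(frozen=True)
class KeyHeader:
    blob_size: int       # bytes: KeyHeader plus key
    key_size_bits: int   # the keySizeInBytes field, which the spec says carries bits
    block_size: int      # blockSizeInBytes
    flags: int

    @property
    def is_aes(self) -> bool:
        return bool(self.flags & FLAG_A_ALGORITHM)


def build_key_blob(key: bytes, key_size_bits: int, block_size: int, flags: int) -> bytes:
    """Serialise KeyHeader & K, the payload inside the session-key-encrypted part."""
    header = struct.pack(KEY_HEADER_FMT, KEY_HEADER_LEN + len(key), 0xFFFF,
                         key_size_bits, block_size, flags)
    return header + key


def parse_key_blob(blob: bytes, session_key: bool = False) -> Tuple[KeyHeader, bytes]:
    """Parse KeyHeader & K, enforcing the field constraints of section 2.2.9.1.13.1."""
    if len(blob) < KEY_HEADER_LEN:
        raise EnablingBitsError("KeyHeader truncated")
    blob_size, reserved, key_bits, block_size, flags = struct.unpack(
        KEY_HEADER_FMT, blob[:KEY_HEADER_LEN])
    if reserved != 0xFFFF:
        raise EnablingBitsError(f"Reserved must be 0xFFFF, got 0x{reserved:04X}")
    if blob_size != len(blob):
        raise EnablingBitsError(f"BlobSize {blob_size} != actual length {len(blob)}")
    if flags & FLAG_E_ECB and flags & FLAG_C_CBC:
        raise EnablingBitsError("E and C flags are mutually exclusive")
    if session_key and flags & FLAG_C_CBC:
        raise EnablingBitsError("C flag must be 0 for a session key")
    hdr = KeyHeader(blob_size, key_bits, block_size, flags)
    allowed = AES_KEY_BITS if hdr.is_aes else {DES_KEY_BITS}
    if key_bits not in allowed:
        raise EnablingBitsError(f"key size {key_bits} bits is invalid for this algorithm")
    return hdr, blob[KEY_HEADER_LEN:]


def build_plaintext(version: int, key_blob: bytes, digest: bytes) -> bytes:
    """Build EnablingBitsHeader + (KeyHeader & K) + Hash, i.e. what KSession encrypts."""
    if version not in HASH_LEN_BY_VERSION:
        raise EnablingBitsError(f"unknown dwVersion {version}")
    if len(digest) != HASH_LEN_BY_VERSION[version]:
        raise EnablingBitsError("hash length does not match dwVersion")
    header = struct.pack(UDEB_HEADER_FMT, version, len(key_blob) + len(digest), 0, 0)
    return header + key_blob + digest


def parse_plaintext(data: bytes) -> Tuple[int, KeyHeader, bytes, bytes]:
    """Inverse of build_plaintext: returns (version, key header, key, hash)."""
    if len(data) < UDEB_HEADER_LEN:
        raise EnablingBitsError("UDEBHeader truncated")
    version, cb_size, res1, res2 = struct.unpack(UDEB_HEADER_FMT, data[:UDEB_HEADER_LEN])
    if version not in HASH_LEN_BY_VERSION:
        raise EnablingBitsError(f"unknown dwVersion {version}")
    if res1 or res2:
        raise EnablingBitsError("dwReserved1 and dwReserved2 must be 0")
    if cb_size != len(data) - UDEB_HEADER_LEN:
        raise EnablingBitsError("dwcbSize does not match payload plus hash length")
    hash_len = HASH_LEN_BY_VERSION[version]
    if cb_size < KEY_HEADER_LEN + hash_len:
        raise EnablingBitsError("payload too short for a KeyHeader and hash")
    payload = data[UDEB_HEADER_LEN:len(data) - hash_len]
    hdr, key = parse_key_blob(payload)
    return version, hdr, key, data[len(data) - hash_len:]
```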
2.2.9.1.13.1 KeyHeader
The KeyHeader for the session key describes the key type, size, and block size for the algorithm as detailed in the following table.
The KeyHeader consists of the following fields, in order.
BlobSize (2 bytes): A 16-bit unsigned, little-endian short integer value. The BlobSize field MUST be the size, in bytes, of the complete KeyHeader plus Key structure.
Reserved (2 bytes): The Reserved field MUST be set to 0xFFFF.
keySizeInBytes (2 bytes): A 16-bit unsigned, little-endian short integer value. The keySizeInBytes field MUST be the symmetric key size in bits. For DES, this MUST be 56. For AES (Rijndael), the size MUST be either 128 (the default), 192, or 256 bits.
blockSizeInBytes (2 bytes): A 16-bit unsigned, little-endian short integer value. The blockSizeInBytes field is the key block size, which varies depending on the cryptographic provider.
Flags (4 bytes): The Flags field is a bit field. In the 32-bit layout, numbering the bits 0 through 31 from left to right, bits 0 through 17 are 0, bit 18 is C, bit 19 is E, bits 20 through 30 are 0, and bit 31 is A. The bits are defined as follows.
Value | Description
E (Electronic Code Book) | This bit MUST be set to 1 to indicate the Electronic Codebook (ECB) cipher mode. This bit MUST be set to 0 if Cipher Block Chaining (CBC) cipher mode is used.
C (Cipher Block Chaining) | When set to 1, this bit indicates the Cipher Block Chaining (CBC) cipher mode. This bit MUST be set to 0 when the KeyHeader describes a session key.
A (Algorithm) | The Algorithm bit MUST be set to 0 if the key is a DES key. The Algorithm bit MUST be set to 1 if the key is an AES key.
2.2.9.2 Certificate and License Chains
A certificate or license chain shows the issuing and trust hierarchy for a given certificate or license. The following diagram explains the relationships between certificates.
Figure 3: Relationships between certificates
For version 1 clients, the SPC chain starts at the SPC leaf node certificate, followed by the version 1 security processor Certification Authority (CA) certificate, followed by the intermediate security processor CA certificate, and terminates at the CA certificate. For version 1 SP1 and newer clients, the SPC chain starts at the SPC leaf node certificate, followed by the SPC Issuer certificate, followed by the security processor CA certificate, followed by the intermediate security processor CA certificate, and terminates at the CA certificate. Certificates in the SPC chain are acquired during client machine activation and are never generated by the server. For more information on client machine activation, see section 3.8.3.1.
The RAC chain starts at the RAC leaf node certificate, followed by the SLC, followed by the Enrollment Service certificate, followed by the Enrollment CA certificate, terminating at the CA certificate. The CLC chain starts at the CLC leaf node certificate, followed by the SLC, followed by the Enrollment Service certificate, followed by the Enrollment CA certificate, and terminating at the CA certificate.
Certificates in dark boxes (RAC and CLC) are issued by the server. Certificates from the SLC and below are acquired during server enrollment. For more information on server enrollment, see section 3.6.4.2.1.1.
Certificates in dashed boxes (SLC, version 1 security processor CA certificate, SPC Issuer certificate, security processor CA certificate, intermediate security processor CA certificate, CA certificate, Enrollment Service certificate, and Enrollment CA certificate) are issuing certificates and follow a similar format.
The following diagram explains the relationships between licenses and the certificate in their chains.
Figure 4: Relationships between licenses and certificates
The UL chain starts at the UL leaf node certificate, followed by the SLC, followed by the Enrollment Service certificate, followed by the Enrollment CA certificate, terminating at the CA certificate.
For content published online, the PL chain starts at the PL leaf node certificate and terminates at the SLC. For content published offline, the PL chain starts at the PL leaf node certificate and terminates at the CLC.
The rights policy template is signed by the SLC, but exists as a single-node certificate.
Licenses in dark boxes (UL and online PL) are issued by the server. The offline PL is issued by the client.
Every license and certificate used in an RMS: Client-to-Server Protocol environment consists of a chain of certificates that leads back to a CA certificate. RMS servers provide two chains into which a license or certificate can be nested: a pre-production certificate chain and a production certificate chain. During application development, the pre-production certificate is used to sign custom applications into the pre-production RMS certificate hierarchy. Once an application is ready for production, a production certificate is used to sign the application into the production certificate hierarchy.
Beginning with RMS: Client-to-Server Protocol version 2.0, a process called self-enrollment has been made available. In the self-enrollment process, a self-enrollment certificate and private key are used to automatically create the server licensor certificate. <8>
2.2.9.3 Issuing Certificates
This section defines the format of issuing certificates. The SLC, version 1 security processor CA certificate, SPC issuer certificate, security processor CA certificate, intermediate security processor CA certificate, CA certificate, Enrollment Service certificate, and Enrollment CA certificate, are all Issuing certificates.
Issuing certificates MUST use the following template.
[[- issuedtime -]]
[[- validitytime -]]
[[- descriptor -]]
[[- issuer -]]
[[- issuedprincipals -]]
[[- workobject -]]
[[- conditionlist -]]
[[- signature -]]
[[- issuedtime -]]: MUST be an ISSUEDTIME (section 2.2.9.1.1) element containing the time the certificate was generated, in UTC. The time MUST fall within the RANGETIME of the issuer's certificate.
[[- validitytime -]]: SHOULD be a VALIDITYTIME (section 2.2.9.1.2) element describing the period of validity for the certificate, in UTC. This element SHOULD be present but is optional.
[[- descriptor -]]: MUST be a DESCRIPTOR (section 2.2.9.3.1) element describing the certificate.
[[- issuer -]]: MUST be an ISSUER (section 2.2.9.3.2) element describing the issuer of the certificate.
[[- issuedprincipals -]]: MUST be an ISSUEDPRINCIPALS (section 2.2.9.3.3) element describing the principal and its public key.
[[- workobject -]]: MUST be an OBJECT element that identifies the certificate, copied verbatim from the OBJECT in the DESCRIPTOR (section 2.2.9.3.1), including the same GUID.
[[- rangetime -]]: MUST be a RANGETIME (section 2.2.9.1.3) element describing the period during which the certificate can be used for issuance.
[[- conditionlist -]]: SHOULD be present in the SLC if alternate revocation information is included, and MUST NOT be present in other issuing certificates. If present, this MUST be a CONDITIONLIST (section 2.2.9.3.4) element that specifies alternate revocation information.
[[- signature -]]: MUST be a SIGNATURE (section 2.2.9.1.12) element containing the cryptographic signature of the body of the certificate, generated by the issuer of the certificate. The hash MUST be the SHA1 or SHA256 hash of the body. The signature MUST be the hash encrypted with the issuer's private key. The key length MUST be the length of the issuer's private key, which MUST match the length of the issuer's public key.
2.2.9.3.1 DESCRIPTOR
The DESCRIPTOR element of Issuing certificates describes the type of the certificate and MUST use the following template.
[[- type -]]: MUST contain the literal string from the following table.
Certificate                                     Literal string
SLC                                             Server-Licensor-Certificate
Enrollment Service certificate                  Server-Licensor-Certificate
Enrollment CA certificate                       DRM-CA-Certificate
Version 1 security processor CA certificate     Server-Licensor-Certificate
SPC issuer certificate                          Server-Licensor-Certificate
Security processor CA certificate               DRM-CA-Certificate
Intermediate security processor CA certificate  DRM-CA-Certificate
CA certificate                                  DRM-CA-Certificate
[[- GUID -]]: MUST be a unique GUID that identifies the certificate, represented as a literal ASCII string enclosed in braces.
2.2.9.3.2 ISSUER
The ISSUER element of issuing certificates identifies the issuer of the certificate and MUST use the following template. The contents are generally copied from the principal in the ISSUEDPRINCIPALS element of the issuer's certificate.
[[- publickey -]]
[[- cps -]]
[[- objecttype -]]: MUST contain the literal string found in the following table, specifying the type of the issuer. This string SHOULD be considered case-sensitive by both the client and the server.
Certificate                                     Literal string
SLC                                             MS-DRM-Server
Enrollment Service certificate                  DRM-Certificate-Authority
Enrollment CA certificate                       DRM-Certificate-Authority
Version 1 security processor CA certificate     DRM-Certificate-Authority
SPC issuer certificate                          DRM-Desktop-Security-Processor-Certificate-Authority
Security processor CA certificate               DRM-Certificate-Authority
Intermediate security processor CA certificate  DRM-Certificate-Authority
CA certificate                                  DRM-Certificate-Authority
[[- idtype -]]: MUST contain the literal string found in the following table, specifying the type of identifier used to identify the issuer.
Certificate                                     Literal string
SLC                                             MS-GUID
Enrollment Service certificate                  ascii-tag
Enrollment CA certificate                       ascii-tag
Version 1 security processor CA certificate     ascii-tag
SPC issuer certificate                          MS-GUID
Security processor CA certificate               ascii-tag
Intermediate security processor CA certificate  ascii-tag
CA certificate                                  ascii-tag
[[- id -]]: MUST contain the value or literal string from the following tables, identifying the issuer. The [[- GUID -]] placeholder is defined immediately following the two tables.
This table is for RMS servers in the production hierarchy.
Certificate                                     Literal string
SLC                                             [[- GUID -]]
Enrollment Service certificate                  Microsoft DRM Production Server Enrollment CA
Enrollment CA certificate                       Microsoft DRM Production CA
Version 1 security processor CA certificate     Microsoft DRM Production Machine Activation Server CA
SPC issuer certificate                          [[- GUID -]]
Security processor CA certificate               Microsoft DRM Production Machine Activation Server CA
Intermediate security processor CA certificate  Microsoft DRM Production CA
CA certificate                                  Microsoft DRM Production Root
This table is for RMS servers in the pre-production hierarchy:
Certificate                                     Literal string
SLC                                             [[- GUID -]]
Enrollment Service certificate                  Microsoft DRM ISV Server Enrollment CA
Enrollment CA certificate                       Microsoft DRM ISV CA
Version 1 security processor CA certificate     Microsoft DRM ISV Machine Activation Server CA
SPC issuer certificate                          [[- GUID -]]
Security processor CA certificate               Microsoft DRM ISV Machine Activation Server CA
Intermediate security processor CA certificate  Microsoft DRM ISV CA
CA certificate                                  Microsoft DRM ISV Root
[[- GUID -]]: A unique GUID that identifies the issuer of the certificate, represented as a literal ASCII string enclosed in braces. MUST be taken from the object of the principal of the ISSUEDPRINCIPALS of the issuer's certificate.
[[- name -]]: SHOULD be a name element containing the literal string from the following tables, specifying a name for the issuer.
This table is for RMS servers in the production hierarchy:
Certificate                                     Literal string
SLC                                             Microsoft DRM Server Enrollment Service
Enrollment Service certificate                  Microsoft DRM Production Server Enrollment CA
Enrollment CA certificate                       Microsoft DRM Production CA
Version 1 security processor CA certificate     Microsoft DRM Production Machine Activation Server CA
SPC issuer certificate                          Microsoft DRM Production Machine Activation Desktop Security Processor CA
Security processor CA certificate               Microsoft DRM Production Machine Activation Server CA
Intermediate security processor CA certificate  Microsoft DRM Production CA
CA certificate                                  Microsoft DRM Production Root
If the RMS server has been self-enrolled, the name element's value for the SLC MUST be "Microsoft DRM Server Self Enrollment Service".
This table is for RMS servers in the pre-production hierarchy:
Certificate                                     Literal string
SLC                                             Microsoft DRM ISV Server Enrollment Service
Enrollment Service certificate                  Microsoft DRM ISV Server Enrollment CA
Enrollment CA certificate                       Microsoft DRM ISV CA
Version 1 security processor CA certificate     Microsoft DRM ISV Machine Activation Server CA
SPC issuer certificate                          Microsoft DRM ISV Machine Activation Desktop Security Processor CA
Security processor CA certificate               Microsoft DRM ISV Machine Activation Server CA
Intermediate security processor CA certificate  Microsoft DRM ISV CA
CA certificate                                  Microsoft DRM ISV Root
[[- publickey -]]: MUST be a PUBLICKEY element that contains the issuer's public key. Exponent MUST be set to 65537. Modulus MUST contain the modulus of the issuer's public key. Size MUST be specified in bits and MUST follow this table.
Certificate                                     Size (bits)
SLC                                             1024 or 2048
Enrollment Service certificate                  1024 or 2048
Enrollment CA certificate                       2048
Version 1 security processor CA certificate     1024
SPC issuer certificate                          1024 or 2048
Security processor CA certificate               1024 or 2048
Intermediate security processor CA certificate  2048
CA certificate                                  2048
[[- cps -]]: SHOULD be found in the SLC but MUST NOT be found in any other certificates. The SLC SHOULD contain a SECURITYLEVEL element with the name "Certificate Practice Statement" and value of a URL pointing to a certificate practice statement.
2.2.9.3.3 ISSUEDPRINCIPALS
The ISSUEDPRINCIPALS element of an issuing certificate describes the role, identity, and key the certificate is issuing. It MUST use the following template.
[[- publickey -]]
[[- serverversion -]]
[[- serversku -]]
[[- objecttype -]]: MUST contain the literal string, as listed in the following table, specifying the type of principal the certificate is issuing.
Certificate                                     Literal string
SLC                                             MS-DRM-Server
Enrollment Service certificate                  MS-DRM-Server
Enrollment CA certificate                       DRM-Certificate-Authority
Version 1 security processor CA certificate     MS-DRM-Server
SPC issuer certificate                          MS-DRM-Desktop-Security-Processor
Security processor CA certificate               DRM-Desktop-Security-Processor-Certificate-Authority
Intermediate security processor CA certificate  DRM-Certificate-Authority
CA certificate                                  DRM-Certificate-Authority
[[- idtype -]]: MUST contain the literal string, as listed in the following table, specifying the type of identifier used to identify the principal.
Certificate                                     Literal string
SLC                                             MS-GUID
Enrollment Service certificate                  MS-GUID
Enrollment CA certificate                       ascii-tag
Version 1 security processor CA certificate     MS-GUID
SPC issuer certificate                          MS-GUID
Security processor CA certificate               MS-GUID
Intermediate security processor CA certificate  ascii-tag
CA certificate                                  ascii-tag
[[- id -]]: MUST contain the value or literal string, as listed in the following tables, identifying the principal. The [[- GUID -]] placeholder is defined immediately following the two tables.
This table is for RMS servers in the production hierarchy:
Certificate                                     String
SLC                                             [[- GUID -]]
Enrollment Service certificate                  [[- GUID -]]
Enrollment CA certificate                       Microsoft DRM Production Server Enrollment CA
Version 1 security processor CA certificate     [[- GUID -]]
SPC issuer certificate                          [[- GUID -]]
Security processor CA certificate               [[- GUID -]]
Intermediate security processor CA certificate  Microsoft DRM Production Machine Activation Server CA
CA certificate                                  Microsoft DRM Production CA
This table is for RMS servers in the pre-production hierarchy:
Certificate                                     String
SLC                                             [[- GUID -]]
Enrollment Service certificate                  [[- GUID -]]
Enrollment CA certificate                       Microsoft DRM ISV Server Enrollment CA
Version 1 security processor CA certificate     [[- GUID -]]
SPC issuer certificate                          [[- GUID -]]
Security processor CA certificate               [[- GUID -]]
Intermediate security processor CA certificate  Microsoft DRM ISV Machine Activation Server CA
CA certificate                                  Microsoft DRM ISV CA
[[- GUID -]]: MUST be a unique GUID that identifies the principal the certificate is issuing, represented as a literal ASCII string enclosed in braces.
[[- name -]]: MUST be present in all issuing certificates except for the SLC. MUST NOT be present in the SLC, except when the server has been self-enrolled and the server name is used for the name element. MUST be a name element containing the literal string, as listed in the following tables, specifying a name for the principal.
This table is for RMS servers in the production hierarchy:
Certificate                                     String
Enrollment Service certificate                  Microsoft DRM Server Enrollment Service
Enrollment CA certificate                       Microsoft DRM Production Server Enrollment CA
Version 1 security processor CA certificate     Microsoft DRM Machine Activation Service
SPC issuer certificate                          Microsoft DRM Production Desktop Security Processor Activation Certificate
Security processor CA certificate               Microsoft DRM Production Machine Activation Desktop Security Processor CA
Intermediate security processor CA certificate  Microsoft DRM Production Machine Activation Server CA
CA certificate                                  Microsoft DRM Production CA
If the RMS server has been self-enrolled, the name element's value for the Enrollment Service certificate MUST be "Microsoft DRM Server Self Enrollment Service".
This table is for RMS servers in the pre-production hierarchy:
Certificate                                     String
Enrollment Service certificate                  Microsoft DRM ISV Server Enrollment Service
Enrollment CA certificate                       Microsoft DRM ISV Server Enrollment CA
Version 1 security processor CA certificate     Microsoft DRM Machine Activation Service
SPC issuer certificate                          Microsoft DRM ISV Desktop Security Processor Activation Certificate
Security processor CA certificate               Microsoft DRM ISV Machine Activation Desktop Security Processor CA
Intermediate security processor CA certificate  Microsoft DRM ISV Machine Activation Server CA
CA certificate                                  Microsoft DRM ISV CA
[[- address -]]: MUST be present in the SLC only. MUST NOT be present in other issuing certificates. MUST be an address element of type "URL" containing the URL of the server.
[[- publickey -]]: MUST contain the public key being issued. Exponent MUST be set to 65537. Modulus MUST contain the modulus of the public key. Size MUST be specified in bits, as indicated in the following table.
Certificate                                     Size (bits)
SLC                                             1024 or 2048
Enrollment Service certificate                  1024 or 2048
Enrollment CA certificate                       1024 or 2048
Version 1 security processor CA certificate     1024
SPC issuer certificate                          1024 or 2048
Security processor CA certificate               1024 or 2048
Intermediate security processor CA certificate  1024 or 2048
CA certificate                                  2048
[[- serverversion -]]: SHOULD be present in the SLC only. MUST NOT be present in other issuing certificates. SHOULD be a SECURITYLEVEL element. The name attribute SHOULD be set to "Server-Version" and the value attribute MAY <9> be set to a string containing additional version information of the server.
[[- serversku -]]: SHOULD be present in the SLC only. MUST NOT be present in other issuing certificates. SHOULD be a SECURITYLEVEL element. The name attribute SHOULD be set to "Server-SKU" and the value attribute MAY <10> be set to a string containing additional version information of the server.
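As an added example (not code from the specification or from any Microsoft implementation), the following Python checks a production-hierarchy SLC chain against the rules stated in sections 2.2.9.2 through 2.2.9.3.3: the DESCRIPTOR literal, exponent 65537 and the permitted key sizes from the tables, the ISSUER matching the issuer's ISSUEDPRINCIPALS, the ISSUEDTIME falling within the issuer's RANGETIME, and the SIGNATURE checked with the issuer's public key. Assumptions: a certificate is modelled as a dict, the signed body is the sorted-JSON serialization of every element except SIGNATURE, the signature is raw RSA over the digest exactly as the page words it (not a padded production signature scheme), the public key of "Microsoft DRM Production Root" is treated as a pinned trust anchor, and all keys, GUIDs and times are constructed here.

```python
# Added example (not code from [MS-RMPR] or any Microsoft implementation): the dict
# model of a certificate, the signed "body" and the raw-RSA signature are assumptions.
import hashlib
import json
import random

# DESCRIPTOR type and permitted ISSUEDPRINCIPALS key sizes (sections 2.2.9.3.1, 2.2.9.3.3)
PROFILE = {
    "SLC": ("Server-Licensor-Certificate", {1024, 2048}),
    "Enrollment Service certificate": ("Server-Licensor-Certificate", {1024, 2048}),
    "Enrollment CA certificate": ("DRM-CA-Certificate", {1024, 2048}),
    "CA certificate": ("DRM-CA-Certificate", {2048}),
}
NOW = 1_700_000_000  # constructed ISSUEDTIME, seconds since the epoch (UTC)

def _is_probable_prime(n, rounds=16):
    if any(n % p == 0 for p in (3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):  # Miller-Rabin
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1): continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1: break
        else: return False
    return True

def _prime(bits):
    c = random.getrandbits(bits) | (3 << (bits - 2)) | 1  # odd, top two bits set
    while not _is_probable_prime(c):
        c += 2
    return c

def make_key(bits):
    """Textbook RSA key pair (public carries the PUBLICKEY size attribute); e is 65537."""
    e = 65537
    while True:
        p, q = _prime(bits // 2), _prime(bits // 2)
        n = p * q
        if n.bit_length() == bits and (p - 1) % e and (q - 1) % e:
            return {"e": e, "n": n, "size": bits}, {"d": pow(e, -1, (p - 1) * (q - 1)), "n": n}

def make_cert(kind, issuer_id, issuer_pub, principal_id, principal_pub, hashalg="SHA256"):
    """Unsigned issuing certificate holding just the elements the chain rules use."""
    return {"kind": kind, "descriptor": PROFILE[kind][0], "issuedtime": NOW,
            "rangetime": (NOW - 86400, NOW + 365 * 86400),  # constructed RANGETIME
            "issuer": {"id": issuer_id, "key": issuer_pub}, "hashalgorithm": hashalg,
            "principal": {"id": principal_id, "key": principal_pub}, "signature": 0}

def digest(cert):
    body = {k: v for k, v in cert.items() if k != "signature"}  # assumed signed body
    data = json.dumps(body, sort_keys=True).encode()
    return int.from_bytes(hashlib.new(cert["hashalgorithm"].lower(), data).digest(), "big")

def sign(cert, priv):
    """SIGNATURE: the body hash 'encrypted' with the issuer's private key (raw RSA)."""
    cert["signature"] = pow(digest(cert), priv["d"], priv["n"])

def verify_chain(chain, root_pub):
    """chain[0] is the leaf (the SLC), chain[-1] the CA certificate, whose ISSUER must be
    the pinned root key. Returns (ok, reason) naming the first rule that fails."""
    for i, cert in enumerate(chain):
        kind, ik, pk = cert["kind"], cert["issuer"]["key"], cert["principal"]["key"]
        if cert["descriptor"] != PROFILE[kind][0]:
            return False, f"{kind}: unexpected DESCRIPTOR type {cert['descriptor']!r}"
        if any(k["e"] != 65537 or k["size"] != k["n"].bit_length() for k in (ik, pk)):
            return False, f"{kind}: PUBLICKEY exponent or size attribute is wrong"
        if pk["size"] not in PROFILE[kind][1]:
            return False, f"{kind}: {pk['size']}-bit key is not permitted"
        if pow(cert["signature"], ik["e"], ik["n"]) != digest(cert):
            return False, f"{kind}: SIGNATURE does not verify"
        if i + 1 < len(chain):  # ISSUER must be copied from the issuer's ISSUEDPRINCIPALS
            up = chain[i + 1]
            if cert["issuer"] != up["principal"]:
                return False, f"{kind}: ISSUER does not match {up['kind']} ISSUEDPRINCIPALS"
            if not up["rangetime"][0] <= cert["issuedtime"] <= up["rangetime"][1]:
                return False, f"{kind}: ISSUEDTIME outside issuer RANGETIME"
        elif ik != root_pub:
            return False, f"{kind}: issuer is not the trusted root"
    return True, "ok"

def build_chain():
    """Constructed chain, leaf first: SLC, Enrollment Service, Enrollment CA, CA certificate."""
    (root, root_k), (ca, ca_k), (eca, eca_k), (svc, svc_k), (slc, _) = (
        make_key(b) for b in (2048, 2048, 1024, 1024, 1024))
    svc_guid, slc_guid = "{11111111-1111-1111-1111-111111111111}", "{22222222-2222-2222-2222-222222222222}"
    certs = [make_cert("CA certificate", "Microsoft DRM Production Root", root,
                       "Microsoft DRM Production CA", ca, "SHA1"),
             make_cert("Enrollment CA certificate", "Microsoft DRM Production CA", ca,
                       "Microsoft DRM Production Server Enrollment CA", eca, "SHA1"),
             make_cert("Enrollment Service certificate",
                       "Microsoft DRM Production Server Enrollment CA", eca, svc_guid, svc),
             make_cert("SLC", svc_guid, svc, slc_guid, slc)]
    for cert, priv in zip(certs, (root_k, ca_k, eca_k, svc_k)):
        sign(cert, priv)  # each certificate is signed by the key its ISSUER names
    return certs[::-1], root
```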
2.2.9.3.4 CONDITIONLIST
If the SLC was issued with custom revocation authorities specified, it SHOULD contain a CONDITIONLIST element that describes one or more revocation authorities, each with its public key.
The CONDITIONLIST element MUST use the following template.
[[- distributionpoint1 -]]
[[- distributionpoint2 -]]
[[- distributionpoint1 -]]: MUST be a DISTRIBUTIONPOINT (section 2.2.9.3.5) element that contains the public key of the issuer of the SLC, as specified in DISTRIBUTIONPOINT.
[[- distributionpoint2 -]]: MUST contain at least one DISTRIBUTIONPOINT element that contains the public key of a third-party revocation authority that is allowed to revoke the SLC. If more than one third-party revocation authority is allowed to revoke the SLC, this includes additional DISTRIBUTIONPOINT elements as peers, with one element for each revocation authority, as specified in DISTRIBUTIONPOINT.
2.2.9.3.5 DISTRIBUTIONPOINT
The DISTRIBUTIONPOINT elements in the CONDITIONLIST describe the public keys of revocation authorities who are authorized to revoke the SLC. The DISTRIBUTIONPOINT elements MUST use the following template.
[[- publickey -]]
[[- publickey -]]: MUST be a PUBLICKEY (section 2.2.9.1.6) element that contains the public key of the revocation authority.
2.2.9.4 Security Processor Certificate
This section defines the format of the SPC. The SPC is acquired during client initialization and is never generated by the server (section 3.8.3.1).
The SPC MUST use the following template.
[[- issuedtime -]]
[[- descriptor -]]
[[- issuer -]]
[[- distributionpoint -]]
[[- issuedprincipals -]]
[[- signature -]]
[[- issuedtime -]]: MUST be an ISSUEDTIME (section 2.2.9.1.1) element containing the time the SPC was generated, in UTC.
[[- descriptor -]]: MUST be a DESCRIPTOR (section 2.2.9.4.1) element describing the SPC.
[[- issuer -]]: MUST be an ISSUER (section 2.2.9.4.2) element describing the issuer of the SPC.
[[- distributionpoint -]]: MUST be a DISTRIBUTIONPOINT (section 2.2.9.4.3) element describing the location of the issuer of the SPC.
[[- issuedprincipals -]]: MUST be an ISSUEDPRINCIPALS (section 2.2.9.4.4) element describing the principal and the SPC public key.
[[- signature -]]: MUST be a SIGNATURE (section 2.2.9.1.12) element containing the cryptographic signature of the body of the certificate, generated by the issuer of the certificate.
2.2.9.4.1 DESCRIPTOR
The DESCRIPTOR element of the SPC describes the type of certificate and MUST use the following template.
[[- GUID -]]: MUST be a unique GUID that identifies the certificate, represented as a literal ASCII string enclosed in braces.
2.2.9.4.2 ISSUER
The ISSUER element of the SPC identifies the issuer of the certificate. The contents of the ISSUER element MUST be copied verbatim from the contents of the principal element in the ISSUEDPRINCIPALS element of the SPC issuer.
The ISSUER element MUST use the following template.
[[- cps -]]
[[- publickey -]]
[[- type -]]: Optional string that describes the type of the ISSUER. <11>
[[- GUID -]]: MUST be a unique GUID that identifies the issuer of the certificate, represented as a literal ASCII string enclosed in braces. MUST be taken from the OBJECT of the PRINCIPAL of the ISSUEDPRINCIPALS element belonging to the issuer's certificate.
[[- name -]]: Optional string that describes the issuer. <12>
[[- cps -]]: Optional SECURITYLEVEL element. <13>
[[- publickey -]]: MUST contain the issuer's public key. Exponent MUST be set to 65537. The size attribute of the VALUE element MUST be set to the size of the issuer's public key. The modulus MUST contain the modulus of the issuer's public key.
2.2.9.4.3 DISTRIBUTIONPOINT
The DISTRIBUTIONPOINT element of the SPC describes the location of the issuer of the SPC.
In the case of a version 1 client, the DISTRIBUTIONPOINT element of the SPC MUST point to the RMS Machine Activation cloud service. The URL MUST be either "https://activation.drm.microsoft.com" or "http://activation.drm.microsoft.com". <14>
In the pre-production hierarchy, the URL MUST be either "https://activation.isv.drm.microsoft.com" or "http://activation.isv.drm.microsoft.com".
In the case of a version 1 SP1, version 1 SP2 or version 2 client, this refers to the client itself. The element MUST use the following XML, where [[activation_location]] is a reference to the location where offline activation occurred. <15>
2.2.9.4.4 ISSUEDPRINCIPALS
The ISSUEDPRINCIPALS element of the SPC issues the SPC public key. It MUST use the following template.
[[- publickey -]]
[[- hashalgorithm -]]
surface-coding
[[- hash -]]
[[- platform -]]
[[- manufacturer -]]
[[- repository -]]
[[- GUID -]]: MUST be a unique GUID that identifies the principal the certificate is issued to, represented as a literal ASCII string enclosed in braces.
[[- publickey -]]: MUST contain the SPC public key. The exponent MUST be set to 65537. The size attribute of the VALUE element MUST be set to the size of the SPC public key. The modulus MUST contain the modulus of the SPC public key.
[[- hashalgorithm -]]: MUST contain the name of the hash algorithm: SHA1 or SHA256.
[[- hashsize -]]: MUST contain the size of the hash, in bits.
[[- hash -]]: MUST contain a SHA1 or SHA256 hash of HID information.
[[- platform -]]: MUST contain a SECURITYLEVEL element with the name "Platform" and the value of a string that contains the version of the client platform.
[[- manufacturer -]]: MUST contain a SECURITYLEVEL element with the name "Manufacturer" and the value of a string that contains identifying information about the creator of the security processor.
[[- repository -]]: MUST contain a SECURITYLEVEL element with the name "Repository" and the value of a string that contains the version of the security processor.
2.2.9.5 RMS Account Certificate
This section defines the format of the RAC. The server generates the RAC when it responds to a successful Certify request.
The RAC MUST use the following template.
[[- issuedtime -]]
[[- validitytime -]]
[[- descriptor -]]
[[- issuer -]]
[[- distributionpoint-int -]]
[[- distributionpoint-ext -]]
[[- issuedprincipals -]]
[[- federationprincipals -]]
[[- signature -]]
[[- issuedtime -]]: MUST be an ISSUEDTIME (section 2.2.9.1.1) element containing the time the RAC was generated, in UTC.
[[- validitytime -]]: SHOULD be a VALIDITYTIME (section 2.2.9.1.2) element describing the period of validity for the RAC, in UTC.
[[- descriptor -]]: MUST be a DESCRIPTOR (section 2.2.9.5.1) element describing the RAC.
[[- issuer -]]: MUST be an ISSUER (section 2.2.9.5.2) element describing the issuer of the RAC.
[[- distributionpoint-int -]]: SHOULD be a DISTRIBUTIONPOINT (section 2.2.9.5.3) element containing the intranet URL address of the server that issued the RAC.
[[- distributionpoint-ext -]]: SHOULD be a DISTRIBUTIONPOINT (section 2.2.9.5.3) element containing the external URL address of the server that issued the RAC.
[[- issuedprincipals -]]: MUST be an ISSUEDPRINCIPALS (section 2.2.9.5.4) element describing the principal and the RAC public key.
[[- federationprincipals -]]: MUST be a FEDERATIONPRINCIPALS (section 2.2.9.5.5) element that issues the RAC private key to the user account.
[[- signature -]]: MUST be a SIGNATURE element containing the cryptographic signature of the body of the certificate, generated by the issuer of the certificate. The hash MUST be the hash of the body. The signature MUST be the hash encrypted with the issuer's private key. The key length MUST be the length of the issuer's private key, which MUST match the length of the issuer's public key.
2.2.9.5.1 DESCRIPTOR
The DESCRIPTOR element of the RAC describes the type of the certificate and MUST use the following template.
[[- GUID -]]: MUST be a unique GUID that identifies the certificate, represented as a literal ASCII string enclosed in braces.
2.2.9.5.2 ISSUER
The ISSUER element of the RAC identifies the issuer of the certificate. The contents of the ISSUER element MUST be copied verbatim from the contents of the principal element in the ISSUEDPRINCIPALS element of the issuing server's SLC.
The ISSUER element MUST use the following template.
[[- publickey -]]
[[- serverversion -]]
[[- serversku -]]
[[- GUID -]]: MUST be a unique GUID that identifies the issuer of the certificate, represented as a literal ASCII string enclosed in braces. MUST be taken from the object of the principal of the ISSUEDPRINCIPALS of the issuer's certificate.
[[- name -]]: In RMS 2.0, this element SHOULD be a string that describes the server's name. This element is not present in RMS 1.0.
[[- address -]]: SHOULD be an ADDRESS element of type "URL" containing the URL of the server.
[[- publickey -]]: MUST contain the issuer's public key. The exponent MUST be set to 65537. The size attribute of the VALUE element MUST be set to the size of the issuer's public key. The modulus MUST contain the modulus of the issuer's public key.
[[- serverversion -]]: SHOULD be a SECURITYLEVEL element. The name attribute SHOULD be set to "Server-Version" and the value attribute MAY <16> be set to a string containing additional version information of the server.
[[- serversku -]]: SHOULD be a SECURITYLEVEL element. The name attribute SHOULD be set to "Server-SKU" and the value attribute MAY <17> be set to a string containing additional version information of the server.
2.2.9.5.3 DISTRIBUTIONPOINT
The DISTRIBUTIONPOINT elements of the RAC describe the location of the server that issued the RAC and MUST use the following template.
[[- type -]]: MUST be the type of the DISTRIBUTIONPOINT address. For an intranet address, the type is "Activation". For an external address, the type is "Extranet-Activation".
[[- GUID -]]: MUST be a unique GUID that identifies this DISTRIBUTIONPOINT element, represented as a literal ASCII string enclosed in braces. <18>
[[- address -]]: MUST be an ADDRESS element of type "URL" containing the URL of the server. For an intranet address, this is the internal URL of the server that issued the RAC. For an extranet address, this SHOULD be the external URL of the server that issued the RAC using a fully qualified domain name (FQDN).
2.2.9.5.4 ISSUEDPRINCIPALS
The ISSUEDPRINCIPALS element of the RAC issues the RAC public key to the user account.
The ISSUEDPRINCIPALS element MUST use the following template.
[[- publickey -]]
[[- RACtype -]]
[[- type -]]: MUST be the type of user account, determined by the authentication scheme. There are three types of authentication: "Windows", "Federation", and "Passport". For a RAC issued by a server that has authenticated the user by an Active Directory account, the type MUST be "Windows". For a RAC issued by a server using the Microsoft Web Browser Federated Sign-On Authentication Protocol [MS-MWBF], the type MUST be "Federation". <19>
[[- userid -]]: MUST be the identifier of the user. For a RAC issued to a user's Active Directory credentials, this MUST be the user's security ID (SID). For a RAC issued to a user's MWBF credentials, this MUST be a unique GUID. For a RAC issued to a user's Passport credentials, this MUST be the user's Passport User ID (PUID).
[[- emailaddress -]]: A NAME element that MUST contain the primary email address associated with the user's account.
[[- emailalias -]]: SHOULD contain an email alias for a Microsoft Web Browser Federated Sign-On Authentication Protocol authenticated user. MAY exist for RACs of type "Federation". MUST NOT exist for RACs of type "Windows" or "Passport". If present, this MUST be an ADDRESS element of type "email_alias" containing an email address. MAY have multiple elements as peers with one element for each email alias.
[[- publickey -]]: MUST contain the RAC public key. The exponent MUST be set to 65537. The size attribute of the VALUE element MUST be set to the size of the RAC public key. The modulus MUST contain the modulus of the RAC public key.
[[- RACtype -]]: MUST describe whether the RAC is considered persistent or temporary. The difference between persistent and temporary RACs is the validity time. The validity time of persistent and temporary RACs is implementation-specific. <20> A SECURITYLEVEL element with the name "Group-Identity-Credential-Type" with a value of either "Persistent" or "Temporary".
2.2.9.5.5 FEDERATIONPRINCIPALS
The FEDERATIONPRINCIPALS element of the RAC issues the RAC private key to the user account and binds it to the machine by encrypting it with the SPC. It MUST use the following template.
[[- machineobject -]]
[[- enablingbits -]]
[[- platform -]]
[[- manufacturer -]]
[[- repository -]]
[[- machineobject -]]: MUST be an object element that identifies the machine. MUST be copied verbatim from the object in the principal element in the ISSUEDPRINCIPALS element of the SPC, including the same GUID.
[[- enablingbits -]]: MUST be the RAC private key encrypted with the SPC public key, contained within an ENABLINGBITS element. The encryption method can be any public key algorithm.
[[- platform -]]: MUST be a SECURITYLEVEL element with the name "Platform" and the value of a string that contains the version of the client platform. MUST be copied verbatim from the principal element in the ISSUEDPRINCIPALS element of the SPC.
[[- manufacturer -]]: MUST be a SECURITYLEVEL element with the name "Manufacturer" and the value of a string that contains identifying information about the creator of the security processor. MUST be copied verbatim from the principal element in the ISSUEDPRINCIPALS element of the SPC.
[[- repository -]]: MUST be a SECURITYLEVEL element with the name "Repository" and the value of a string that contains the version of the security processor. MUST be copied verbatim from the principal element in the ISSUEDPRINCIPALS element of the SPC.
2.2.9.6 Client Licensor Certificate
This section defines the format of the CLC. The server generates the CLC when it responds to a successful GetClientLicensorCert request.
The CLC MUST use the following template.
[[- issuedtime -]]
[[- descriptor -]]
[[- issuer -]]
[[- distributionpoint-int -]]
[[- distributionpoint-ext -]]
[[- issuedprincipals -]]
[[- workobject -]]
[[- enablingbits -]]
[[- signature -]]
[[- issuedtime -]]: MUST be an ISSUEDTIME (section 2.2.9.1.1) element containing the time the CLC was generated, in UTC.
[[- descriptor -]]: MUST be a DESCRIPTOR (section 2.2.9.6.1) element describing the CLC.
[[- issuer -]]: MUST be an ISSUER (section 2.2.9.6.2) element describing the issuer of the CLC.
[[- distributionpoint-int -]]: MUST be a DISTRIBUTIONPOINT (section 2.2.9.6.3) element containing the intranet URL address of the server that issued the CLC. The server at this address will issue ULs from content that is published using this CLC.
[[- distributionpoint-ext -]]: SHOULD be a DISTRIBUTIONPOINT (section 2.2.9.6.3) element containing the external URL address of the server that issued the CLC, but this is optional. The server at this address will issue ULs from content that is published using this CLC.
[[- issuedprincipals -]]: MUST be an ISSUEDPRINCIPALS (section 2.2.9.6.4) element describing the principal and the CLC public key.
[[- workobject -]]: MUST be an object element that identifies the certificate. Copied verbatim from the object in the DESCRIPTOR (section 2.2.9.6.1), including the same GUID.
[[- rangetime -]]: MUST be a RANGETIME (section 2.2.9.1.3) element describing the period during which the certificate can be used for issuance.
[[- enablingbits -]]: MUST be the CLC private key encrypted with the RAC public key, contained within an ENABLINGBITS (section 2.2.9.1.13) element.
[[- signature -]]: MUST be a SIGNATURE (section 2.2.9.1.12) element containing the cryptographic signature of the body of the certificate, generated by the issuer of the certificate. The hash MUST be the hash of the BODY. The signature MUST be the hash encrypted with the issuer's private key. The key length MUST be the length of the issuer's private key, which MUST match the length of the issuer's public key.
2.2.9.6.1 DESCRIPTOR
The DESCRIPTOR element of the CLC describes the type of the certificate and MUST use the following template.
[[- GUID -]]: A unique GUID that identifies the certificate, represented as a literal ASCII string enclosed in braces.
2.2.9.6.2 ISSUER
The ISSUER element of the CLC identifies the issuer of the certificate. The contents of the ISSUER element MUST be copied verbatim from the contents of the principal element in the ISSUEDPRINCIPALS element of the SLC of the issuing server.
The ISSUER element MUST use the following template.
[[- publickey -]]
[[- serverversion -]]
[[- serversku -]]
[[- GUID -]]: MUST be a unique GUID that identifies the issuer of the certificate, represented as a literal ASCII string enclosed in braces. MUST be taken from the OBJECT of the PRINCIPAL of the ISSUEDPRINCIPALS element of the issuer's certificate.
[[- name -]]: In RMS 2.0, this element SHOULD be a string that describes the server's name. This element is not present in RMS 1.0.
[[- address -]]: SHOULD be an ADDRESS element of type "URL" containing the URL of the server.
[[- publickey -]]: MUST contain the issuer's public key. The exponent MUST be set to 65537. The size attribute of the VALUE element MUST be set to the size of the issuer's public key. The modulus MUST contain the modulus of the issuer's public key.
[[- serverversion -]]: SHOULD be a SECURITYLEVEL element. The name attribute SHOULD be set to "Server-Version", and the value attribute MAY <21> be set to a string containing additional version information of the server.
[[- serversku -]]: SHOULD be a SECURITYLEVEL element. The name attribute SHOULD be set to "Server-SKU" and the value attribute MAY <22> be set to a string containing additional version information of the server.
2.2.9.6.3 DISTRIBUTIONPOINT
The DISTRIBUTIONPOINT elements of the CLC describe the location of the server that issued the CLC. The server at these addresses will be used for issuing ULs from content that is published using this CLC.
The DISTRIBUTIONPOINT elements MUST use the following template.
[[- type -]]: MUST be the type of the DISTRIBUTIONPOINT address. For an intranet address, the type is "License-Acquisition-URL". For an external address, the type is "Extranet-License-Acquisition-URL".
[[- GUID -]]: MUST be a unique GUID that identifies this DISTRIBUTIONPOINT element, represented as a literal ASCII string enclosed in braces. <23>
[[- address -]]: MUST be an ADDRESS element of type "URL" containing the URL of the server. For an intranet address, this is the internal URL of the server that issued the CLC. For an extranet address, this is the external URL of the server that issued the CLC using an FQDN.
2.2.9.6.4 ISSUEDPRINCIPALS
The ISSUEDPRINCIPALS element of the CLC issues the CLC public key to the user account.
The ISSUEDPRINCIPALS element MUST use the following template.
[[- publickey -]]
[[- type -]]: MUST be the type of user account, as determined by the authentication scheme. MUST be copied verbatim from the principal element in the ISSUEDPRINCIPALS element of the RAC.
[[- userid -]]: MUST be the identifier of the user. MUST be copied verbatim from the principal element in the ISSUEDPRINCIPALS element of the RAC.
[[- emailaddress -]]: MUST be a NAME element that contains the primary email address associated with the user's account.
[[- emailalias -]]: SHOULD contain an email alias for a Microsoft Web Browser Federated Sign-On authenticated user [MS-MWBF]. MAY exist for CLCs issued to RACs of type "Federation". MUST NOT exist for CLCs issued to RACs of type "Windows" or "Passport". If present, this MUST be an ADDRESS element of type "email_alias" containing an email address. MAY have multiple elements as peers with one element for each email alias. MUST be copied verbatim from the principal element in the ISSUEDPRINCIPALS element of the RAC.
[[- publickey -]]: MUST contain the CLC public key. The exponent MUST be set to 65537. The size attribute of the VALUE element MUST be set to the size of the CLC public key. The modulus MUST contain the modulus of the CLC public key.
2.2.9.7 Publishing License
This section defines the format of the PL. PLs generated from offline publishing are built by the client and signed using the CLC. PLs generated from online publishing are built by the client and signed by the server.
The PL SHOULD use the following template.
[[- issuedtime -]]
[[- descriptor -]]
[[- issuer -]]
[[- distributionpoint-int -]]
[[- distributionpoint-ext -]]
[[- issuedprincipals -]]
[[- distributionpoint-ref -]]
[[- workobject -]]
[[- owner -]]
[[- revocationpoint -]]
[[- authenticateddata -]]
[[- exclusionpolicy -]]
[[- inclusionpolicy -]]
[[- signature -]]
[[- issuedtime -]]: MUST be an ISSUEDTIME (section 2.2.9.1.1) element containing the time the PL was generated, in UTC.
[[- descriptor -]]: An optional element describing the policy in the PL. If present, the descriptor MUST be a DESCRIPTOR (section 2.2.9.7.1) element.
[[- issuer -]]: MUST be an ISSUER (section 2.2.9.7.2) element describing the issuer of the PL.
[[- distributionpoint-int -]]: MUST be a DISTRIBUTIONPOINT (section 2.2.9.7.3) element containing the intranet URL address of the server that will issue ULs from this PL.
[[- distributionpoint-ext -]]: MAY be a DISTRIBUTIONPOINT (section 2.2.9.7.3) element containing the external URL address of the server that will issue ULs from this PL.
[[- issuedprincipals -]]: MUST be an ISSUEDPRINCIPALS (section 2.2.9.7.4) element describing the principal and the server public key.
[[- distributionpoint-ref -]]: An optional element containing the author's referral information. If present, MUST be a DISTRIBUTIONPOINT (section 2.2.9.7.3) element of type "Referral-Info".
[[- signature -]]: MUST be a SIGNATURE (section 2.2.9.1.12) element containing the cryptographic signature of the body of the license, generated by the issuer of the license. The hash MUST be the hash of the body. The signature MUST be the hash encrypted with the issuer's private key. The key length MUST be the length of the issuer's private key, which MUST match the length of the issuer's public key.
[[- workobject -]]: MUST be an object element that identifies the content that the PL applies to. This object SHOULD be created by the application used to create the PL and, therefore, SHOULD contain application-specific information.
[[- owner -]]: MUST be an OWNER (section 2.2.9.7.5) element that describes the author of the document.
[[- revocationpoint -]]: An optional field that specifies the location of a revocation list for the PL. If present, MUST be a CONDITIONLIST (section 2.2.9.7.9) element.
[[- authenticateddata -]]: MUST be an AUTHENTICATEDDATA (section 2.2.9.7.6) element that describes the usage policy issued by the author.
[[- exclusionpolicy -]]: MAY be a POLICYLIST element in an unsigned PL with type "exclusion" that identifies an exclusion policy list that applies to the PL and the information the PL protects. When the PL is signed, this is in the AUTHENTICATEDDATA element.
[[- inclusionpolicy -]]: MAY be a POLICYLIST element in an unsigned PL with type "inclusion" that identifies an inclusion policy list that applies to the PL and the information the PL protects. When the PL is signed, this is in the AUTHENTICATEDDATA element.
2.2.9.7.1 DESCRIPTOR
The DESCRIPTOR element of the PL describes the type of license and MUST use the following template.
[[- GUID -]]: MUST be a unique GUID that identifies the license, represented as a literal ASCII string enclosed in braces.
[[- name -]]: MUST be a NAME element giving the name of the policy described in the PL. The text of this element is structured as follows. One or more occurrences of the following structure MUST be present in each NAME element, separated by a semicolon.
LCID [[- lcid -]]:NAME [[- name2 -]]:DESCRIPTION [[- description -]];
[[- lcid -]]: MUST be the LCID describing the language in which the name and description that follow it are encoded.
[[- name2 -]]: MUST be the name of the policy, encoded in the language defined by the [[- lcid -]].
[[- description -]]: MUST be the description of the policy, encoded in the language defined by the [[- lcid -]].
2.2.9.7.2 ISSUER
The ISSUER element of the PL identifies the issuer of the license. The object and PUBLICKEY elements of the ISSUER element MUST be copied verbatim from the principal element in the ISSUEDPRINCIPALS element of the CLC for offline publishing. The SECURITYLEVEL element is also copied from the ISSUEDPRINCIPALS element of the issuer, but the values are optional.
The object and PUBLICKEY elements of the ISSUER element MUST also be copied verbatim from the principal element in the ISSUEDPRINCIPALS element of the SLC by the server for online publishing.
The ISSUER element MUST use the following template.
[[- object -]]
[[- publickey -]]
[[- securitylevel -]]
[[- object -]]: MUST be the object element copied verbatim from the principal element in the ISSUEDPRINCIPALS element of the issuer.
[[- publickey -]]: MUST contain the issuer's public key. The exponent MUST be set to 65537. The size MUST be the size of the issuer's public key in bits. The modulus MUST contain the modulus of the issuer's public key.
[[- securitylevel -]]: SHOULD be the SECURITYLEVEL element copied verbatim from the principal element in the ISSUEDPRINCIPALS element of the issuer.
2.2.9.7.3 DISTRIBUTIONPOINT
The DISTRIBUTIONPOINT elements of the PL describe the locations of the server that will be used for issuing ULs based on the PL.
The DISTRIBUTIONPOINT elements MUST use the following template.
[[- type -]]: MUST be the type of the DISTRIBUTIONPOINT address. For an intranet address, the type MUST be "License-Acquisition-URL". For an external address, the type MUST be "Extranet-License-Acquisition-URL". For a reference to the author of the document, the type MUST be "Referral-Info".
[[- GUID -]]: MUST be a unique GUID that identifies this DISTRIBUTIONPOINT element, represented as a literal ASCII string enclosed in braces.
[[- address -]]: MUST be an ADDRESS element of type "URL" containing the URL of the server or an email address when the object type is "Referral-Info". For an intranet address, this is the internal URL of the server that issued the PL. For an extranet address, this is the external URL of the server that issued the PL using an FQDN.
[[- name -]]: MUST be a name for the object. For an object of type "Referral-Info", this element MUST contain the display name of the referral address. For other objects, this element MUST contain the literal string "DRM Server Cluster".
2.2.9.7.4 ISSUEDPRINCIPALS
The ISSUEDPRINCIPALS element identifies a server principal that will issue licenses from this PL. The ISSUEDPRINCIPALS element contains the server public key, as well as the symmetric content key encrypted with the server public key.
The ISSUEDPRINCIPALS element MUST use the following template.
[[- publickey -]]
[[- enablingbits -]]
[[- GUID -]]: MUST be a unique GUID that identifies the server that will issue licenses from this PL, represented as a literal ASCII string enclosed in braces. For an offline-published PL, this MUST be taken from the object of the ISSUER element of the CLC. For an online-published PL, this MUST be taken from the object of the principal of the ISSUEDPRINCIPALS element of the SLC.
[[- name -]]: In RMS 2.0, this element SHOULD be a string that describes the server's name. This element is not present in RMS 1.0. For an offline-published PL, this MUST be taken from the object of the ISSUER element of the CLC. For an online-published PL, this MUST be taken from the object of the principal of the ISSUEDPRINCIPALS element of the SLC.
[[- address -]]: MUST be an ADDRESS element of type "URL" containing the URL of the server. For an offline-published PL, this MUST be taken from the object of the ISSUER element of the CLC. For an online-published PL, this MUST be taken from the object of the principal of the ISSUEDPRINCIPALS element of the SLC.
[[- publickey -]]: MUST contain the server public key. The exponent MUST be set to 65537. The size MUST be the size of the public key, in bits. The modulus MUST contain the modulus of the server public key. For an offline-published PL, this MUST be taken from the PUBLICKEY of the ISSUER element of the CLC. For an online-published PL, this MUST be taken from the PUBLICKEY of the principal of the ISSUEDPRINCIPALS element of the SLC.
[[- enablingbits -]]: MUST contain the symmetric content key encrypted with the server public key, contained within an ENABLINGBITS element.
2.2.9.7.5 OWNER
The OWNER element of the PL describes the author of the PL as a formal principal.
The OWNER element MUST use the following template.
[[- type -]]: MUST be the type of user account, as determined by the authentication scheme. For an ID authenticated by an Active Directory account, the type MUST be "Windows". For an ID authenticated by a server using the Microsoft Web Browser Federated Sign-On Protocol [MS-MWBF], the type MUST be "Federation". For an ID authenticated by Passport, the type MUST be "Passport".
[[- emailaddress -]]: MUST be a NAME element that contains the primary email address associated with the author's account.
2.2.9.7.6 AUTHENTICATEDDATA
The AUTHENTICATEDDATA element of the PL MUST contain the usage policy defined by the author of the PL. It MUST be encrypted to the server public key, and the encrypted results MUST be base64-encoded.
The AUTHENTICATEDDATA element MUST use the following template.
[[- encryptedrightsdata -]]
[[- encryptedrightsdata -]]: MUST be the usage policy defined by the author of the PL, encrypted to the server public key, and then base64-encoded. For information on the plaintext description (prior to base64 encoding and encryption), see section 2.2.9.8.
2.2.9.7.7 POLICYLIST
The POLICYLIST element of the PL contains zero or more POLICY elements.
If no POLICY elements are included, the POLICYLIST element MUST use the following template.
If at least one POLICY element is included, the POLICYLIST element MUST use the following template.
[[- policy -]]
[[- type -]]: MUST be the type of the policies in the list and MUST be either "inclusion" or "exclusion".
[[- policy -]]: MUST be a POLICY element and MAY have additional POLICY elements as peers.
2.2.9.7.8 POLICY
The POLICY element of the PL contains usage policy other than user rights. It MAY be used to define application restrictions, such as version requirements of an application that attempts to access the PL. It is created by the application that creates the PL.
If present, the POLICY element MUST use the following template.
[[- filename -]]: MUST be the file name of the application to which the policy applies.
[[- min -]]: MUST be the minimum version of the application named by [[- filename -]] to be included in this policy.
[[- max -]]: MUST be the maximum version of the application named by [[- filename -]] to be included in this policy.
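The POLICYLIST and POLICY elements above only define the data an application restriction carries (list type, file name, minimum and maximum version); the page does not spell out the decision procedure a consuming application applies. The following is an added example, not code from [MS-RMPR] or from any RMS implementation, showing one defensible evaluation of those elements. Its assumptions, none of which the page states: an exclusion POLICY that matches the application denies it; when at least one inclusion POLICY is present the application must match one of them; an empty POLICYLIST imposes nothing; file names compare case-insensitively (Windows semantics); versions are dotted decimal strings compared numerically with missing components treated as zero. The class and function names (`Policy`, `PolicyList`, `application_permitted`) are hypothetical.

```python
"""Evaluate PL application restrictions carried in POLICYLIST/POLICY elements.

Added example for [MS-RMPR] 2.2.9.7.7 and 2.2.9.7.8; not code from the
specification or any RMS product. The evaluation order (exclusions deny first,
inclusions then restrict, empty lists impose nothing) is an ASSUMPTION.
"""
from __future__ import annotations

from dataclasses import dataclass


def parse_version(text: str) -> tuple[int, ...]:
    """'1.2.10' -> (1, 2, 10). Raises ValueError on non-numeric components so a
    malformed min/max in a POLICY fails closed instead of silently matching."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if not parts:
        raise ValueError("empty version string")
    return parts


def _pad(v: tuple[int, ...], n: int) -> tuple[int, ...]:
    """Right-pad with zeros so '1.2' and '1.2.0' compare equal."""
    return v + (0,) * (n - len(v))


@dataclass(frozen=True)
class Policy:
    """One POLICY element: application file name plus [min, max] version range."""
    filename: str
    min_version: str
    max_version: str

    def matches(self, filename: str, version: str) -> bool:
        # Assumption: Windows file names, so compare case-insensitively.
        if filename.casefold() != self.filename.casefold():
            return False
        v, lo, hi = (parse_version(x) for x in (version, self.min_version, self.max_version))
        n = max(len(v), len(lo), len(hi))
        return _pad(lo, n) <= _pad(v, n) <= _pad(hi, n)


@dataclass(frozen=True)
class PolicyList:
    """One POLICYLIST element; type is "inclusion" or "exclusion" per 2.2.9.7.7."""
    type: str
    policies: tuple[Policy, ...] = ()

    def __post_init__(self) -> None:
        if self.type not in ("inclusion", "exclusion"):
            raise ValueError(f"unknown POLICYLIST type {self.type!r}")


def application_permitted(filename: str, version: str, lists: list[PolicyList]) -> bool:
    """Assumed decision order: any matching exclusion denies; if inclusions exist,
    the application must match one of them; otherwise it is permitted."""
    exclusions = [p for pl in lists if pl.type == "exclusion" for p in pl.policies]
    inclusions = [p for pl in lists if pl.type == "inclusion" for p in pl.policies]
    if any(p.matches(filename, version) for p in exclusions):
        return False
    if inclusions and not any(p.matches(filename, version) for p in inclusions):
        return False
    return True


if __name__ == "__main__":
    # Constructed sample lists, not taken from any real PL.
    block_old_viewer = PolicyList("exclusion", (Policy("viewer.exe", "1.0", "1.4.9"),))
    allow_known = PolicyList("inclusion", (Policy("viewer.exe", "1.0", "2.0"),
                                           Policy("editor.exe", "3.0", "3.9")))
    for app, ver in (("viewer.exe", "1.2"), ("VIEWER.EXE", "1.5"), ("viewer.exe", "2.1")):
        print(app, ver, "->", application_permitted(app, ver, [block_old_viewer, allow_known]))
```

Exclusions are checked before inclusions so that a vulnerable version range stays blocked even when the same application appears in an inclusion list; flipping that order would let a broad inclusion entry mask a narrow exclusion.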
2.2.9.7.9 CONDITIONLIST
The CONDITIONLIST element of the PL contains a URL where an XrML revocation list can be retrieved. The revocation list located at the specified URL MUST be a signed XrML document containing a REVOCATIONLIST element as specified in section 3.17 of [XRML] (http://go.microsoft.com/fwlink/?LinkId=90612).
If present, the CONDITIONLIST element MUST use the following template.
[[- publickey -]]
[[- type -]]: MUST be the type of the ID of the issuer of the revocation list.
[[- id -]]: MUST be the ID of the issuer of the revocation list.
[[- name -]]: An optional field containing a human-readable name of the revocation list site.
[[- address -]]: MUST be the URL of a location to download a revocation list.
[[- publickey -]]: MUST be a PUBLICKEY element (section 2.2.9.1.6) that contains the public key used to sign the revocation list.
[[- days -]]: The number of days in the time interval for refreshing the revocation list. If this value is zero, the days attribute SHOULD be omitted.
[[- hours -]]: The number of hours in the time interval for refreshing the revocation list. If this value is zero, the hours attribute SHOULD be omitted.
[[- minutes -]]: The number of minutes in the time interval for refreshing the revocation list. If this value is zero, the minutes attribute SHOULD be omitted.
[[- seconds -]]: The number of seconds in the time interval for refreshing the revocation list. If this value is zero, the seconds attribute SHOULD be omitted.
2.2.9.8 Encrypted Rights Data
The contents of the PL's AUTHENTICATEDDATA element having an ID of "Encrypted-Rights-Data" MUST be an XrML document, as defined in [XRML] (http://go.microsoft.com/fwlink/?LinkId=90612), referred to as Encrypted Rights Data (ERD). The ERD is XrML that defines the rights the author grants. It is encrypted for privacy protection and then base64-encoded. For a PL based on an official rights template, the contents of the ERD are copied verbatim from the rights template. The plaintext ERD MUST use the following template.
[[- issuedtime -]]
[[- descriptor -]]
[[- issuer -]]
[[- distributionpoint-pub -]]
[[- distributionpoint-ref -]]
[[- work -]]
[[- authenticateddata -]]
[[- exclusionpolicy -]]
[[- inclusionpolicy -]]
[[- signature -]]
[[- erdtype -]]: MUST be the type of ERD. If the ERD was generated based on an enterprise rights template, then this value MUST be "Microsoft Official Rights Template". Otherwise this value MUST be "Microsoft Rights Template".
[[- issuedtime -]]: MUST be an ISSUEDTIME (section 2.2.9.1.1) element containing the time the ERD was generated, in UTC.
[[- descriptor -]]: If present, MUST be a DESCRIPTOR (section 2.2.9.8.1) element describing the ERD.
[[- issuer -]]: MUST be present for an official rights template and MUST be an ISSUER (section 2.2.9.8.2) element describing the issuer of the ERD. The ISSUER SHOULD NOT be present if the [[- erdtype -]] is "Microsoft Rights Template".
[[- distributionpoint-pub -]]: MUST be present for an official rights template and MUST be a DISTRIBUTIONPOINT (section 2.2.9.8.3) element containing the URL address of the server that will issue ULs for this ERD.
[[- distributionpoint-ref -]]: An optional element containing the author's referral information. If present, MUST be a DISTRIBUTIONPOINT (section 2.2.9.8.3) element of type "Referral-Info".
[[- work -]]: A WORK element as specified in section 2.2.9.8.5. Contains a unique GUID for the certificate and at least one RIGHT element. Can also include metadata specifying the owner of the PL and a list of time conditions on the usage policy.
[[- authenticateddata -]]: MAY be one or more AUTHENTICATEDDATA elements as defined in section 2.2.9.8.6.
[[- exclusionpolicy -]]: MAY be a POLICYLIST (section 2.2.9.7.7) element in a signed PL with type "exclusion" that identifies an exclusion policy list that applies to the PL and the information the PL protects.
[[- inclusionpolicy -]]: MAY be a POLICYLIST (section 2.2.9.7.7) element in a signed PL with type "inclusion" that identifies an inclusion policy list that applies to the PL and the information the PL protects.
[[- signature -]]: MUST only be present for an official rights template. MUST be a SIGNATURE (section 2.2.9.1.12) element containing the cryptographic signature of the body of the certificate, generated by the issuer of the certificate. The hash MUST be the SHA-1 hash of the body. The signature MUST be the hash encrypted with the issuer's private key. The key length MUST be the length of the issuer's private key, which MUST match the length of the issuer's public key.
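The SIGNATURE rule is stated three times in this part of the specification, for the CLC (section 2.2.9.6), the PL (section 2.2.9.7) and the ERD above: hash the body, apply the issuer's RSA private key (exponent 65537) to the hash, and require the signature length to equal the issuer's key length. The block below carries that rule out on both the issuing and the relying side. It is an added example, not code from [MS-RMPR] or from any RMS client or server. It assumes a PKCS#1 v1.5 DigestInfo encoding around the SHA-1 digest, because the page says only that the hash is "encrypted with the issuer's private key" and names no padding scheme; it also uses a constructed, deliberately insecure test key built from two Mersenne primes so that it runs offline with the standard library alone. The function names (`sign_body`, `verify_signature`) and the sample BODY bytes are hypothetical.

```python
"""Sign and verify a certificate/license BODY as the [MS-RMPR] SIGNATURE rule
describes it: SHA-1 over the BODY, the digest processed with the issuer's RSA
private key (e = 65537), and a signature exactly as long as the issuer's key.

Added example, not code from [MS-RMPR] or any RMS implementation.
Assumptions not on the page: PKCS#1 v1.5 DigestInfo padding (RFC 8017, 9.2);
the key below is a constructed TEST key and is not secure.
"""
import hashlib
import hmac

E = 65537
# Constructed test key: p = 2**521 - 1 and q = 2**607 - 1 are both prime, but a
# real key must never use primes this structured. Chosen only for determinism.
_P = (1 << 521) - 1
_Q = (1 << 607) - 1
N = _P * _Q
D = pow(E, -1, (_P - 1) * (_Q - 1))          # gcd(E, phi) == 1 for these primes
KEY_LEN = (N.bit_length() + 7) // 8          # 141 bytes for this test key

# DER prefix of DigestInfo for SHA-1 (RFC 8017 section 9.2, note 1).
_SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")


def _emsa_pkcs1_v15(body: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5 encoding of SHA-1(body) to k bytes: 00 01 FF..FF 00 T."""
    t = _SHA1_DIGESTINFO + hashlib.sha1(body).digest()
    pad_len = k - len(t) - 3
    if pad_len < 8:
        raise ValueError("key too short for a SHA-1 DigestInfo")
    return b"\x00\x01" + b"\xff" * pad_len + b"\x00" + t


def sign_body(body: bytes, d: int = D, n: int = N) -> bytes:
    """Issuer side: hash the BODY, pad, apply the private-key operation.
    The result is always k bytes, k being the modulus length."""
    k = (n.bit_length() + 7) // 8
    em = int.from_bytes(_emsa_pkcs1_v15(body, k), "big")
    return pow(em, d, n).to_bytes(k, "big")


def verify_signature(body: bytes, signature: bytes, e: int = E, n: int = N) -> bool:
    """Relying-party side. True only when the signature length equals the
    issuer's key length (the spec's key-length rule) AND the recovered
    encoding equals the freshly computed encoding of SHA-1(body)."""
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    s = int.from_bytes(signature, "big")
    if s >= n:
        return False
    recovered = pow(s, e, n).to_bytes(k, "big")
    expected = _emsa_pkcs1_v15(body, k)
    # Compare the complete encoding in constant time. Never "parse" the padding
    # loosely and then look for the digest inside it; that lenient parsing is
    # what made the 2006 Bleichenbacher e=3 signature forgeries possible.
    return hmac.compare_digest(recovered, expected)


if __name__ == "__main__":
    # Constructed stand-in for a BODY; a real one is the XrML BODY element.
    body = b'<BODY type="LICENSE"><ISSUEDTIME>2024-01-01T00:00</ISSUEDTIME></BODY>'
    sig = sign_body(body)
    print("valid     :", verify_signature(body, sig))
    print("tampered  :", verify_signature(body + b" ", sig))
    print("short sig :", verify_signature(body, sig[:-1]))
```

Two checks in `verify_signature` map directly onto the text: the length comparison is the "key length MUST match" rule, and the full-encoding comparison is the "hash of the body" rule applied without trusting anything the signer put around the digest. The SHA-1 choice is the page's, not a recommendation; it is stated here only so the example matches the document.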
2.2.9.8.1 DESCRIPTOR
The DESCRIPTOR element of the ERD describes the ERD and MUST use the following template.
[[- GUID -]]: MUST be a unique GUID that identifies the ERD, represented as a literal ASCII string enclosed in braces.
[[- name -]]: MUST be a NAME element providing the name of the policy described in the ERD. The text of this element is structured as follows. One or more occurrences of the following structure MUST be present in each ERD descriptor, separated by a semicolon.
LCID [[- lcid -]]:NAME [[- name2 -]]:DESCRIPTION [[- description -]];
[[- lcid -]]: MUST be the locale identifier (LCID) describing the language in which the name and description that follow it are encoded.
[[- name2 -]]: MUST be the name of the policy, encoded in the language defined by the [[- lcid -]].
[[- description -]]: MUST be the description of the policy, encoded in the language defined by the [[- lcid -]].
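The localized name string described here and in the PL DESCRIPTOR (section 2.2.9.7.1) is the same format, so one parser serves both. The block below is an added example, not code from [MS-RMPR] or any RMS implementation; it turns the semicolon-separated `LCID ...:NAME ...:DESCRIPTION ...;` text into structured entries and picks the one for a caller's locale. Because the page defines no escaping, the example assumes that an entry boundary is only a semicolon immediately followed by the next `LCID <digits>:NAME` keyword, so a stray `;` or `:` inside a description is kept as data rather than treated as a delimiter. The sample strings and the names `parse_name_element` and `pick_name` are constructed for the example.

```python
"""Parse the NAME text of a PL or ERD DESCRIPTOR ([MS-RMPR] 2.2.9.7.1, 2.2.9.8.1):

    LCID <lcid>:NAME <name>:DESCRIPTION <description>;   (repeated, ';'-separated)

Added example, not code from [MS-RMPR] or any RMS product. Assumption: no
escaping is defined, so entries are cut only where ";LCID <digits>:NAME "
begins; ';' or ':' elsewhere is data.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Entry boundary: start of string, or a ';' immediately followed by the next
# "LCID <decimal>:NAME " keyword. The lookahead leaves the keyword in the chunk.
_ENTRY_START = re.compile(r"(?:^|;)(?=LCID\s+\d+:NAME\s)")
# One entry; the trailing ';' is optional because the split above may have
# consumed it. Non-greedy groups stop at the first ":DESCRIPTION " keyword.
_ENTRY = re.compile(r"^LCID\s+(\d+):NAME\s(.*?):DESCRIPTION\s(.*?);?$", re.S)


@dataclass(frozen=True)
class LocalizedName:
    lcid: int
    name: str
    description: str


def parse_name_element(text: str) -> list[LocalizedName]:
    """Return the entries in document order; raise ValueError on malformed text
    (including the zero-entry case the spec forbids)."""
    chunks = [c for c in _ENTRY_START.split(text) if c.strip()]
    if not chunks:
        raise ValueError("NAME text contains no LCID entry")
    entries = []
    for chunk in chunks:
        m = _ENTRY.match(chunk)
        if not m:
            raise ValueError(f"malformed NAME entry: {chunk!r}")
        entries.append(LocalizedName(int(m.group(1)), m.group(2), m.group(3)))
    return entries


def pick_name(entries: list[LocalizedName], preferred_lcid: int) -> LocalizedName:
    """Entry for the caller's locale, else the first listed one. The spec only
    guarantees at least one entry, not any particular locale, so a consumer
    must have a fallback rather than fail."""
    for entry in entries:
        if entry.lcid == preferred_lcid:
            return entry
    return entries[0]


if __name__ == "__main__":
    # Constructed sample; 1033 is en-US and 1031 is de-DE.
    sample = ("LCID 1033:NAME Confidential:DESCRIPTION Internal; do not forward;"
              "LCID 1031:NAME Vertraulich:DESCRIPTION Nicht weiterleiten;")
    for entry in parse_name_element(sample):
        print(entry)
    print(pick_name(parse_name_element(sample), 1036))   # fr-FR absent -> falls back
```

A consumer that displays this name to the user should treat it as untrusted text from the PL author: it is a display string only and has no bearing on which rights the ERD grants.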
2.2.9.8.2 ISSUER
The ISSUER element of the ERD MUST identify the issuer of the ERD. The object and PUBLICKEY elements of the ISSUER element MUST be copied verbatim from the principal element in the ISSUEDPRINCIPALS element of the template if it is based on a template.
The object and PUBLICKEY elements of the ISSUER element MUST be copied verbatim from the PRINCIPAL element in the ISSUEDPRINCIPALS element of the CLC if a template is not used.
The ISSUER element MUST use the following template.
[[- object -]]
[[- publickey -]]
[[- object -]]: MUST be an object element copied verbatim from the principal element in the ISSUEDPRINCIPALS element of the issuer.
[[- publickey -]]: MUST contain the issuer's public key. The exponent MUST be set to 65537. The size MUST be the size of the issuer's public key, in bits. The modulus MUST contain the modulus of the issuer's public key.
2.2.9.8.3 DISTRIBUTIONPOINT
The DISTRIBUTIONPOINT element of the ERD describes the location of the server that will be used for issuing ULs based on the ERD. The DISTRIBUTIONPOINT elements MUST use the following template.
[[- type -]]: MUST be the type of the DISTRIBUTIONPOINT address. For an ERD [[- distributionpoint-pub -]] the type is "Publishing-URL". For an ERD [[- distributionpoint-ref -]] the type is "Referral-Info".
[[- GUID -]]: MUST be a unique GUID that identifies this DISTRIBUTIONPOINT element, represented as a literal ASCII string enclosed in braces.
[[- address -]]: MUST be an ADDRESS element of type "URL" containing the URL of the server or an email address when the object type is "Referral-Info".
[[- name -]]: MUST be a name for the object. For an object of type "Publishing-URL", this element contains the text "Publishing Point". For an object of type "Referral-Info", this element MUST contain the display name of the referral address.
2.2.9.8.4 TIME
The TIME element specifies the period of time for which the document or right can be accessed. The element MAY be present.
When present, the element MAY be specified in two ways. One of the following two ways MUST be used if this element is present.
Form 1
[[- fromtime -]]: Specifies the beginning date and time for the document to be considered valid (as in "not expired"). The time is expressed in UTC format.
[[- untiltime -]]: Specifies the end date and time for the document to be considered valid (as in "not expired"). The time is expressed in UTC format.
Form 2
[[- numberofdays -]]: Specifies the number of days from the ISSUEDTIME that the document will be considered valid (as in "not expired").
2.2.9.8.5 WORK
The WORK element MUST use the following template.
[[- owner -]]
[[- preconditionlist -]]
[[- right -]]
[[- GUID -]]: MUST be a unique GUID that identifies the certificate, represented as a literal ASCII string enclosed in braces.
[[- owner -]]: An optional element that specifies the owner of the PL. If present, it MUST be a METADATA element as specified in section 2.2.9.8.5.1.
[[- preconditionlist -]]: An optional element that specifies the time conditions on the usage policy. If present, it MUST be a PRECONDITIONLIST element as specified in section 2.2.9.8.5.2.
[[- right -]]: MUST be one or more RIGHT elements as specified in section 2.2.9.8.5.3.
2.2.9.8.5.1 METADATA
The METADATA element of the ERD describes the author of the PL as a formal principal.
The METADATA element MUST use the following template.
[[- type -]]: MUST be the type of user account, as determined by the authentication scheme. For an ID authenticated by an Active Directory account, the type MUST be "Windows". For an ID authenticated by a server using the Microsoft Web Browser Federated Sign-On Protocol [MS-MWBF], the type MUST be "Federation". For an ID authenticated by Passport, the type MUST be "Passport".
[[- emailaddress -]]: MUST be a NAME element that contains the primary email address associated with the author's account.
2.2.9.8.5.2 PRECONDITIONLIST
The PRECONDITIONLIST element specifies the time conditions on the usage policy. It MUST use the following template:
[[- time -]]
[[- time -]]: MUST be a TIME element (section 2.2.9.8.4) specifying the time conditions of the policy.
2.2.9.8.5.3 RIGHT
The RIGHT element describes a right assigned to a principal. One or more RIGHT elements MUST be present. The RIGHT element MUST follow one of the two following forms.
Form 1
[[- timecondition -]]
Form 2
<[[- rightname -]] >
[[- timecondition -]]
[[- rightname -]] >
[[- rightname -]]: In form 1, the name of the right MUST be an attribute on a RIGHT element and can be any arbitrary right name. In form 2, the name of the right MUST be the name of the element, and MUST be one of a set of the following reserved values:
VIEW
PRINT
EDIT
FORWARD
VIEWRIGHTSDATA
[[- timecondition -]]: MAY exist to specify a number of days for which the right can be exercised. If present, this MUST be a TIME element as specified in section 2.2.9.8.4.
[[- type -]]: MUST be the type of identity that possesses the right. Possible identity type values include the following literal strings: "Unspecified", "Windows", or "Internal".
[[- userid -]]: MAY be present if the type is "Windows". If present, it MUST be the SID of the identity that possesses the right. If the type is "Internal", it MUST be present and contain either "Owner" or "Anyone".
[[- emailaddress -]]: MUST be present if the type is "Unspecified", or if the type is "Windows" and [[- userid -]] is not present. MUST be a NAME element that contains the primary email address associated with the identity that possesses the right.
2.2.9.8.6 AUTHENTICATEDDATA
The AUTHENTICATEDDATA element of the ERD contains the usage policy defined by the rights policy template author. For an ERD, this element always represents application-specific data. One or more AUTHENTICATEDDATA elements MAY be present and MUST use the following forms.
If present, the AUTHENTICATEDDATA element MUST use the following template.
[[- value -]]
[[- name -]]: The name of the application-specific control. There are two predefined controls:
VIEWER: Specifies whether the protected document can be opened in a browser.
NOLICCACHE: Specifies whether the use license received from the server should be cached (stored in the client's local store).
[[- value -]]: The value of the application-specific control. For the preceding predefined controls, the value indicates the following:
VIEWER: '0', or when the element does not exist: Do not allow viewing in a browser. '1': Allow viewing in a browser.
NOLICCACHE: '0', or when the element does not exist: Allow UL caching. '1': Do not allow UL caching.
2.2.9.9 Use License
This section defines the format of the UL. The UL names an issued principal via the ISSUEDPRINCIPALS element and then grants a set of rights to that principal, one right per RIGHT element.
The UL SHOULD use the following template.
[[- issuedtime -]]
[[- descriptor -]]
[[- issuer -]]
[[- issuedprincipals -]]
[[- distributionpoint-ref -]]
[[- workobject -]]
[[- owner -]]
[[- revocationpoint -]]
[[- right -]]
[[- condition -]]
[[- exclusionpolicy -]]
[[- inclusionpolicy -]]
[[- signature -]]
[[- issuedtime -]]: MUST be an ISSUEDTIME (section 2.2.9.1.1) element containing the time the UL was generated, in UTC.
[[- descriptor -]]: MUST be a DESCRIPTOR (section 2.2.9.9.1) element describing the UL.
[[- issuer -]]: MUST be an ISSUER (section 2.2.9.9.2) element describing the issuer of the UL.
[[- issuedprincipals -]]: MUST be an ISSUEDPRINCIPALS (section 2.2.9.9.3) element describing the principal and the user public key for which the UL is issued.
[[- distributionpoint-ref -]]: An optional element containing the author's referral information. If present, it MUST be a DISTRIBUTIONPOINT (section 2.2.9.9.4) element of type "Referral-Info".
[[- workobject -]]: MUST be an object element that identifies the content to which the UL applies. This object is created by the application used to create the PL that the UL was generated from, and therefore will contain application-specific information.
[[- owner -]]: MAY be an OWNER (section 2.2.9.9.5) element that describes the author of the document.
[[- revocationpoint -]]: An optional field that specifies the location of a revocation list for the UL. If present, it MUST be a CONDITIONLIST (section 2.2.9.9.10) element.
[[- right -]]: MUST be an element, as defined in section 2.2.9.9.6, that defines a right and the principal that possesses the right.
[[- condition -]]: MAY be an element, as defined in section 2.2.9.9.9, that defines an excluded OS version span.
[[- exclusionpolicy -]]: MAY be a POLICYLIST (section 2.2.9.7.7) element with type "exclusion" that identifies an exclusion policy list that applies to the UL and the information that the UL protects.
[[- inclusionpolicy -]]: MAY be a POLICYLIST (section 2.2.9.7.7) element with type "inclusion" that identifies an inclusion policy list that applies to the UL and the information that the UL protects.
[[- signature -]]: MUST be a SIGNATURE (section 2.2.9.1.12) element containing the cryptographic signature of the body of the certificate, generated by the issuer of the certificate. The hash MUST be the hash of the body. The signature MUST be the hash encrypted with the issuer's private key. The key length MUST be the length of the issuer's private key, which MUST match the length of the issuer's public key.
2.2.9.9.1 DESCRIPTOR
The DESCRIPTOR element of the UL describes the UL and MUST use the following template.
[[- GUID -]]: MUST be a unique GUID that identifies this DISTRIBUTIONPOINT element, represented as a literal ASCII string enclosed in braces.
[[- name -]]: MAY be a NAME element giving the name of the policy described in the UL.
2.2.9.9.2 ISSUER
The ISSUER element of the UL identifies the issuer of the license. The object and PUBLICKEY elements of the ISSUER element MUST be copied verbatim from the object and PUBLICKEY elements of the ISSUER element in the PL used to generate this UL.
The ISSUER element MUST use the following template.
[[- object -]]
[[- publickey -]]
[[- object -]]: MUST be an object element copied verbatim from the principal element in the ISSUEDPRINCIPALS element of the issuer.
[[- publickey -]]: MUST contain the issuer's public key. The exponent MUST be set to 65537. The size MUST be the size of the issuer's public key, in bits. The modulus MUST contain the modulus of the issuer's public key.
2.2.9.9.3 ISSUEDPRINCIPALS
The ISSUEDPRINCIPALS element of the UL identifies the RAC to which this UL is issued. All rights in the UL are granted to this RAC. The principal element MUST be copied verbatim from the principal element in the ISSUEDPRINCIPALS element of the RAC.
The ISSUEDPRINCIPALS element MUST use the following template.
[[- publickey -]]
[[- type -]]: MUST be the type of user account, determined by the authentication scheme. For a RAC issued by a server that has authenticated the user by an Active Directory account, the type MUST be "Windows". For a RAC issued by a server using Microsoft Web Browser Federated Sign-On authentication [MS-MWBF], the type MUST be "Federation". For a RAC issued by the RMS Account Certification cloud service using Passport authentication, the type is "Passport".
[[- userid -]]: MUST be the identity of the user. For a RAC issued to a user's Active Directory credentials, this MUST be the user's SID. For a RAC issued to a user's Microsoft Web Browser Federated Sign-On credentials, this MUST be a unique GUID. For a RAC issued to a user's Passport credentials, this MUST be the user's PUID.
[[- emailaddress -]]: MUST be a NAME element that contains the primary email address associated with the user's account.
[[- emailalias -]]: Contains an email alias for a Microsoft Web Browser Federated Sign-On authenticated user [MS-MWBF]. This element MAY exist for RACs of type "Federation". This element MUST NOT exist for RACs of type "Windows" or "Passport". If present, this MUST be an ADDRESS element of type "email_alias" containing an email address. There MAY be multiple ADDRESS elements as peers, with one element for each email alias.
[[- publickey -]]: MUST contain the RAC public key. The exponent is set to 65537. The size MUST be the size of the RAC public key, in bits. The modulus MUST contain the modulus of the RAC public key.
2.2.9.9.4 DISTRIBUTIONPOINT
The DISTRIBUTIONPOINT element of the UL contains the referral information of the author.
The DISTRIBUTIONPOINT elements MUST use the following template.
[[- GUID -]]: MUST be a unique GUID that identifies this DISTRIBUTIONPOINT element, represented as a literal ASCII string enclosed in braces.
[[- name -]]: MUST be a name for the object.
[[- address -]]: MUST be an ADDRESS element of type "URL" containing the URL of a server or an email address.
2.2.9.9.5 OWNER
The OWNER element of the UL describes the author of the PL that was used to create the UL. It grants no rights by itself, whereas the RIGHT element with name OWNER does formally grant the owner rights.
The OWNER element MUST follow this template.
[[- type -]]: MUST be the type of user account, as determined by the authentication scheme. For an ID authenticated by an Active Directory account, the type MUST be "Windows". For an ID authenticated by a server using the Microsoft Web Browser Federated Sign-On Protocol [MS-MWBF], the type MUST be "Federation". For an ID authenticated by Passport, the type MUST be "Passport".
[[- emailalias -]]: MUST be a NAME element that contains the primary email address associated with the user's account.
2.2.9.9.6 RIGHT
The RIGHT element describes a right assigned to the principal named in the use license. One or more RIGHT elements MUST be present.
Each RIGHT element MUST use one of the two following template forms.
Form 1
[[- enablingbits -]]
[[- rangetime -]]
[[- intervaltime -]]
Form 2
<[[- rightname -]] >
[[- enablingbits -]]
[[- rangetime -]]
[[- intervaltime -]]
[[- rightname -]] >
[[- rightname -]]: In form 1, the name of the right MUST be a name attribute on a RIGHT element and can be any arbitrary right name. In form 2, the name of the right MUST be the name of the element and MUST be one of a set of the following reserved rights:
VIEW
PRINT
EDIT
FORWARD
VIEWRIGHTSDATA
OWNER
If the UL has been issued to the author of the original PL, then there MUST be one RIGHT element named OWNER and it MUST follow form 1. All rights to the protected information are granted to this owner and further RIGHT elements MUST NOT be present.
[[- enablingbits -]]: MUST contain the symmetric content key encrypted with the user's public key, contained within an ENABLINGBITS element.
[[- rangetime -]]: SHOULD exist to specify a period of time for which the right can be exercised. If present, this MUST take the following form.
[[- time -]]: MUST be the time in the format Coordinated Universal Time (UTC).
[[- intervaltime -]]: SHOULD exist to specify a number of days or a time range for which the right can be exercised. If present, this MUST take the following form.
[[- intervaltimedays -]]: MUST be the number of days specified for the time condition.
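As an added illustration (not code from [MS-RMPR] or from any RMS implementation), the following Python enumerates the RIGHT elements of a UL in both forms and applies the OWNER rule stated above; the ERD RIGHT element (section 2.2.9.8.5.3) uses the same two-form layout. The page does not reproduce the template markup, so the layout is assumed: form 1 is <RIGHT name="..."/> (the name attribute is the one the text names), form 2 uses the reserved right name as the element tag, and the enclosing BODY element and sample rights are constructed stand-ins.

```python
"""Enumerate RIGHT elements of a use license (both forms) and check the OWNER rule."""
import xml.etree.ElementTree as ET

# Reserved right names allowed as element tags in form 2 (section 2.2.9.9.6).
RESERVED_UL_RIGHTS = {"VIEW", "PRINT", "EDIT", "FORWARD", "VIEWRIGHTSDATA", "OWNER"}


def parse_rights(container):
    """Return [(rightname, form), ...] for the RIGHT elements directly under container.

    Form 1 is assumed to be <RIGHT name="...">; form 2 is an element whose tag is a
    reserved right name. Other children (ISSUEDTIME, DESCRIPTOR, ...) are not rights
    and are skipped, so an unreserved form-2 tag is indistinguishable from them.
    """
    rights = []
    for child in container:
        if child.tag == "RIGHT":
            name = child.get("name")
            if not name:
                raise ValueError("form 1 RIGHT element has no name attribute")
            rights.append((name, 1))
        elif child.tag in RESERVED_UL_RIGHTS:
            rights.append((child.tag, 2))
    return rights


def check_ul_rights(rights):
    """Validate the list against the UL rules.

    Returns "owner" for a well-formed owner license, "ok" for a well-formed
    recipient license, or an "invalid: ..." string naming the violated rule.
    """
    if not rights:
        return "invalid: at least one RIGHT element MUST be present"
    names = [name for name, _ in rights]
    if "OWNER" in names:
        if len(rights) != 1:
            return "invalid: an OWNER right MUST be the only RIGHT element"
        if rights[0][1] != 1:
            return "invalid: the OWNER right MUST use form 1"
        return "owner"
    return "ok"


def has_right(rights, wanted):
    """True if the license grants `wanted`; OWNER grants every right."""
    names = {name.upper() for name, _ in rights}
    return "OWNER" in names or wanted.upper() in names


def rights_of(xml_text):
    """Parse a UL body given as text (the BODY wrapper is an assumed layout)."""
    return parse_rights(ET.fromstring(xml_text))


# Constructed sample fragments, not taken from any real license.
RECIPIENT_UL = """<BODY type="LICENSE">
  <ISSUEDTIME>2024-01-10T00:00</ISSUEDTIME>
  <RIGHT name="VIEW"/>
  <PRINT/>
  <RIGHT name="CUSTOMEXPORT"/>
</BODY>"""
OWNER_UL = '<BODY type="LICENSE"><RIGHT name="OWNER"/></BODY>'
BAD_UL = '<BODY type="LICENSE"><RIGHT name="OWNER"/><VIEW/></BODY>'

if __name__ == "__main__":
    for label, doc in (("recipient", RECIPIENT_UL), ("owner", OWNER_UL), ("bad", BAD_UL)):
        found = rights_of(doc)
        print(label, found, check_ul_rights(found), "EDIT granted:", has_right(found, "EDIT"))
```

A consumer that only looks for form-2 tags would miss every form-1 right, and one that treats any RIGHT as a grant would miss that an OWNER license implies all rights; the two functions separate those concerns so that a malformed owner license (OWNER plus further rights) is reported rather than silently honoured.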
2.2.9.9.7 POLICYLIST
The POLICYLIST element of the UL contains zero or more POLICY elements.
If no POLICY elements are included, the POLICYLIST element MUST use the following template.
If at least one POLICY element is included, the POLICYLIST element MUST use the following template.
[[- policy -]]
[[- type -]]: MUST be the type of the policies in the list and MUST be either "inclusion" or "exclusion".
[[- policy -]]: MUST be a POLICY element and MAY have additional POLICY elements as peers.
2.2.9.9.8 POLICY
The POLICY element of the UL contains usage policy other than user rights. It MUST be copied verbatim from the PL, if present. It MAY be used to define application restrictions, such as version requirements of an application that tries to access the PL. It is created by the application that creates the PL.
The POLICY element MUST use the following template.
[[- filename -]]: MUST be the file name of the application to which the policy applies.
[[- min -]]: MUST be the minimum version of the application named by [[- filename -]] to be included in this policy.
[[- max -]]: MUST be the maximum version of the application named by [[- filename -]] to be included in this policy.
2.2.9.9.9 CONDITION
The CONDITION element of the UL contains usage conditions. It MAY be used to define OS version exclusions.
The CONDITION element MUST use the following template.
[[- minversion -]]-[[- maxversion -]]
[[- minversion -]]: MUST be the minimum version of the OS exclusion policy.
[[- maxversion -]]: MUST be the maximum version of the OS exclusion policy.
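An added example (not from [MS-RMPR] or RMS) that applies the POLICY version ranges (sections 2.2.9.9.7 and 2.2.9.9.8) and the CONDITION OS-version span above to an application name and version and to an OS version. The page gives the fields but not the template markup, so the POLICYLIST/POLICY/FILENAME/MIN/MAX element layout and the CONDITION text layout are assumed; the exclusion semantics follow the text, while the inclusion-list interpretation (a list that names the file but does not cover its version blocks it) is an assumption. Versions are compared as dotted integer tuples padded with zeros, so "12.0" and "12.0.0.0" compare equal.

```python
"""Evaluate application POLICY version ranges and the CONDITION OS-version exclusion."""
import xml.etree.ElementTree as ET


def parse_version(text):
    """'5.2.3790.0' -> (5, 2, 3790, 0); anything non-numeric is rejected."""
    try:
        return tuple(int(part) for part in text.strip().split("."))
    except (AttributeError, ValueError):
        raise ValueError(f"malformed version: {text!r}") from None


def _pad(version, width):
    return version + (0,) * (width - len(version))


def version_in_range(version, low, high):
    """Inclusive range test; shorter tuples are zero-padded before comparison."""
    width = max(len(version), len(low), len(high))
    return _pad(low, width) <= _pad(version, width) <= _pad(high, width)


def parse_policylist(xml_text):
    """Return (type, [(filename, min, max), ...]) from a POLICYLIST element.

    Assumed layout: <POLICYLIST type="exclusion|inclusion"><POLICY><FILENAME/>
    <MIN/><MAX/></POLICY>...</POLICYLIST>. The type is validated because the
    page allows only "inclusion" or "exclusion".
    """
    root = ET.fromstring(xml_text)
    kind = root.get("type")
    if kind not in ("inclusion", "exclusion"):
        raise ValueError(f"POLICYLIST type MUST be inclusion or exclusion, got {kind!r}")
    policies = []
    for policy in root.findall("POLICY"):
        filename = (policy.findtext("FILENAME") or "").strip()
        if not filename:
            raise ValueError("POLICY without a filename")
        policies.append((filename,
                         parse_version(policy.findtext("MIN")),
                         parse_version(policy.findtext("MAX"))))
    return kind, policies


def policy_covers(policies, filename, version):
    """True if some POLICY names this file (case-insensitively) and its range includes version."""
    return any(name.lower() == filename.lower() and version_in_range(version, low, high)
               for name, low, high in policies)


def application_blocked(policylists, filename, version):
    """Assumed semantics: an exclusion hit blocks the application; an inclusion
    list that names the file but does not cover its version also blocks it."""
    v = parse_version(version)
    for kind, policies in policylists:
        if kind == "exclusion" and policy_covers(policies, filename, v):
            return True
        if kind == "inclusion":
            named = [p for p in policies if p[0].lower() == filename.lower()]
            if named and not policy_covers(named, filename, v):
                return True
    return False


def parse_condition(text):
    """'5.0.0-5.2.9' -> ((5, 0, 0), (5, 2, 9)); versions contain no '-', so split on the first."""
    low, sep, high = text.strip().partition("-")
    if not sep:
        raise ValueError(f"CONDITION MUST be minversion-maxversion, got {text!r}")
    return parse_version(low), parse_version(high)


def os_excluded(condition_text, os_version):
    """True if os_version lies inside the excluded span."""
    low, high = parse_condition(condition_text)
    return version_in_range(parse_version(os_version), low, high)


# Constructed sample lists (file names and ranges are illustrative, not real policies).
EXCLUSION_LIST = """<POLICYLIST type="exclusion">
  <POLICY><FILENAME>WINWORD.EXE</FILENAME><MIN>11.0.0.0</MIN><MAX>11.0.9999.9999</MAX></POLICY>
</POLICYLIST>"""
INCLUSION_LIST = """<POLICYLIST type="inclusion">
  <POLICY><FILENAME>OUTLOOK.EXE</FILENAME><MIN>12.0</MIN><MAX>16.99</MAX></POLICY>
</POLICYLIST>"""

if __name__ == "__main__":
    lists = [parse_policylist(EXCLUSION_LIST), parse_policylist(INCLUSION_LIST)]
    print("winword 11.0.8173.0 blocked:", application_blocked(lists, "winword.exe", "11.0.8173.0"))
    print("outlook 14.0.0.0 blocked:", application_blocked(lists, "outlook.exe", "14.0.0.0"))
    print("OS 5.1.2600 excluded:", os_excluded("5.0.0-5.2.9", "5.1.2600"))
```

The comparison deliberately avoids string ordering ("9.0" would otherwise sort above "11.0"), and malformed versions raise instead of being coerced, since a consumer that fails open on a garbled policy would defeat the exclusion.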
2.2.9.9.10 CONDITIONLIST
The CONDITIONLIST element of the UL contains a URL where an XrML revocation list can be retrieved. The revocation list located at the specified URL MUST be a signed XrML document containing a REVOCATIONLIST element as specified in section 3.17 of [XRML] (http://go.microsoft.com/fwlink/?LinkId=90612).
If present, the CONDITIONLIST element MUST use the following template.
[[- publickey -]]
[[- type -]]: MUST be the type of the ID of the issuer of the revocation list.
[[- id -]]: MUST be the ID of the issuer of the revocation list.
[[- name -]]: An optional field containing a human-readable name of the revocation list site.
[[- address -]]: MUST be the URL of a location to download a revocation list.
[[- publickey -]]: MUST be a PUBLICKEY element (section 2.2.9.1.6) that contains the public key used to sign the revocation list.
[[- days -]]: The number of days in the time interval for refreshing the revocation list. If this value is zero, the days attribute SHOULD be omitted.
[[- hours -]]: The number of hours in the time interval for refreshing the revocation list. If this value is zero, the hours attribute SHOULD be omitted.
[[- minutes -]]: The number of minutes in the time interval for refreshing the revocation list. If this value is zero, the minutes attribute SHOULD be omitted.
[[- seconds -]]: The number of seconds in the time interval for refreshing the revocation list. If this value is zero, the seconds attribute SHOULD be omitted.
2.2.9.10 Rights Policy Template
This section defines the format of the rights policy template. Templates are generated by an administrator on the server and then distributed to client machines. A client generates a PL from a template when a user uses it to protect a document (offline publishing). The PL is signed using the CLC.
The rights policy template MUST use the following template.
[[- issuedtime -]]
[[- descriptor -]]
[[- issuer -]]
[[- distributionpoint-pub -]]
[[- distributionpoint-ref -]]
[[- work -]]
[[- authenticateddata -]]
[[- signature -]]
[[- issuedtime -]]: MUST be an ISSUEDTIME element containing the time the rights policy template was generated, in UTC.
[[- descriptor -]]: MUST be a DESCRIPTOR element describing the rights policy template, as defined in section 2.2.9.10.1.
[[- issuer -]]: MUST be an ISSUER element describing the issuer of the rights policy template, as defined in section 2.2.9.10.2.
[[- distributionpoint-pub -]]: MUST be a DISTRIBUTIONPOINT element containing the intranet licensing URL of the server that will issue ULs for the PL generated from this rights policy template, as specified in section 2.2.9.10.3.
[[- distributionpoint-ref -]]: MUST be a DISTRIBUTIONPOINT element containing the rights request referral information, as specified in section 2.2.9.10.3.
[[- work -]]: MUST be a WORK element containing the policy, as specified in section 2.2.9.10.4.
[[- authenticateddata -]]: MUST be an AUTHENTICATEDDATA element that describes the usage policy issued by the author, as specified in section 2.2.9.10.5.
[[- signature -]]: MUST be a SIGNATURE element containing the cryptographic signature of the body of the certificate, generated by the issuer of the certificate. The hash MUST be the hash of the body. The signature MUST be the hash encrypted with the issuer's private key. The key length MUST be the length of the issuer's private key, which MUST match the length of the issuer's public key.
2.2.9.10.1 DESCRIPTOR
The DESCRIPTOR element of the rights policy template describes the type of the license and MUST use the following template.
[[- GUID -]]: MUST be a unique GUID that identifies the rights policy template, represented as a literal ASCII string enclosed in braces.
[[- name -]]: MUST be a NAME element providing the name of the rights policy template. The text of this element is structured as follows. One or more occurrences of the following structure MUST be present in each NAME element, separated by a semicolon.
LCID [[- lcid -]]:NAME [[- name2 -]]:DESCRIPTION [[- description -]];
[[- lcid -]]: MUST be the LCID describing the language in which the NAME and DESCRIPTION that follow it are encoded.
[[- name2 -]]: MUST be the name of the policy, encoded in the language defined by the [[- lcid -]].
[[- description -]]: MUST be the description of the policy, encoded in the language defined by the [[- lcid -]].
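The following added example (not part of [MS-RMPR] or of any RMS implementation) parses the LCID/NAME/DESCRIPTION string defined above, which the ERD DESCRIPTOR earlier in this section uses in the same form, and selects the name for a caller's LCID with a fallback. It assumes the trailing semicolon is optional on the last entry and that neither a NAME nor a DESCRIPTION contains a semicolon; text between or after entries that does not fit the structure is rejected rather than skipped.

```python
"""Parse the LCID/NAME/DESCRIPTION string carried in a rights policy template NAME element."""
import re

# One entry: "LCID <n>:NAME <text>:DESCRIPTION <text>;" (the ';' is optional on the last entry).
_ENTRY = re.compile(r"LCID (\d+):NAME (.*?):DESCRIPTION (.*?)(?:;|$)", re.DOTALL)


def parse_localized_names(text):
    """Return {lcid: (name, description)} for every entry in the NAME text.

    Entries must sit back to back; leftover text or a repeated LCID raises,
    so a mangled NAME element does not yield a partial, misleading result.
    """
    entries = {}
    pos = 0
    for match in _ENTRY.finditer(text):
        gap = text[pos:match.start()]
        if gap.strip():
            raise ValueError(f"unparsed text before offset {match.start()}: {gap!r}")
        lcid = int(match.group(1))
        if lcid in entries:
            raise ValueError(f"duplicate LCID {lcid}")
        entries[lcid] = (match.group(2).strip(), match.group(3).strip())
        pos = match.end()
    if not entries:
        raise ValueError("NAME element carries no LCID entries")
    if text[pos:].strip():
        raise ValueError(f"trailing text after last entry: {text[pos:]!r}")
    return entries


def pick_localized(entries, lcid, fallback=1033):
    """Prefer the caller's LCID, then the fallback (1033 = en-US), then the lowest LCID present."""
    for candidate in (lcid, fallback):
        if candidate in entries:
            return entries[candidate]
    return entries[min(entries)]


# Constructed sample text, not taken from a real template.
SAMPLE = ("LCID 1033:NAME Confidential:DESCRIPTION Internal use only;"
          "LCID 1031:NAME Vertraulich:DESCRIPTION Nur fuer den internen Gebrauch;")

if __name__ == "__main__":
    names = parse_localized_names(SAMPLE)
    for wanted in (1031, 1036):
        print(wanted, pick_localized(names, wanted))
```

Because the NAME text is shown to users when they choose a template, a client should display only what parsed cleanly; the strict parser above raises on anything it cannot account for instead of rendering a fragment.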
2.2.9.10.2 ISSUER
The ISSUER element of the rights policy template identifies the issuer of the template. The contents of the ISSUER element MUST be copied from the contents of the principal element in the ISSUEDPRINCIPALS element of the SPC of the issuing server.
The ISSUER element MUST use the following template.
[[- publickey -]]
[[- GUID -]]: MUST be a unique GUID that identifies the issuer of the license, represented as a literal ASCII string enclosed in braces. MUST be taken from the object of the principal of the ISSUEDPRINCIPALS of the issuer's certificate.
[[- name -]]: SHOULD be a string containing a name for the server. The NAME element MAY be omitted.
[[- address -]]: SHOULD be an ADDRESS element of type "URL" containing the URL of the server.
[[- publickey -]]: MUST contain the issuer's public key. The exponent MUST be set to 65537. The size attribute of the VALUE element MUST be set to the size of the issuer's public key. The modulus MUST contain the modulus of the issuer's public key.
2.2.9.10.3 DISTRIBUTIONPOINT
The DISTRIBUTIONPOINT element of the rights policy template either describes the intranet licensing URL of the server that will be used for issuing ULs for the PL generated from the rights policy template (this becomes a "publishing point" element), or the URL that is used when a recipient of a protected document wants to request rights to the document (this becomes a "referral-info" element). If the element describes the location of the server, it can be either an internal or an external location.
The DISTRIBUTIONPOINT elements MUST use the following template.
[[- type -]]: MUST be the type of the DISTRIBUTIONPOINT address. For the publishing point element, the type is "Publishing-URL", and for the referral-info element, the type is "Referral-Info".
[[- GUID -]]: MUST be a unique GUID that identifies the DISTRIBUTIONPOINT element, represented as a literal ASCII string enclosed in braces. <24>
[[- name -]]: MUST be a name for the object. For an object of type "Publishing-URL", this element MUST contain the text "Publishing Point", while for an object of type "referral-info", this MUST NOT be present.
[[- address -]]: MUST be an ADDRESS element of type "URL". For an object of type "Publishing-URL", this element MUST contain the intranet licensing URL of the server, while for an object of type "referral-info", this element MUST contain the URL to use for requesting rights (usually an email address).
2.2.9.10.4 WORK
The WORK element MUST use the following template.
[[- preconditionlist -]]
[[- right -]]
[[- preconditionlist -]]: This element specifies the time conditions on the usage policy, as specified in section 2.2.9.10.4.1.
2.2.9.10.4.1 PRECONDITIONLIST
The PRECONDITIONLIST element specifies the period of time for which the document can be accessed. The element MAY be present.
The element MAY be specified in two ways. One of the following two ways MUST be used if this element is present.
Method 1
[[- fromtime -]]: The fromtime element specifies the beginning date and time for the document to be considered valid (as in "not expired"). The time is expressed in UTC format.
[[- untiltime -]]: The untiltime element specifies the end date and time for the document to be considered valid (as in "not expired"). The time is expressed in UTC format.
Method 2
[[- numberofdays -]]: The numberofdays element specifies the number of days from the ISSUEDTIME that the document will be considered valid (as in "not expired").
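As an added example (not code from [MS-RMPR] or RMS), the following resolves the validity window for the two methods above, which are the same two forms the ERD TIME element (section 2.2.9.8.4) uses: fromtime and untiltime taken directly, or numberofdays counted from ISSUEDTIME. The element layout (RANGETIME with FROM and UNTIL children for Method 1, INTERVALTIME with a days attribute for Method 2) and the ISO 8601 timestamp grammar are assumptions, since the page states only "UTC format" and does not reproduce the template markup.

```python
"""Resolve the validity window of a TIME / PRECONDITIONLIST element in either form."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

# Assumed timestamp grammar (the page only says "UTC format"): ISO 8601 with or without seconds.
_FORMATS = ("%Y-%m-%dT%H:%M:%S", "%Y-%m-%dT%H:%M")


def parse_utc(text):
    """Parse one of the assumed UTC layouts into a timezone-aware datetime."""
    if text is None:
        raise ValueError("missing timestamp")
    text = text.strip().rstrip("Z")
    for fmt in _FORMATS:
        try:
            return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised UTC timestamp: {text!r}")


def validity_window(time_elem, issuedtime):
    """Return (not_before, not_after) for the element; (None, None) when it is absent.

    Method 1 (assumed layout RANGETIME/FROM and RANGETIME/UNTIL) gives both bounds.
    Method 2 (assumed layout INTERVALTIME days="N") starts at ISSUEDTIME and runs N days.
    A present element MUST carry exactly one of the two, so anything else is rejected.
    """
    if time_elem is None:
        return None, None
    rng = time_elem.find("RANGETIME")
    interval = time_elem.find("INTERVALTIME")
    if (rng is None) == (interval is None):
        raise ValueError("element MUST use exactly one of the two forms")
    if rng is not None:
        start = parse_utc(rng.findtext("FROM"))
        end = parse_utc(rng.findtext("UNTIL"))
    else:
        days = int(interval.get("days", ""))
        if days < 0:
            raise ValueError("numberofdays MUST NOT be negative")
        start = parse_utc(issuedtime)
        end = start + timedelta(days=days)
    if end < start:
        raise ValueError("untiltime precedes fromtime")
    return start, end


def window_of(time_xml, issuedtime):
    """Same as validity_window, taking the element as XML text (None = element absent)."""
    elem = ET.fromstring(time_xml) if time_xml else None
    return validity_window(elem, issuedtime)


def is_valid_at(time_xml, issuedtime, now):
    """True when `now` lies in [not_before, not_after); an absent element never expires."""
    start, end = window_of(time_xml, issuedtime)
    if start is None:
        return True
    return start <= parse_utc(now) < end


# Constructed samples, not taken from any real template.
ISSUED = "2024-01-10T00:00:00"
METHOD1 = ("<TIME><RANGETIME><FROM>2024-01-01T00:00:00</FROM>"
           "<UNTIL>2024-02-01T00:00:00</UNTIL></RANGETIME></TIME>")
METHOD2 = '<TIME><INTERVALTIME days="30"/></TIME>'

if __name__ == "__main__":
    for label, doc in (("range", METHOD1), ("interval", METHOD2), ("absent", None)):
        print(label, window_of(doc, ISSUED), is_valid_at(doc, ISSUED, "2024-01-15T12:00:00"))
```

Every comparison is done on timezone-aware UTC values, and the caller supplies `now` rather than the function reading the local clock, so the same check can be replayed against a recorded time when auditing why a document was or was not considered expired.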
2.2.9.10.4.2 RIGHTSGROUP
The RIGHTSGROUP element contains RIGHT elements and users who have each of these rights.
2.2.9.10.4.2.1 RIGHT
The RIGHT element describes a right that is assigned to a principal. One or more RIGHT elements MUST be present. It MUST follow one of two forms.
Form 1
[[- timecondition -]]
Form 2
<[[- rightname -]] >
[[- timecondition -]]
[[- rightname -]] >
[[- rightname -]]: In form 1, the name of the RIGHT MUST be an attribute on a RIGHT element and can be any arbitrary RIGHT name. In form 2, the name of the RIGHT MUST be the name of the element and MUST be one of a set of the following reserved values:
VIEW
PRINT
EDIT
EXPORT
EXTRACT
[[- timecondition -]]: MAY exist to specify a number of days for which the right may be exercised. If present, this MUST take the following form:
<