[MS-RMPR]:

Rights Management Services (RMS): Client-to-Server Protocol

Intellectual Property Rights Notice for Open Specifications Documentation

Technical Documentation. Microsoft publishes Open Specifications documentation for protocols, file formats, languages, standards as well as overviews of the interaction among each of these technologies.

Copyrights. This documentation is covered by Microsoft copyrights. Regardless of any other terms that are contained in the terms of use for the Microsoft website that hosts this documentation, you may make copies of it in order to develop implementations of the technologies described in the Open Specifications and may distribute portions of it in your implementations using these technologies or your documentation as necessary to properly document the implementation. You may also distribute in your implementation, with or without modification, any schema, IDL's, or code samples that are included in the documentation. This permission also applies to any documents that are referenced in the Open Specifications.

No Trade Secrets. Microsoft does not claim any trade secret rights in this documentation.

Patents. Microsoft has patents that may cover your implementations of the technologies described in the Open Specifications. Neither this notice nor Microsoft's delivery of the documentation grants any licenses under those or any other Microsoft patents. However, a given Open Specification may be covered by Microsoft Open Specification Promise or the Community Promise. If you would prefer a written license, or if the technologies described in the Open Specifications are not covered by the Open Specifications Promise or Community Promise, as applicable, patent licenses are available by contacting .

Trademarks. The names of companies and products contained in this documentation may be covered by trademarks or similar intellectual property rights. This notice does not grant any licenses under those rights. For a list of Microsoft trademarks, visit

Fictitious Names. The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted in this documentation are fictitious. No association with any real company, organization, product, domain name, email address, logo, person, place, or event is intended or should be inferred.

Reservation of Rights. All other rights are reserved, and this notice does not grant any rights other than specifically described above, whether by implication, estoppel, or otherwise.

Tools. The Open Specifications do not require the use of Microsoft programming tools or programming environments in order for you to develop an implementation. If you have access to Microsoft programming tools and environments you are free to take advantage of them. Certain Open Specifications are intended for use in conjunction with publicly available standard specifications and network programming art, and assume that the reader either is familiar with the aforementioned material or has immediate access to it.

Revision Summary

Date / Revision History / Revision Class / Comments
7/3/2007 / 1.0 / Major / Initial Availability
8/10/2007 / 2.0 / Major / Updated and revised the technical content.
9/28/2007 / 2.0.1 / Editorial / Changed language and formatting in the technical content.
10/23/2007 / 2.1 / Minor / Clarified the meaning of the technical content.
1/25/2008 / 2.1.1 / Editorial / Changed language and formatting in the technical content.
3/14/2008 / 3.0 / Major / Updated and revised the technical content.
6/20/2008 / 4.0 / Major / Updated and revised the technical content.
7/25/2008 / 5.0 / Major / Updated and revised the technical content.
8/29/2008 / 5.0.1 / Editorial / Changed language and formatting in the technical content.
10/24/2008 / 6.0 / Major / Updated and revised the technical content.
12/5/2008 / 7.0 / Major / Updated and revised the technical content.
1/16/2009 / 8.0 / Major / Updated and revised the technical content.
2/27/2009 / 9.0 / Major / Updated and revised the technical content.
4/10/2009 / 10.0 / Major / Updated and revised the technical content.
5/22/2009 / 11.0 / Major / Updated and revised the technical content.
7/2/2009 / 12.0 / Major / Updated and revised the technical content.
8/14/2009 / 13.0 / Major / Updated and revised the technical content.
9/25/2009 / 14.0 / Major / Updated and revised the technical content.
11/6/2009 / 15.0 / Major / Updated and revised the technical content.
12/18/2009 / 16.0 / Major / Updated and revised the technical content.
1/29/2010 / 17.0 / Major / Updated and revised the technical content.
3/12/2010 / 18.0 / Major / Updated and revised the technical content.
4/23/2010 / 19.0 / Major / Updated and revised the technical content.
6/4/2010 / 20.0 / Major / Updated and revised the technical content.
7/16/2010 / 21.0 / Major / Updated and revised the technical content.
8/27/2010 / 22.0 / Major / Updated and revised the technical content.
10/8/2010 / 23.0 / Major / Updated and revised the technical content.
11/19/2010 / 24.0 / Major / Updated and revised the technical content.
1/7/2011 / 25.0 / Major / Updated and revised the technical content.
2/11/2011 / 26.0 / Major / Updated and revised the technical content.
3/25/2011 / 27.0 / Major / Updated and revised the technical content.
5/6/2011 / 28.0 / Major / Updated and revised the technical content.
6/17/2011 / 28.1 / Minor / Clarified the meaning of the technical content.
9/23/2011 / 28.1 / None / No changes to the meaning, language, or formatting of the technical content.
12/16/2011 / 29.0 / Major / Updated and revised the technical content.
3/30/2012 / 30.0 / Major / Updated and revised the technical content.
7/12/2012 / 30.1 / Minor / Clarified the meaning of the technical content.
10/25/2012 / 30.2 / Minor / Clarified the meaning of the technical content.
1/31/2013 / 30.2 / None / No changes to the meaning, language, or formatting of the technical content.
8/8/2013 / 31.0 / Major / Updated and revised the technical content.
11/14/2013 / 32.0 / Major / Updated and revised the technical content.
2/13/2014 / 32.0 / None / No changes to the meaning, language, or formatting of the technical content.
5/15/2014 / 32.0 / None / No changes to the meaning, language, or formatting of the technical content.
6/30/2015 / 33.0 / Major / Significantly changed the technical content.
10/16/2015 / 34.0 / Major / Significantly changed the technical content.

Table of Contents

1 Introduction
1.1 Glossary
1.2 References
1.2.1 Normative References
1.2.2 Informative References
1.3 Overview
1.3.1 Server Enrollment
1.3.2 Client Bootstrapping
1.3.3 Template Acquisition
1.3.4 Online Publishing
1.3.5 Offline Publishing
1.3.6 Licensing
1.4 Relationship to Other Protocols
1.5 Prerequisites/Preconditions
1.6 Applicability Statement
1.7 Versioning and Capability Negotiation
1.8 Vendor-Extensible Fields
1.9 Standards Assignments
2 Messages
2.1 Transport
2.2 Common Message Syntax
2.2.1 Namespaces
2.2.2 Messages
2.2.3 Elements
2.2.3.1 Certificate Element
2.2.3.2 CertificateChain Element
2.2.3.3 VersionData Element
2.2.3.4 string Element
2.2.3.5 MaximumVersion Element
2.2.3.6 MinimumVersion Element
2.2.3.7 URL Element
2.2.4 Complex Types
2.2.4.1 ArrayOfXmlNode Complex Type
2.2.4.2 VersionData Complex Type
2.2.5 Simple Types
2.2.6 Attributes
2.2.7 Groups
2.2.8 Attribute Groups
2.2.9 Common Data Structures
2.2.9.1 Common Certificate and License Structures
2.2.9.1.1 ISSUEDTIME
2.2.9.1.2 VALIDITYTIME
2.2.9.1.3 RANGETIME
2.2.9.1.4 DESCRIPTOR
2.2.9.1.5 ISSUER
2.2.9.1.6 PUBLICKEY
2.2.9.1.7 DISTRIBUTIONPOINT
2.2.9.1.8 NAME
2.2.9.1.9 ADDRESS
2.2.9.1.10 SECURITYLEVEL
2.2.9.1.11 ISSUEDPRINCIPALS
2.2.9.1.12 SIGNATURE
2.2.9.1.13 ENABLINGBITS
2.2.9.1.13.1 KeyHeader
2.2.9.2 Certificate and License Chains
2.2.9.3 Issuing Certificates
2.2.9.3.1 DESCRIPTOR
2.2.9.3.2 ISSUER
2.2.9.3.3 ISSUEDPRINCIPALS
2.2.9.3.4 CONDITIONLIST
2.2.9.3.5 DISTRIBUTIONPOINT
2.2.9.4 Security Processor Certificate
2.2.9.4.1 DESCRIPTOR
2.2.9.4.2 ISSUER
2.2.9.4.3 DISTRIBUTIONPOINT
2.2.9.4.4 ISSUEDPRINCIPALS
2.2.9.5 RMS Account Certificate
2.2.9.5.1 DESCRIPTOR
2.2.9.5.2 ISSUER
2.2.9.5.3 DISTRIBUTIONPOINT
2.2.9.5.4 ISSUEDPRINCIPALS
2.2.9.5.5 FEDERATIONPRINCIPALS
2.2.9.6 Client Licensor Certificate
2.2.9.6.1 DESCRIPTOR
2.2.9.6.2 ISSUER
2.2.9.6.3 DISTRIBUTIONPOINT
2.2.9.6.4 ISSUEDPRINCIPALS
2.2.9.7 Publishing License
2.2.9.7.1 DESCRIPTOR
2.2.9.7.2 ISSUER
2.2.9.7.3 DISTRIBUTIONPOINT
2.2.9.7.4 ISSUEDPRINCIPALS
2.2.9.7.5 OWNER
2.2.9.7.6 AUTHENTICATEDDATA
2.2.9.7.7 POLICYLIST
2.2.9.7.8 POLICY
2.2.9.7.9 CONDITIONLIST
2.2.9.8 Encrypted Rights Data
2.2.9.8.1 DESCRIPTOR
2.2.9.8.2 ISSUER
2.2.9.8.3 DISTRIBUTIONPOINT
2.2.9.8.4 TIME
2.2.9.8.5 WORK
2.2.9.8.5.1 METADATA
2.2.9.8.5.2 PRECONDITIONLIST
2.2.9.8.5.3 RIGHT
2.2.9.8.6 AUTHENTICATEDDATA
2.2.9.9 Use License
2.2.9.9.1 DESCRIPTOR
2.2.9.9.2 ISSUER
2.2.9.9.3 ISSUEDPRINCIPALS
2.2.9.9.4 DISTRIBUTIONPOINT
2.2.9.9.5 OWNER
2.2.9.9.6 RIGHT
2.2.9.9.7 POLICYLIST
2.2.9.9.8 POLICY
2.2.9.9.9 CONDITION
2.2.9.9.10 CONDITIONLIST
2.2.9.10 Rights Policy Template
2.2.9.10.1 DESCRIPTOR
2.2.9.10.2 ISSUER
2.2.9.10.3 DISTRIBUTIONPOINT
2.2.9.10.4 WORK
2.2.9.10.4.1 PRECONDITIONLIST
2.2.9.10.4.2 RIGHTSGROUP
2.2.9.10.4.2.1 RIGHT
2.2.9.10.5 AUTHENTICATEDDATA
2.3 Directory Service Schema Elements
3 Protocol Details
3.1 Common Details
3.1.1 Abstract Data Model
3.1.1.1 Abstract Types
3.1.1.1.1 ServerConfiguration ADM Elements
3.1.1.1.2 TrustedLicensingServer
3.1.1.1.3 PLCacheEntry
3.1.1.1.4 ApplicationExclusionEntry
3.1.1.1.5 DomainAccount
3.1.1.1.6 FederatedAccount
3.1.1.1.7 Directory
3.1.1.1.8 RequestContext
3.1.1.2 Abstract Variables
3.1.1.2.1 ServerState
3.1.1.2.2 StoredConfiguration
3.1.1.2.3 ServiceConnectionPoint
3.1.1.2.4 ForestName
3.1.1.3 Abstract Interfaces
3.1.1.3.1 GetDirectoryForAccount
3.1.1.3.2 GetEmailAddressForAccount
3.1.1.3.3 GetServiceLocationForDirectory
3.1.1.3.4 GetUserKeyPair
3.1.1.3.5 SetUserKeyPair
3.1.2 Timers
3.1.3 Initialization
3.1.3.1 Acquiring a Key Pair
3.1.3.2 Acquiring an SLC Chain
3.1.3.3 StoredConfiguration Initialization
3.1.3.4 ServerState Initialization
3.1.4 Message Processing Events and Sequencing Rules
3.1.4.1 Authentication
3.1.4.2 Server Endpoint URLs
3.1.4.3 Request Context
3.1.4.4 Service Connection Point
3.1.4.4.1 RightsManagementServices
3.1.4.4.1.1 SCP
3.1.4.5 Fault Codes
3.1.4.6 Validation
3.1.4.7 Cryptographic Modes
3.1.5 Timer Events
3.1.6 Other Local Events
3.1.6.1 StoredConfigurationChanged
3.1.6.2 SLC Expiry
3.2 ActivationProxyWebServiceSoap Server Details
3.2.1 Abstract Data Model
3.2.2 Timers
3.2.3 Initialization
3.2.4 Message Processing Events and Sequencing Rules
3.2.4.1 Activate Operation
3.2.4.1.1 Messages
3.2.4.1.1.1 ActivateSoapIn
3.2.4.1.1.2 ActivateSoapOut
3.2.4.1.2 Elements
3.2.4.1.2.1 Activate
3.2.4.1.2.2 ActivateResponse
3.2.4.1.2.3 HidXml
3.2.4.1.2.4 BinarySignature
3.2.4.1.3 Complex Types
3.2.4.1.3.1 ActivateParams
3.2.4.1.3.2 ActivateResponse
3.2.4.1.3.3 ArrayOfActivateParams
3.2.4.1.3.4 ArrayOfActivateResponse
3.2.5 Timer Events
3.2.6 Other Local Events
3.3 CertificationWebServiceSoap Server Details
3.3.1 Abstract Data Model
3.3.2 Timers
3.3.3 Initialization
3.3.4 Message Processing Events and Sequencing Rules
3.3.4.1 Certify Operation
3.3.4.1.1 Messages
3.3.4.1.1.1 CertifySoapIn
3.3.4.1.1.2 CertifySoapOut
3.3.4.1.2 Elements
3.3.4.1.2.1 Certify
3.3.4.1.2.2 CertifyResponse
3.3.4.1.3 Complex Types
3.3.4.1.3.1 CertifyParams
3.3.4.1.3.2 CertifyResponse
3.3.4.1.3.3 QuotaResponse
3.3.5 Timer Events
3.3.6 Other Local Events
3.4 LicenseSoap and TemplateDistributionWebServiceSoap Server Details
3.4.1 Abstract Data Model
3.4.2 Timers
3.4.3 Initialization
3.4.4 Message Processing Events and Sequencing Rules
3.4.4.1 AcquireLicense Operation
3.4.4.1.1 Messages
3.4.4.1.1.1 AcquireLicenseSoapIn
3.4.4.1.1.2 AcquireLicenseSoapOut
3.4.4.1.2 Elements
3.4.4.1.2.1 AcquireLicense
3.4.4.1.2.2 AcquireLicenseResponse
3.4.4.1.2.3 ApplicationData
3.4.4.1.3 Complex Types
3.4.4.1.3.1 ArrayOfAcquireLicenseParams
3.4.4.1.3.2 ArrayOfAcquireLicenseResponse
3.4.4.1.3.3 AcquireLicenseParams
3.4.4.1.3.4 AcquireLicenseResponse
3.4.4.1.3.5 AcquireLicenseException
3.4.4.2 AcquireTemplateInformation Operation
3.4.4.2.1 Messages
3.4.4.2.1.1 AcquireTemplateInformationSoapIn
3.4.4.2.1.2 AcquireTemplateInformationSoapOut
3.4.4.2.2 Elements
3.4.4.2.2.1 AcquireTemplateInformation
3.4.4.2.2.2 AcquireTemplateInformationResponse
3.4.4.2.3 Complex Types
3.4.4.2.3.1 TemplateInformation
3.4.4.2.3.2 GuidHash
3.4.4.3 AcquireTemplates Operation
3.4.4.3.1 Messages
3.4.4.3.1.1 AcquireTemplatesSoapIn
3.4.4.3.1.2 AcquireTemplatesSoapOut
3.4.4.3.2 Elements
3.4.4.3.2.1 AcquireTemplates 1
3.4.4.3.2.2 AcquireTemplates 2
3.4.4.3.3 Complex Types
3.4.4.3.3.1 ArrayOfGuidTemplate
3.4.4.3.3.2 GuidTemplate
3.4.5 Timer Events
3.4.6 Other Local Events
3.5 PublishSoap Server Details
3.5.1 Abstract Data Model
3.5.2 Timers
3.5.3 Initialization
3.5.4 Message Processing Events and Sequencing Rules
3.5.4.1 AcquireIssuanceLicense Operation
3.5.4.1.1 Messages
3.5.4.1.1.1 AcquireIssuanceLicenseSoapIn
3.5.4.1.1.2 AcquireIssuanceLicenseSoapOut
3.5.4.1.2 Elements
3.5.4.1.2.1 AcquireIssuanceLicense
3.5.4.1.2.2 AcquireIssuanceLicenseResponse
3.5.4.1.2.3 UnsignedIssuanceLicense
3.5.4.1.3 Complex Types
3.5.4.1.3.1 ArrayOfAcquireIssuanceLicenseParams
3.5.4.1.3.2 ArrayOfAcquireIssuanceLicenseResponse
3.5.4.1.3.3 AcquireIssuanceLicenseParams
3.5.4.1.3.4 AcquireIssuanceLicenseResponse
3.5.4.2 GetClientLicensorCert Operation
3.5.4.2.1 Messages
3.5.4.2.1.1 GetClientLicensorCertSoapIn
3.5.4.2.1.2 GetClientLicensorCertSoapOut
3.5.4.2.2 Elements
3.5.4.2.2.1 GetClientLicensorCert
3.5.4.2.2.2 GetClientLicensorCertResponse
3.5.4.2.3 Complex Types
3.5.4.2.3.1 ArrayOfGetClientLicensorCertParams
3.5.4.2.3.2 ArrayOfGetClientLicensorCertResponse
3.5.4.2.3.3 GetClientLicensorCertParams
3.5.4.2.3.4 GetClientLicensorCertResponse
3.5.5 Timer Events
3.5.6 Other Local Events
3.6 EnrollServiceSoap Server Details
3.6.1 Abstract Data Model
3.6.2 Timers
3.6.3 Initialization
3.6.4 Message Processing Events and Sequencing Rules
3.6.4.1 Synchronous Enrollment Operation
3.6.4.1.1 Messages
3.6.4.1.1.1 EnrollSoapIn
3.6.4.1.1.2 EnrollSoapOut
3.6.4.1.2 Simple Types
3.6.4.1.2.1 RevocationTypeEnum
3.6.4.1.3 Elements
3.6.4.1.3.1 Enroll
3.6.4.1.3.2 RevocationAuthorityInformation
3.6.4.1.3.3 EnrollResponse
3.6.4.1.4 Complex Types
3.6.4.1.4.1 EnrollParameters
3.6.4.1.4.2 X509Information
3.6.4.1.4.3 EnrolleeRevocationInformation
3.6.4.1.4.4 ArrayOfRevocationAuthorityInformation
3.6.4.1.4.5 RevocationAuthorityInformation
3.6.4.1.4.6 EnrolleeServerInformation
3.6.4.1.4.7 EnrollResponse
3.6.4.1.4.8 ArrayOfString
3.6.4.2 Asynchronous Enrollment Operation
3.6.4.2.1 Messages
3.6.4.2.1.1 Asynchronous Enrollment Request
3.6.4.2.1.2 Asynchronous Enrollment Response
3.6.4.2.2 Simple Types
3.6.4.2.2.1 RevocationTypeEnum
3.6.4.2.3 Elements
3.6.4.2.3.1 RevocationAuthorityInformation
3.6.4.2.4 Complex Types
3.6.4.2.4.1 EnrolleeCertificatePublicKey
3.6.4.2.4.2 EnrolleeRevocationInformation
3.6.4.2.4.3 EnrolleeServerInformation
3.6.4.2.4.4 ArrayOfRevocationAuthorityInformation
3.6.4.2.4.5 RevocationAuthorityInformation
3.6.5 Timer Events
3.6.6 Other Local Events
3.7 ServerSoap Server Details
3.7.1 Abstract Data Model
3.7.2 Timers
3.7.3 Initialization
3.7.4 Message Processing Events and Sequencing Rules
3.7.4.1 GetLicensorCertificate Operation
3.7.4.1.1 Messages
3.7.4.1.1.1 GetLicensorCertificateSoapIn
3.7.4.1.1.2 GetLicensorCertificateSoapOut
3.7.4.1.2 Elements
3.7.4.1.2.1 GetLicensorCertificate
3.7.4.1.2.2 GetLicensorCertificateResponse
3.7.4.1.3 Complex Types
3.7.4.1.3.1 LicensorCertChain
3.7.4.2 FindServiceLocationsForUser Operation
3.7.4.2.1 Messages
3.7.4.2.1.1 FindServiceLocationsForUserSoapIn
3.7.4.2.1.2 FindServiceLocationsForUserSoapOut
3.7.4.2.2 Elements
3.7.4.2.2.1 FindServiceLocationsForUser
3.7.4.2.2.2 FindServiceLocationsForUserResponse
3.7.4.2.3 Complex Types
3.7.4.2.3.1 ArrayOfServiceLocationRequest
3.7.4.2.3.2 ArrayOfServiceLocationResponse
3.7.4.2.3.3 ServiceLocationRequest
3.7.4.2.3.4 ServiceLocationResponse
3.7.4.2.4 Simple Types
3.7.4.2.4.1 ServiceType
3.7.4.3 GetServerInfo Operation
3.7.4.3.1 Messages
3.7.4.3.1.1 GetServerInfoSoapIn
3.7.4.3.1.2 GetServerInfoSoapOut
3.7.4.3.2 Elements
3.7.4.3.2.1 GetServerInfo
3.7.4.3.2.2 GetServerInfoResponse
3.7.4.3.3 Complex Types
3.7.4.3.3.1 ArrayOfServerInfoRequest
3.7.4.3.3.2 ServerInfoRequest
3.7.4.3.3.3 GetServerInfoResponse
3.7.4.3.4 Simple Types
3.7.4.3.4.1 ServerInfoType
3.7.5 Timer Events
3.7.6 Other Local Events
3.8 Client Details
3.8.1 Abstract Data Model
3.8.1.1 Abstract Elements
3.8.1.2 Abstract Interfaces
3.8.2 Timers
3.8.3 Initialization
3.8.3.1 SPC Issuer Initialization
3.8.3.2 Service Locations
3.8.3.2.1 Locating an RMS Server by Using Active Directory
3.8.3.2.2 Locating an RMS Server by Using Existing Client Configuration Data
3.8.3.2.3 Locating an RMS Server by Using Existing Licenses or Certificates
3.8.3.3 RAC Initialization
3.8.3.4 CLC Initialization
3.8.4 Message Processing Events and Sequencing Rules
3.8.4.1 Client Bootstrapping
3.8.4.2 Template Acquisition
3.8.4.3 Online Publishing
3.8.4.4 Offline Publishing
3.8.4.5 Licensing
3.8.5 Timer Events
3.8.6 Other Local Events
4 Protocol Examples
4.1 Publishing Usage Policy Example
4.2 Accessing Protected Information Example
4.3 SOAP on DIME Response from Activate Method Example
4.4 Template Acquisition Example
4.5 Certificate Examples
4.5.1 Security Processor Certificate Example
4.5.2 RMS Account Certificate Example
4.5.3 Client Licensor Certificate Example
4.5.4 Publishing License Example
4.5.5 Encrypted Rights Data Example
4.5.6 Use License Example
4.5.7 Rights Policy Template Example
4.6 GetServerInfoResponse Example
5 Security
5.1 Security Considerations for Implementers
5.2 Index of Security Parameters
6 Appendix A: Full WSDL
6.1 Activation Service WSDL
6.2 Certification Service WSDL
6.3 Licensing Service WSDL
6.3.1 Template Distribution Service
6.4 Publishing Service WSDL
6.5 Server Service WSDL
6.6 Enrollment Cloud Service WSDL
7 Appendix B: Product Behavior
8 Change Tracking
9 Index

1 Introduction

The RMS: Client-to-Server Protocol is used to obtain and issue certificates and licenses used for creating and working with protected content. The RMS: Client-to-Server Protocol uses the SOAP messaging protocol for exchanging information between a client and a server. It consists of five separate interfaces:

Server Service

Activation Service

Certification Service

Licensing Service

Publishing Service

The RMS: Client-to-Server Protocol depends on the proper use of these interfaces. The RMS 1.0 client uses all five interfaces. Later client versions (RMS 1.0 SP1, RMS 1.0 SP2, and RMS 2.0) use all but the Activation Service. This specification defines the proper use of all five interfaces.

Sections 1.8, 2, and 3 of this specification are normative and can contain the terms MAY, SHOULD, MUST, MUST NOT, and SHOULD NOT as defined in [RFC2119]. Sections 1.5 and 1.9 are also normative but do not contain those terms. All other sections and examples in this specification are informative.

1.1 Glossary

The following terms are specific to this document:

Active Directory: A general-purpose network directory service. Active Directory also refers to the Windows implementation of a directory service. Active Directory stores information about a variety of objects in the network. Importantly, user accounts, computer accounts, groups, and all related credential information used by the Windows implementation of Kerberos are stored in Active Directory. Active Directory is either deployed as Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS). [MS-ADTS] describes both forms. For more information, see [MS-AUTHSOD] section 1.1.1.5.2, Lightweight Directory Access Protocol (LDAP) versions 2 and 3, Kerberos, and DNS.

Advanced Encryption Standard (AES): A block cipher that supersedes the Data Encryption Standard (DES). AES can be used to protect electronic data. The AES algorithm can be used to encrypt (encipher) and decrypt (decipher) information. Encryption converts data to an unintelligible form called ciphertext; decrypting the ciphertext converts the data back into its original form, called plaintext. AES is used in symmetric-key cryptography, meaning that the same key is used for the encryption and decryption operations. It is also a block cipher, meaning that it operates on fixed-size blocks of plaintext and ciphertext; the raw cipher requires the plaintext and ciphertext to be an exact multiple of this block size, and a mode of operation or padding scheme is needed for other lengths. AES is also known as the Rijndael symmetric encryption algorithm [FIPS197].

ASCII: The American Standard Code for Information Interchange (ASCII) is a 7-bit character-encoding scheme based on the English alphabet, conventionally stored one character per 8-bit byte. ASCII codes represent text in computers, communications equipment, and other devices that work with text. In this document, ASCII refers to a single 8-bit ASCII character or an array of 8-bit ASCII characters with the high bit of each character set to zero.

certificate: As used in this document, certificates are expressed in [XRML] section 1.2.

certificate chain: A sequence of certificates in which each certificate is signed under the key certified by the next certificate in the sequence. The last certificate in the chain is normally self-signed and serves as the trust anchor.

certification authority (CA): A third party that issues public key certificates. Certificates serve to bind public keys to a user identity. Each user and certification authority (CA) can decide whether to trust another user or CA for a specific purpose, and whether this trust should be transitive. For more information, see [RFC3280].

client licensor certificate (CLC) chain: An XrML 1.2 certificate chain that contains an asymmetric signing key pair issued to a user account by an RMS publishing service and binds that user account to a specific computer. The CLC grants its holder the role of a user who can publish protected content, that is, sign publishing licenses without contacting the server.

cloud service: A set of one or more publicly available services that Microsoft operates.

configuration naming context (config NC): A specific type of naming context (NC), or an instance of that type, that contains configuration information. In Active Directory, a single config NC is shared among all domain controllers (DCs) in the forest. A config NC cannot contain security principal objects.

consumer: The user who uses protected content.

content key: The symmetric key used to encrypt content.

Coordinated Universal Time (UTC): A high-precision atomic time standard that approximately tracks Universal Time (UT). It is the basis for legal, civil time all over the Earth. Time zones around the world are expressed as positive and negative offsets from UTC. In this role, it is also referred to as Zulu time (Z) and Greenwich Mean Time (GMT). In these specifications, all references to UTC refer to the time at UTC-0 (or GMT).

creator: The user who creates protected content.

Data Encryption Standard (DES): A specification for encryption of computer data that uses a 56-bit key developed by IBM and adopted by the U.S. government as a standard in 1976. For more information see [FIPS46-3].

domain: A set of users and computers sharing a common namespace and management infrastructure. At least one computer member of the set must act as a domain controller (DC) and host a member list that identifies all members of the domain, as well as optionally hosting the Active Directory service. The domain controller provides authentication of members, creating a unit of trust for its members. Each domain has an identifier that is shared among its members. For more information, see [MS-AUTHSOD] section 1.1.1.5 and [MS-ADTS].

domain account: A stored set of attributes representing a principal used to authenticate a user or machine to an Active Directory domain.

endpoint: A network-specific address of a remote procedure call (RPC) server process for remote procedure calls. The actual name and type of the endpoint depends on the RPC protocol sequence that is being used. For example, for RPC over TCP (RPC Protocol Sequence ncacn_ip_tcp), an endpoint might be TCP port 1025. For RPC over Server Message Block (RPC Protocol Sequence ncacn_np), an endpoint might be the name of a named pipe. For more information, see [C706].

forest: One or more domains that share a common schema and trust each other transitively. An organization can have multiple forests. A forest establishes the security and administrative boundary for all the objects that reside within the domains that belong to the forest. In contrast, a domain establishes the administrative boundary for managing objects, such as users, groups, and computers. In addition, each domain has individual security policies and trust relationships with other domains.

fully qualified domain name (FQDN): An unambiguous domain name that gives an absolute location in the Domain Name System's (DNS) hierarchy tree, as defined in [RFC1035] section 3.1 and [RFC2181] section 11.

globally unique identifier (GUID): A term used interchangeably with universally unique identifier (UUID) in Microsoft protocol technical documents (TDs). Interchanging the usage of these terms does not imply or require a specific algorithm or mechanism to generate the value. Specifically, the use of this term does not imply or require that the algorithms described in [RFC4122] or [C706] must be used for generating the GUID. See also universally unique identifier (UUID).

hardware ID (HID): A string usually derived from a fingerprint of an individual computer. The HID is an identifier for a computer.

language code identifier (LCID): A 32-bit number that identifies the user interface human language dialect or variation that is supported by an application or a client computer.

license: An XrML 1.2 document that describes usage policy for protected content.

license chain: Similar to a certificate chain, but for a license.
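The certificate chain and license chain definitions above share one rule: walk the sequence leaf-first, verify each element under the key certified by the element after it, and stop at a self-signed element that is also a trusted root. The Python below is an added illustration of that walk; it is not code from this specification or from any RMS implementation. The dict layout (subject, pub, issuer, sig), the names Root, Server and User, and the unpadded textbook RSA are assumptions made so it runs offline, and it does not parse XrML 1.2. It also exercises the failure modes a verifier has to reject: a mis-ordered chain, a truncated chain with no self-signed root, an untrusted root, and a tampered leaf.

```python
"""Leaf-first chain walk: element i must verify under the key in element
i+1 and name it as issuer; the last element must be self-signed and trusted.

Constructed example. The dict layout and the textbook RSA (no padding) are
assumptions made so this runs offline; they are not the XrML 1.2 format,
and unpadded RSA must never be used for real signatures."""
import hashlib
import secrets


def _probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin primality test."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _probable_prime(cand):
            return cand


def generate_keypair(prime_bits: int = 160):
    """Return ((n, e), (n, d)). Two 160-bit primes give a modulus wider
    than a SHA-256 digest, so the digest can be signed directly."""
    e = 65537
    while True:
        p, q = _random_prime(prime_bits), _random_prime(prime_bits)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            break
    return (p * q, e), (p * q, pow(e, -1, phi))


def _to_be_signed(cert: dict) -> int:
    """SHA-256 over every field except the signature, as an integer."""
    data = "|".join([cert["subject"], str(cert["pub"][0]), str(cert["pub"][1]), cert["issuer"]])
    return int.from_bytes(hashlib.sha256(data.encode()).digest(), "big")


def sign_cert(cert: dict, signer_priv) -> dict:
    n, d = signer_priv
    return {**cert, "sig": pow(_to_be_signed(cert), d, n)}


def _signature_ok(cert: dict, signer_pub) -> bool:
    n, e = signer_pub
    return pow(cert["sig"], e, n) == _to_be_signed(cert)


def validate_chain(chain: list, trusted_roots: set):
    """Return (ok, reason). Rejects an empty chain, an issuer that is not the
    next element's subject (mis-ordered or truncated), a bad signature, a
    last element that is not self-signed, and a root not in trusted_roots."""
    if not chain:
        return False, "empty chain"
    for i, cert in enumerate(chain):
        signer = chain[i + 1] if i + 1 < len(chain) else cert  # last vouches for itself
        if cert["issuer"] != signer["subject"]:
            return False, (f"cert {i} ({cert['subject']}) names issuer "
                           f"{cert['issuer']} but is followed by {signer['subject']}")
        if not _signature_ok(cert, signer["pub"]):
            return False, f"signature on cert {i} ({cert['subject']}) does not verify"
    if chain[-1]["subject"] not in trusted_roots:
        return False, f"root {chain[-1]['subject']} is not a trusted root"
    return True, "ok"


def build_demo_chain() -> list:
    """Constructed three-level chain, leaf first: a user certificate signed by
    a server certificate signed by a self-signed root (shape only, not RMS data)."""
    root_pub, root_priv = generate_keypair()
    server_pub, server_priv = generate_keypair()
    user_pub, _ = generate_keypair()
    root = sign_cert({"subject": "Root", "pub": root_pub, "issuer": "Root"}, root_priv)
    server = sign_cert({"subject": "Server", "pub": server_pub, "issuer": "Root"}, root_priv)
    user = sign_cert({"subject": "User", "pub": user_pub, "issuer": "Server"}, server_priv)
    return [user, server, root]


if __name__ == "__main__":
    chain = build_demo_chain()
    print(validate_chain(chain, {"Root"}))                  # (True, 'ok')
    print(validate_chain(list(reversed(chain)), {"Root"}))  # mis-ordered
    print(validate_chain(chain[:2], {"Root"}))              # truncated, no self-signed root
```

The ordering check (issuer of element i equals subject of element i+1) is what catches a truncated chain: with the root removed, the last remaining element is not self-signed and the walk fails before any trust decision is made, so an attacker cannot pass a dangling intermediate off as a root.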

Lightweight Directory Access Protocol (LDAP): The primary access protocol for Active Directory. Lightweight Directory Access Protocol (LDAP) is an industry-standard protocol, established by the Internet Engineering Task Force (IETF), which allows users to query and update information in a directory service (DS), as described in [MS-ADTS]. The Lightweight Directory Access Protocol can be either version 2 [RFC1777] or version 3 [RFC3377].

little-endian: Multiple-byte values that are byte-ordered with the least significant byte stored in the memory location with the lowest address.

NT LAN Manager (NTLM): A Microsoft authentication protocol that is based on a challenge-response sequence for authentication. NT refers to the Windows operating system. For more information, see [MS-NLMP].

NT LAN Manager (NTLM) Authentication Protocol: A protocol using a challenge-response mechanism for authentication (2) in which clients are able to verify their identities without sending a password to the server. It consists of three messages, commonly referred to as Type 1 (negotiation), Type 2 (challenge) and Type 3 (authentication). For more information, see [MS-NLMP].

offline publishing: The process of creating protected content and signing the associated publishing license using a previously acquired CLC.

online publishing: The process of creating protected content and contacting a server to have the publishing license signed.

Passport Unique ID (PUID): A unique user name associated with a Microsoft Passport account.

policy: A set of rules that governs all interactions with an object such as a document or item.

protected content: Any content or information (file, email) that has an RMS usage policy assigned to it, and is encrypted according to that policy. Also known as "Protected Information".

publishing license (PL): An XrML 1.2 license that defines the usage policy for protected content and contains the content key with which that content is encrypted. The usage policy identifies all authorized users and the actions they are authorized to take with the content, along with any conditions on that usage. The publishing license tells the server which usage policies apply to a given piece of content and grants the server the right to issue use licenses (ULs) based on that policy. The PL is created when content is protected. Also known as an Issuance License (IL).