1.1 Glossary

This document uses the following terms:

attribute: A characteristic of some object or entity, typically encoded as a name/value pair.

authentication: The ability of one entity to determine the identity of another entity.

certificate: A certificate is a collection of attributes and extensions that can be stored persistently. The set of attributes in a certificate can vary depending on the intended usage of the certificate. A certificate securely binds a public key to the entity that holds the corresponding private key. A certificate is commonly used for authentication and secure exchange of information on open networks, such as the Internet, extranets, and intranets. Certificates are digitally signed by the issuing certification authority (CA) and can be issued for a user, a computer, or a service. The most widely accepted format for certificates is defined by the ITU-T X.509 version 3 international standards. For more information about attributes and extensions, see [RFC3280] and [X509] sections 7 and 8.

certificate chain: A sequence of certificates, where each certificate in the sequence is signed by the subsequent certificate. The last certificate in the chain is normally a self-signed certificate.

certificate template: A list of attributes that define a blueprint for creating an X.509 certificate. It is often referred to in non-Microsoft documentation as a "certificate profile". A certificate template is used to define the content and purpose of a digital certificate, including issuance requirements (certificate policies), implemented X.509 extensions such as application policies, key usage, or extended key usage as specified in [X509], and enrollment permissions. Enrollment permissions define the rules by which a certification authority (CA) will issue or deny certificate requests. In Windows environments, certificate templates are stored as objects in the Active Directory and used by Microsoft enterprise CAs.

certification authority (CA): A third party that issues public key certificates. Certificates serve to bind public keys to a user identity. Each user and certification authority (CA) can decide whether to trust another user or CA for a specific purpose, and whether this trust should be transitive. For more information, see [RFC3280].

challenge: A piece of data used to authenticate a user. Typically a challenge takes the form of a nonce.

cipher: A cryptographic algorithm used to encrypt and decrypt files and messages.

content: Multimedia data. Content is always in ASF, for example, a single ASF music file or a single ASF video file. Data in general. A file that an application accesses. Examples of content include web pages and documents stored on either web servers or SMB file servers.

Data Encryption Standard (DES): A specification for encryption of computer data that uses a 56-bit key developed by IBM and adopted by the U.S. government as a standard in 1976. For more information see [FIPS46-3].

decryption: In cryptography, the process of transforming encrypted information to its original clear text form.

Digital Rights Management (DRM): A set of technologies that provides control over how a given piece of protected content can be used.

digital signature: A message authenticator that is typically derived from a cryptographic operation by using an asymmetric algorithm and private key. When a symmetric algorithm is used for this purpose, the authenticator is typically referred to as a Message Authentication Code (MAC).

direct license acquisition: The process by which a web-enabled device requests a license directly from the license server over a network.

domain: A set of users and computers sharing a common namespace and management infrastructure. At least one computer member of the set must act as a domain controller (DC) and host a member list that identifies all members of the domain, as well as optionally hosting the Active Directory service. The domain controller provides authentication of members, creating a unit of trust for its members. Each domain has an identifier that is shared among its members. For more information, see [MS-AUTHSOD] section 1.1.1.5 and [MS-ADTS].

elliptic curve cryptography (ECC): A public-key cryptosystem that is based on high-order elliptic curves over finite fields. For more information, see [IEEE1363].

encryption: In cryptography, the process of obscuring information to make it unreadable without special knowledge.

error code: An integer that indicates success or failure. A zero value indicates success; a nonzero value indicates failure.

exchange: A pair of messages, consisting of a request and a response.

flags: A set of values used to configure or report options or settings.

Greenwich mean time (GMT): Time measured at the Greenwich Meridian Line at the Royal Observatory in Greenwich.

group: A named collection of users who share similar access permissions or roles.

Hash-based Message Authentication Code (HMAC): A mechanism for message authentication using cryptographic hash functions. HMAC can be used with any iterative cryptographic hash function (for example, MD5 and SHA-1) in combination with a secret shared key. The cryptographic strength of HMAC depends on the properties of the underlying hash function.

HRESULT: An integer value that indicates the result or status of an operation. A particular HRESULT can have different meanings depending on the protocol using it. See [MS-ERREF] section 2.1 and specific protocol documents for further details.

indirect license acquisition: The process of transferring a license between two local devices. For example, licenses are indirectly acquired from a computer to a mobile device such as a cell phone, smartphone, PDA, or portable media player.

key: In cryptography, a generic term used to refer to cryptographic data that is used to initialize a cryptographic algorithm. Keys are also sometimes referred to as keying material.

key exchange: A synonym for key establishment. The procedure that results in shared secret keying material among different parties. Key agreement and key transport are two forms of key exchange. For more information, see [CRYPTO] section 1.11, [SP800-56A] section 3.1, and [IEEE1363] section 3.

license synchronization: The process of requesting updates for licenses that have expired or become invalid. Once the device is connected to the indirect license acquisition host, the MTP protocol [MTP] is used to request a license synchronization challenge from the device.

Media Transfer Protocol (MTP): MTP is used to manage content on any portable device with storage. The primary purpose of MTP is to facilitate communication between devices that connect to a computer or other host, exchange data, and then disconnect for standalone use. A secondary purpose of MTP is to enable command and control of a connected device. This includes remote control of device functionality, monitoring of device-initiated events, and reading and setting of device properties. For more information, see [MTP].

message: A data structure representing a unit of data transfer between distributed applications. A message has message properties, which may include message header properties, a message body property, and message trailer properties.

negotiation: A series of exchanges. The successful outcome of a negotiation is the establishment of one or more security associations (SAs). For more information, see [RFC2408] section 2.

policy: The description of actions permitted for a specified set of content, and restrictions placed on those actions. Restrictions are described in the license associated with the content.

private key: One of a pair of keys used in public-key cryptography. The private key is kept secret and is used to decrypt data that has been encrypted with the corresponding public key. For an introduction to this concept, see [CRYPTO] section 1.8 and [IEEE1363] section 3.1.

protected content: (1) Any content or information, such as a file, Internet message, or other object type, to which a rights-management usage policy is assigned and that is encrypted according to that policy. See also Information Rights Management (IRM).

(2) Content for which usage is governed by policies specified in a license.

proxy: A computer, or the software that runs on it, that acts as a barrier between a network and the Internet by presenting only a single network address to external sites. By acting as a go-between that represents all internal computers, the proxy helps protect network identities while also providing access to the Internet.

public key: One of a pair of keys used in public-key cryptography. The public key is distributed freely and published as part of a digital certificate. For an introduction to this concept, see [CRYPTO] section 1.8 and [IEEE1363] section 3.1.

public key infrastructure (PKI): The laws, policies, standards, and software that regulate or manipulate certificates and public and private keys. In practice, it is a system of digital certificates, certificate authorities (CAs), and other registration authorities that verify and authenticate the validity of each party involved in an electronic transaction. For more information, see [X509] section 6.

public-private key pair: The association of a public key and its corresponding private key when used in cryptography. Also referred to simply as a "key pair". For an introduction to public-private key pairs, see [IEEE1363] section 3.

RC4: A variable key-length symmetric encryption algorithm. For more information, see [SCHNEIER] section 17.1.

removable media: Any type of storage that is not permanently attached to the computer. A persistent storage device stores its data on media. If the media can be removed from the device, the media is considered removable. For example, a floppy disk drive uses removable media.

revocation list: The list of identifiers of software or hardware components to which protected content cannot flow. Different content protection systems typically have different formats for representing revocation lists.

root certificate: A self-signed certificate that identifies the public key of a root certification authority (CA) and has been trusted to terminate a certificate chain.

secure clock server (SCS): Used to synchronize device times with the current global time using the secure clock protocol messages as specified in section 2.2.2.

Secure Sockets Layer (SSL): A security protocol that supports confidentiality and integrity of messages in client and server applications that communicate over open networks. SSL supports server and, optionally, client authentication using X.509 certificates [X509] and [RFC5280]. SSL is superseded by Transport Layer Security (TLS). TLS version 1.0 is based on SSL version 3.0 [SSL3].

service: A process or agent that is available on the network, offering resources or services for clients. Examples of services include file servers, web servers, and so on.

session key: A symmetric key that is derived from a master key and is used to encrypt or authenticate a specific media stream by using the Secure Real-Time Transport Protocol (SRTP) and Scale Secure Real-Time Transport Protocol (SSRTP).

SHA-1: An algorithm that generates a 160-bit hash value from an arbitrary amount of input data, as described in [RFC3174]. SHA-1 is used with the Digital Signature Algorithm (DSA) in the Digital Signature Standard (DSS), in addition to other algorithms and standards.

SHA-1 hash: A hashing algorithm as specified in [FIPS180-2] that was developed by the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA).

standard license: A stand-alone, self-contained license. A standard license is not updated by a leaf license.

symmetric key: A secret key used with a cryptographic symmetric algorithm. The key needs to be known to all communicating parties. For an introduction to this concept, see [CRYPTO] section 1.5.

time service: A system service that implements support for synchronizing a computer's local time with a time source.

time source: A component that possesses a clock and that makes the clock's time available to other components for synchronization. For more information, see "reference source" in [RFC1305].

transaction identifier (TID): A GUID that uniquely identifies a transaction between a portable device and a WMDRM service.

Uniform Resource Locator (URL): A string of characters in a standardized format that identifies a document or resource on the World Wide Web. The format is as specified in [RFC1738].

update: An add, modify, or delete of one or more objects or attribute values. See originating update, replicated update.

XML: The Extensible Markup Language, as described in [XML1.0].

XML Schema (XSD): A language that defines the elements, attributes, namespaces, and data types for XML documents as defined by [XMLSCHEMA1/2] and [XMLSCHEMA2/2] standards. An XML schema uses XML syntax for its language.

MAY, SHOULD, MUST, SHOULD NOT, MUST NOT: These terms (in all caps) are used as defined in [RFC2119]. All statements of optional behavior use either MAY, SHOULD, or SHOULD NOT.