2.2.9.8 Encrypted Rights Data

The contents of the PL's AUTHENTICATEDDATA element having an ID of "Encrypted-Rights-Data" MUST be an XrML document, as defined in [XRML], referred to as Encrypted Rights Data (ERD). The ERD is XrML that defines the rights the author grants. It is encrypted for privacy protection and then base64-encoded. For a PL based on an official rights template, the contents of the ERD are copied verbatim from the rights template. The plaintext ERD MUST use the following template.

 <XrML xmlns="" version="1.2">
    <BODY type="[[- erdtype -]]" >
       [[- issuedtime -]]
       [[- descriptor -]]
       [[- issuer -]]
       [[- distributionpoint-pub -]]
       [[- distributionpoint-ref -]]
       [[- work -]]
       [[- authenticateddata -]]
       [[- exclusionpolicy -]]
       [[- inclusionpolicy -]]
    </BODY>
    [[- signature -]]
 </XrML>

[[- erdtype -]]: MUST be the type of ERD. If the ERD was generated based on an enterprise rights template, then this value MUST be "Microsoft Official Rights Template". Otherwise this value MUST be "Microsoft Rights Template".

[[- issuedtime -]]: MUST be an ISSUEDTIME (section 2.2.9.1.1) element containing the time the ERD was generated, in UTC.

[[- descriptor -]]: If present, MUST be a DESCRIPTOR (section 2.2.9.8.1) element describing the ERD.

[[- issuer -]]: MUST be  present for an official rights template and MUST be an ISSUER (section 2.2.9.8.2) element describing the issuer of the ERD. The ISSUER SHOULD NOT be present if the [[- erdtype -]] is "Microsoft Rights Template".

[[- distributionpoint-pub -]]: MUST be present for an official rights template and MUST be a DISTRIBUTIONPOINT (section 2.2.9.8.3) element containing the URL address of the server that issues ULs for this ERD.

[[- distributionpoint-ref -]]: An optional element containing the author's referral information. If present, MUST be a DISTRIBUTIONPOINT (section 2.2.9.8.3) element of type "Referral-Info".

[[- work -]]: A WORK element as specified in section 2.2.9.8.5. Contains a unique GUID for the certificate and at least one RIGHT element. Can also include metadata specifying the owner of the PL and a list of time conditions on the usage policy.

[[- authenticateddata -]]: MAY be one or more AUTHENTICATEDDATA elements as defined in section 2.2.9.8.6.

[[- exclusionpolicy -]]: MAY be a POLICYLIST (section 2.2.9.7.7) element in a signed PL with type "exclusion" that identifies an exclusion policy list that applies to the PL and the information the PL protects.

[[- inclusionpolicy -]]: MAY be a POLICYLIST (section 2.2.9.7.7) element in a signed PL with type "inclusion" that identifies an inclusion policy list that applies to the PL and the information the PL protects.

[[- signature -]]: MUST only be present for an official rights template. MUST be a SIGNATURE (section 2.2.9.1.12) element containing the cryptographic signature of the body of the certificate, generated by the issuer of the certificate. The hash MUST be a hash of the body. The signature MUST be the hash encrypted with the issuer's private key. The key length MUST be the length of the issuer's private key, which MUST match the length of the issuer's public key.