1.2 Glossary
This document uses the following terms:
Active Directory: The Windows implementation of a general-purpose directory service, which uses LDAP as its primary access protocol. Active Directory stores information about a variety of objects in the network such as user accounts, computer accounts, groups, and all related credential information used by Kerberos [MS-KILE]. Active Directory is either deployed as Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS), which are both described in [MS-ADOD]: Active Directory Protocols Overview.
bootstrapping: A process that RMS clients can use to self-activate.
certificate: As used in this document, certificates are expressed in [XRML] section 1.2.
certificate chain: A sequence of certificates, where each certificate in the sequence is signed by the subsequent certificate. The last certificate in the chain is normally a self-signed certificate.
client licensor certificate (CLC) chain: An XrML 1.2 certificate chain that contains an asymmetric signing key pair issued to a user account by an RMS publishing service and binds that user account to a specific computer. The CLC grants the role of a user who can publish protected content.
cloud service: A set of one or more publicly available services that Microsoft operates.
consumer: The user who uses protected content.
content key: The symmetric key used to encrypt content.
creator: The user who creates protected content.
forest: One or more domains that share a common schema and trust each other transitively. An organization can have multiple forests. A forest establishes the security and administrative boundary for all the objects that reside within the domains that belong to the forest. In contrast, a domain establishes the administrative boundary for managing objects, such as users, groups, and computers. In addition, each domain has individual security policies and trust relationships with other domains.
globally unique identifier (GUID): A term used interchangeably with universally unique identifier (UUID) in Microsoft protocol technical documents (TDs). Interchanging the usage of these terms does not imply or require a specific algorithm or mechanism to generate the value. Specifically, the use of this term does not imply or require that the algorithms described in [RFC4122] or [C706] must be used for generating the GUID. See also universally unique identifier (UUID).
license: An XrML1.2 document that describes usage policy for protected content.
NT LAN Manager (NTLM) Authentication Protocol: A protocol using a challenge-response mechanism for authentication in which clients are able to verify their identities without sending a password to the server. It consists of three messages, commonly referred to as Type 1 (negotiation), Type 2 (challenge) and Type 3 (authentication).
offline publishing: The process of creating protected content and signing the associated publishing license using a previously acquired CLC.
online publishing: The process of creating protected content and contacting a server to have the publishing license signed.
policy: The set of rules that govern the interaction between a subject and an object or resource.
publishing license: An XrML 1.2 license that defines the usage policy for protected content and contains the content key with which that content is encrypted. The usage policy identifies all authorized users and the actions that they are authorized to take with the content, in addition to any usage conditions. The publishing license tells a server which usage policies apply to a specific piece of content and grants a server the right to issue use licenses (ULs) based on that policy. The publishing license is created when content is protected. Also referred to as "Issuance License (IL)."
publishing license (PL): An XrML 1.2 license that defines usage policy for protected content and contains the content key with which that content is encrypted. The usage policy identifies all authorized users and the actions they are authorized to take with the content, along with any conditions on that usage. The publishing license tells the server what usage policies apply to a given piece of content and grants the server the right to issue use licenses (ULs) based on that policy. The PL is created when content is protected. Also known as an Issuance License (IL).
rights policy template: An XrML 1.2 document that contains a predefined usage policy that is used to create the PL when content is protected. Conceptually, a rights policy template (or "template") is a blueprint for a PL, identifying authorized users and the actions they are authorized to take with the content (along with any conditions on that usage). Unlike a PL, a template does not contain a content key or information about the content owner. The content key and information about the content owner are required to be added when the PL for a given piece is created from the template. End users can use a template when protecting a document instead of defining the specifics of the usage policy themselves. When a document is published using a template, the template is used to generate the PL.
RMS account certificate (RAC): An XrML 1.2 certificate chain that contains an asymmetric encryption key pair that is issued to a user account by an RMS Certification Service. The RAC binds that user account to a specific computer. The RAC represents the identity of a user who can access protected content. Also known as a Group Identity Certificate (GIC).
security processor certificate (SPC): An XrML 1.2 certificate chain generated during activation that contains the public key corresponding to the SPC private key. The SPC grants the role of a machine that can be used for working with protected content.
security processor certificate (SPC) private key: A unique private key that is generated at activation time and issued to the machine, either by self-activation or by calling the Activate method.
server licensor certificate (SLC): An XrML 1.2 certificate that contains a public key issued to an RMS server by an RMS cloud service (RMS 1.0, RMS 1.0 SP1, and RMS 1.0 SP2) or Self Enrollment (RMS 2.0). The RMS client uses the RMS server's public key to encrypt the usage policy and content key in a publish license.
service connection point (SCP): An object stored in Active Directory that specifies the location of an RMS server.
use license (UL): An XrML 1.2 license that authorizes a user to access a given protected content file and describes the usage policies that apply. Also known as an "End-User License (EUL)".