2.2.9.5 RMS Account Certificate

This section defines the format of the RAC. The server generates the RAC when it responds to a successful Certify request.

The RAC MUST use the following template.

 <XrML xmlns="" version="1.2">
    <BODY type="LICENSE" version="3.0">
       [[- issuedtime -]]
       [[- validitytime -]]
       [[- descriptor -]]
       [[- issuer -]]
       [[- distributionpoint-int -]]
       [[- distributionpoint-ext -]]
       [[- issuedprincipals -]]
       [[- federationprincipals -]]
    </BODY>
    [[- signature -]]
 </XrML>
  

[[- issuedtime -]]: MUST be an ISSUEDTIME (section 2.2.9.1.1) element containing the time the RAC was generated, in UTC.

[[- validitytime -]]: SHOULD be a VALIDITYTIME (section 2.2.9.1.2) element describing the period of validity for the RAC, in UTC.

[[- descriptor -]]: MUST be a DESCRIPTOR (section 2.2.9.5.1) element describing the RAC.

[[- issuer -]]: MUST be an ISSUER (section 2.2.9.5.2) element describing the issuer of the RAC.

[[- distributionpoint-int -]]: SHOULD be a DISTRIBUTIONPOINT (section 2.2.9.5.3) element containing the intranet URL address of the server that issued the RAC.

[[- distributionpoint-ext -]]: SHOULD be a DISTRIBUTIONPOINT (section 2.2.9.5.3) element containing the external URL address of the server that issued the RAC.

[[- issuedprincipals -]]: MUST be an ISSUEDPRINCIPALS (section 2.2.9.5.4) element describing the principal and the RAC public key.

[[- federationprincipals -]]: MUST be a FEDERATIONPRINCIPALS (section 2.2.9.5.5) element that issues the RAC private key to the user account.

[[- signature -]]: MUST be a SIGNATURE element containing the cryptographic signature of the body of the certificate, generated by the issuer of the certificate. The hash MUST be the hash of the body. The signature MUST be the hash encrypted with the issuer's private key. The key length MUST be the length of the issuer's private key, which MUST match the length of the issuer's public key.
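The following is an added example, not part of the specification: a structural pre-check that a relying implementation could run on a received RAC before it attempts signature verification, reporting missing MUST elements as errors and missing SHOULD elements as warnings. The function name, the occurrence limits and the ordering check are assumptions drawn from reading the template above; the sample RAC is constructed, with empty placeholder children.

```python
import xml.etree.ElementTree as ET

# BODY children in template order: (tag, requirement level, max occurrences).
# The limits are an assumption read off the template, not stated by the spec.
BODY_TEMPLATE = [
    ("ISSUEDTIME", "MUST", 1),
    ("VALIDITYTIME", "SHOULD", 1),
    ("DESCRIPTOR", "MUST", 1),
    ("ISSUER", "MUST", 1),
    ("DISTRIBUTIONPOINT", "SHOULD", 2),  # intranet and external URL
    ("ISSUEDPRINCIPALS", "MUST", 1),
    ("FEDERATIONPRINCIPALS", "MUST", 1),
]

def check_rac_structure(xml_text):
    """Return (errors, warnings) for a RAC compared against the template."""
    errors, warnings = [], []
    root = ET.fromstring(xml_text)
    if root.tag != "XrML" or root.get("version") != "1.2":
        errors.append('root must be <XrML version="1.2">')
    kids = [c.tag for c in root]
    if kids != ["BODY", "SIGNATURE"]:  # SIGNATURE is a sibling of BODY
        errors.append("XrML must contain BODY then SIGNATURE, got %s" % kids)
    body = root.find("BODY")
    if body is None:
        return errors, warnings
    if body.get("type") != "LICENSE" or body.get("version") != "3.0":
        errors.append("BODY must have type=LICENSE version=3.0")
    tags = [c.tag for c in body]
    order = [t for t, _, _ in BODY_TEMPLATE]
    for tag, level, limit in BODY_TEMPLATE:
        n = tags.count(tag)
        if n == 0:
            bucket = errors if level == "MUST" else warnings
            bucket.append("%s %s missing" % (level, tag))
        elif n > limit:
            errors.append("%s appears %d times (max %d)" % (tag, n, limit))
    unknown = [t for t in tags if t not in order]
    if unknown:
        errors.append("unexpected BODY children: %s" % unknown)
    known = [order.index(t) for t in tags if t in order]
    if known != sorted(known):
        errors.append("BODY children are not in template order")
    return errors, warnings

# Constructed sample: empty placeholder children, no real certificate data.
SAMPLE_RAC = """<XrML xmlns="" version="1.2"><BODY type="LICENSE" version="3.0">
<ISSUEDTIME/><DESCRIPTOR/><ISSUER/><DISTRIBUTIONPOINT/><DISTRIBUTIONPOINT/>
<ISSUEDPRINCIPALS/><FEDERATIONPRINCIPALS/></BODY><SIGNATURE/></XrML>"""
```

A clean result here says only that the document has the expected shape; trust in the RAC still depends on verifying the SIGNATURE over the body with the issuer's public key.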