2.2.9.6 Client Licensor Certificate

This section defines the format of the CLC. The server generates the CLC when it responds to a successful GetClientLicensorCert request.

The CLC MUST use the following template.

 <XrML xmlns="" version="1.2">
    <BODY type="LICENSE" version="3.0">
       [[- issuedtime -]]
       [[- descriptor -]]
       [[- issuer -]]
       [[- distributionpoint-int -]]
       [[- distributionpoint-ext -]]
       [[- issuedprincipals -]]
       <WORK>
          [[- workobject -]]
          <RIGHTSGROUP name="Main-Rights">
             <RIGHTSLIST>
                <RIGHT name="ISSUE">
                   <CONDITIONLIST>
                      <TIME>
                         [[- rangetime -]]
                      </TIME>
                      <ACCESS>
                         <PRINCIPAL internal-id="1">
                            [[- enablingbits -]]
                         </PRINCIPAL>
                      </ACCESS>
                   </CONDITIONLIST>
                </RIGHT>
             </RIGHTSLIST>
          </RIGHTSGROUP>
       </WORK>
    </BODY>
    [[- signature -]]
 </XrML>

[[- issuedtime -]]: MUST be an ISSUEDTIME (section 2.2.9.1.1) element containing the time the CLC was generated, in UTC.

[[- descriptor -]]: MUST be a DESCRIPTOR (section 2.2.9.6.1) element describing the CLC.

[[- issuer -]]: MUST be an ISSUER (section 2.2.9.6.2) element describing the issuer of the CLC.

[[- distributionpoint-int -]]: MUST be a DISTRIBUTIONPOINT (section 2.2.9.6.3) element containing the intranet URL address of the server that issued the CLC. The server at this address will issue ULs from content that is published using this CLC.

[[- distributionpoint-ext -]]: SHOULD be a DISTRIBUTIONPOINT (section 2.2.9.6.3) element containing the external URL address of the server that issued the CLC; this element is optional. The server at this address will issue ULs from content that is published using this CLC.

[[- issuedprincipals -]]: MUST be an ISSUEDPRINCIPALS (section 2.2.9.6.4) element describing the principal and the CLC public key.

[[- workobject -]]: MUST be an object element that identifies the certificate. It is copied verbatim from the object in the DESCRIPTOR (section 2.2.9.6.1), including the same GUID.

[[- rangetime -]]: MUST be a RANGETIME (section 2.2.9.1.3) element describing the period during which the certificate can be used for issuance.

[[- enablingbits -]]: MUST be the CLC private key encrypted with the RAC public key, contained within an ENABLINGBITS (section 2.2.9.1.13) element.

[[- signature -]]: MUST be a SIGNATURE (section 2.2.9.1.12) element containing the cryptographic signature of the body of the certificate, generated by the issuer of the certificate. The hash MUST be the hash of the BODY. The signature MUST be the hash encrypted with the issuer's private key. The key length MUST be the length of the issuer's private key, which MUST match the length of the issuer's public key.
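
The following structural check is an added example, not part of the specification: it tests a received CLC against the template above (required elements, the fixed attribute values, and the rule that the WORK object matches the DESCRIPTOR object) and does not verify the signature. The sample certificate is constructed; the OBJECT and ID element names and all inner content are assumptions standing in for the structures defined in the referenced sections.

```python
import xml.etree.ElementTree as ET

# Constructed sample: outer element names follow the template; inner content is placeholder.
def sample_clc(work_id="constructed-guid-1", with_sig=True):
    return f"""<XrML xmlns="" version="1.2">
 <BODY type="LICENSE" version="3.0">
  <ISSUEDTIME>2024-01-01T00:00</ISSUEDTIME>
  <DESCRIPTOR><OBJECT><ID>constructed-guid-1</ID></OBJECT></DESCRIPTOR>
  <ISSUER/><DISTRIBUTIONPOINT/><ISSUEDPRINCIPALS/>
  <WORK><OBJECT><ID>{work_id}</ID></OBJECT>
   <RIGHTSGROUP name="Main-Rights"><RIGHTSLIST><RIGHT name="ISSUE"><CONDITIONLIST>
    <TIME><RANGETIME/></TIME>
    <ACCESS><PRINCIPAL internal-id="1"><ENABLINGBITS/></PRINCIPAL></ACCESS>
   </CONDITIONLIST></RIGHT></RIGHTSLIST></RIGHTSGROUP>
  </WORK>
 </BODY>{'<SIGNATURE/>' if with_sig else ''}
</XrML>"""

# Paths are relative to BODY and mirror the nesting of the template.
COND = "WORK/RIGHTSGROUP[@name='Main-Rights']/RIGHTSLIST/RIGHT[@name='ISSUE']/CONDITIONLIST"
REQUIRED = ["ISSUEDTIME", "DESCRIPTOR/OBJECT", "ISSUER", "DISTRIBUTIONPOINT",
            "ISSUEDPRINCIPALS", "WORK/OBJECT", COND + "/TIME/RANGETIME",
            COND + "/ACCESS/PRINCIPAL[@internal-id='1']/ENABLINGBITS"]

def canon(el):
    # Canonical form, so layout whitespace does not affect the comparison.
    return ET.canonicalize(ET.tostring(el, encoding="unicode"), strip_text=True)

def check_clc(xml_text):
    """Return a list of structural problems; an empty list means the shape matches."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.tag != "XrML" or root.get("version") != "1.2":
        problems.append("root is not XrML version 1.2")
    body = root.find("BODY")
    if body is None or body.get("type") != "LICENSE" or body.get("version") != "3.0":
        return problems + ["BODY type=LICENSE version=3.0 missing"]
    problems += [f"missing {p}" for p in REQUIRED if body.find(p) is None]
    if len(body.findall("DISTRIBUTIONPOINT")) > 2:  # intranet plus optional external
        problems.append("more than two DISTRIBUTIONPOINT elements")
    d, w = body.find("DESCRIPTOR/OBJECT"), body.find("WORK/OBJECT")
    if d is not None and w is not None and canon(d) != canon(w):
        problems.append("WORK object differs from DESCRIPTOR object")
    if root.find("SIGNATURE") is None:
        problems.append("missing SIGNATURE")
    return problems
```

A CLC that passes this check is only well-formed; trusting it still requires validating the SIGNATURE over the BODY against the issuer's public key.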