2.2.9.6.4 ISSUEDPRINCIPALS

The ISSUEDPRINCIPALS element of the CLC issues the CLC public key to the user account.

The ISSUEDPRINCIPALS element MUST use the following template.

 <ISSUEDPRINCIPALS>
    <PRINCIPAL internal-id="1">
       <OBJECT type="Group-Identity">
          <ID type="[[- type -]]">
             [[- userid -]]
          </ID> 
          [[- emailaddress -]]
          [[- emailalias -]]
       </OBJECT>
       [[- publickey -]] 
    </PRINCIPAL>
 </ISSUEDPRINCIPALS>

[[- type -]]: MUST be the type of user account, as determined by the authentication scheme. MUST be copied verbatim from the principal element in the ISSUEDPRINCIPALS element of the RAC.

[[- userid -]]: MUST be the identifier of the user. MUST be copied verbatim from the principal element in the ISSUEDPRINCIPALS element of the RAC.

[[- emailaddress -]]: MUST be a NAME element that contains the primary email address associated with the user's account.

[[- emailalias -]]: SHOULD contain an email alias for a Microsoft Web Browser Federated Sign-On authenticated user [MS-MWBF]. MAY exist for CLCs issued to RACs of type "Federation". MUST NOT exist for CLCs issued to RACs of type "Windows" or "Passport". If present, this MUST be an ADDRESS element of type "email_alias" containing an email address. Multiple elements can be peers with one element for each email alias. MUST be copied verbatim from the principal element in the ISSUEDPRINCIPALS element of the RAC.

[[- publickey -]]: MUST contain the CLC public key. The exponent MUST be set to 65537. The size attribute of the VALUE element MUST be set to the size of the CLC public key. The modulus MUST contain the modulus of the CLC public key.
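The identity rules above can be checked mechanically when auditing an issued CLC against the RAC it was issued to. The following is an added example, not part of the specification; its function names are hypothetical, and it assumes the RAC's ISSUEDPRINCIPALS uses the same OBJECT/ID/NAME/ADDRESS layout and that the ID type attribute carries the RAC type ("Windows", "Passport" or "Federation"). The public key is not checked because the PUBLICKEY layout is not shown in this section.

```python
import xml.etree.ElementTree as ET  # for untrusted input, prefer a hardened parser

NO_ALIAS_TYPES = {"Windows", "Passport"}  # RAC types whose CLC MUST NOT carry aliases

def parse_identity(xml_text):
    """Return (type, userid, names, aliases) from an ISSUEDPRINCIPALS element."""
    obj = ET.fromstring(xml_text).find("./PRINCIPAL/OBJECT")
    if obj is None or obj.find("ID") is None:
        raise ValueError("ISSUEDPRINCIPALS lacks PRINCIPAL/OBJECT/ID")
    id_el = obj.find("ID")
    # Assumption: whitespace around the ID text is template layout, not identity.
    userid = (id_el.text or "").strip()
    names = [(n.text or "").strip() for n in obj.findall("NAME")]
    aliases = [(a.text or "").strip() for a in obj.findall("ADDRESS")
               if a.get("type") == "email_alias"]
    return id_el.get("type"), userid, names, aliases

def check_clc_principal(clc_xml, rac_xml):
    """List violations of the ISSUEDPRINCIPALS rules for a CLC issued to a RAC."""
    c_type, c_id, c_names, c_aliases = parse_identity(clc_xml)
    r_type, r_id, _, r_aliases = parse_identity(rac_xml)
    problems = []
    if c_type != r_type:
        problems.append(f"ID type {c_type!r} differs from RAC {r_type!r}")
    if c_id != r_id:
        problems.append("userid differs from RAC")
    if not any(c_names):
        problems.append("no NAME element with the primary email address")
    if r_type in NO_ALIAS_TYPES and c_aliases:
        problems.append(f"email_alias present for RAC type {r_type!r}")
    elif any(a not in r_aliases for a in c_aliases):
        problems.append("email_alias not copied from RAC")
    return problems

def make_principal(id_type, userid, name, aliases=()):
    """Build a constructed ISSUEDPRINCIPALS sample (public key omitted)."""
    addr = "".join(f'<ADDRESS type="email_alias">{a}</ADDRESS>' for a in aliases)
    return (f'<ISSUEDPRINCIPALS><PRINCIPAL internal-id="1">'
            f'<OBJECT type="Group-Identity"><ID type="{id_type}">{userid}</ID>'
            f'<NAME>{name}</NAME>{addr}</OBJECT></PRINCIPAL></ISSUEDPRINCIPALS>')

# Constructed sample data: a Windows RAC, a matching CLC, and a CLC breaking two rules.
RAC = make_principal("Windows", "S-1-5-21-1111-2222-3333-1001", "alice@example.test")
GOOD_CLC = RAC
BAD_CLC = make_principal("Federation", "S-1-5-21-1111-2222-3333-1001",
                         "alice@example.test", ["a.smith@example.test"])

if __name__ == "__main__":
    print(check_clc_principal(GOOD_CLC, RAC))
    print(check_clc_principal(BAD_CLC, RAC))
```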