3.2.1 Abstract Data Model

This section describes a conceptual model of possible data organization that an implementation maintains to participate in this protocol. The described organization is provided to facilitate the explanation of how the protocol behaves. This document does not mandate that implementations adhere to this model as long as their external behavior is consistent with that described in this document.

Group Key cache: The client SHOULD cache group keys corresponding to one or more security descriptors. For every combination of Active Directory domain and security descriptor, the cache contains zero or more of the following:

Group public key: The most recent public key retrieved for this domain and security descriptor, along with its root key identifier and group key identifier. There is never more than one group public key in the cache for any combination of domain and security descriptor. Also, there can never be a group public key in the cache with the same set of domain, security descriptor, root key identifier, and L0 index values as a group seed key in the cache, unless the group public key has a newer group key identifier.

Group seed keys: Each group seed key object consists of one or more of the following. There is never more than one group seed key object for a given combination of domain, security descriptor, root key identifier, and L0 index.

  • L1 seed key: The most recent L1 seed key retrieved from this domain for this security descriptor, together with its group key identifier.

  • L2 seed key: The most recent L2 seed key retrieved from this domain for this security descriptor, together with its group key identifier.

  Note: Each group public key and group seed key also carries a Boolean attribute that records whether the key was the current key at the time it was retrieved.
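The cache described above is easiest to understand as a small data structure whose two dictionaries enforce the "never more than one" rules by construction, and whose store operations enforce the rule that a group public key must not coexist with a group seed key for the same domain, security descriptor, root key identifier and L0 index unless the public key is newer. The following is an added illustration, not code from the protocol specification or from any implementation; it assumes a group key identifier can be modelled as the (L0, L1, L2) index triple with lexicographically larger triples being newer, and the domain and security descriptor values used in the usage section are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumption (not stated in this section): a group key identifier is modelled as
# the (L0, L1, L2) index triple, and a lexicographically larger triple is "newer".
GroupKeyId = Tuple[int, int, int]
CacheKey = Tuple[str, bytes]            # (domain, security descriptor)
SeedKeyKey = Tuple[str, bytes, str, int]  # (domain, sd, root key id, L0 index)


@dataclass
class GroupPublicKey:
    root_key_id: str   # root key identifier the key descends from
    gkid: GroupKeyId   # group key identifier
    key: bytes         # public key material (opaque here)
    is_current: bool   # was this the current key at retrieval time?


@dataclass
class SeedKeyEntry:
    gkid: GroupKeyId   # group key identifier of this L1 or L2 seed key
    key: bytes         # seed key material (opaque here)
    is_current: bool   # was this the current key at retrieval time?


@dataclass
class GroupSeedKeys:
    """One object per (domain, sd, root key id, L0 index); holds L1 and/or L2."""
    l1: Optional[SeedKeyEntry] = None
    l2: Optional[SeedKeyEntry] = None

    def newest_gkid(self) -> GroupKeyId:
        # At least one of l1/l2 is always set once the object is in the cache.
        return max(e.gkid for e in (self.l1, self.l2) if e is not None)


class GroupKeyCache:
    """Group Key cache with the invariants of the abstract data model."""

    def __init__(self) -> None:
        # Dict keys guarantee at most one public key per (domain, sd) and at
        # most one seed key object per (domain, sd, root key id, L0 index).
        self.public: Dict[CacheKey, GroupPublicKey] = {}
        self.seeds: Dict[SeedKeyKey, GroupSeedKeys] = {}

    def put_public_key(self, domain: str, sd: bytes, entry: GroupPublicKey) -> bool:
        """Make `entry` the single cached public key for (domain, sd).

        Refused (cache unchanged) when a cached seed key object for the same
        domain, sd, root key id and L0 index already holds a key at least as
        new, since caching the public key alongside it would break the rule
        that such a public key must carry a newer group key identifier."""
        seeds = self.seeds.get((domain, sd, entry.root_key_id, entry.gkid[0]))
        if seeds is not None and entry.gkid <= seeds.newest_gkid():
            return False
        self.public[(domain, sd)] = entry  # the most recently retrieved key wins
        return True

    def put_seed_key(self, domain: str, sd: bytes, root_key_id: str,
                     level: int, entry: SeedKeyEntry) -> None:
        """Store an L1 (level 1) or L2 (level 2) seed key, replacing the
        previous one of that level for the same root key id and L0 index."""
        l0 = entry.gkid[0]
        obj = self.seeds.setdefault((domain, sd, root_key_id, l0), GroupSeedKeys())
        if level == 1:
            obj.l1 = entry
        elif level == 2:
            obj.l2 = entry
        else:
            raise ValueError("level must be 1 or 2")
        # Evict a cached public key that this seed key object now supersedes.
        pub = self.public.get((domain, sd))
        if (pub is not None and pub.root_key_id == root_key_id
                and pub.gkid[0] == l0 and pub.gkid <= obj.newest_gkid()):
            del self.public[(domain, sd)]

    def check_invariants(self) -> bool:
        """True when no public key coexists with a seed key object for the
        same domain, sd, root key id and L0 index unless the public key is newer."""
        for (domain, sd), pub in self.public.items():
            seeds = self.seeds.get((domain, sd, pub.root_key_id, pub.gkid[0]))
            if seeds is not None and pub.gkid <= seeds.newest_gkid():
                return False
        return True


if __name__ == "__main__":
    # Constructed sample values; "corp.example" and the sd bytes are placeholders.
    cache = GroupKeyCache()
    domain, sd = "corp.example", b"constructed-security-descriptor"
    cache.put_seed_key(domain, sd, "root-A", 1, SeedKeyEntry((360, 5, 0), b"\x11" * 64, True))
    print(cache.put_public_key(domain, sd, GroupPublicKey("root-A", (360, 4, 9), b"pk", True)))
    print(cache.put_public_key(domain, sd, GroupPublicKey("root-A", (360, 5, 17), b"pk", True)))
    print(cache.check_invariants())
```

The first `put_public_key` call is refused because the cached L1 seed key for the same root key and L0 index is at least as new; the second is accepted because its group key identifier is newer. A seed key retrieved later evicts an older cached public key for the same root key and L0 index, which is the only way the cache can honour the invariant without discarding the more valuable seed key.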