2.2.9.9.3 ISSUEDPRINCIPALS

The ISSUEDPRINCIPALS element of the UL identifies the RAC to which this UL is issued. All rights in the UL are granted to this RAC. The principal element MUST be copied verbatim from the principal element in the ISSUEDPRINCIPALS element of the RAC.

The ISSUEDPRINCIPALS element MUST use the following template.

 <ISSUEDPRINCIPALS>
    <PRINCIPAL internal-id="1">
       <OBJECT type="Group-Identity">
          <ID type="[[- type -]]">[[- userid -]]</ID>
          [[- emailaddress -]]
          [[- emailalias -]]
       </OBJECT>
       [[- publickey -]]
    </PRINCIPAL>
 </ISSUEDPRINCIPALS>

[[- type -]]: MUST be the type of user account, determined by the authentication scheme. For a RAC issued by a server that has authenticated the user by an Active Directory account, the type MUST be "Windows". For a RAC issued by a server using Microsoft Web Browser Federated Sign-On authentication [MS-MWBF], the type MUST be "Federation". For a RAC issued by the RMS Account Certification cloud service using Passport authentication, the type is "Passport".

[[- userid -]]: MUST be the identity of the user. For a RAC issued to a user's Active Directory credentials, this MUST be the user's SID. For a RAC issued to a user's Microsoft Web Browser Federated Sign-On credentials, this MUST be a unique GUID. For a RAC issued to a user's Passport credentials, this MUST be the user's PUID.

[[- emailaddress -]]: MUST be a NAME element that contains the primary email address associated with the user's account.

[[- emailalias -]]: SHOULD contain an email alias for a Microsoft Web Browser Federated Sign-On authenticated user [MS-MWBF]. This element MAY exist for RACs of type "Federation". This element MUST NOT exist for RACs of type "Windows" or "Passport". If present, this MUST be an ADDRESS element of type "email_alias" containing an email address. There MAY be multiple ADDRESS elements as peers with one element for each email alias.

[[- publickey -]]: MUST contain the RAC public key. The exponent is set to 65537. The size MUST be the size of the RAC public key, in bits. The modulus MUST contain the modulus of the RAC public key.
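As an added illustration (not part of the specification), the following checker applies the rules above to an ISSUEDPRINCIPALS element: one PRINCIPAL, a Group-Identity OBJECT, an ID type restricted to Windows/Federation/Passport with a userid of the matching form, a NAME element, email_alias ADDRESS elements only for Federation, and a public exponent of 65537. The sample XML, the SID/GUID syntax tests and the PUBLICKEY/PARAMETER/VALUE layout are assumptions of this example; the section itself fixes only the exponent, size and modulus of the key.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample (not from the spec): a Federation principal with one alias.
# The PUBLICKEY layout below is an assumption of this example.
SAMPLE = """<ISSUEDPRINCIPALS>
  <PRINCIPAL internal-id="1">
    <OBJECT type="Group-Identity">
      <ID type="Federation">3f2504e0-4f89-11d3-9a0c-0305e82c3301</ID>
      <NAME>alice@example.com</NAME>
      <ADDRESS type="email_alias">alice.liddell@example.com</ADDRESS>
    </OBJECT>
    <PUBLICKEY><ALGORITHM>RSA</ALGORITHM>
      <PARAMETER name="public-exponent"><VALUE encoding="integer32">65537</VALUE></PARAMETER>
      <PARAMETER name="modulus"><VALUE encoding="base64" size="2048">AQAB</VALUE></PARAMETER>
    </PUBLICKEY>
  </PRINCIPAL>
</ISSUEDPRINCIPALS>"""

SID_RE = re.compile(r"^S-1-\d+(-\d+)+$")                       # Windows: account SID
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)  # Federation
ALLOWED = {"Windows": SID_RE, "Federation": GUID_RE, "Passport": re.compile(r"^\S+$")}

def check_issued_principals(xml_text):
    """Return the list of rule violations found (an empty list means it conforms)."""
    problems = []
    root = ET.fromstring(xml_text)
    principals = root.findall("PRINCIPAL")
    if root.tag != "ISSUEDPRINCIPALS" or len(principals) != 1:
        return ["expected exactly one PRINCIPAL under ISSUEDPRINCIPALS"]
    obj = principals[0].find("OBJECT")
    if obj is None or obj.get("type") != "Group-Identity":
        return ['OBJECT must have type="Group-Identity"']
    ident = obj.find("ID")
    acct_type = ident.get("type") if ident is not None else ""
    userid = (ident.text or "").strip() if ident is not None else ""
    if acct_type not in ALLOWED:
        problems.append("ID type must be Windows, Federation or Passport")
    elif not ALLOWED[acct_type].match(userid):
        problems.append(f"userid {userid!r} is not valid for type {acct_type}")
    if obj.find("NAME") is None:
        problems.append("NAME element with the primary email address is required")
    aliases = [a for a in obj.findall("ADDRESS") if a.get("type") == "email_alias"]
    if aliases and acct_type != "Federation":
        problems.append('ADDRESS type="email_alias" only allowed for Federation RACs')
    exp = principals[0].find("PUBLICKEY/PARAMETER[@name='public-exponent']/VALUE")
    if exp is None or (exp.text or "").strip() != "65537":
        problems.append("RAC public exponent must be 65537")
    return problems
```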