2.2.9.5.4 ISSUEDPRINCIPALS

The ISSUEDPRINCIPALS element of the RAC issues the RAC public key to the user account.

The ISSUEDPRINCIPALS element MUST use the following template.

 <ISSUEDPRINCIPALS>
    <PRINCIPAL internal-id="1">
       <OBJECT type="Group-Identity">
          <ID type="[[- type -]]">
             [[- userid -]]
          </ID>
          [[- emailaddress -]]
          [[- emailalias -]]
       </OBJECT>
       [[- publickey -]]
       [[- RACtype -]]
       <SECURITYLEVEL name="Group-Identity-Type"
          value="Group" />
       <SECURITYLEVEL name="Group-Identity-Policy"
          value="Group-Identity-Credential" />
    </PRINCIPAL>
 </ISSUEDPRINCIPALS>

[[- type -]]: MUST be the type of user account, determined by the authentication scheme. There are three types of authentication: "Windows", "Federation", and "Passport". For a RAC issued by a server that has authenticated the user by an Active Directory account, the type MUST be "Windows". For a RAC issued by a server using the Microsoft Web Browser Federated Sign-On Authentication Protocol [MS-MWBF], the type MUST be "Federation".<17>

[[- userid -]]: MUST be the identifier of the user. For a RAC issued to a user's Active Directory credentials, this MUST be the user's security identifier (SID). For a RAC issued to a user's MWBF credentials, this MUST be a unique GUID. For a RAC issued to a user's Passport credentials, this MUST be the user's Passport Unique ID (PUID).

[[- emailaddress -]]: A NAME element that MUST contain the primary email address associated with the user's account.

[[- emailalias -]]: SHOULD contain an email alias for a Microsoft Web Browser Federated Sign-On Authentication Protocol [MS-MWBF] authenticated user. This is used for RACs of type "Federation" but not for RACs of type "Windows" or "Passport". If present, this MUST be an ADDRESS element of type "email_alias" containing an email address. Multiple ADDRESS elements MAY appear as peers, one element for each email alias.

[[- publickey -]]: MUST contain the RAC public key. The exponent MUST be set to 65537. The size attribute of the VALUE element MUST be set to the size of the RAC public key. The modulus MUST contain the modulus of the RAC public key.

[[- RACtype -]]: MUST describe whether the RAC is considered persistent or temporary. The difference between persistent and temporary RACs is the validity time. The validity time of persistent and temporary RACs is implementation-specific.<18> This is a SECURITYLEVEL element with the name "Group-Identity-Credential-Type" and a value of either "Persistent" or "Temporary".
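As an added example that is not part of the specification, the following Python function checks a received ISSUEDPRINCIPALS fragment against the placeholder rules above (ID type and identifier shape, NAME present, email_alias only for Federation, exponent 65537, modulus size attribute, and the three SECURITYLEVEL values). The PUBLICKEY/PARAMETER/VALUE layout used for [[- publickey -]], the numeric form assumed for a PUID, and the sample values are constructed assumptions for this example.

```python
# Added example, not from the specification: check a RAC ISSUEDPRINCIPALS fragment.
import re
import xml.etree.ElementTree as ET
# Constructed sample. The PUBLICKEY layout (PARAMETER/VALUE children) is assumed.
SAMPLE = """<ISSUEDPRINCIPALS>
 <PRINCIPAL internal-id="1">
  <OBJECT type="Group-Identity">
   <ID type="Windows">S-1-5-21-1111-2222-3333-1001</ID>
   <NAME>alice@example.com</NAME>
  </OBJECT>
  <PUBLICKEY>
   <PARAMETER name="public-exponent"><VALUE encoding="integer32">65537</VALUE></PARAMETER>
   <PARAMETER name="modulus"><VALUE encoding="base64" size="1024">AAAA</VALUE></PARAMETER>
  </PUBLICKEY>
  <SECURITYLEVEL name="Group-Identity-Credential-Type" value="Persistent"/>
  <SECURITYLEVEL name="Group-Identity-Type" value="Group"/>
  <SECURITYLEVEL name="Group-Identity-Policy" value="Group-Identity-Credential"/>
 </PRINCIPAL>
</ISSUEDPRINCIPALS>"""
# Expected shape of [[- userid -]] per [[- type -]] (Passport PUID assumed numeric).
ID_SHAPE = {"Windows": re.compile(r"^S-1-\d+(-\d+)+$"),
            "Federation": re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I),
            "Passport": re.compile(r"^\d+$")}

def check_issued_principals(xml_text):
    errs = []  # empty list means the fragment satisfies every rule checked here
    p = ET.fromstring(xml_text).find("PRINCIPAL")
    obj = p.find("OBJECT")
    idel = obj.find("ID")
    t = idel.get("type")
    if t not in ID_SHAPE:
        errs.append(f"unknown ID type {t!r}")
    elif not ID_SHAPE[t].match((idel.text or "").strip()):
        errs.append(f"userid does not look like a {t} identifier")
    if obj.find("NAME") is None:
        errs.append("missing NAME element (primary email address)")
    if t != "Federation" and obj.find("ADDRESS[@type='email_alias']") is not None:
        errs.append("email_alias ADDRESS is only used for Federation RACs")
    exp = p.find("PUBLICKEY/PARAMETER[@name='public-exponent']/VALUE")
    if exp is None or (exp.text or "").strip() != "65537":
        errs.append("RAC public exponent must be 65537")
    mod = p.find("PUBLICKEY/PARAMETER[@name='modulus']/VALUE")
    if mod is None or not mod.get("size"):
        errs.append("modulus VALUE must carry the size attribute")
    lv = {e.get("name"): e.get("value") for e in p.findall("SECURITYLEVEL")}
    if lv.get("Group-Identity-Credential-Type") not in ("Persistent", "Temporary"):
        errs.append("Group-Identity-Credential-Type must be Persistent or Temporary")
    if (lv.get("Group-Identity-Type"), lv.get("Group-Identity-Policy")) != ("Group", "Group-Identity-Credential"):
        errs.append("fixed SECURITYLEVEL values do not match the template")
    return errs
```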