3.8.4.1 Client Bootstrapping

Client bootstrapping is required before offline publishing or licensing can take place. It is not a prerequisite for online publishing.

The client MUST activate as a first step in bootstrapping. Activation is the process of certifying a given client machine for use in the RMS system. This is accomplished by binding an encryption key pair to the machine by way of the security processor and its SPC. Version 1.0 clients MUST make an Activate (section 3.2.4.1) request to the server to activate. All other versions of the client, including RMS 1.0 SP1, RMS 1.0 SP2, and RMS 2.0, activate themselves without contacting a server. The client generates its own security processor key pair and saves the private key in the SPC private key ADM element. The client then generates an SPC signed by the Trusted SPC Issuer private key. The client also creates an SPC Chain by appending the Trusted SPC Issuer chain to the SPC and saves the result as the SPC Chain ADM element.

The user MUST be certified to participate in the RMS system. This is accomplished by binding an encryption key pair to both the user and the client machine by way of a RAC. The user MUST have a RAC to access protected content or to publish protected content offline. The client uses the Certify (section 3.3.4.1) method to acquire a RAC.

To publish offline, the user MUST have a signing key pair. The CLC binds a signing key pair to a user through the RAC. A user MUST have a CLC to create protected content offline. The client uses the FindServiceLocationsForUser (section 3.7.4.2) method to find the licensing server for the user and the GetClientLicensorCert (section 3.5.4.2) method to acquire a CLC from that server.
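The self-activation step of the bootstrapping sequence above, modelled in Go as an added example that is not part of this specification or of any RMS implementation: it assumes Ed25519 keys and a simplified `Cert` struct in place of the XrML SPC, treats the Trusted SPC Issuer chain as a single self-signed certificate, and rejects version 1.0 clients, which must use the server's Activate request instead.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Cert stands in for an SPC or issuer certificate. Assumption: a real SPC is an
// XrML document; only the signed binding of a key to a subject is modelled here.
type Cert struct {
	Subject   string            // e.g. "machine:HOST01" or "Trusted SPC Issuer"
	PublicKey ed25519.PublicKey // key bound to the subject
	Signature []byte            // issuer's signature over tbs()
}
// tbs is the to-be-signed encoding: subject name, then the public key.
func (c Cert) tbs() []byte { return append([]byte(c.Subject+"|"), c.PublicKey...) }
// NewIssuer builds a self-signed root standing in for the Trusted SPC Issuer.
func NewIssuer(name string) (Cert, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	c := Cert{Subject: name, PublicKey: pub}
	c.Signature = ed25519.Sign(priv, c.tbs())
	return c, priv
}
// Activate self-activates an RMS 1.0 SP1/SP2 or 2.0 client. It returns the two ADM
// elements: the SPC private key and the SPC Chain (SPC followed by the issuer chain).
func Activate(version, machine string, issuerChain []Cert, issuerPriv ed25519.PrivateKey) (ed25519.PrivateKey, []Cert, error) {
	if version == "1.0" { // 1.0 clients must send the server Activate request instead
		return nil, nil, errors.New("version 1.0 clients activate through the server")
	}
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // security processor key pair
	spc := Cert{Subject: "machine:" + machine, PublicKey: pub}
	spc.Signature = ed25519.Sign(issuerPriv, spc.tbs()) // signed by the Trusted SPC Issuer key
	return priv, append([]Cert{spc}, issuerChain...), nil
}

// VerifyChain: cert i must be signed by cert i+1, the last cert by itself, and the
// last key must equal the trusted root the verifier ships with.
func VerifyChain(chain []Cert, root ed25519.PublicKey) bool {
	n := len(chain)
	ok := n > 0 && chain[n-1].PublicKey.Equal(root)
	for i := 0; ok && i < n; i++ {
		signer := root
		if i+1 < n {
			signer = chain[i+1].PublicKey
		}
		ok = ed25519.Verify(signer, chain[i].tbs(), chain[i].Signature)
	}
	return ok
}
```

The point of `VerifyChain` is the check a relying party performs on the stored SPC Chain: a chain that does not terminate at the trusted issuer key, or whose SPC has been altered after signing, is rejected.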