2.5.4.2 Bootstrap RMS Client - RMS Client Application
Goal
Prepare an RMS client application to participate in RMS.
Context of use
Client bootstrapping is the set of initialization steps that a client completes before it can either publish content offline or consume protected content. During client bootstrapping, the client computer and the RMS user are configured to participate in RMS. This process involves generating and exchanging several encryption keys and certificates.
Actors
Direct actor: The direct actor of this use case is the RMS client application.
Primary actor: The primary actor is the same as the direct actor.
Supporting actors: None.
Stakeholders and interests
RMS client application, as described in section 2.5.1.
RMS user, as described in section 2.5.1.
Client computer, as described in section 2.5.1.
RMS server, as described in section 2.5.1.
Preconditions
The ability to discover the RMS services.
Minimal guarantee
The RMS user and client computer can be uniquely identified as participants in RMS, and the user receives the rights account certificate (RAC), which is sufficient to consume protected content.
Success guarantee
The success guarantee is the same as the minimal guarantee, with the additional receipt of the client licensor certificate (CLC), which grants the ability to publish offline content.
Main success scenario
Trigger: Typically, this use case is triggered by an RMS client application that needs to protect content or consume protected content for the first time. This scenario can be initiated by an RMS user by using an RMS client application or by automation in an RMS client application.
1. The RMS client application discovers the RMS services that are necessary for this operation. This operation uses the certification service and, optionally, the publishing service.
2. The RMS client application generates a security processor certificate (SPC) that is specific to the client computer.
3. The RMS client application sends the SPC to the certification RMS server and requests the user's RAC.
4. The certification RMS server validates the SPC and the identity of the user, and sends the RAC to the RMS client application.
5. To publish offline, the user needs a separate signing certificate, the CLC, that is bound to the user's identity in RMS. The RMS client application first finds the location of the publishing service, either by deriving it from an existing publishing license (PL) or by discovering it from the directory service. (See [MS-RMPR] section 3.1.4.4 for specific information on when Windows clients search Active Directory for the service connection point (SCP).) The RMS client application then sends a request to the publishing RMS server to retrieve the CLC.
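As an added illustration, not part of this specification and not Microsoft's code, the following Go program models the steps above as a trust chain: the client self-signs an SPC over a fresh machine key (step 2), the certification server checks the SPC and a constructed user directory before signing a RAC bound to that SPC (steps 3 and 4), and the publishing server issues a CLC only for a RAC signed by the certification server it trusts (step 5). Certificates are modeled as Ed25519-signed JSON rather than the RSA-signed XrML that RMS exchanges, service discovery (step 1) is replaced by passing the server objects directly, and delivery of the RAC and CLC private keys, which RMS returns encrypted to the SPC key, is omitted. All type, function and user names are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Cert is an assumed stand-in for an RMS XrML certificate: a JSON body signed by its issuer.
type Cert struct {
	Kind      string            `json:"kind"`    // "SPC", "RAC" or "CLC"
	Subject   string            `json:"subject"` // machine name (SPC) or user principal (RAC, CLC)
	PublicKey ed25519.PublicKey `json:"public_key"`
	BoundTo   []byte            `json:"bound_to,omitempty"` // fingerprint of the certificate this one chains to
	Signature []byte            `json:"signature,omitempty"`
}

func (c Cert) tbs() []byte                      { c.Signature = nil; b, _ := json.Marshal(c); return b } // to-be-signed bytes
func (c Cert) Fingerprint() []byte              { h := sha256.Sum256(c.tbs()); return h[:] }
func sign(c Cert, priv ed25519.PrivateKey) Cert { c.Signature = ed25519.Sign(priv, c.tbs()); return c }

// verify checks kind and issuer signature and, when parent is given, that c chains to it.
// The length check keeps ed25519.Verify from panicking on an unset issuer key.
func verify(c Cert, kind string, pub ed25519.PublicKey, parent *Cert) error {
	if c.Kind != kind || len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, c.tbs(), c.Signature) {
		return fmt.Errorf("rejecting %s: wrong kind, untrusted issuer key or bad signature", c.Kind)
	}
	if parent != nil && !bytes.Equal(c.BoundTo, parent.Fingerprint()) {
		return fmt.Errorf("%s is bound to a different %s", c.Kind, parent.Kind)
	}
	return nil
}

// Server models either the certification or the publishing RMS server.
type Server struct {
	priv    ed25519.PrivateKey
	Users   map[string]bool   // constructed directory: users the certification server will certify
	Trusted ed25519.PublicKey // publishing server: the certification server whose RACs it accepts
}

func NewServer(users map[string]bool) *Server {
	_, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Server{priv: priv, Users: users}
}
func (s *Server) PublicKey() ed25519.PublicKey { return s.priv.Public().(ed25519.PublicKey) }

// IssueRAC (steps 3-4): validate the SPC and the user identity, then bind the user and a fresh RAC key to this SPC.
func (s *Server) IssueRAC(spc Cert, user string) (Cert, error) {
	if err := verify(spc, "SPC", spc.PublicKey, nil); err != nil { // SPC is self-signed in this model
		return Cert{}, err
	}
	if !s.Users[user] {
		return Cert{}, fmt.Errorf("user %q is not known to the certification server", user)
	}
	pub, _, _ := ed25519.GenerateKey(rand.Reader)
	return sign(Cert{Kind: "RAC", Subject: user, PublicKey: pub, BoundTo: spc.Fingerprint()}, s.priv), nil
}

// IssueCLC (step 5): accept only a RAC signed by the trusted certification server, then issue the CLC chained to it.
func (s *Server) IssueCLC(rac Cert) (Cert, error) {
	if err := verify(rac, "RAC", s.Trusted, nil); err != nil {
		return Cert{}, err
	}
	pub, _, _ := ed25519.GenerateKey(rand.Reader)
	return sign(Cert{Kind: "CLC", Subject: rac.Subject, PublicKey: pub, BoundTo: rac.Fingerprint()}, s.priv), nil
}

// Client is the bootstrap state of one RMS client application on one machine.
type Client struct{ Machine string; SPC, RAC, CLC *Cert }

// Bootstrap runs the main success scenario. wantCLC=false stops at the minimal guarantee (RAC only).
func Bootstrap(c *Client, user string, certSrv, pubSrv *Server, wantCLC bool) error {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // step 2: machine-specific key and SPC
	spc := sign(Cert{Kind: "SPC", Subject: c.Machine, PublicKey: pub}, priv)
	rac, err := certSrv.IssueRAC(spc, user)
	if err != nil {
		return err
	}
	c.SPC, c.RAC = &spc, &rac
	if !wantCLC {
		return nil
	}
	clc, err := pubSrv.IssueCLC(rac)
	if err == nil {
		c.CLC = &clc
	}
	return err
}

// VerifyChain is what a relying component checks before trusting the bootstrap state (CLC -> RAC -> SPC).
func VerifyChain(c *Client, certSrvPub, pubSrvPub ed25519.PublicKey) error {
	if c.SPC == nil || c.RAC == nil {
		return fmt.Errorf("bootstrap incomplete: SPC or RAC missing")
	}
	if err := verify(*c.RAC, "RAC", certSrvPub, c.SPC); err != nil {
		return err
	}
	if c.CLC == nil {
		return nil // minimal guarantee: the user can consume but not publish offline
	}
	return verify(*c.CLC, "CLC", pubSrvPub, c.RAC)
}
```

VerifyChain returns nil for the minimal guarantee (SPC and RAC only) as well as for the success guarantee (RAC and CLC), but rejects a RAC that was issued for a different machine's SPC, a CLC that does not chain to the user's RAC, and any certificate whose signature does not verify against the server key the relying component was configured to trust. The publishing server's Trusted field, rather than a key supplied by the requester, is what stops a RAC from an arbitrary certifier being exchanged for a CLC.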
Extensions
None.