Defining Revocation Policies
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Defining organizational revocation policies requires careful consideration and planning because, although implementing revocation provides greater security for protected content, it can affect users’ ability to consume content. Revocation policies for the deployment of RMS can be defined from the administration Web site.
Because the Microsoft Enrollment Service is the issuer of the server licensor certificate of the root cluster for your RMS deployment, Microsoft can revoke your server licensor certificate. However, Microsoft will only revoke a server licensor certificate when ordered to do so by a court of law.
In addition to the Microsoft Enrollment Service, you can specify a third party that can revoke the server licensor certificate of your RMS root cluster. This third party can be either an outside entity or a public or private key pair that the administrator generates on behalf of the organization. The private key of the third party that is specified can sign a revocation list that revokes the server licensor certificate. This third party is specified by its public key during provisioning of RMS. The rights policy templates of your server can also be configured to allow third parties to revoke content, application manifests, licenses, and certificates that are issued by your RMS installation. For more information, see “Creating and Modifying Rights Policy Templates” later in this subject.
If you decide to generate your own key pair to use for revoking the server licensor certificate of the root cluster, be sure to keep it in a secure location.
Revoking a server licensor certificate is an important decision because all certificates and licenses that are issued by your RMS installation become invalid when this certificate is revoked. For more information about revoking server licensor certificates, see “Revoking Server Licensor Certificates” later in this subject.
Considering How Revocation Lists Take Effect
Once revocation is required for a particular piece of protected content, all of the revocation lists that are registered on client computers will be used and will take effect if a condition specified is met. Therefore, use discretion when you implement revocation because this will result in revocation lists being registered on client computers and these lists may be applied more broadly than you intend. For more information about configuring this option, see “Creating and Modifying Rights Policy Templates” later in this subject.
Balancing Security and Usability
When you specify revocation policy in a rights policy template, consider the need to provide greater security for documents against the chance that users may encounter problems when they consume content, as described in the following example.
As part of setting up a revocation list in a rights policy template, you also specify a refresh interval for the revocation list. To consume content that is published by using that rights policy template, a revocation list must exist on the user’s computer, and the list must be no older than the specified refresh interval. For example, if the refresh interval is 10, the revocation list must have been created within the last 10 days. If a revocation list does not exist on the client computer, or if the list’s creation date is older than the refresh interval, the RMS-enabled application obtains the latest revocation list from the location that you specified in the use license. However, a user who is not connected to the network may not be able to obtain a current revocation list, and therefore may not be able to consume the content.
The following suggestions can help mitigate this problem:
Be careful when you specifying the refresh interval for a revocation list, and take steps to make sure that an up-to-date revocation list is always readily accessible to users.
Keep revocation lists at URLs that are accessible from both inside and outside of the corporate network.
Use Microsoft® Systems Management Server (SMS) or a similar mechanism to distribute updated copies of revocation lists to every client computer at a set interval, such as every night.
Require revocation for only the most sensitive types of documents.