Q: What's the difference between a Windows Rights Management Services Client Licensor Certificate and an End User License? What other types of certificates are used by Rights Management Services?
A: The fundamental rule is that in Windows Rights Management Services (RMS) each entity that interacts with the RMS system is represented by a specific certificate. These certificates don't use the standard X.509 certificate format—instead, they use the eXtensible Rights Markup Language (XrML), allowing them to express complex lists of RMS access rights.
First, each Active Directory (AD) RMS server cluster is represented by a certificate called the Server Licensor Certificate (SLC). This is a self-signed certificate. The private key corresponding to this certificate is used by the RMS server to protect other certificates used in the RMS system. The public key in this certificate is used by RMS clients to encrypt materials that only the RMS server can decrypt.
Client machines have an RMS machine certificate (sometimes referred to as a Security Processor—SPC). The SPC is used to authenticate each machine to the RMS system and allows machines to encrypt other RMS-related data that's stored locally on the computer.
RMS users are identified using two certificates. A Rights Account Certificate (RAC) is used to authenticate users against an RMS server. When a user first authenticates against an AD RMS cluster, the RMS server will generate an RAC for the user, who can then uses this certificate for all future authentications to the RMS system.
The RAC's private key is used to sign (protect) the second type of user certificate: the Client Licensor Certificate (CLC). The CLC is used to identify a user that has RMS-protected a piece of content. The user gets a CLC from the RMS server during RMS client activation, and the CLC is used to sign all future Publishing Licenses (PLs—explained next) that are embedded in each RMS-protected document.
PLs are used not for authenticating users but for expressing the rights a particular user has over an RMS-protected document. A PL holds a list of rights that link subjects (identified by their email addresses) to rights (e.g., View, Edit, Print, Copy). The PL is linked to each RMS-protected document. It's encrypted with the SLC's public key (so only the RMS server can decrypt it) and signed with the user's CLC private key (so everyone can view who wrote it).
Finally, RMS also has Use Licenses (ULs). A UL is a certificate expressing the rights an RMS user (the one requesting a license) has over an RMS-protected document. It contains and securely transports the encryption key that was used to encrypt the content of an RMS-protected document.