Deploying Revocation Lists

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To implement revocation, you must deploy revocation lists. Revocation lists specify the content, applications, users, or other principals that have been revoked. You can deploy both organizational revocation lists and revocation lists from Microsoft.

Deploying Organizational Revocation Lists

To use a rights policy template with a revocation list, you must make the revocation list available to client computers that are in the organization. For information about creating revocation lists, see “Implementing Revocation” earlier in this subject.

You can deploy an organizational revocation list by using the following steps:

  1. Copy the revocation list file to a publicly accessible Web server. Because users may consume the protected content outside the organization, the specified location should be accessible by all users, both inside and outside the network.

    Distributing the revocation list file to client computers may take some time. This creates the possibility that users would not have the revocation list available on their client computers when they attempt to open a document that requires a revocation list. If the revocation list is not on the client computer, the RMS-enabled application can download it from the location that is specified in the use license.

    Ideally, you should create a script that automatically signs and copies the revocation list to the Web site every day. This helps to ensure that users are not prevented from consuming content because they have an out-of-date revocation list. For a sample script, see “Creating Revocation Lists” earlier in this subject.

  2. In the rights policy template, specify a refresh interval (in days) that is greater than zero for the organizational revocation list. A non-zero interval makes the revocation list mandatory rather than optional. If you will update the list infrequently, such as only after a security breach, you can set the refresh condition to a long interval and then depend on your scripting or policy settings to push the revocation list onto the client computers when necessary. For information about setting refresh intervals, see “Defining Revocation Policies” earlier in this subject. For more information about configuring rights policy templates, see “Creating and Modifying Rights Policy Templates” later in this subject.

  3. In the rights policy template, specify the URL from which the revocation list is available.

  4. Optionally, deploy the revocation list to client computers by using an automated method, such as Group Policy or Systems Management Server (SMS).

Deploying Revocation Lists from Microsoft

For the RMS client to use a revocation list from Microsoft, you must deploy the list on the client computers. This topic describes how to deploy a revocation list from Microsoft in the following scenarios:

  • Your organization wants to deploy its own revocation list and the revocation list from Microsoft.

  • Your organization wants to deploy only the revocation list from Microsoft.

When a revocation list is published by Microsoft, you can download it from the following locations:

  • RMS servers that are connected to the Internet can download the revocation list by using Windows Update.

  • If your RMS server is not connected to the Internet, the Microsoft revocation list is also available for download from the Microsoft Download Center.

If you download the revocation list package to an RMS server, the package is saved to the %systemdrive%\Program Files\Windows Rights Management Services Revocation List folder. If you are downloading the revocation list package to another type of computer, you can select the download location. The package contains an executable file, CRL_Update.exe, which you can run to install all of the client revocation lists in the client license store and also a revocation list file, Msrl.xml, which you can copy to a Web site or to a public shared folder.

To deploy your organization’s revocation list and the revocation list from Microsoft

  1. To deploy your organization’s revocation list, follow the instructions in “Deploying Organizational Revocation Lists” earlier in this topic.

  2. Download the Microsoft revocation list package and deploy it to all client computers in the organization by using a method such as Group Policy or Systems Management Server (SMS). Alternatively, you can copy entries from the Microsoft revocation list into the organizational revocation list and deploy only the organizational revocation list.

Warning

Microsoft is a principal in the chain of trust for every certificate and license that RMS issues. Therefore, a revocation list that is issued by Microsoft takes effect for all binding requests for which the use license was obtained based on a rights policy template that requires the organizational revocation list. In addition, the Microsoft revocation list is registered on the client computer.

To deploy only a Microsoft revocation list

  1. Download the Microsoft revocation list package.

  2. Modify any existing rights policy templates to require revocation or, if no rights policy templates exist, create one that requires revocation. Use the Microsoft public key when you specify the revocation condition.

  3. Make the refresh interval a very large number of days, such as 50,000. This large number ensures that a revocation list that is published by Microsoft effectively never expires, so the use licenses that you distribute do not require a new version of the Microsoft revocation list at a time when one might not be available.

  4. Copy the revocation list file to a publicly accessible Web server. Because users may consume the protected content outside of the organization, the specified location should be accessible by all users, both inside and outside the network.

  5. Keep the revocation list available at that location, because distributing the revocation list file to client computers may take some time. A user might therefore not have the revocation list locally when they attempt to open a document whose publishing license requires revocation. If the revocation list is not present on the client computer, the RMS-enabled application can download it from the specified location.

  6. In the rights policy template, specify the URL from which the revocation list is available. For more information about configuring rights policy templates, see “Creating and Modifying Rights Policy Templates” later in this subject.

  7. Optionally, deploy the revocation list package to client computers by using a method such as Group Policy or SMS. Users can then open RMS-protected content that requires revocation lists, even when they are not connected to the network.
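The publishing steps are the same for both procedures on this page: copy the signed list (the organizational list, or Msrl.xml from the Microsoft package) to the web server, make sure the URL in the rights policy template serves it, and keep it fresher than the template's refresh interval. The following script is an added example, not part of the original documentation or of the RMS product. It publishes a list to the web server, downloads it back through the template URL to confirm that clients receive the same bytes, and warns when the published copy is already older than the refresh interval. The server name, paths, URL and interval are assumptions for illustration, and the file's last-write time is used as an approximation of its signing time. It requires Windows PowerShell 4.0 or later (Invoke-WebRequest, Get-FileHash) on the administrator's workstation.

```powershell
<#
Added example (not from the original RMS documentation). Publishes a signed
revocation list to the location named in a rights policy template and verifies
the copy that clients will download. All names below are assumptions.
#>
param(
    # Signed list from the signing script, or Msrl.xml from the Microsoft package.
    [string]$ListFile = 'C:\RMS\Revocation\Revlist.xml',
    # Publish target on the web server (assumed UNC path into the site root).
    [string]$PublishPath = '\\WEB01\wwwroot$\rms\Revlist.xml',
    # URL entered in the template's revocation condition. It must be reachable
    # from outside the network too; run this check from an external host as well.
    [string]$TemplateUrl = 'https://rms.example.com/rms/Revlist.xml',
    # Refresh interval (days) from the template. Greater than zero makes the
    # list mandatory, so a stale published copy locks users out of content.
    [int]$RefreshIntervalDays = 1
)

Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

function Publish-RevocationList {
    param([string]$Source, [string]$Destination)

    # Refuse to publish anything that is not well-formed XML: a truncated or
    # half-written file would be downloaded and rejected by every client.
    $null = [xml](Get-Content -Path $Source -Raw)

    # Copy under a temporary name, then rename, so a client that fetches the
    # list during the copy never receives a partial file.
    $tmp = "$Destination.tmp"
    Copy-Item -Path $Source -Destination $tmp -Force
    Move-Item -Path $tmp -Destination $Destination -Force
}

function Test-PublishedRevocationList {
    param([string]$Source, [string]$Url, [int]$IntervalDays)

    $expected = (Get-FileHash -Path $Source -Algorithm SHA256).Hash

    # Download exactly what an RMS client would and compare hashes, so a stale
    # proxy cache or a wrong virtual directory is noticed before users notice.
    $tmp = Join-Path $env:TEMP ([IO.Path]::GetRandomFileName())
    try {
        Invoke-WebRequest -Uri $Url -UseBasicParsing -OutFile $tmp
        $actual = (Get-FileHash -Path $tmp -Algorithm SHA256).Hash
    } finally {
        Remove-Item -Path $tmp -ErrorAction SilentlyContinue
    }
    if ($actual -ne $expected) {
        throw "Content served at $Url does not match $Source"
    }

    # Age of the published list against the template's refresh interval. The
    # last-write time approximates the signing time (assumption). A list older
    # than the interval is already out of date for clients whose use license
    # requires a fresh copy, which is exactly the lock-out the daily job prevents.
    $ageDays = ((Get-Date) - (Get-Item -Path $Source).LastWriteTime).TotalDays
    $stale = ($IntervalDays -gt 0) -and ($ageDays -ge $IntervalDays)
    if ($stale) {
        Write-Warning "Published list is $([math]::Round($ageDays, 1)) days old but the template refresh interval is $IntervalDays days; re-sign and publish before clients are blocked."
    }

    [pscustomobject]@{
        Url     = $Url
        Sha256  = $actual
        AgeDays = [math]::Round($ageDays, 1)
        Stale   = $stale
    }
}

Publish-RevocationList -Source $ListFile -Destination $PublishPath
Test-PublishedRevocationList -Source $ListFile -Url $TemplateUrl -IntervalDays $RefreshIntervalDays

# To run this every day, as recommended above, register it with Task Scheduler:
#   schtasks /Create /SC DAILY /ST 02:00 /TN "RMS revocation list" /TR "powershell.exe -NoProfile -File C:\RMS\Publish-RevocationList.ps1"
```

Run it from the machine that already runs the signing script, after signing, so the published copy is always the newest signature. With a large interval such as 50,000 days, as in the Microsoft-only procedure, the staleness warning never fires, which is the intended behaviour there; for the organizational list, a warning means the daily job has stopped and users with mandatory-refresh licenses will soon be unable to open content.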