RMS Trust Hierarchy

Updated: June 1, 2008

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

The components that are involved in an RMS system include the Microsoft Enrollment Service, the organizational RMS servers, client computers, and users of the system. Each component is issued a certificate that establishes its identity in the system. A trust hierarchy defines the trust relationship between those certificates and, therefore, the entities that hold them. It also defines the trust relationship between trusted entities and the licenses that they issue to other trusted entities.

The trust hierarchy connects certificates and licenses in a chain of trust that RMS can always follow from a particular certificate or license all the way up to a trusted key pair. The chain of trust includes the current certificate, the certificate of the entity that issued it, the certificate of the entity that issued this entity's certificate, and so on, up the chain to the root of trust.

For RMS, the root of trust, or the "trust anchor," is a Microsoft key pair. This common root of trust allows an organization to build a trust ecosystem that encompasses trusted entities, such as users and partners, both inside and outside of the organization.

The following diagram displays the trust hierarchy in an organization. The chain of trust goes back to the Microsoft services that issue the base certificates.

Trust hierarchy
  1. Each client computer is issued a unique lockbox that contains the Microsoft root public key.

  2. When it receives a license request, RMS validates the principals by following the path that is in the trust hierarchy back to the root of trust.

  3. RMS verifies the authenticity of the trusted entity that is named in the license.

  4. RMS verifies that the trusted entity's certificate was issued by a server that is in the trust hierarchy.

At each level of the certificate chain, RMS validates the license or certificate, and then verifies that it connects to a known root of trust through a chain of trust. Each license or certificate that is in the chain is checked by RMS to validate the following conditions:

  • Its XrML is valid.

  • The issuer signature is valid.

  • The semantics of the license are appropriate for the intended use.

  • Conditions (such as validity dates) are met.

  • The license has not been revoked.

  • The license signature key and certified issuer key match.