RMS confusion?

All,

I am looking into Windows Rights Management Services for my company. 
Basically, what we do is do research for our clients and we send our 
researched data via email.  We would like to secure or protect our research 
data email by preventing our external clients from forwarding, copy/paste 
our email to our competitors or to their buddies.  I understand RMS can do 
this, BUT I am getting confused on the process of how this is done and the 
MAJOR thing is we dont' want our external clients jumping through hoops just 
to read our email.

So, from my reserach, we can protect our emails by saying the reciepent 
CANNOT forward and copy/paste the email we send them.  They receive the 
email, and then they need to download a client update software AND a 
certificate from our RM server?  Is this done all the time they receive a 
protected email from us?  Does the certifiate need to come from us or some 
sort of public ca like thwart etc...?  How fast is the whole process?

Thanks for any info! 

1) Client software is built into Vista & Windows Mobile 6.  It is a one time

download otherwise.

2) Certificates are only downloaded on the initial opening of a document & 
then cached on the client, so re-opens go pretty quickly.

3) If your org uses Outlook Web Access, you can get a feel for the customer 
experience - download of document, authentication, download of certificate, 
goes pretty quickly.  When/if they close & reopen then it is almost 
immediate.

4) You will need the external connector (uses Passport accounts) or if you 
move to Windows Server 2008 you can create federations which speeds things 
up a bit (authentication is automated, saving several seconds).



Pat

"Nutzer" <nutzer@ms.com> wrote in message 
news:MPGdnVvnq5HIOS3anZ2dnUVZ_o2vnZ2d@giganews.com...
> All,
>
> I am looking into Windows Rights Management Services for my company. 
> Basically, what we do is do research for our clients and we send our 
> researched data via email.  We would like to secure or protect our 
> research data email by preventing our external clients from forwarding, 
> copy/paste our email to our competitors or to their buddies.  I understand

> RMS can do this, BUT I am getting confused on the process of how this is 
> done and the MAJOR thing is we dont' want our external clients jumping 
> through hoops just to read our email.
>
> So, from my reserach, we can protect our emails by saying the reciepent 
> CANNOT forward and copy/paste the email we send them.  They receive the 
> email, and then they need to download a client update software AND a 
> certificate from our RM server?  Is this done all the time they receive a 
> protected email from us?  Does the certifiate need to come from us or some

> sort of public ca like thwart etc...?  How fast is the whole process?
>
> Thanks for any info!
> 

Quite simply RMS is nothing more than a webservice.

If you are sending RMS protected content to people outside of your domain, 
then they either need to use the free passport service to obtain a RAC 
(basically a credential that proves they are who they say they are), or they 
need to have an established RMS infrastructure within their own organization, 
which you have decided to trust, or you have an ADFS trust setup with another 
company.

I suspect you will be more insterested in the Passport service option, since 
you probably have random, unrelated clients that most likely don't have their 
own Active Directory domain that they are a member of.

If this is the case, then it's pretty simple to setup, but you should know 
that a Passport trust is a one way trust. You can send RMS protected content 
to them, but if they try to send RMS protected content to you, you will not 
be able to open it, unless you are also using a Passport account.

If you need to be able to send and receive RMS protected content from your 
clients, then you may want to just use the Passport service as the complete 
solution. You would want to use RMS if sending to external entities using the 
PAssport service was the 'exception' and not the 'rule', if that makes sense.

Most companies that implement RMS use it 'mainly' to keep content from 
leaving their environment...or at least being opened by a non-employee that 
cannot be verified by their AD. There are certain circumstances that may 
require them to send content outside their environment, but that is more of 
an 'exception'. They are mainly interested in protecting internal content, 
and keeping it protected if it should happen to migrate outside the 
environment.

With the introduction of 2008, I think we will see alot more intercomany 
usage through ADFS, but as far as 'one offs'etc, you are still looking at 
Passport as a solution.

Also, there is a company called Giga-Trust that has a great hosted solution 
that does exactly what you are looking for, and the best part is that they 
will run the whole thing, and you can keep your hair. ;)

-Jason

"Nutzer" wrote:

> All,
> 
> I am looking into Windows Rights Management Services for my company. 
> Basically, what we do is do research for our clients and we send our 
> researched data via email.  We would like to secure or protect our research

> data email by preventing our external clients from forwarding, copy/paste 
> our email to our competitors or to their buddies.  I understand RMS can do

> this, BUT I am getting confused on the process of how this is done and the

> MAJOR thing is we dont' want our external clients jumping through hoops
just 
> to read our email.
> 
> So, from my reserach, we can protect our emails by saying the reciepent 
> CANNOT forward and copy/paste the email we send them.  They receive the 
> email, and then they need to download a client update software AND a 
> certificate from our RM server?  Is this done all the time they receive a 
> protected email from us?  Does the certifiate need to come from us or some

> sort of public ca like thwart etc...?  How fast is the whole process?
> 
> Thanks for any info! 
> 
>