To prevent users from being able to backup and restore their files in an effort to bypass domain de-registration, it is recommended that one of the following approaches be implemented for domain management:
- Limit the amount of time the domain credentials are valid. Clients will need to contact the domain server to re-acquire domain credentials when they expire. At that time, the Domain Server can ensure that the machine is still authorized to be a member of the domain.
- Rollover the domain keys each time a user de-registers. The License Server should only issue licenses to clients that have the latest domain key. This assumes that the License Server can co-ordinate with the Domain Server to know which key is the latest. Rolling over the domain keys involves generating a new key pair for the domain. When rolling over the keys for a particular domain, be sure to increment the key version in
generateDomainCredential. For more information on implementing a key rollover, see RefImplDomainReqHandler in the Reference Implementation.
- If the domain server is the same as the license server, the server can use the rollback counter to detect backup and restore. See *Processing Adobe Access requests *in Using the Adobe Access SDK for Protecting Content.