OK. It appears that all kinds of funkiness with the Passport service has caused problems for any organization that has decided to trust Passport-based RACs. To correct the problem, you will need to re-apply that trust to your RMS installation so that you can obtain an updated TUD cert from the Passport service. Please note that the Passport service's TUD cert is the only TUD cert with an expiration, so you will have to do this again a few years from now.
Here is the quote from the owners of the Passport service:
"We have recently become aware of an issue with Enterprise RMS servers that have established trust with Passport RACs. Some Passport users may have trouble opening RMS protected content that was sent to them by Enterprise RMS customers.
Please note that this issue is unrelated to the recent update to the Microsoft Information Rights Management Trial Service, and does not apply to Enterprise RMS customers who have not established trust with Passport RACs.
We have isolated the cause of this issue to certain certificates that have expired validity times.
To resolve this, simply remove trust with Passport RACs, and re-establish the trust."
Here are the steps to do that.
Here are the documentation links for W2K8 & W2K8 R2:
PowerShell for W2K8 R2: http://technet.microsoft.com/en-us/library/ee221037(WS.10).aspx
Here are the steps for RMS V1.
1. On the Global Administration page click “Administer RMS on this Web site”.
2. Click the “Trust policies” Administration link.
3. On the Trust policies page, check the “Microsoft RM Certification Service” Trusted User Domain checkbox and click “Remove each selected trusted user domain”.
4. Click the “Trust Passport RACs” button to import the new Certificate.