Network Trust Model

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

If your organization has multiple, distributed IT departments, you might not be able to establish a single, trusted root. In this situation, you can implement a network trust model, in which all CAs are self-signed and trust relationships between CAs are based on cross-certificates. Cross-certificates are special certificates that are used to establish complete or qualified one-way trusts between otherwise unrelated CAs. For more information about the use of cross-certificates and how to manage cross-certified relationships, see "Selecting an Extended CA Infrastructure Configuration" later in this chapter.

A network trust model can be viewed as a hierarchy because a cross-certificate is essentially the same as a subordinate CA certificate in a rooted trust model. The cross-certifying CA is the issuer and the cross-certified CA is the subject.

Because a cross-certificate is a logical subordination of one CA to another CA, a network trust model is in effect a hierarchy, with the added property that a root CA is also a subordinate CA in the cross-certifying PKI.

Unlike the rooted trust model, which does not require a global directory such as Active Directory, a network trust hierarchy depends on one. Without a global directory, cross-certificates need to be preinstalled on all clients of the PKI; otherwise there is no way to discover them.

Figure 16.7 shows an example of a network trust model.

Figure 16.7   Network Trust Model


The trusts in Figure 16.7 are bidirectional, which means that CA1 issued a cross-certificate of trust to CA2 and CA2 issued a cross-certificate of trust to CA1. It is also possible to rescind trust for a CA by revoking its cross-certificate.

Cross-certification does not need to be bidirectional, and a cross-certifying CA does not need the cooperation of the CA being certified. For example, CA1 can cross-certify CA2 without CA2 cross-certifying CA1. In such a case, clients of CA1 trust CA2 and CA3, while clients of CA2 and CA3 do not trust CA1. To do this, CA1 creates a cross-certificate without the knowledge of CA2, because all that CA1 needs is the public key certificate of CA2. This is known as unilateral cross-certification: one CA cross-certifies another CA, but not the reverse.

Bidirectional cross-certificates are usually preferred, although with this model the number of cross-relationships you must manage grows with every cross-certificate that is added.

Full trust between cross-certified CAs also means that the client trusts all certificates issued by the other CA, regardless of the purpose of the certificate. In a native Windows Server 2003 environment, however, you can filter by certificate types. You can also limit trust between CAs by means of qualified subordination, which can be implemented in the form of name constraints, policy constraints, policy mapping, and path constraints. For more information about these methods, see "Extending Your CA Infrastructure" later in this chapter.

Cross-certification enables you to create bridges between separate PKIs without either PKI being directly subordinate to the other. Because cross-certification is an indirect subordination of one PKI to another, the trust point does not change relative to either PKI. In fact, bidirectional cross-certification models the way in which companies form relationships; that is, each side participates in establishing the relationship. A network trust model, however, is much more difficult to maintain and troubleshoot than a rooted trust model.
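As an added illustration, not part of the original documentation, the following Python model shows how a client's path discovery treats a cross-certificate as just another CA certificate, and how direction (unilateral versus bidirectional), revocation of the cross-certificate, and a name constraint decide which end-entity certificates a client trusts. The CA names, DNS names and constraint suffix are constructed for the example, and name constraints are simplified to a DNS suffix check on the leaf subject.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

@dataclass(frozen=True)
class Cert:
    issuer: str                       # CA that signed this certificate
    subject: str                      # CA name, or DNS name of an end entity
    ca: bool = True                   # False for end-entity certificates
    permitted: Optional[str] = None   # name constraint: permitted DNS suffix

def find_path(anchor: str, leaf: Cert, certs: List[Cert],
              revoked: FrozenSet[Cert] = frozenset()) -> Optional[List[Cert]]:
    """Depth-first path discovery from the leaf up to the client's trust anchor.
    A cross-certificate (issuer = cross-certifying CA, subject = cross-certified CA)
    is an ordinary CA certificate here. Returns the chain from the certificate
    directly under the anchor down to the leaf, or None if no unrevoked chain exists."""
    def climb(cert: Cert, seen: FrozenSet[str]) -> Optional[List[Cert]]:
        if cert.issuer == anchor:
            return [cert]
        for ca in certs:
            if (ca.ca and ca.subject == cert.issuer and ca.issuer != ca.subject
                    and ca not in revoked and ca.issuer not in seen):
                above = climb(ca, seen | {ca.issuer})   # 'seen' stops loops in a mesh
                if above:
                    return above + [cert]
        return None
    return climb(leaf, frozenset({leaf.issuer}))

def validate(anchor: str, leaf: Cert, certs: List[Cert],
             revoked: FrozenSet[Cert] = frozenset()) -> bool:
    """True if an unrevoked path exists and the leaf name satisfies every
    name constraint carried by a CA certificate on that path."""
    path = find_path(anchor, leaf, certs, revoked)
    if path is None:
        return False
    return all(leaf.subject.endswith(c.permitted) for c in path if c.permitted)

# Constructed sample PKI: CA1 and CA2 are self-signed roots, CA3 is subordinate
# to CA2, and CA1 unilaterally cross-certifies CA2 with a name constraint.
CA1, CA2 = Cert("CA1", "CA1"), Cert("CA2", "CA2")
CA3 = Cert("CA2", "CA3")
CROSS_1_TO_2 = Cert("CA1", "CA2", permitted=".fabrikam.example")
MAIL = Cert("CA3", "mail.fabrikam.example", ca=False)
WEB = Cert("CA3", "www.northwind.example", ca=False)
PKI = [CA1, CA2, CA3, CROSS_1_TO_2, MAIL, WEB]

if __name__ == "__main__":
    print(validate("CA1", MAIL, PKI))                             # True: CA1 -> CA2 -> CA3 -> leaf
    print(validate("CA1", WEB, PKI))                              # False: blocked by the name constraint
    print(validate("CA1", MAIL, PKI, frozenset({CROSS_1_TO_2})))  # False: cross-certificate revoked
```

Adding a second cross-certificate with issuer CA2 and subject CA1 makes the relationship bidirectional, after which CA2's clients also reach certificates issued under CA1.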

Note

  • Use a network trust model only in conjunction with name constraints. For more information about name constraints, see "Using Name Constraints" later in this chapter.