Limiting Unplanned Trusts

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

When you extend your CA trust infrastructure beyond the boundaries of the PKI of your organization, you can inadvertently create unplanned trust relationships.

Unplanned trusts that can occur include:

  • Allowing certificates to be used for unintended applications

  • Allowing external certificates to be used for longer than intended

  • Enabling trust with the extended business partners of a business partner

For example, if company A trusts company B by means of an unconstrained cross-certificate, and company B trusts company C, then company A unintentionally trusts company C. Equally serious problems can occur when company A and company B cross-certify, and company A does not realize that company B does not have the same level of control over the manner in which its certificates are issued and used.

To limit the creation of unplanned trust relationships and the potential security risks that they pose, you can use CA constraints to define limits on your cross-certificate relationships. Constraints in Windows Server 2003 can be based on:

  • Use and path length (basic constraints)

  • Names

  • Issuance policy

  • Application policy

  • Policy mapping

Implement these constraints when you configure your CA and end user certificates. For more information about defining constraints, see "Using Qualified Subordination to Restrict Certificates" later in this chapter.
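The transitive trust in the company A / B / C example and the effect of the first two constraint types above can be worked through in a small path-building model. This is an added example, not code from this guide or from Windows; the CA names, the `b.example` domain and the `CrossCert` model are constructed, and the budget and name-subtree checks follow the RFC 5280 rules that Windows applies to pathLenConstraint and permittedSubtrees.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class CrossCert:
    """Constructed model of one cross-certificate: `issuer` CA certifies `subject` CA."""
    issuer: str
    subject: str
    path_len: Optional[int] = None       # basicConstraints pathLenConstraint; None = unconstrained
    permitted: frozenset = frozenset()   # nameConstraints permittedSubtrees (DNS); empty = no limit

def _dns_within(name, suffix):
    # RFC 5280 4.2.1.10: a DNS constraint covers the name itself and any name with labels added on the left
    return name == suffix or name.endswith("." + suffix)

def trusted_paths(anchor, issuing_ca, ee_dns, certs):
    """All CA chains anchor -> ... -> issuing_ca under which an end-entity certificate
    for ee_dns would be trusted; an empty list means the anchor does not trust it."""
    found = []

    def walk(ca, chain, budget, layers):
        if ca == issuing_ca:
            # the leaf name must fall inside every permittedSubtrees layer met on the path
            if all(any(_dns_within(ee_dns, s) for s in layer) for layer in layers):
                found.append(chain)
            return
        for c in certs:
            if c.issuer != ca or c.subject in (anchor,) + chain:
                continue                     # not issued by this CA, or would loop
            b = budget
            if b is not None:                # RFC 5280 6.1.4 (l): each CA cert consumes one unit
                if b <= 0:
                    continue                 # pathLenConstraint already exhausted
                b -= 1
            if c.path_len is not None:       # (m): the cert's own constraint can only lower the budget
                b = c.path_len if b is None else min(b, c.path_len)
            walk(c.subject, chain + (c.subject,), b, layers + ((c.permitted,) if c.permitted else ()))

    walk(anchor, (), None, ())
    return found

# Constructed scenario from the text: A cross-certifies B, and B cross-certifies C.
UNCONSTRAINED = [CrossCert("A", "B"), CrossCert("B", "C")]
CONSTRAINED = [CrossCert("A", "B", path_len=0, permitted=frozenset({"b.example"})),
               CrossCert("B", "C")]

def demo():
    """For each setup: does A trust B's own certs, C's certs, and a B-issued cert outside B's domain?"""
    return {label: (bool(trusted_paths("A", "B", "mail.b.example", certs)),
                    bool(trusted_paths("A", "C", "www.c.example", certs)),
                    bool(trusted_paths("A", "B", "host.c.example", certs)))
            for label, certs in (("unconstrained", UNCONSTRAINED), ("constrained", CONSTRAINED))}
```

With the unconstrained cross-certificate A ends up trusting C and any name B certifies; the path length of 0 cuts off C, and the name constraint confines B's certificates to B's own domain.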

Using Certificate Trust Lists to Limit Unplanned Trusts

You can use certificate trust lists (CTLs) to limit unplanned trusts. CTLs are the primary means of limiting unplanned trust relationships in Windows 2000 environments.

A CTL is a predefined list of certificates that is signed by a trusted entity. The CTL includes either hashes of certificates or a list of the actual certificate names. In most cases, the CTL is a list of hashed certificate contexts. The CTL allows you to limit the purposes for which certificates issued by an external CA can be used, and the validity period of those certificates.

Windows Server 2003 certificate trust lists allow you to do the following:

  • Trust certificates from specific CAs without requiring broader trust for the root CA. For example, you can use certificate trust lists on an extranet to trust certificates issued by certain commercial CAs. If you map those certificates to accounts stored in Active Directory, you can grant appropriate permissions to users who need access to restricted extranet resources, because they hold certificates issued by the trusted commercial CAs.

  • Restrict the permitted use of certificates issued by trusted CAs. For example, you can use a certificate trust list on an extranet to restrict the permitted use of certificates to applications such as secure mail.

  • Control the period of time in which third-party certificates and CAs are valid. For example, the CA of a business partner can have a lifetime of five years and issue certificates with lifetimes of one year. However, you can create a certificate trust list with a lifetime of six months to limit the time that certificates issued by the CA of the business partner are trusted on your extranet.

You might use a CTL to allow users to trust certificates that are issued by a commercial CA and restrict the permitted uses for those certificates. You might also use CTLs to control trust on an extranet for certificates that are issued by CAs that are managed by your business partners.

Note

  • After a CTL is defined, it must be applied to client computers by means of Group Policy.