Trust Hierarchy Based on Organizational Structure

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Although a two- or three-tier trust hierarchy based on the quality of identification is sufficient for most organizations, some organizations might need to deploy a three-tier CA trust hierarchy based on the administrative structure of the organization.

In a trust hierarchy based on organizational structure, issuing CAs are configured to support different organizational divisions, such as permanent employees and contractors. The issuing policy, for example, might be based on the organization of user accounts, so that stronger security measures are applied to independent contractors, temporary employees, or external business partners.
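As an added illustration (not part of the original page, and not Windows Server 2003 code), the following Python model shows how a relying party can turn the organizational partition described above into a trust decision: a three-tier chain (root, policy CA, one issuing CA per division) is walked to a trusted root, and the certificate-policy identifiers asserted along the path are intersected so that an issuing CA can only confer the policy it was itself granted. The CA names, the policy OIDs under the `99999` arc, and the subjects are constructed placeholders; the model checks issuer linkage and policy only and does not verify signatures, which real X.509 path validation must also do.

```python
"""Model of a three-tier CA hierarchy partitioned by organizational division,
with a relying party that accepts a certificate only if its chain reaches the
trusted root and carries a required certificate policy.
Constructed example: CA names, policy OIDs and subjects are placeholders."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str                      # subject of the CA that issued this cert
    is_ca: bool = False
    policies: frozenset = frozenset()  # certificate-policy OIDs asserted


# Placeholder policy OIDs under a hypothetical private arc (constructed).
POLICY_EMPLOYEE = "1.3.6.1.4.1.99999.1.1"
POLICY_CONTRACTOR = "1.3.6.1.4.1.99999.1.2"

# Tier 1: offline root.  Tier 2: policy CA.  Tier 3: one issuing CA per division.
ROOT = Cert("CN=Corp Root CA", "CN=Corp Root CA", is_ca=True)
POLICY_CA = Cert("CN=Corp Policy CA", ROOT.subject, is_ca=True,
                 policies=frozenset({POLICY_EMPLOYEE, POLICY_CONTRACTOR}))
EMP_CA = Cert("CN=Corp Employee Issuing CA", POLICY_CA.subject, is_ca=True,
              policies=frozenset({POLICY_EMPLOYEE}))
CON_CA = Cert("CN=Corp Contractor Issuing CA", POLICY_CA.subject, is_ca=True,
              policies=frozenset({POLICY_CONTRACTOR}))

CA_STORE = {c.subject: c for c in (ROOT, POLICY_CA, EMP_CA, CON_CA)}
TRUSTED_ROOTS = {ROOT.subject}


def build_chain(leaf, store=CA_STORE, trusted=TRUSTED_ROOTS):
    """Follow issuer links from the leaf to a trusted root.
    Returns the chain (leaf first, root last) or None if the path does not
    end at a trusted root, passes through a non-CA, or loops."""
    chain = [leaf]
    seen = {leaf.subject}
    cur = leaf
    while cur.subject not in trusted:
        issuer = store.get(cur.issuer)
        if issuer is None or not issuer.is_ca or issuer.subject in seen:
            return None
        chain.append(issuer)
        seen.add(issuer.subject)
        cur = issuer
    return chain


def effective_policies(chain):
    """Intersect the policies asserted by every certificate below the root.
    A division's issuing CA therefore cannot confer a policy it was not
    granted by the policy CA, whatever the leaf claims."""
    pols = None
    for cert in chain[:-1]:  # the root anchors trust; it does not carry policy here
        pols = cert.policies if pols is None else pols & cert.policies
    return pols or frozenset()


def is_acceptable(leaf, required_policies):
    """Relying-party decision: chain must reach a trusted root and the
    effective policy set must include at least one required policy."""
    chain = build_chain(leaf)
    if chain is None:
        return False
    return bool(effective_policies(chain) & set(required_policies))


if __name__ == "__main__":
    alice = Cert("CN=alice", EMP_CA.subject, policies=frozenset({POLICY_EMPLOYEE}))
    bob = Cert("CN=bob", CON_CA.subject, policies=frozenset({POLICY_CONTRACTOR}))
    # An internal application accepts employees only; an extranet accepts both.
    print("alice -> internal app:", is_acceptable(alice, [POLICY_EMPLOYEE]))
    print("bob   -> internal app:", is_acceptable(bob, [POLICY_EMPLOYEE]))
    print("bob   -> extranet:    ", is_acceptable(bob, [POLICY_EMPLOYEE, POLICY_CONTRACTOR]))
```

The intersection step is what makes the organizational split enforceable: a certificate issued by the contractor CA that asserts the employee policy still fails the internal application, because the contractor CA's own certificate does not carry that policy.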

Figure 16.8 shows a rooted trust hierarchy based on organizational structure.

Figure 16.8   Rooted Trust Hierarchy Based on Organizational Structure

[Figure: Rooted Trust Hierarchy Based on Organization]

Design your trust hierarchy according to organizational structure if your certificate requirements vary by organizational unit; for example, all employees receive one set of certificates, all partners receive a different set, and so on. Do not use this type of design if the number of distinct groups of requirements becomes too large; in that case, a trust hierarchy based on certificate usage is more appropriate.