Cross-Certification and the PKI User

From a public key infrastructure (PKI) user's point of view, cross-certification has the advantage of reducing the number of explicit Certificate Authority (CA) trust relationships. Figure A shows a hierarchical model, in which a user must explicitly trust the CAs of three external organizations (e.g., CA A, CA B, and CA C). Figure B shows a cross-certification setup, in which the user needs to have an explicit trust relationship only with one organization's CA (e.g., CA A). With an explicit trust between the user and CA A, the user can establish implicit trust relationships with the CAs in organizations B and C, through the existing cross-certification trust relationships between CA A and CA B and between CA A and CA C.

From a user's standpoint, the downside of cross-certification is that it complicates certificate-trust path validation. Certificate-validation software must still consider each organization's hierarchical trust relationships as well as the cross-certification trust relationships. Therefore, the Windows .NET Server PKI requires special client-side software logic for certification validation. This special software logic is embedded in Windows XP. (Microsoft might ship some special tools or software extensions to embed this logic in earlier Windows versions.)