Constrained Trust
Windows 2003 PKI's support for constrained PKI trust relationships, or what Microsoft calls qualified subordination, lets CA administrators put constraints on trust relationships between a CA and its subordinate CAs (in a hierarchical trust model) or between peer CAs (in a networked trust model). This ability to qualify trust relationships aligns PKI trust more closely with real-life trust: In reality, trust is rarely complete and is usually subject to certain conditions.
You define trust constraints by embedding specific X.509 certificate extensions in a subordinate CA's certificate or a peer cross-certified CA's certificate. Windows 2003 PKI supports the basic, name, issuance policy, and application policy trust-constraint-related certificate extensions.
Basic constraints. Basic constraints are based on an X.509 certificate extension called Basic Constraints, which can contain a field called pathLenConstraint (or path-length constraint). You can use this field only when the Basic Constraints extension's cA field is set to TRUE, which is the case only for a CA certificate. The path-length constraint sets the maximum number of non-self-issued CA certificates that can follow a certificate in a certification path, so you can use it to limit the length of the certificate chain. . . .
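To make the path-length rule concrete, here is an added example (not code from the article) that decodes the DER-encoded Basic Constraints value and applies the pathLenConstraint check from RFC 5280 section 6.1.4 to a chain of certificates. The certificate objects, names and extension bytes are constructed for illustration; a real validator would take them from parsed X.509 certificates.

```python
"""Added example: parse the X.509 Basic Constraints extension and apply the
pathLenConstraint rule to a certification path (RFC 5280 6.1.4).  Not code
from the article; the certificates and DER values below are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class BasicConstraints:
    ca: bool
    path_len: Optional[int]  # None when pathLenConstraint is absent


def _read_tlv(data: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def parse_basic_constraints(der: bytes) -> BasicConstraints:
    """Decode BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE,
    pathLenConstraint INTEGER OPTIONAL }.  DER omits cA when it is FALSE."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("Basic Constraints value is not a single SEQUENCE")
    ca, path_len, pos = False, None, 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        if tag == 0x01:      # BOOLEAN
            ca = val != b"\x00"
        elif tag == 0x02:    # INTEGER
            path_len = int.from_bytes(val, "big", signed=True)
            if path_len < 0:
                raise ValueError("negative pathLenConstraint")
        else:
            raise ValueError(f"unexpected tag 0x{tag:02x} in Basic Constraints")
    if path_len is not None and not ca:
        raise ValueError("pathLenConstraint is only meaningful when cA is TRUE")
    return BasicConstraints(ca, path_len)


@dataclass
class Cert:
    subject: str
    issuer: str
    basic_constraints: Optional[bytes]  # raw extension value; None if absent


def validate_path_length(chain: List[Cert]) -> Tuple[bool, str]:
    """chain[0] is the trust anchor, chain[-1] the end-entity certificate.
    Applies RFC 5280 6.1.4 steps (h), (k) and (m) to each intermediate CA."""
    max_path_length = len(chain)  # initialised to n; only decrements matter
    for cert in chain[1:-1]:
        if cert.basic_constraints is None:
            return False, f"{cert.subject}: intermediate lacks Basic Constraints"
        bc = parse_basic_constraints(cert.basic_constraints)
        if not bc.ca:
            return False, f"{cert.subject}: cA is not TRUE"
        if cert.subject != cert.issuer:  # self-issued certificates are not counted
            if max_path_length <= 0:
                return False, f"{cert.subject}: exceeds pathLenConstraint of a superior CA"
            max_path_length -= 1
        if bc.path_len is not None and bc.path_len < max_path_length:
            max_path_length = bc.path_len
    return True, "path length within constraints"


# Constructed DER values for the Basic Constraints extension.
CA_PATHLEN_0 = bytes.fromhex("30 06 01 01 ff 02 01 00")  # cA=TRUE, pathLen=0
CA_NO_PATHLEN = bytes.fromhex("30 03 01 01 ff")          # cA=TRUE, no pathLen
NOT_CA = bytes.fromhex("30 00")                          # cA defaults to FALSE

# Constructed chain: the root issues Sub CA with pathLen 0, so Sub CA may
# issue end-entity certificates only, not another CA.
ROOT = Cert("CN=Root CA", "CN=Root CA", CA_NO_PATHLEN)
SUB = Cert("CN=Sub CA", "CN=Root CA", CA_PATHLEN_0)
SUB_SUB = Cert("CN=Sub-Sub CA", "CN=Sub CA", CA_NO_PATHLEN)
LEAF_OK = Cert("CN=user", "CN=Sub CA", NOT_CA)
LEAF_DEEP = Cert("CN=user", "CN=Sub-Sub CA", NOT_CA)

if __name__ == "__main__":
    print(validate_path_length([ROOT, SUB, LEAF_OK]))            # accepted
    print(validate_path_length([ROOT, SUB, SUB_SUB, LEAF_DEEP]))  # rejected
```

The two-tier path (Root, Sub CA, user) is accepted, while the three-tier path is rejected at Sub-Sub CA because Sub CA's pathLenConstraint of 0 leaves no room for a further non-self-issued CA certificate below it.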