One of the most important concepts in a public key infrastructure (PKI) is trust: PKI administrators and users must be able to determine which public keys are trustworthy. In "CA Trust Relationships in Windows Server 2003 PKI," June 2004, InstantDoc ID 42444, I discuss the primary Windows 2003 PKI trust models—hierarchical and networked—and explain the concept of constrained trust in Windows 2003 PKI. These topics are primarily about Certification Authorities (CAs) and servers in a PKI trust.

However, if you want to establish a reliable PKI, you also need to understand how PKI administrators manage PKI-user-side trust decisions. In this context, the concept of a trust anchor (i.e., a CA that the PKI user explicitly trusts under all circumstances) is particularly important.

Windows 2003 and Windows XP include several mechanisms to control a PKI user's trust anchors. Some are user-driven mechanisms; others are Local Machine Administrator-driven or even Domain or Enterprise Administrator-driven mechanisms. The administrator-driven mechanisms are available only when the PKI client is a member of a Windows 2003 domain and forest infrastructure. Table 1 lists the available mechanisms and their characteristics, which I discuss in more detail in the next sections.

User-Centric PKI Trust Management
Windows 2003 and XP contain functionality to let PKI users make their own trust decisions. The key to this functionality is a user's certificate store and, more specifically, the trusted root CA's certificate container (aka the root certificate store). To access your personal certificate store, you can use the Microsoft Management Console (MMC) Certificates snap-in or the Microsoft Internet Explorer (IE) certificates viewer. To open the certificates viewer, open IE, select Internet Options, go to the Content tab, and click Certificates.

All CA certificates in the root certificate store container are by default considered trust anchors, and by default, a PKI user controls which CA certificates he or she wants to add to or remove from this container. When a user tries to add a CA certificate to the root store, a dialog box opens that asks the user to confirm that he or she wants to add the certificate to the root store, which Figure 1 shows.

In a default Windows 2003 or XP installation, the root certificate store comes prepopulated with a set of CA certificates so that the user doesn't need to add all CA certificates to his or her store. However, using these certificates isn't a sound security practice; the user is relying on the software vendor's judgment to decide whether a certificate is trustworthy. Enterprises should remove all prepopulated CA certificates and add only the certificates that the IT department considers trustworthy. (In consumer environments, the prepopulated root store is a good solution from an ease-of-use perspective because it removes some of the complexity of working with PKI and PKI-enabled applications.)
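An added example, not from the article, of how the recommendation above can be checked: a PowerShell script that lists every entry in the user and Local Computer root stores that is not on an allow-list maintained by the IT department. The thumbprints are constructed placeholders, and the function name Get-UnapprovedRootCerts is my own.

```powershell
# Added example (not from the article): report every trust anchor in the user and
# Local Computer root stores that is not on the IT department's approved list.
# The two thumbprints below are constructed placeholders; replace them with the
# SHA-1 thumbprints of the CA certificates your organization actually trusts.
$ApprovedRoots = @{
    '0000000000000000000000000000000000000001' = 'Example Enterprise Root CA (placeholder)'
    '0000000000000000000000000000000000000002' = 'Example Partner Root CA (placeholder)'
}

function Get-UnapprovedRootCerts {
    param(
        [Parameter(Mandatory)][string]$StorePath,   # e.g. Cert:\LocalMachine\Root
        [hashtable]$Approved = $ApprovedRoots
    )
    Get-ChildItem -Path $StorePath |
        Where-Object { -not $Approved.ContainsKey($_.Thumbprint) } |
        Select-Object @{Name='Store'; Expression={ $StorePath }},
                      Subject, Thumbprint, NotAfter
}

# Cert:\CurrentUser\Root is the user's logical root store; Cert:\LocalMachine\Root
# is the Local Computer store from which most of those anchors are inherited.
foreach ($store in 'Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root') {
    $unapproved = @(Get-UnapprovedRootCerts -StorePath $store)
    if ($unapproved.Count -eq 0) {
        "{0}: all trust anchors are on the approved list." -f $store
        continue
    }
    Write-Warning ("{0}: {1} trust anchor(s) not on the approved list" -f $store, $unapproved.Count)
    $unapproved | Format-Table -AutoSize
}
```

Removing a reported entry is a Remove-Item on its Cert: path; for the Local Computer store that requires an administrator session, since only the local administrator can modify those anchors.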

Windows 2003 comes with an important new Group Policy Object (GPO) trust management extension. The extension lets administrators set whether a user is allowed to make his or her own root certificate store trust decisions and determine which certificate store containers are considered trust anchor stores. To access the new settings, open the MMC Group Policy Object snap-in, then open the Computer Configuration, Windows Settings, Security Settings, Public Key Policies, Trusted Root Certification Authorities GPO container, and select Properties. To let users make their own trust anchor decisions, select the Allow users to select new root certification authorities (CAs) to trust check box, as Figure 2 shows. If you set Client computers can trust the following certificate stores to Enterprise Root Certification Authorities, only the certificates stored in the CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=<domain>,DC=<domain> Active Directory (AD) container will be trusted. If you select Third-Party Root Certification Authorities and Enterprise Root Certification Authorities, the certificates in that AD container and the ones in the certificate store's Third Party Root Certification Authorities container will be trusted.

Independent of the above settings, users can always set the applications or purposes for which they want to trust a particular certificate in their certificate store. To access this functionality, a user needs to open Certificate properties in the Certificates snap-in, go to the Details tab, click Edit Properties, select Enable only the following purposes, and select the applications or purposes for which he or she wants to trust the certificate, as Figure 3 shows. Setting this certificate property affects the selected applications the same as if the certificate contained an extended key usage (EKU) or Application Policy X.509 certificate extension.

Most of the trust anchor certificates in the root store are inherited from the local machine certificate store. Only the local administrator can directly modify the trust anchors on the local machine. To view the content of a machine's certificate store, open the Certificates snap-in and select the local machine. To see the certificates in their personal certificate store that are inherited from the local machine store, users can select Show physical certificate stores in the View options of their personal certificate store. Each Logical Certificate container holds a Local Computer container that stores the certificates inherited from the local machine certificate store.

Centralized User PKI Trust Management
Windows 2003 provides three ways to centrally control a PKI user's trust anchors. You can manage trust anchors by using GPO settings, the NTAuth AD store, or the Windows Update service.

The two GPOs that let you control a user's trust anchors are the Trusted Root Certification Authorities GPO and the Enterprise Trust GPO. Both GPOs are located in the Computer Configuration, Windows Settings, Security Settings, Public Key Policies GPO container. The GPO settings are automatically downloaded to PKI clients as part of the Group Policy application process on the Windows client.

The Trusted Root Certification Authorities container is used to distribute trustworthy Enterprise CA certificates to PKI users. The CA entries in this container have unlimited trust (as long as the certificates haven't expired).

The Enterprise Trust container contains a set of certificate trust lists (CTLs), which are signed lists of CA certificates. The certificates are considered trust anchors only if the CTL is signed by using a private key whose public key certificate has been issued by another trust anchor. Administrators can limit how long the CTL entries are valid and for which applications they are valid. To do so, open the Group Policy Object snap-in, navigate to the User Configuration\Security Settings\Public Key Policies\Enterprise Trust container, right-click it, and select New, Certificate Trust List to open the Certificate Trust List Wizard, which Figure 4 shows.

The NTAuth AD store is a special trust anchor store. It holds the CA certificates of all Windows 2003 Enterprise CAs and CAs that are trusted to issue Windows smart card logon certificates or certificates that contain a client authentication EKU or application policy (e.g., for use with Secure Sockets Layer—SSL—client authentication or RAS and VPN authentication). The NTAuth trust anchor certificates are downloaded to every PKI client as part of the Windows autoenrollment event. An autoenrollment event occurs when a user logs on, when an administrator uses the Gpupdate utility to manually refresh the local GPOs, or during an automatic Group Policy refresh (which occurs every 90 minutes by default). The NTAuth certificates are stored in the cACertificate attribute of the NTAuth Certificates object that's in CN=Public Key Services,CN=Services,CN=Configuration,DC=<domain>.
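An added PowerShell example, not from the article, that reads the cACertificate attribute of the NTAuth object in AD and compares it with the copy the autoenrollment event has cached on the client. It assumes the object's CN is NTAuthCertificates and that the client cache lives under HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates; run it on a domain-joined client.

```powershell
# Added example (not from the article): list the CA certificates published in the
# NTAuth store in Active Directory and compare them with the copy cached on this
# client by the autoenrollment event. Assumptions: the AD object is
# CN=NTAuthCertificates under CN=Public Key Services, and the client cache is the
# EnterpriseCertificates registry key named below.
$configNC = ([ADSI]'LDAP://RootDSE').Properties['configurationNamingContext'].Value
$ntAuth   = [ADSI]"LDAP://CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$configNC"

# cACertificate is multi-valued; every value is one DER-encoded CA certificate.
$adCerts = foreach ($der in $ntAuth.Properties['cACertificate']) {
    New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$der)
}

# The locally cached copy holds one registry subkey per certificate, named by its
# SHA-1 thumbprint, so thumbprints are enough to compare the two sets.
$cachePath  = 'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates'
$cachedHash = @()
if (Test-Path $cachePath) {
    $cachedHash = @((Get-ChildItem -Path $cachePath).PSChildName)
}

'CAs published in the AD NTAuth store (each one may issue logon-capable certificates):'
$adCerts |
    Select-Object Subject, Thumbprint, NotAfter,
        @{Name='CachedLocally'; Expression={ $cachedHash -contains $_.Thumbprint }} |
    Format-Table -AutoSize

# Entries still cached here but gone from AD stay trusted until the next refresh.
$stale = @($cachedHash | Where-Object { $adCerts.Thumbprint -notcontains $_ })
if ($stale.Count -gt 0) {
    Write-Warning ("Cached locally but no longer in AD: {0}" -f ($stale -join ', '))
}
```

A CachedLocally value of False for a CA you just published means the client has not yet had an autoenrollment event; gpupdate triggers one, as described above.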

The third centralized user PKI trust management solution is the Root Certificate Update Service, which is a Windows Update extension. This service provides a dynamic CA certificate distribution mechanism that can replace the preloaded CA certificates. You install the required client-side software through the Windows 2003 and XP Update Root Certificate component in the Control Panel Add/Remove Programs applet's Add/Remove Windows Components option.

The Root Certificate Update Service uses a special CTL, called the Windows Update CTL, to automatically download CA certificates when the Windows 2003 or XP client-side certificate-validation software checks the appropriate Windows Update download location. The service downloads new root CA certificates to the Third-Party Certification Authorities container in the machine and user certificate stores. Organizations that want to use this feature to distribute their CA certificate must subscribe to the Microsoft Root Certificate Program. More information about this program is available from the Microsoft TechNet site at http://www.micro

Flexible PKI Trust Definition
Trust is a fundamental concept of PKI. The enhanced trust features of Windows 2003 PKI simplify PKI user-side trust management and enable PKI users to make some trust decisions on their own. Every PKI user should have some understanding of how he or she can make basic PKI trust decisions.