One of the most important concepts in a public key infrastructure (PKI) is trust: PKI administrators and users must be able to determine which public keys are trustworthy. In "CA Trust Relationships in Windows Server 2003 PKI," June 2004, InstantDoc ID 42444, I discuss the primary Windows 2003 PKI trust models, hierarchical and networked, and explain the concept of constrained trust in Windows 2003 PKI. These topics are primarily about Certification Authorities (CAs) and servers in a PKI trust.
However, if you want to establish a reliable PKI, you also need to understand how PKI administrators manage PKI-user-side trust decisions. In this context, the concept of a trust anchor (i.e., a CA that the PKI user explicitly trusts under all circumstances) is particularly important.
Windows 2003 and Windows XP include several mechanisms to control a PKI user's trust anchors. Some are user-driven mechanisms; others are Local Machine Administrator-driven or even Domain or Enterprise Administrator-driven mechanisms. The administrator-driven mechanisms are available only when the PKI client is a member of a Windows 2003 domain and forest infrastructure. Table 1 lists the available mechanisms and their characteristics, which I discuss in more detail in the next sections.
User-Centric PKI Trust Management
Windows 2003 and XP contain functionality to let PKI users make their own trust decisions. The key to this functionality is a user's certificate store and, more specifically, the trusted root CA's certificate container (aka the root certificate store). To access your personal certificate store, you can use the Microsoft Management Console (MMC) Certificates snap-in or the Microsoft Internet Explorer (IE) certificates viewer. To open the certificates viewer, open IE, select Internet Options, go to the Content tab, and click Certificates.
All CA certificates in the root certificate store container are by default considered trust anchors, and by default, a PKI user controls which CA certificates he or she wants to add to or remove from this container. When a user tries to add a CA certificate to the root store, a dialog box opens that asks the user to confirm that he or she wants to add the certificate to the root store, which Figure 1 shows.
In a default Windows 2003 or XP installation, the root certificate store comes prepopulated with a set of CA certificates so that the user doesn't need to add all CA certificates to his or her store. However, using these certificates isn't a sound security practice; the user is relying on the software vendor's judgment to decide whether a certificate is trustworthy. Enterprises should remove all prepopulated CA certificates and add only the certificates that the IT department considers trustworthy. (In consumer environments, the prepopulated root store is a good solution from an ease-of-use perspective because it removes some of the complexity of working with PKI and PKI-enabled applications.)
Windows 2003 comes with an important new Group Policy Object (GPO) trust management extension. The extension lets administrators set whether a user is allowed to make his or her own root certificate store trust decisions and determine which certificate store containers are considered trust anchor stores. To access the new settings, open the MMC Group Policy Object snap-in, then open the Computer Configuration, Windows Settings, Security Settings, Public Key Policies, Trusted Root Certification Authorities GPO container, and select Properties. To let users make their own trust anchor decisions, select the Allow users to select new root certification authorities (CAs) to trust check box, as Figure 2 shows. If you set Client computers can trust the following certificate stores to Enterprise Root Certification Authorities, only the certificates stored in the CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=<domain>,DC=<domain> AD container will be trusted. If you select Third-Party Root Certification Authorities and Enterprise Root Certification Authorities, the certificates in the above Active Directory (AD) container and the ones in the certificate store's Third Party Root Certification Authorities container will be trusted.
Independent of the above settings, users can always set the applications or purposes for which they want to trust a particular certificate in their certificate store. To access this functionality, a user needs to open Certificate properties in the Certificates snap-in, go to the Details tab, click Edit Properties, select Enable only the following purposes, and select the applications or purposes for which he or she wants to trust the certificate, as Figure 3 shows. Setting this certificate property affects the selected applications the same as if the certificate contained an extended key usage (EKU) or Application Policy X.509 certificate extension.
Most of the trust anchor certificates in the root store are inherited from the local machine certificate store. Only the local administrator can directly modify the trust anchors on the local machine. To view the content of a machine's certificate store, open the Certificates snap-in and select the local machine. To see the certificates in their personal certificate store that are inherited from the local machine store, users can select Show physical certificate stores in the View options of their personal certificate store. Each Logical Certificate container holds a Local Computer container that stores the certificates inherited from the local machine certificate store.
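The recommendation above to keep only IT-approved roots, and the distinction between the machine store and the user's own additions, can both be checked from a script. The following PowerShell audit is an added example, not code from the article; it assumes a host with the PowerShell Cert: drive (later than the Windows 2003/XP releases the article covers), and the approved thumbprints in it are placeholders that an IT department would replace with its own.

```powershell
# Added example: audit the trust anchors in the machine and user root stores
# against an IT-approved allowlist. Thumbprints below are PLACEHOLDERS.
$ApprovedRoots = @{
    # SHA-1 thumbprint (uppercase hex, no spaces) = description
    '0000000000000000000000000000000000000001' = 'Contoso Enterprise Root CA (placeholder)'
    '0000000000000000000000000000000000000002' = 'Contoso Offline Root CA (placeholder)'
}

function Get-TrustAnchorReport {
    param(
        [string[]]$StorePaths = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'),
        [hashtable]$Approved   = $ApprovedRoots
    )
    foreach ($path in $StorePaths) {
        foreach ($cert in Get-ChildItem -Path $path) {
            [pscustomobject]@{
                Store      = $path
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                SelfSigned = ($cert.Subject -eq $cert.Issuer)   # root CAs are self-signed
                Approved   = $Approved.ContainsKey($cert.Thumbprint)
            }
        }
    }
}

$report = Get-TrustAnchorReport

# 1. Every root that IT has not explicitly approved is a trust anchor nobody chose
#    (typically a vendor-prepopulated root or one a user accepted via the Figure 1 prompt).
Write-Host "Unapproved trust anchors:"
$report | Where-Object { -not $_.Approved } |
    Sort-Object Store, Subject |
    Format-Table Store, Subject, Thumbprint, NotAfter -AutoSize

# 2. Roots visible in the user's root store but absent from the machine store were not
#    inherited from the Local Computer container; they were added in the user's context.
$machineThumbprints = $report |
    Where-Object { $_.Store -eq 'Cert:\LocalMachine\Root' } |
    Select-Object -ExpandProperty Thumbprint
Write-Host "User-added trust anchors (not inherited from the local machine store):"
$report |
    Where-Object { $_.Store -eq 'Cert:\CurrentUser\Root' -and $machineThumbprints -notcontains $_.Thumbprint } |
    Format-Table Subject, Thumbprint, NotAfter -AutoSize
```

Run it under the user account being audited; the machine store section needs no elevation to read, but removing roots from it does require local administrator rights, as the paragraph above notes.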