PKI Interoperability Models (February 2005)

4.2. Cross-Certification (Mesh) Model

Cross-certification is a different approach to interoperability. Instead of a hierarchy, CAs deal with each other as peers and choose whether or not to trust each other.

If they do, each CA issues the other a cross-certificate: a CA certificate in which the issuing CA vouches for the peer CA's public key under its own policy. A relying party can then build a chain of cross-certificates from the unknown CA that issued a certificate back to a CA it trusts locally. In practice the chain is assembled either by retrieving cross-certificates from the trusted CA's repository at validation time, or by having the signer supply the intermediate certificates along with its own certificate.

Figure 3. Cross-Certification - Full Mesh Model

However, achieving interoperability through a mesh of certifications is technically and logistically challenging. It is not easy for a single pair of CAs to co-ordinate their policies and technical systems, and as the mesh grows, the number of cross-certifications grows even faster. If every pair of CAs cross-certifies in both directions (a fully meshed network), the number of cross-certificates required is n(n−1), which for large n is almost n² (where n is the number of CAs). If instead some CAs are not directly linked, the chains become longer and the network of trust becomes wider and more risky: every CA on the chain must be trusted for each verification, so a single compromised or lax CA anywhere on the chain undermines the result. In this ‘partial mesh’ it becomes necessary for relying parties to have a way of limiting the chains of certificates that can be used to verify a signature, for example by capping the chain length or by constraining the names and policies that a cross-certified CA is accepted for; X.509 certificate extensions exist for each of these constraints.

Figure 4. Cross-Certification - Partial Mesh Model
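The chain-building and chain-limiting behaviour described above, as an added example that is not part of the original page: a relying party holds a certificate issued by a CA it does not know and searches backwards through the available cross-certificates for a CA it trusts locally. The mesh is modelled as a list of (issuer, subject) pairs rather than real X.509 certificates, the department names are constructed sample data, and the `max_len` parameter plays the role of a path length limit. The same helper also counts the n(n−1) cross-certificates a full mesh needs.

```python
"""Path discovery in a cross-certification mesh (added example, not from the page)."""
from collections import deque
from itertools import permutations


def full_mesh_cross_certs(cas):
    """Return the (issuer, subject) cross-certificates for a full mesh.

    Every CA certifies every other CA in both directions, so the result has
    n*(n-1) entries: 'almost n squared' for a large number of CAs.
    """
    return [(issuer, subject) for issuer, subject in permutations(cas, 2)]


def find_path(cross_certs, trust_anchors, target_ca, max_len=None):
    """Find the shortest chain from a locally trusted CA to target_ca.

    cross_certs   - iterable of (issuer, subject) cross-certificates
    trust_anchors - set of CA names the relying party trusts directly
    target_ca     - the unknown CA that issued the certificate being checked
    max_len       - optional limit on how many cross-certificates may be
                    traversed (the relying party's chain-length control)

    Returns the chain as a list [trust_anchor, ..., target_ca], or None when
    no chain exists within the allowed length. The search runs backwards
    (subject -> issuer) because the relying party starts from the unknown CA.
    """
    issuers_of = {}
    for issuer, subject in cross_certs:
        issuers_of.setdefault(subject, []).append(issuer)

    if target_ca in trust_anchors:
        return [target_ca]  # issued by a CA we already trust; no chain needed

    # Breadth-first search so the first chain found is the shortest one.
    queue = deque([(target_ca, [target_ca])])
    seen = {target_ca}
    while queue:
        ca, path = queue.popleft()
        if max_len is not None and len(path) - 1 >= max_len:
            continue  # extending this path would exceed the chain limit
        for issuer in issuers_of.get(ca, []):
            if issuer in seen:
                continue
            new_path = [issuer] + path
            if issuer in trust_anchors:
                return new_path
            seen.add(issuer)
            queue.append((issuer, new_path))
    return None


# Constructed sample data: four government department CAs.
DEPARTMENTS = ["Tax", "Customs", "Health", "Transport"]

# Full mesh: 4 * 3 = 12 cross-certificates.
FULL_MESH = full_mesh_cross_certs(DEPARTMENTS)

# Partial mesh: only neighbouring departments cross-certify each other,
# so Tax and Transport have no direct link and must trust the CAs between them.
PARTIAL_MESH = [
    ("Tax", "Customs"), ("Customs", "Tax"),
    ("Customs", "Health"), ("Health", "Customs"),
    ("Health", "Transport"), ("Transport", "Health"),
]


if __name__ == "__main__":
    print("full mesh cross-certificates:", len(FULL_MESH))
    print("full mesh, Tax -> Transport:", find_path(FULL_MESH, {"Tax"}, "Transport"))
    print("partial mesh, Tax -> Transport:", find_path(PARTIAL_MESH, {"Tax"}, "Transport"))
    print("partial mesh, limit 2 cross-certs:",
          find_path(PARTIAL_MESH, {"Tax"}, "Transport", max_len=2))
```

In the full mesh a relying party that trusts the Tax CA reaches the Transport CA in a single cross-certificate; in the partial mesh the same check passes through Customs and Health, and a chain limit of two cross-certificates rejects it outright. Real path validation additionally checks each certificate's signature, validity period, revocation status and constraint extensions; this example covers only the discovery step.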

The sprawling nature of cross-certification between CAs that are unfamiliar with each other means it is not an ideal approach to establishing a broad, multi-national PKI. Instead, cross-certification is best suited to situations where two or three related CAs are required to interoperate with each other.

For example, two government departments with their own CAs might find it simple to cross-certify each other for a particular tax application because their policies and technical specifications were already closely aligned. Such networks might grow organically across other government departments, but any such process would be slow, careful, and built on already-strong relationships.