
Constraints on Transitive Trust Relationships

To prevent the widespread proliferation of trust relationships that could result in unwieldy administrative burdens and weakened security, the DCE Security Service imposes the following three rules on transitive trust relationships:

· Any number of descendant cells can be traversed by a transitive trust relationship, and any number of ancestor cells can be traversed by a transitive trust relationship.

· No more than one direct trust peer relationship can be traversed by a transitive trust relationship. (A direct trust peer relationship is a direct trust relationship between cells that are neither ancestors nor descendants of each other in the naming hierarchy.)

· Once a hierarchical trust relationship traverses a direct trust ancestor and an optional direct trust peer, it cannot traverse to an ancestor of the peer cell. In other words, once a transitive trust path goes up and across, it cannot go up again.

The ramifications of these rules are explained in the following paragraphs.

Rule 1:

Any number of descendant cells can be traversed in a hierarchical trust relationship, and any number of ancestor cells can be traversed by a transitive trust relationship.

For example, in the following figure, peer Cells A and B have a direct trust relationship. Cell A has a transitive trust relationship with cells B/C and B/C/D.


Direct and Transitive Trust Relationships

The previous configuration also makes possible the transitive trust relationship between B and cell B/C/D shown in the following figure.


Cell Traversal in Transitive Trust Relationships

Rule 2:

No more than one direct trust peer relationship can be traversed by a transitive trust relationship.

For example, in the following figure, cells A, B, and C are peer cells. Cell A has a direct trust peer relationship with cell B, and cell B has a direct trust peer relationship with cell C. Cell A does not have a transitive trust relationship with cell C because to do so would traverse more than one direct trust peer relationship (A to B and B to C).


Limited Direct Trust Peer Traversal in Transitive Trust

Note that it is not required to traverse a direct trust peer relationship to have a transitive trust relationship. In the following figure, no direct trust peer relationships are traversed. In the figure, a transitive trust relationship exists between the following:

· B_Division and both C_Division and C_organization

· C_Division and both B_Division and B_organization


Transitive Trust Without Direct Trust Peer Traversal

Rule 3:

Once a hierarchical trust relationship traverses a direct trust ancestor and a direct trust peer, it cannot traverse to an ancestor of the peer cell.

For example, consider the following figure. The A_Conglomerate cell hierarchy and the B_Conglomerate cell are connected by direct trust relationships. Additionally, there is a direct trust relationship between A_product in the A_Conglomerate hierarchy and B_product in the B_Conglomerate hierarchy. In this configuration, no transitive trust relationships are possible because they cannot traverse to an ancestor after traversing a direct trust peer.


Limited Trust Traversal to Cell Ancestors

The type of trust relationship shown in this figure might be used by two companies that have a very limited agreement to cooperate on product development.

The following figure shows another transitive trust path.


Alternate Trust Traversal to Cell Ancestors

In the path, the B_product cell has a transitive trust path up to its ancestor, B_Company, and from B_Company across to A_Company. But from A_Company, the transitive trust path cannot continue up to A_Company's ancestor, although it can continue down to A_Company's descendants. Because this transitive trust relationship has traversed up to a trust ancestor (B_Company) and across to a trust peer (A_Company), it cannot then continue by going up to A_Company's ancestor (A_Conglomerate). This type of relationship might be used by two companies that have decided to combine operations at a very high level.

Note that a principal accessing a foreign cell through transitive trust relationships is not authenticated by each cell transited in the trust path, but only by the target cell itself. The authentication service in a transited cell simply gives the principal a ticket to the next cell in the path, stamping the ticket with the hierarchical name of the transited cell, until the principal acquires a ticket to the target cell.

To determine whether or not to give a principal a ticket to the next cell in a transitive trust path, the authentication service in each transited cell examines the ticket, compares the last cell transited with the next cell in the path, and applies the rules of transitive trust described in this topic. If the next cell to be transited is consistent with a valid transitive trust path, the authentication service gives the principal a ticket to the next cell; otherwise, it refuses to issue a ticket.
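The following is an added illustration, not DCE code: a small Python model of the three rules above, applied hop by hop the way the text describes the authentication service doing it (look at the cells already stamped into the ticket, look at the next cell, decide). Cell names are modelled as tuples of path components (the `/.../` global prefix is omitted), direct trust is a set of unordered cell pairs built from parent/child links plus explicitly declared peer links, and rule 3 is modelled as "no upward hop once a peer hop has been taken", which is how the rule 3 example on this page states it. The cell layouts in the sample data are taken from the figures described above; the function names and the reason strings are this example's own.

```python
"""Toy model of DCE transitive-trust path checking (added example, not DCE code)."""
from typing import FrozenSet, List, Sequence, Tuple

Cell = Tuple[str, ...]  # hierarchical cell name, e.g. ("A_Conglomerate", "A_Company")
DirectTrust = FrozenSet[FrozenSet[Cell]]  # unordered pairs of directly trusting cells


def cell(name: str) -> Cell:
    """Parse 'A_Conglomerate/A_Company' into a tuple of hierarchy components."""
    return tuple(part for part in name.strip("/").split("/") if part)


def is_ancestor(a: Cell, b: Cell) -> bool:
    """True if cell a is a proper ancestor of cell b in the naming hierarchy."""
    return len(a) < len(b) and b[: len(a)] == a


def hop_kind(src: Cell, dst: Cell) -> str:
    """Classify one hop as 'up' (to an ancestor), 'down' (to a descendant) or 'peer'."""
    if is_ancestor(dst, src):
        return "up"
    if is_ancestor(src, dst):
        return "down"
    return "peer"


def trust_graph(cells: Sequence[str], peer_links: Sequence[Tuple[str, str]]) -> DirectTrust:
    """Build the set of direct trust relationships.

    Every cell whose parent is also listed gets a hierarchical (parent/child) direct
    trust; peer_links adds direct trust peer relationships between unrelated cells.
    """
    parsed = [cell(c) for c in cells]
    direct = set()
    for c in parsed:
        if len(c) > 1 and c[:-1] in parsed:
            direct.add(frozenset((c[:-1], c)))
    for a, b in peer_links:
        direct.add(frozenset((cell(a), cell(b))))
    return frozenset(direct)


def next_hop_allowed(transited: Sequence[Cell], nxt: Cell, direct: DirectTrust) -> Tuple[bool, str]:
    """Decision made by the authentication service of the last transited cell.

    `transited` is the list of cell names stamped into the ticket so far (the
    originating cell first); `nxt` is the cell a ticket is being requested for.
    """
    last = transited[-1]
    if frozenset((last, nxt)) not in direct:
        return False, "no direct trust relationship between %s and %s" % ("/".join(last), "/".join(nxt))
    # Reconstruct the kinds of hops already taken from the names stamped into the ticket.
    earlier = [hop_kind(transited[i], transited[i + 1]) for i in range(len(transited) - 1)]
    peers_so_far = earlier.count("peer")
    kind = hop_kind(last, nxt)
    if kind == "peer" and peers_so_far >= 1:
        return False, "rule 2: a second direct trust peer relationship would be traversed"
    if kind == "up" and peers_so_far >= 1:
        return False, "rule 3: cannot traverse to an ancestor after a direct trust peer"
    return True, kind  # rule 1: any number of up/down hops is fine


def validate_path(names: Sequence[str], direct: DirectTrust) -> Tuple[bool, List[str]]:
    """Walk the path one cell at a time, as the chain of transited cells would."""
    path = [cell(n) for n in names]
    transited = [path[0]]
    hops: List[str] = []
    for nxt in path[1:]:
        ok, why = next_hop_allowed(transited, nxt, direct)
        if not ok:
            return False, hops + [why]
        hops.append(why)
        transited.append(nxt)
    return True, hops


# Constructed sample layouts, following the figures described on this page.
RULE1 = trust_graph(["A", "B", "B/C", "B/C/D"], [("A", "B")])
RULE2 = trust_graph(["A", "B", "C"], [("A", "B"), ("B", "C")])
RULE3 = trust_graph(
    ["A_Conglomerate", "A_Conglomerate/A_Company", "A_Conglomerate/A_Company/A_product",
     "B_Conglomerate", "B_Conglomerate/B_Company", "B_Conglomerate/B_Company/B_product"],
    [("A_Conglomerate/A_Company", "B_Conglomerate/B_Company")],
)

if __name__ == "__main__":
    print(validate_path(["A", "B", "B/C", "B/C/D"], RULE1))
    print(validate_path(["A", "B", "C"], RULE2))
    print(validate_path(["B_Conglomerate/B_Company/B_product", "B_Conglomerate/B_Company",
                         "A_Conglomerate/A_Company", "A_Conglomerate"], RULE3))
```

Running it shows the first path accepted (peer, then down, down), the second rejected at the B-to-C hop under rule 2, and the third rejected at the final hop under rule 3, while the same path ending at A_product instead of A_Conglomerate is accepted. Because the decision at each hop is made only from the names already stamped into the ticket plus the requested next cell, no transited cell needs to know the whole intended path in advance, which is the property the last paragraph above relies on.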