A policy model (or trust policy model) is simply some scheme or set of rules that dictates which certifying authorities are authorized to issue certificates for which principals. In other words, the policy model will prescribe whose signature is to be regarded as a valid certifier for any given principal's certificates. The policy module which embodies these rules will use them in verifying the certificates it reads from the namespace.
Since the certificates themselves are stored and accessed through the DCE directory service (either GDS or CDS), one obvious policy model will be to organize the certifying authorities' reponsibilities according to the same hierarchies. However, models that employ other certifying hierarchies, or no hierarchy at all, are also possible.
Certification Paths
The mechanism that the certification service uses to embody more complex models is certification paths. A certification path is implemented by a sequence of certificates. Rather than immediately accessing a given principal's certificate to determine its public key, the user must access the beginning of a chain of certificates in order to get to the final certificate that contains the desired principal's public key. The intervening certificates consist of a series of public keys of CAs, each certified by the next CA in the chain.
The following diagram shows how a certificate chain might be used to find the public key of a principal, X:
A Certificate Chain
In a policy model that uses certification paths, a given principal's public key is found by beginning with a certificate signed by a CA that is trusted by the entity requesting the public key (in the above diagram, the trusted CA is CA0). This certificate contains the public key of the next CA in the path, namely CA1. The policy module reads this certificate, learns the key of the next CA, CA2, and so on, until the certificate for X, the original target, is found.
The idea of certificate chains is to propagate authenticity via certifying authorities while not propagating the authorities' responsibility, thus reducing the effects of the compromise of single authorities, wherever they may exist in the hierarchy of authorities.