8-71
Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide
78-13751-01, Version 3.0
Chapter 8 Establishing Cisco Secure ACS System Configuration: Certification Authority Setup
This section contains procedures for the following subjects:
Editing the Certificate Trust List, page 8-72
Adding a New CA Certificate to Local Certificate Storage, page 8-72
Note The CAs on the CTL should be those that issue user certificates that you want
Cisco Secure ACS to recognize as trustworthy.
Trust Requirements and Models
TLS authentication requires two elements of trust. The first element is
established during the TLS negotiation itself: the client signs part of the
handshake with its private key, and the server verifies that RSA signature
against the public key in the certificate the client presented. This proves
that the end user holds the private key corresponding to that certificate, and
therefore is the legitimate keyholder for the digital certificate and the user
identification it contains. On its own, however, proof of possession only binds
the presented certificate to a keypair; it says nothing about whether the
identity written into the certificate was ever checked. The second element of
trust is the third-party signature over the certificate contents, usually from
a CA, which vouches that the information in the certificate was verified before
the certificate was issued. This third-party binding is the digital equivalent
of the U.S. Passport seal on your passport: you trust the passport because you
trust the preparation and identity checking that the passport office performed
when it created that passport. You trust digital certificates in the same way,
by installing the root certificate of the CA whose signature you accept.
How you edit your CTL determines the type of trust model you have. Many sites
employ a restricted trust model in which only a few privately controlled CAs are
trusted. This model provides the highest level of security but limits
adaptability and expandability. The alternative, an open trust model, admits
more CAs, including public CAs, and trades some security for greater
adaptability and expandability. Keep in mind that every CA on the CTL is equally
able to vouch for a user certificate: Cisco Secure ACS accepts a certificate
issued by any CA on the list, so each CA you add widens the set of parties who
can assert a user's identity to Cisco Secure ACS.
We recommend that you fully understand the implications of your trust model
before editing the CTL in Cisco Secure ACS.
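The following Go program is an added example, not code from the user guide or from Cisco Secure ACS, that models both elements of trust described above and the two trust models. It stands up two self-signed CAs (one private, one "public"), issues a user certificate from each, and then plays the server role: the user certificate must chain to a CA on the certificate trust list, and the user must prove possession of the matching private key by signing a challenge (a stand-in for the signature the client produces in the TLS handshake). The CA names, usernames and the challenge bytes are constructed for the example; only the Go standard library is used.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// certPair is a certificate together with the private key it certifies.
type certPair struct {
	cert *x509.Certificate
	key  *rsa.PrivateKey
}

// createPair generates a fresh RSA key, fills in validity and serial for tmpl,
// and has issuer sign it (self-signed when issuer is nil).
func createPair(tmpl *x509.Certificate, issuer *certPair) (*certPair, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl.SerialNumber = big.NewInt(time.Now().UnixNano()) // toy serial, not a real CA's scheme
	tmpl.NotBefore = time.Now().Add(-time.Hour)
	tmpl.NotAfter = time.Now().Add(24 * time.Hour)
	parent, signer := tmpl, key
	if issuer != nil {
		parent, signer = issuer.cert, issuer.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &certPair{cert: cert, key: key}, nil
}

// newCA makes a self-signed CA certificate (stand-in for a private or public CA).
func newCA(name string) (*certPair, error) {
	return createPair(&x509.Certificate{
		Subject:               pkix.Name{CommonName: name},
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil)
}

// issueUser has ca vouch for username: the second element of trust.
func issueUser(ca *certPair, username string) (*certPair, error) {
	return createPair(&x509.Certificate{
		Subject:     pkix.Name{CommonName: username},
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, ca)
}

// buildCTL is the server's certificate trust list: the CAs it will accept.
func buildCTL(cas ...*certPair) *x509.CertPool {
	pool := x509.NewCertPool()
	for _, ca := range cas {
		pool.AddCert(ca.cert)
	}
	return pool
}

// proveKey is the client side of the first element of trust: sign the server's
// challenge with the private key (stand-in for the TLS CertificateVerify signature).
func proveKey(key *rsa.PrivateKey, challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
}

// authenticate is the server side: the certificate must chain to a CA on the CTL,
// and sig must verify under the certificate's public key. Returns the username.
func authenticate(ctl *x509.CertPool, cert *x509.Certificate, challenge, sig []byte) (string, error) {
	opts := x509.VerifyOptions{Roots: ctl, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("issuer not on CTL: %w", err)
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return "", fmt.Errorf("certificate does not carry an RSA key")
	}
	digest := sha256.Sum256(challenge)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return "", fmt.Errorf("proof of possession failed: %w", err)
	}
	return cert.Subject.CommonName, nil
}

func main() {
	corpCA, _ := newCA("Corp Private CA")
	publicCA, _ := newCA("Some Public CA")
	alice, _ := issueUser(corpCA, "alice")
	bob, _ := issueUser(publicCA, "bob")
	challenge := []byte("server nonce 0001") // constructed sample challenge
	restricted, open := buildCTL(corpCA), buildCTL(corpCA, publicCA)
	for _, u := range []*certPair{alice, bob} {
		sig, _ := proveKey(u.key, challenge)
		r, errR := authenticate(restricted, u.cert, challenge, sig)
		o, errO := authenticate(open, u.cert, challenge, sig)
		fmt.Printf("%s: restricted user=%q err=%v | open user=%q err=%v\n", u.cert.Subject.CommonName, r, errR, o, errO)
	}
	sig, _ := proveKey(bob.key, challenge) // alice's certificate with bob's key fails element one
	_, err := authenticate(open, alice.cert, challenge, sig)
	fmt.Println("alice cert, bob key:", err)
}
```

Under the restricted CTL only the certificate issued by the corporate CA authenticates; under the open CTL both do, which is the adaptability the text trades security for. The last check shows why both elements are needed: a certificate that chains perfectly to a trusted CA is still rejected when the presenter cannot sign with its private key.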