PrepAway - Latest Free Exam Questions & Answers

What is the primary role of cross certification?


A. Creating trust between different PKIs

B. Build an overall PKI hierarchy

C. Set up direct trust to a second root CA

D. Prevent the nullification of user certificates by CA certificate revocation

Explanation:
More and more organizations are setting up their own internal PKIs. When these independent PKIs need to
interconnect to allow for secure communication to take place (either between departments or between different
companies), there must be a way for the two root CAs to trust each other. The two CAs do not have a CA
above them that they can both trust, so they must carry out cross certification. Cross certification is the process
undertaken by CAs to establish a trust relationship in which they rely upon each other’s digital certificates and
public keys as if they had issued them themselves. When this is set up, a CA for one company can validate
digital certificates from the other company and vice versa.
Incorrect Answers:
B: Building an overall PKI hierarchy is not the primary purpose of cross certification. Cross certification is used
to create a trust between different PKIs or PKI hierarchies.
C: Cross certification does not set up a direct trust to a second root CA; it creates trusts between two PKIs (this
includes all CAs in each hierarchy).
D: Preventing the nullification of user certificates by CA certificate revocation is not the purpose of cross
certification. Certificate revocation should nullify user certificates or at least render them untrusted.

Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, 2013, p. 835

