Cross-certification extends third-party trust relationships between Certification Authority domains. For example, two trading partners, each with their own CA, may want to validate certificates issued by the other partner?s CA. Alternatively, a large, distributed organization may require multiple CAs in various geographic regions. Cross-certification allows different CA domains to establish and maintain trustworthy electronic relationships.The term cross-certification refers to two operations. The first operation, which is generally executed infrequently, is the establishment of a trust relationship between two CAs. In the case of bilateral cross-certification, two CAs securely exchange their verification keys. These are the keys used to verify the CAs' signatures on certificates. To complete the operation, each CA signs the other CA's verification key in a certificate referred to as a "cross-certificate".The second operation is done by the client-side software. The operation, which is executed frequently, involves verifying the trustworthiness of a user certificate signed by a cross-certified CA. The operation is often referred to as "walking a chain of trust". The "chain" refers to a list of cross-certificate validations that are "walked" (or traced) from the CA key of the verifying user to the CA key required to validate the other user's certificate.When walking a chain of cross-certificates, each cross-certificate be checked to ensure that it is still trusted. User certificates must be able to be revoked; so must cross-certificates. This requirement is frequently overlooked in discussions regarding cross-certification.

For more information on third-party trust and cross-certification, refer to the Entrust White Paper titled " The Concept of Trust in Network Security ".