OSF DCE Administration Guide--Core Components
33.1.4 Constraints on Transitive Trust Relationships
To prevent the widespread proliferation of trust relationships that could result in
unwieldy administrative burdens and weakened security, the DCE Security Service
imposes the following three rules on transitive trust relationships:
1. Any number of descendent cells can be traversed by a transitive trust relationship,
and any number of ancestor cells can be traversed by a transitive trust relationship.
2. No more than one direct trust peer relationship can be traversed by a transitive
trust relationship. (A direct trust peer relationship is a direct trust relationship
between cells that are neither ancestors nor descendants of each other in the
naming hierarchy.)
3. Once a hierarchical trust relationship traverses a direct trust ancestor and an
optional direct trust peer, it cannot traverse to an ancestor of the peer cell. In other
words, once a transitive trust path goes up and across, it can’t go up.
The ramifications of these rules are explained in the following paragraphs.
Rule 1:
Any number of descendent cells can be traversed in a hierarchical trust
relationship, and any number of ancestor cells can be traversed by a transitive trust
relationship.
For example, in Figure 33-2, peer Cells A and B have a direct trust relationship. Cell A
has a transitive trust relationship with cells B/C and B/C/D.
Figure 33-2. Direct and Transitive Trust Relationships
[Figure: cells A, B, C and D, with three links labelled "direct trust"; transitive trust relationships between cell A and cells B/C and B/C/D.]
The previous configuration also makes possible the transitive trust relationship between
cell B and cell B/C/D shown in Figure 33-3.
Figure 33-3. Cell Traversal in Transitive Trust Relationships
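The three rules can be read as a check on a candidate trust path, shown here as an added example in Python (not code from the guide or from DCE). It assumes every parent and child cell pair holds a direct trust relationship, reads rule 3 literally as "once the path has gone up and across, it cannot go up", and uses the cells of Figure 33-2 plus the constructed cells E and A/X and the constructed peer links B-E and A-B/C.

```python
# Added example: models the three rules of section 33.1.4 on cell names.
# Cell names follow the figure's notation ("B/C" is a child cell of "B").

def parent(cell):
    """Return the parent cell name, or None for a top-level cell."""
    head, sep, _ = cell.rpartition("/")
    return head if sep else None

def is_ancestor(a, b):
    """True if cell a is an ancestor of cell b in the naming hierarchy."""
    return b.startswith(a + "/")

def classify_hop(src, dst, peer_links):
    """Classify one hop as 'up', 'down' or 'across'; None if no direct trust."""
    if parent(src) == dst:
        return "up"      # assumption: child cells trust their parent directly
    if parent(dst) == src:
        return "down"    # assumption: parent cells trust their children directly
    related = is_ancestor(src, dst) or is_ancestor(dst, src)
    if frozenset((src, dst)) in peer_links and not related:
        return "across"  # direct trust peer: neither ancestor nor descendant
    return None

def check_path(path, peer_links):
    """Return (allowed, reason) for a transitive trust path given as a cell list."""
    went_up = went_across = False
    for src, dst in zip(path, path[1:]):
        hop = classify_hop(src, dst, peer_links)
        if hop is None:
            return False, f"no direct trust between {src} and {dst}"
        if hop == "across":
            if went_across:
                return False, "rule 2: more than one peer relationship traversed"
            went_across = True
        elif hop == "up":
            if went_up and went_across:
                return False, "rule 3: path went up and across, then up again"
            went_up = True
        # 'down' hops are never limited (rule 1)
    return True, "allowed"

# Constructed topology: A-B is the peer link from Figure 33-2. The links B-E
# and A-B/C, and the cells E and A/X, are hypothetical, added to exercise
# rules 2 and 3.
PEERS = {frozenset(p) for p in [("A", "B"), ("B", "E"), ("A", "B/C")]}

if __name__ == "__main__":
    for p in (["A", "B", "B/C", "B/C/D"], ["A", "B", "E"], ["A/X", "A", "B/C", "B"]):
        print(" -> ".join(p), check_path(p, PEERS))
```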
33 − 4 Tandem Computers Incorporated 124243