PKI: Intermediate CA's no more?
In a recent discussion with a Microsoft PFE, they said the previous common recommendation and trend of using a three-tier hierarchy (Root -> Intermediate/Policy -> Issuing) is not being recommended anymore, but rather to eliminate the Intermediate level altogether and use just a two-tier hierarchy (Root -> Issuing/Policy). They really didn't give any good examples of what this does or does not buy me, other than the obvious 'less hardware'.

Initially, we were looking at having 3 Intermediate/Policy CAs: 1 on each continent where we house our Data Centers and another for External use.

I'm planning a WS08 R2 PKI and want to see if anyone really has any solid pros/cons, agree/disagree, best practices, lessons learned, etc. with eliminating Intermediate CAs altogether. I'd like to make the best decision before implementing it. Any feedback is appreciated.

Calling Komar... you out there? :)
October 21st, 2009 7:48pm

Here's my 5 cents.

I've never understood the purpose of policy CAs. It might be great if u go through the ____ of creating CP and CPS documents, but for internal use (most common) u regulate this stuff in other documents.

I've worked with PKI for 12 years, and in the beginning many companies backed when they were presented with the cost for HSM, 3-tier and CP/CPS. So it was a real showstopper. Nowadays MS simplified their recommendations to everyone's joy.

The way I see it, the pros of policy CAs could easily be achieved by a 2-tier... which leaves us with the cons (cost for additional hw and administration).

Look, if u make use of policy CAs u can either have them offline or online. If offline, then u have the extra cert renewal and CRL routine for each CA. If online, then u have an elevated risk. The chaining process will take slightly longer. If u decide on CPSs then u'll prolly need one for each CA (depends).

So a lot of cons but not any pros... that I can see.

Good luck.
October 21st, 2009 9:29pm

There is *no* best way of doing it. It is something that results from the design process. A good consultant will never come in stating 2 tier is better than 3 tier. If they do, they are just reading from a script or a prepared offering. <G>

Reasons for 2 tier
- less CAs
- flatter
- simpler chain building
- can combine policy and issuing CA in one CA

Reasons for 3 tier
- multiple forests, want common policy and define at 2nd tier
- cross-certification where you wish to receive one cross-CA certificate and have trust of many CAs (pathlength=1)
- Root signing with a commercial CA where you want to issue certs from multiple CAs (pathlength=1 again)

Brian
October 21st, 2009 10:32pm

Hi

Could anyone share with me an article or document explaining the concept of a Policy CA? I do understand the pros and cons of an intermediate CA, but I don't see any great value in stuffing in a Policy CA. Maybe I am wrong?

Hence, could anyone explain the need for and concept of a Policy CA, and how can we set up a Policy CA using Windows 2k8 CA?

Thanks
Santosh.
October 22nd, 2009 2:39am

Guess I'm a bad consultant then. ;-)

Heard about x-certification for a long time but never seen it in real life. Same thing with policy CAs. But I'm from Sweden and the market is limited to many small/medium corps and just a few large ones, and my guess is that x-cert and policy is for large-scale implementations with >50k users. Commercial Root however is interesting, but haven't seen that either (I might be blind).

Sanurajan, regarding policy CAs.

A Policy CA is often used to separate assurance levels and/or geographical sites. For instance, u can set up one policy CA for high assurance certificates and another CA for low/medium assurance certificates. Or u can set up one policy CA in India and another one in the US to distinguish geographical diff. Or a mix of both.

From my point of view, having different policy CAs indicates that the CA with low assurance issues "bad" certificates and low security administration. As a consultant I build all CAs as High Assurance CAs. Then u can mix diff types and classes of certs on the CAs.

So I'd say, use intermediate CAs only if u got a large global corp and want to separate users on different sites and delegate administration.

I'm sure Brian has another take on the above. ;-)

Good luck!
October 22nd, 2009 1:49pm
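As an added illustration (not from any of the posters) of Santosh's question about building a Policy CA on Windows 2008 CA, here is a CAPolicy.inf for the Policy tier of the 3-tier layout discussed in this thread: it carries the certificate policy that distinguishes a "high assurance" tier and the pathlength=1 constraint Brian mentions. The policy name, OID, URL and validity/CRL periods are placeholders to be replaced with your organisation's own values.

```ini
; CAPolicy.inf for the Policy CA tier (Root -> Policy -> Issuing).
; Added example, not from any poster. Place it in %windir% before
; installing AD CS on the Policy CA so the subordinate request picks it up.

[Version]
Signature="$Windows NT$"

; A Policy CA exists to carry the certificate policy: this extension is
; what separates a "high assurance" tier from a "low/medium" one.
[PolicyStatementExtension]
Policies=HighAssurancePolicy
Critical=False

[HighAssurancePolicy]
; Placeholder OID and URL: use the OID arc registered for your organisation
; and the location where the CPS for this tier is published.
OID=1.3.6.1.4.1.99999.1.1
Notice="High assurance certificates - see the CPS at the URL below"
URL=http://pki.example.com/cps/high-assurance.html

; PathLength=1 permits exactly one CA (the Issuing CA) beneath this Policy CA.
; A CA certificate issued by an Issuing CA would then fail chain validation,
; which enforces the tier boundary cryptographically rather than by procedure.
[BasicConstraintsExtension]
PathLength=1
Critical=Yes

[Certsrv_Server]
RenewalKeyLength=2048
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=10
; The Policy CA is kept offline, so publish a long-lived base CRL and no delta CRL.
CRLPeriod=Months
CRLPeriodUnits=6
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0
; A CA that only signs subordinate CA certificates needs no end-entity templates.
LoadDefaultTemplates=0
```

The CDP and AIA URLs are not set here: for a subordinate CA they are written into its certificate by the Root CA's own extension configuration at signing time, so they belong in the Root's configuration, not in this file.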

