Why should certificates from cross-certified infrastructures be validated using the bridge rather than simply using their root CAs in the trust store?
This might be best illustrated with an example. Suppose you want to interoperate with the DST ACES PKI. The first step you need to take before users with DST credentials can use them is to install the DST ACES Root in your CAPI store. After you take this step, you’ll observe that your server accepts DST ACES certificates. Let’s suppose you stop after this step. Imagine that a malicious user fools the DST ACES CA into issuing a certificate to them under the name “CN=PACE.PETER.M, OU=USMC, OU=PKI, OU=DoD, O=U.S. Government, C=US”, with a subject alternative name of peter.pace@usmc.mil. The applications on that server would reasonably think that they were seeing peter.pace@usmc.mil authenticating with a CAC card, because the certificate would validate. Needless to say, you never want your applications to think a DST-credentialed user is Peter Pace. If, instead of stopping here, you install Webcullis or another authentication plugin capable of using a bridged infrastructure to validate crede
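As an added illustration (not part of the original FAQ answer or of Webcullis): a minimal RFC 5280-style name-constraint check showing that a DST ACES root installed directly in the trust store accepts the spoofed certificate, while a path through a bridge whose cross-certificate excludes the DoD subtree rejects it. The certificate fields and the constraint values are constructed for the example; the FAQ does not state what constraints the real cross-certificate carries.

```python
# Constructed for this example: the spoofed certificate from the FAQ scenario.
# DNs are stored root-first (C, O, OU..., CN) so a subtree test is a prefix test.
SPOOFED_CERT = {
    "subject": [("C", "US"), ("O", "U.S. Government"), ("OU", "DoD"),
                ("OU", "PKI"), ("OU", "USMC"), ("CN", "PACE.PETER.M")],
    "email": "peter.pace@usmc.mil",
}
DOD_SUBTREE = [("C", "US"), ("O", "U.S. Government"), ("OU", "DoD")]

# Assumed (not stated in the FAQ): the bridge's cross-certificate toward DST ACES
# carries excludedSubtrees covering the DoD DN namespace and .mil e-mail addresses
# (RFC 5280 section 4.2.1.10). A bare root install carries no such constraints.
ROOT_ONLY_PATH = [{"name": "DST ACES Root installed directly in the CAPI store"}]
BRIDGED_PATH = [
    {"name": "Enterprise trust anchor"},
    {"name": "Bridge -> DST ACES cross-certificate",
     "excluded_dn": [DOD_SUBTREE], "excluded_email": [".mil"]},
]

def dn_in_subtree(dn, subtree):
    """A DN lies in a directoryName subtree when the subtree is its prefix."""
    return dn[:len(subtree)] == subtree

def email_in_subtree(email, subtree):
    """rfc822Name constraint: a leading dot matches any host in that domain."""
    domain = email.rsplit("@", 1)[-1].lower()
    sub = subtree.lower()
    return domain.endswith(sub) if sub.startswith(".") else domain == sub

def check_link(cert, link):
    """Apply one path element's name constraints; no constraints always passes."""
    for st in link.get("excluded_dn", []):
        if dn_in_subtree(cert["subject"], st):
            return False, f"{link['name']}: subject inside excluded subtree"
    for st in link.get("excluded_email", []):
        if email_in_subtree(cert["email"], st):
            return False, f"{link['name']}: SAN e-mail inside excluded {st}"
    return True, "ok"

def validate(cert, path):
    """Walk the path trust-anchor-first; every link's constraints must hold."""
    for link in path:
        ok, reason = check_link(cert, link)
        if not ok:
            return False, reason
    return True, "path valid"

if __name__ == "__main__":
    print(validate(SPOOFED_CERT, ROOT_ONLY_PATH))  # (True, 'path valid')
    print(validate(SPOOFED_CERT, BRIDGED_PATH))    # (False, '...excluded subtree')
```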