In a modern communication network, what are the limitations of a tree- structured CA system? Why is it necessary?

A tree-structured Certificate Authority (CA) system presents specific limitations in modern communication networks. A primary concern is the single point of failure; if a root CA is compromised, all certificates issued beneath it become untrustworthy. Managing certificate revocation across a deep, hierarchical structure also proves complex and slow, potentially delaying the invalidation of compromised certificates within a Public Key Infrastructure (PKI). Also, varied certificate issuance policies among different intermediate CAs in the tree can cause interoperability issues.

Despite these limitations, a tree-structured CA system is necessary because it establishes a clear, verifiable chain of trust. This structure allows users and applications to implicitly trust a limited set of root CAs instead of individually verifying every certificate issuer. It simplifies trust management by delegating authority from a root CA to intermediate CAs. These intermediate CAs can then issue certificates for specific domains or organizations. This delegation enables scalable distribution of certificate issuance responsibilities while maintaining a centralized trust anchor, which is a foundational concept for secure communications.