If I understand corretly, the "leaf" entities are end entity certificates, that trust only their own PKI trust anchor, but need to communicate with end entities of other PKIs without changing their trust anchor settings. Therefore, using only cross certification.
I am supposed to add exactly one certificate so that T trusts G, but
not D. Furthermore R must not trust P.
In other words, T must consider G valid, but not D. R must also not consider P valid (that part is a little bit strange, but I understand that R trusts itself only).
First I thought to let C
certify G, but the solution proposes a certificate of C for P.
If C certies G, it would generate a G´ (a different certificate for the same entity). If C certifies P, it would generate a P' that still would be able to validate G. G, trusting C, would trust P'.
If C certifies P, there exists a path from R to P. P becomes a child
of R. Therefore R should trust P. But why is that not the case?
P is not a child of C or R, but P'. Therefore, R does not trust P (neither G or C). R also will trust G, if you are wondering.
Another certificate is searched in order that D trusts J and L, but
not K. Furthermore N must not trust B.
When introducing a certificate from D to B, D will trust J and L but
not K. The same moment trust from N to J and L arises (because there
is a certification path). So how can this task be solved?
Since that looks like homework, I´ll let this one to you to solve, since with the expanation of the other item its seem easier to understand this one.
