As explained in Authentication Using Certificates, trust must exist between the recipient of a signed message and the signer of the message. One way to establish this trust is with a certificate, an electronic document attesting that an entity or person is who it claims to be. A certificate is issued to an entity by a third party that is trusted by both of the other parties, so each recipient of a signed message must decide whether the issuer of the signer's certificate is trustworthy. CryptoAPI provides a mechanism that lets application developers write applications that automatically verify certificates against a predefined list of trusted certificates or roots. This list of trusted entities (called subjects) is called a Certificate Trust List (CTL).
The following example of CTL use involves the administrator of an intranet (an intra-company network) who wants to control exactly which outside sources are trusted. The administrator creates a list of trusted certificates or roots, signs it, and makes the list available to all clients on the network in the form of a CTL. Because the list itself is signed, a client can verify that it has not been altered before relying on it. An application designed to use this CryptoAPI functionality then accepts only signed messages or downloaded software that was signed by entities on the list.
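The trust decision described above, as an added example that is not code from the original page or from CryptoAPI itself. It models the two checks a client must make: first that the CTL carries a valid signature from the administrator, and only then that the message signer's certificate appears on the list. Assumptions: certificates are stand-in byte strings (constructed), subjects are identified by the SHA-1 thumbprint of the encoded certificate as CryptoAPI does, and HMAC-SHA256 stands in for the PKCS#7 signature a real CTL carries (a real CTL is signed with the administrator's private key and clients hold only the public key; it is built with CryptMsgEncodeAndSignCTL rather than this code).

```python
"""Model of a Certificate Trust List (CTL) and the client-side trust decision.

Added example, not code from the original page. Certificates are constructed
stand-in byte strings; HMAC-SHA256 stands in for the administrator's PKCS#7
signature (assumption for illustration only; real CTLs use public-key
signatures so clients cannot forge the list).
"""
import hashlib
import hmac
import json

# Real EKU OIDs used as the CTL's intended usage.
CODE_SIGNING = "1.3.6.1.5.5.7.3.3"
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"

# Constructed sample data: administrator key and three "root certificates".
ADMIN_KEY = b"constructed-admin-signing-key"
ROOT_A = b"constructed DER: Vendor A root CA"
ROOT_B = b"constructed DER: Vendor B root CA"
ATTACKER_ROOT = b"constructed DER: attacker-controlled root CA"


def thumbprint(cert_der: bytes) -> str:
    """CTL subjects are identified by the SHA-1 hash of the encoded certificate."""
    return hashlib.sha1(cert_der).hexdigest()


def build_ctl(trusted_certs, usage, admin_key):
    """Administrator side: list trusted roots for one usage and sign the list."""
    body = {"usage": usage,
            "subjects": sorted(thumbprint(c) for c in trusted_certs)}
    encoded = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(admin_key, encoded, hashlib.sha256).hexdigest()
    return {"ctl": encoded, "signature": sig}


def verify_ctl(signed_ctl, admin_key):
    """Client side: return the parsed list only if its signature checks out."""
    expected = hmac.new(admin_key, signed_ctl["ctl"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed_ctl["signature"]):
        return None  # unsigned or altered list: do not trust its contents
    return json.loads(signed_ctl["ctl"])


def is_trusted_signer(signer_cert, signed_ctl, admin_key, usage):
    """Accept a signer only if the CTL is authentic, matches the usage,
    and lists the signer's certificate thumbprint."""
    ctl = verify_ctl(signed_ctl, admin_key)
    if ctl is None:
        return False
    if ctl["usage"] != usage:
        return False  # a code-signing list says nothing about server auth
    return thumbprint(signer_cert) in ctl["subjects"]


def tampered_copy(signed_ctl, extra_cert):
    """Attacker model: add a root to the list body without re-signing it."""
    body = json.loads(signed_ctl["ctl"])
    body["subjects"].append(thumbprint(extra_cert))
    return {"ctl": json.dumps(body, sort_keys=True).encode(),
            "signature": signed_ctl["signature"]}


# The administrator publishes one CTL for code signing.
CTL = build_ctl([ROOT_A, ROOT_B], CODE_SIGNING, ADMIN_KEY)

if __name__ == "__main__":
    print("Vendor A trusted:", is_trusted_signer(ROOT_A, CTL, ADMIN_KEY, CODE_SIGNING))
    print("Attacker trusted:", is_trusted_signer(ATTACKER_ROOT, CTL, ADMIN_KEY, CODE_SIGNING))
    forged = tampered_copy(CTL, ATTACKER_ROOT)
    print("Attacker trusted via tampered CTL:",
          is_trusted_signer(ATTACKER_ROOT, forged, ADMIN_KEY, CODE_SIGNING))
```

The order of the checks is the point: a client that consulted the list before verifying its signature would accept the tampered copy, so the signature check comes first and a failed check discards the whole list rather than any single entry.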