CertiGuide to Security+

Answers to Questions 71-75

71. Revocation of a certificate can be accomplished with (choose all that apply):





Explanation: "Revocation data can be published in a CRL (certificate revocation list), which is a signed list of certificate serial numbers; a CRDP (certificate revocation distribution point), which consists of partitioned CRLs; or an OCSP (online certificate status protocol), a client/server protocol used to query a VA (validation authority) for certificate status." -- Network Computing

A CRC is a checksum computation not involved in certificate revocation.

& Section 4.5.5: (Certificate) Revocation


72. E-mail clients do a great job of checking the status of a digital certificate:

A. True

B. False

Explanation: "Software that verifies signatures (such as e-mail clients) should automatically check our Certificate Revocation List before relying on the signature, but many software packages either don't do this very well or at all. So, it is good practice to do a check yourself before relying on a certificate." -- Entrust

& Section Status Checking (Certificate Revocation)

& Section Status Checking (Certificate Suspension)


73. If it seems possible that a private key was compromised, the first step to take while an investigation is under way is to:

A. Revoke the certificate

B. Suspend the certificate

C. Re-issue a new certificate

D. All choices are correct

E. No choice is correct

Explanation: "An IA shall suspend a subordinate IA's certificate upon the request of a duly authorized representative of the subordinate IA or of a person claiming to be the subordinate IA or a person in a position likely to know of a compromise of the subordinate IA's private key, such as an agent or employee of the subordinate IA. Such suspension must be undertaken in accordance with the suspension prerequisites." -- Eurotrust

Since suspension is reversible but, like revocation, disables use of the key, it is a good intermediate step to take until you are sure that the key has been compromised and can no longer be trusted.

& Section 4.5.6: (Certificate) Suspension


74. When a private key is critical for recovery and protects assets of high enough value that no single person should be in charge of the key, the process is to (choose all that apply):

A. Guard the private key on hardware with a security guard in place

B. Encrypt portions of the private key on numerous hardware tokens

C. Require a minimum number of secured hardware tokens to come together to recreate the private key

Explanation: "Private key (n out of m) multi-person control. Access to cryptographic module containing the root CA requires the insertion of cryptographic hardware tokens into the cryptographic signer. A minimum number of required hardware tokens out of the total number of hardware tokens must be inserted one at a time to access the cryptographic module." --

& Section M of N Control (Key Recovery)
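As an added illustration of the n-out-of-m control described above (this code is not part of the original guide), the following Python implements Shamir secret sharing, one standard way to split a key across hardware tokens so that any m of n shares reconstruct it while fewer reveal nothing; the field prime, the sample key and the threshold are assumptions chosen for the example.

```python
import secrets

# Field prime (an assumption for this example): the Mersenne prime 2^521 - 1,
# large enough to hold any secret of up to 64 bytes.
PRIME = 2**521 - 1


def _eval_poly(coeffs, x):
    """Horner evaluation of a0 + a1*x + a2*x^2 + ... mod PRIME (a0 is the secret)."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def split_secret(secret: bytes, m: int, n: int) -> list:
    """Split `secret` into n shares (x, y); any m reconstruct it, m-1 reveal nothing."""
    if not 1 < m <= n:
        raise ValueError("need 1 < m <= n")
    s = int.from_bytes(secret, "big")
    if s >= PRIME:
        raise ValueError("secret does not fit in the field")
    # Random polynomial of degree m-1 whose constant term is the secret.
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(m - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares, secret_len: int) -> bytes:
    """Lagrange-interpolate the polynomial at x=0 from the supplied shares."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    # With fewer than m shares this is a field element unrelated to the secret;
    # size the output so a caller can see that it does not match.
    return total.to_bytes(max(secret_len, (total.bit_length() + 7) // 8), "big")


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # constructed sample: a 256-bit private key
    shares = split_secret(key, m=3, n=5)   # 5 tokens issued, any 3 suffice
    print(recover_secret([shares[0], shares[2], shares[4]], 32) == key)  # True
    print(recover_secret(shares[:2], 32) == key)                          # False
```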


75. The issuance of a single digital certificate:

A. Identifies a person, not roles.

B. Cannot be used for encryption if it is to also be used for a digital signature in a non-repudiation manner.

C. Both choices are correct

D. Neither choice is correct

E. One choice is correct


Explanation:

1. The same person may be simultaneously a patient, a doctor and a coroner.

2. Dual key pair support is critical for applications that utilize both encryption and digital signatures. An end user needs one key pair for encryption and another for digital signing so that the encryption key pair can be backed up without compromising the integrity of the user's digital signatures.

& Multiple Key Pairs (Single, Dual)

