CertiGuide to Security+  9  Chapter 7:  Practice Exam Answers

Answers to Questions 66-70 1 Answers to Questions 76-80

71. Revocation of a certificate can be accomplished with (choose all that apply):

A. CRL

B. CRDP

C. OCSP

D. CRC

Explanation: "Revocation data can be published in a CRL (certificate revocation list), which is a signed list of certificate serial numbers; a CRDP (certificate revocation distribution point), which consists of partitioned CRLs; or an OCSP (online certificate status protocol), a client/server protocol used to query a VA (validation authority) for certificate status." -- Network Computing

A CRC is a checksum computation not involved in certificate revocation.

& Section 4.5.5: (Certificate) Revocation

72. E-mail clients do a great job of checking the status of a digital certificate:

A. True

B. False

Explanation: "Software that verifies signatures (such as e-mail clients) should automatically check our Certificate Revocation List before relying on the signature, but many software packages either don't do this very well or at all. So, it is good practice to do a check yourself before relying on a certificate." -- Entrust

& Section 4.5.5.1: Status Checking (Certificate Revocation)

& Section 4.5.6.1: Status Checking (Certificate Suspension)

73. If it seems possible a private key was compromised, while an investigation is under way, the first step is to:

A. Revoke the certificate

B. Suspend the certificate

C. Re-issue a new certificate

D. All choices are correct

E. No choice is correct

Explanation: "An IA shall suspend a subordinate IA's certificate upon the request of a duly authorized representative of the subordinate IA or of a person claiming to be the subordinate IA or a person in a position likely to know of a compromise of the subordinate IA's private key, such as an agent or employee of the subordinate IA. Such suspension must be undertaken in accordance with the suspension prerequisites." -- Eurotrust

Since suspension is not irreversible, but disables the use of the key just like revocation, it is a good intermediate step to take until you are sure that the key has been compromised and can no longer be trusted.

& Section 4.5.6: (Certificate) Suspension

74. When a private key is critical for recovery and protecting assets of a high enough value that no single person should be in charge of the key the process is to (choose all that apply):

A. Guard the private key on hardware with a security guard in place

B. Encrypt portions of the private key on numerous hardware tokens

C. Require a minimum number of secured hardware tokens come together to recreate the private key

Explanation: "Private key (n out of m) multi-person control. Access to cryptographic module containing the root CA requires the insertion of cryptographic hardware tokens into the cryptographic signer. A minimum number of required hardware tokens out of the total numbers of hardware tokens must be inserted one at a time to access the cryptographic module." -- http://www.comtrust.co.ae/Repository/cps/techsecuritycontrols.htm

& Section 4.5.7.1: M of N Control (Key Recovery)

75. The issue of a single digital certificate:

A. Identities a person, not roles.

B. Cannot be used for encryption if it is to also be used for a digital signature in a non-repudiation manner.

C. Both choices are correct

D. Neither choice is correct

E. One choice is correct

Explanation:

1. The same person may be simultaneously a patient, a doctor and a coroner.

2. Dual key pair support is critical for applications that utilize both encryption and digital signatures. An end user needs one key pair for encryption and another for digital signing so that the encryption key pair can be backed up without compromising the integrity of the user's digital signatures.

& 4.5.10.1 Multiple Key Pairs (Single, Dual)

Answers to Questions 66-70 1 Answers to Questions 76-80