PrepAway - Latest Free Exam Questions & Answers

which of the following should be accessible locally from every site to ensure users with bad certificates cann

A systems administrator has implemented PKI on a classified government network. In the
event that a disconnect occurs from the primary CA, which of the following should be
accessible locally from every site to ensure users with bad certificates cannot gain access to
the network?


A. A CRL

B. Make the RA available

C. A verification authority

D. A redundant CA

One Comment on “which of the following should be accessible locally from every site to ensure users with bad certificates cann

  1. meac says:

    Key words: users with BAD CERTIFICATES cannot gain access to the network.
    In other words, I want to make sure that users with invalid (revoked) certificates cannot access the Network in the absence of a CA.

    Now for some details:
    A PKI consists of:
    A certificate authority (CA) that stores, issues and signs the digital certificates
    A registration authority which verifies the identity of entities requesting their digital certificates to be stored at the CA
    A central directory—i.e., a secure location in which to store and index keys
    A certificate management system managing things like the access to stored certificates or the delivery of the certificates to be issued.
    A certificate policy stating the PKI’s requirements concerning its procedures. Its purpose is to allow outsiders to analyze the PKI’s trustworthiness.

    BLATANTLY INCORRECT ANSWERS
    B. Make the RA available – I assume that the “RA” in this context refers to the “Registration Authority”. There is no mention that the RA is down. Also, it is the CA that contacts the RA, so if the CA is down there is no way to contact the RA, even if the RA is available. The RA (Registration Authority) is an authority in a network that verifies user requests for a digital certificate and tells the Certificate Authority (CA) to issue it. RAs are part of a public key infrastructure (PKI), a networked system that enables companies and users to exchange information and money safely and securely.

    C. A verification authority – No such thing exists in a PKI context. We have “A certificate authority (CA)” and “A registration authority”, but no such thing as a “verification authority”. We use CRLs to verify certificates for that matter.

    So it is a toss-up between: “A. A CRL” & “D. A redundant CA”

    D is not the best answer as CAs are not easily made redundant.
    You have to know if you want to make the CA redundant for:
    1) The ability to issue certificates no matter what happens to a single CA. This can be achieved with simply a second CA using the same templates. You could make it more complex with Windows Failover clusters or VMware/Hyper-V vMotion style availability.
    2) You want redundancy so that if the CA fails, existing certificates keep working. You can achieve this without a second CA. Place your CRL on a highly available website (or LDAP if appropriate) and use a CRLOverlap so that if your CA goes down, the CRL is valid for an extended period of time until the CA resumes operations.
    So in this case, redundancy is best achieved by using a CRL.

    So the answer is A: CRL
    * A certificate revocation list (CRL) is created and distributed to all CAs to revoke a certificate or key.
    * By checking the CRL you can check if a particular certificate has been revoked.
    * So I need to ensure that I can access the CRL at all times, even if a disconnect occurs from the primary CA.

