A network administrator is looking for a way to automatically update company browsers so they import a
list of root certificates from an online source. This online source will then be responsible for tracking
which certificates are to be trusted or not trusted. Which of the following BEST describes the service that
should be implemented to meet these requirements?

A.
Trust model

B.
Key escrow

C.
OCSP

D.
PKI

Explanation:
In this scenario we can put a CA in the local network and use an online CA as root CA in a hierarchical
trust model.
A trust Model is collection of rules that informs application on how to decide the legitimacy of a Digital
Certificate.
In a hierarchical trust model, also known as a tree, a root CA at the top provides all of the information.
The intermediate CAs are next in the hierarchy, and they trust only information provided by the root CA.
The root CA also trusts intermediate CAs that are in their level in the hierarchy and none that aren’t. This
arrangement allows a high level of control at all levels of the hierarchical tree.
Incorrect Answers:
B: Key escrow is a database of stored keys that later can be retrieved. Key escrow cannot be used to set
up a trust to a CA.
C: The Online Certificate Status Protocol (OCSP) is an Internet protocol used for obtaining the revocation
status of an X.509 digital certificate.
OCSP cannot be used to set up a trust to a CA.
D: PKI is a high level concept. In itself you cannot use a PKI to set up a trust to a CA. Within a PKI you use a
trust model for this purpose.
A public key infrastructure (PKI) is a set of hardware, software, people, policies, and procedures needed
to create, manage, distribute, use, store, and revoke digital certificates.

Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis,
2014, pp. 262, 279-285, 285, 285-289