CompTIA Exam Questions

Which of the following can be used to warn users about the malicious activity?

A CA is compromised and attackers start distributing maliciously signed software updates. Which of the
following can be used to warn users about the malicious activity?

A.
Key escrow

B.
Private key verification

C.
Public key verification

D.
Certificate revocation list

Explanation:
If the certificate of the compromised CA is placed on a CRL, users will know that this CA (and every
certificate it has issued) can no longer be trusted.
The CRL (Certificate revocation list) is exactly what its name implies: a list, signed by the issuing CA,
of certificates that the CA has revoked before their expiry date. Each entry gives the revoked
certificate's serial number, the date of revocation and, optionally, the reason for it. The list also
records who issued it and when, and each list carries the date by which the next release will be
published, so a relying party knows when its copy has gone stale.
Incorrect Answers:
A: Key escrow is not related to revoked certificates. Key escrow addresses the possibility that a third
party may need to access keys. Under the conditions of key escrow, the keys needed to encrypt/decrypt
data are held in an escrow account (think of the term as it relates to home mortgages) and made
available if that third party requests them. The third party in question is generally the government,
but it could also be an employer if an employee's private messages have been called into question.
B: Within PKI there are two standard methods to check whether a certificate is still valid: a CRL or
the OCSP protocol. Private key verification is not a mechanism for detecting a compromised CA.
C: Public key verification likewise cannot be used to detect a compromised CA; only a CRL or an OCSP
response can tell a relying party that a certificate has been revoked.

Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis,
2014, pp. 262, 279-285