Which of the following is used to certify intermediate authorities in a large PKI deployment?

A.
Root CA

B.
Recovery agent

C.
Root user

D.
Key escrow

Explanation:
The root CA certifies other certification authorities to publish and manage certificates within the
organization.
In a hierarchical trust model, also known as a tree, a root CA at the top provides all of the information.
The intermediate CAs are next in the hierarchy, and they trust only information provided by the root CA.
The root CA also trusts intermediate CAs that are in their level in the hierarchy and none that aren’t. This
arrangement allows a high level of control at all levels of the hierarchical tree. .
Incorrect Answers:
B: A recovery agent is an entity that has the ability to recover a key, key components, or plaintext
messages as needed. A recovery agent does not certify entities.
C: The root is the user name or account that by default has access to all commands and files on a Linux or
other Unix-like operating system. The root user does not certify entities.
D: Key escrow is not related to certifying authorities.
Key escrow addresses the possibility that a third party may need to access keys. Under the conditions of
key escrow, the keys needed to encrypt/decrypt data are held in an escrow account (think of the term as
it relates to home mortgages) and made available if that third party requests them. The third party in
question is generally the government, but it could also be an employer if an employee’s private messages
have been called into question.

Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis,
2014, pp. 262, 278-290