A software developer wants to ensure that the application is verifying that a key is valid before
establishing SSL connections with random remote hosts on the internet. Which of the following should be
used in the code? (Select TWO)

A. Escrowed keys
B. SSL symmetric encryption key
C. Software code private key
D. OCSP
E. Remote server public key

Really hate this question. OCSP (Online Certificate Status Protocol) is clearly correct because it checks to see if the certificates are valid. An escrowed key is a key where you pay someone to keep a copy for you – nothing really says it has to be valid. SSL symmetric keys are normally session keys which are randomly generated by the host. Now the software code private key is plausible. Normally, a certificate for the software is generated so that the end user knows that the software is legit. For example, if I wanted to do an update on Adobe Acrobat, the update would be signed with the software certificate or private key. This tells me that the update is valid. Doesn’t really work with this question since the application is verifying that the key is valid. I would have to go with D first and then C if there are actually two.
1
4
It should be D and E, OCSP to contact CA server and give it the remote server public key that the app got when requesting SSL connection.
7
0