CompTIA Security Plus Mock Test Q1076

A systems administrator has implemented PKI on a classified government network. In the event that a disconnect occurs from the primary CA, which of the following should be accessible locally from every site to ensure users with bad certificates cannot gain access to the network?

A. CRL
B. Make the RA available
C. A verification authority
D. A redundant CA

Correct Answer: A
Section: Cryptography

A certificate revocation list (CRL) is a list, signed by the issuing CA, of certificates the CA has revoked before their expiry date. Because it is signed, a copy can be distributed to and cached at every site, and a relying party can check whether a particular certificate appears on it without contacting the CA. That is what the question is asking for: the CRL is the one artifact that lets a site keep rejecting bad certificates while the link to the primary CA is down. The CRL carries a next-update time, so the cached copy must be refreshed before that time passes (or the site should fail closed) for the check to remain trustworthy.
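
As an added example (not part of the study guide or the exam question), the following shell script uses the openssl command line to build a throwaway CA, issue two certificates, revoke one, publish a CRL, and then validate both certificates using only files that a site would hold locally: the CA certificate and the cached CRL. The names alice, mallory and "Example Gov Root CA", and the temporary directory layout, are constructed for the demonstration; it assumes openssl 1.1.1 or 3.x on the PATH.

```shell
#!/bin/sh
# Added example, not from the study guide: a throwaway CA, two issued certs,
# one revocation, one CRL, and an offline check of both certs against the CRL.
# Assumes openssl 1.1.1 or 3.x on PATH. All names below are constructed.
set -e

setup_pki() {
  WORK=$(mktemp -d)
  # Minimal config that 'openssl ca' needs to keep a revocation database and
  # sign a CRL. Paths are absolute so the functions work from any directory.
  cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = local_ca

[ local_ca ]
database         = $WORK/index.txt
new_certs_dir    = $WORK
serial           = $WORK/serial
crlnumber        = $WORK/crlnumber
certificate      = $WORK/ca.crt
private_key      = $WORK/ca.key
default_md       = sha256
default_crl_days = 7
policy           = policy_any

[ policy_any ]
commonName = supplied
EOF
  : > "$WORK/index.txt"
  echo 1000 > "$WORK/serial"
  echo 01 > "$WORK/crlnumber"

  # 1. The "primary CA" of the question: a self-signed root.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=Example Gov Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1

  # 2. Two end-entity certificates issued by that CA.
  for user in alice mallory; do
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$user" \
      -keyout "$WORK/$user.key" -out "$WORK/$user.csr" >/dev/null 2>&1
    openssl x509 -req -days 30 -sha256 -in "$WORK/$user.csr" \
      -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
      -out "$WORK/$user.crt" >/dev/null 2>&1
  done

  # 3. Mallory's key is compromised: revoke the cert and publish a CRL.
  #    crl.pem is the file every remote site would cache locally.
  openssl ca -config "$WORK/ca.cnf" -revoke "$WORK/mallory.crt" >/dev/null 2>&1
  openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/crl.pem" >/dev/null 2>&1
  # Files are left in $WORK so check_cert can be called afterwards;
  # remove the directory yourself when done.
}

# check_cert NAME -> prints OK, REVOKED, or INVALID (any other failure).
# Uses only the local CA cert and the cached CRL: no connection to the CA.
check_cert() {
  out=$(openssl verify -crl_check -CAfile "$WORK/ca.crt" \
        -CRLfile "$WORK/crl.pem" "$WORK/$1.crt" 2>&1) && { echo OK; return 0; }
  case "$out" in
    *"certificate revoked"*) echo REVOKED ;;
    *) echo INVALID ;;
  esac
  return 0
}

setup_pki
echo "alice:   $(check_cert alice)"     # alice:   OK
echo "mallory: $(check_cert mallory)"   # mallory: REVOKED
```

Note that the verify step never contacts the CA: it needs only the trust anchor and the CRL, both of which can sit on a file share or in a directory at each site. The flip side is that the cached CRL stays valid only until its next-update time, so the script's check should be paired with a scheduled refresh and a fail-closed policy once that time has passed.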

Incorrect Answers:
B: Access to a registration authority (RA) is not required to check for bad certificates; a CRL will do. An RA offloads some of the work from a CA by acting as a middleman in the process: it accepts registration requests for the CA, validates the identity of the requester, and can distribute keys. It does not itself issue or revoke certificates, so it holds no revocation status to consult.
C: A verification (validation) authority is used to check that the identity bound to a certificate is unique, not primarily to check for bad certificates. The user identity must be unique within each CA domain, and a third-party validation authority (VA)/verification authority can provide this information on behalf of the CA. The binding between the identity and the key is established through the registration and issuance process.
D: A redundant CA is not required to check for bad certificates either; a CRL will do. A second CA keeps issuance running if the primary fails, but the revocation status a site needs still comes from the CRL.

Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, pp. 262, 279-280, 285