CompTIA Security Plus Mock Test Q1076

A systems administrator has implemented PKI on a classified government network. In the event that a disconnect occurs from the primary CA, which of the following should be accessible locally from every site to ensure users with bad certificates cannot gain access to the network?

A. A CRL
B. Make the RA available
C. A verification authority
D. A redundant CA

Correct Answer: A
Section: Cryptography

Explanation:
A certificate revocation list (CRL) is created and signed by the CA and distributed to relying parties so that they can identify the certificates or keys the CA has revoked.
By checking a certificate's serial number against the CRL, you can determine whether that certificate has been revoked. Because a CRL is a signed, static file, a copy cached at each site allows revocation to be checked locally even while the connection to the primary CA is down.

Incorrect Answers:
B: Access to a registration authority (RA) is not required to check for bad certificates; a CRL will do fine.
A registration authority (RA) offloads some of the work from a CA. An RA system operates as a middleman in the process: it can distribute keys, accept registrations for the CA, and validate identities.
C: A verification authority is used to check the uniqueness of a certificate, not primarily to check for bad certificates.
The user identity must be unique within each CA domain. The third-party validation authority (VA)/verification authority can provide this information on behalf of the CA. The binding is established through the registration and issuance process.
D: A redundant CA is not required to check for bad certificates; a CRL will do fine.

References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, pp. 262, 279-280, 285