CompTIA Security Plus Mock Test Q1117

A network administrator is looking for a way to automatically update company browsers so they import a list of root certificates from an online source. This online source will then be responsible for tracking which certificates are to be trusted or not trusted. Which of the following BEST describes the service that should be implemented to meet these requirements?

A. Trust model
B. Key escrow
C. OCSP
D. PKI


Correct Answer: A
Section: Cryptography

Explanation:
In this scenario we can put a CA in the local network and use an online CA as the root CA in a hierarchical trust model.
A trust model is a collection of rules that informs applications on how to decide the legitimacy of a digital certificate.
In a hierarchical trust model, also known as a tree, a root CA at the top provides all of the information. The intermediate CAs are next in the hierarchy, and they trust only information provided by the root CA. The root CA also trusts intermediate CAs that are in their level in the hierarchy and none that aren’t. This arrangement allows a high level of control at all levels of the hierarchical tree.

Incorrect Answers:
B: Key escrow is a database of stored keys that can later be retrieved. Key escrow cannot be used to set up a trust to a CA.
C: The Online Certificate Status Protocol (OCSP) is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate. OCSP cannot be used to set up a trust to a CA.
D: PKI is a high-level concept. In itself you cannot use a PKI to set up a trust to a CA. Within a PKI you use a trust model for this purpose.
A public key infrastructure (PKI) is a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates.

References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, pp. 262, 279-285, 285, 285-289