596 Chapter 10 • Public Key Infrastructure
Exam Objectives Frequently Asked Questions
The following Frequently Asked Questions, answered by the authors of this
book, are designed to both measure your understanding of the Exam Objectives
presented in this chapter, and to assist you with real-life implementation of
these concepts.
Q: What are the key components of a PKI system?
A: CAs that maintain and issue digital certificates, RAs that handle the verification
process for the CA, directories where the certificates and public keys are held,
and a certificate management system. Optionally, timestamping services may be
provided as well.
Q: What mechanisms are in place to notify users that a certificate has been
revoked?
A: CRLs are issued on a routine basis. However, real-time status checking of certificates can be performed using OCSP.
Q: What are the main differences between the single CA, hierarchical CA, and
Web-of-trust (mesh) trust models?
A: Single CAs are self-explanatory; there is a single CA with no subordinate CAs below it. A single CA may (or may not) have an RA to offload requests. A hierarchical CA functions in a “tree” mode, where there is one root CA, several subordinate CAs, and leaf CAs below the subordinate CAs. A Web-of-trust CA has no real root authority, and validation of certificates is done on a peer level.
Q: I’m confused about m of n control. Can you break it down into simple terms?
A: m of n control is just a mathematics term for a threshold: when a key is split among n recovery agents, at least m of those recovery agents must be present to recover the private key. Both m and n are variables.
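Added example, not code from the book: one way to realise m of n control is Shamir secret sharing over a prime field, which is an assumption here since the chapter does not name a scheme. The functions `split_secret` and `recover_secret`, the field prime and the sample key below are all constructed for illustration; any m shares rebuild the key, while m-1 shares yield an unrelated value.

```python
"""m of n key recovery via Shamir secret sharing (assumed scheme, constructed example)."""
import secrets

# Prime field modulus (constructed choice): the Mersenne prime 2**127 - 1.
PRIME = 2**127 - 1


def split_secret(secret, m, n, rng=secrets.randbelow):
    """Split `secret` into n shares so that any m of them recover it.
    A random polynomial of degree m-1 whose constant term is `secret` is
    evaluated at x = 1..n; each (x, y) point is one recovery agent's share."""
    if not 1 <= m <= n:
        raise ValueError("need 1 <= m <= n")
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be an integer below the field prime")
    coeffs = [secret] + [rng(PRIME) for _ in range(m - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation modulo PRIME
            y = (y * x + c) % PRIME
        shares.append((x, y))
    return shares


def recover_secret(shares):
    """Lagrange-interpolate the sharing polynomial at x = 0.
    With at least m distinct shares this returns the original secret;
    with fewer, the result is some unrelated field element."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * -xj) % PRIME
                den = (den * (xi - xj)) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def demo(m=3, n=5):
    """Constructed walk-through: split a sample private-key scalar 3 of 5 ways."""
    key = int.from_bytes(b"constructed-sample-private-key!!", "big") % PRIME
    shares = split_secret(key, m, n)
    enough = recover_secret(shares[:m]) == key        # m agents present
    too_few = recover_secret(shares[:m - 1]) == key   # m-1 agents present
    return enough, too_few


if __name__ == "__main__":
    print(demo())  # (True, False) for a 3-of-5 split
```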
Q: Why does a key pair have to be destroyed when it is no longer in use?
www.syngress.com