Chapter 6 Questions
What does it mean if a certificate extension attribute is marked as critical?
If it does not match, it will be sent back and rejected.
How does a subject go about obtaining a certificate from a CA?
In most cases, the subject generates a key pair, then adds the public key along with subject information and certificate type in a certificate signing request (CSR) and submits it to the CA. If the CA accepts the request, it generates a certificate with the appropriate key usage and validity, signs it, and transmits it to the subject.
You are developing a secure web application. What sort of certificate should you request to show that you are the publisher of a program?
A code signing certificate. Certificates are issued for specific purposes. A certificate issued for one purpose should not be reused for other functions.
What mechanism informs clients about suspended or revoked keys?
Either a published Certificate Revocation List (CRL) or an Online Certificate Status Protocol (OCSP) responder.
You are advising a customer about encryption for data backup security and the key escrow services that you offer. How should you explain the risks of key escrow and potential mitigations?
Escrow refers to archiving the key used to encrypt the customer's backups with your company as a third party. The risk is that an insider attack from your company may be able to decrypt the data backups. This risk can be mitigated by requiring M-of-N access to the escrow keys, reducing the risk of a rogue administrator.
What mechanism does HPKP implement?
HTTP Public Key Pinning (HPKP) ensures that when a client inspects the certificate presented by a server or a code-signed application, it is inspecting the proper certificate by submitting one or more public keys to an HTTP browser via an HTTP header.
What are the potential consequences if a company loses control of a private key?
It puts both data confidentiality and identification and authentication systems at risk. Depending on the key usage, the key may be used to decrypt data with authorization. The key could also be used to impersonate a user or computer account.
What type of certificate format can be used if you want to transfer your private key and certificate from one Windows host computer to another?
PKCS #12 / .PFX / .P12.
What is the main weakness of a hierarchical trust model?
The structure depends on the integrity of the root CA.
What extension field is used with a web server certificate to support the identification of the server by multiple specific subdomain labels?
The subject alternative name (SAN) field. A wildcard certificate will match any subdomain label.
What cryptographic information is stored in a digital certificate?
The subject's public key and the algorithms used for encryption and hashing. The certificate also stores a digital signature from the issuing CA, establishing the chain of trust.
What type of operation is being performed by the following command? openssl req -nodes -new -newkey rsa:2048 -out my.csr -keyout mykey.pem
This generates a new RSA key pair plus a certificate signing request.