Network Security FAQ: Public Key Infrastructure
Q1. How can the exchange of public keys be secured without PKI?
Answer: Without PKI, public keys can be exchanged out-of-band or over a secure channel. Public keys can also be exchanged over an insecure channel, but the received keys then have to be verified out-of-band.
Q2. Describe briefly the concept of trusted introducing.
Q3. Describe briefly the concept of a trusted third party.
Q4. PKIs can form different topologies of trust. List three different topologies.
Answer: Three topologies of trust are as follows:
- Single root CA
- Hierarchical CA
- Cross-certified CA
Q5. Explain the PKI enrollment procedure.
Q6. Describe three enrollment protocols that are commonly used today.
Answer: Three enrollment protocols commonly used today include the following:
- File-based requests: The end user formats the enrollment request as a PKCS #10 message in a file. This file is transferred to the CA, which signs the information and returns a PKCS #10 response file with the embedded certificate.
- Web-based requests: This protocol runs over HTTP and is used by web browsers.
- Simple Certificate Enrollment Protocol (SCEP): A lightweight, HTTP-based protocol used to enroll VPN devices.
Q7. Give at least three reasons for placing a certificate on a CRL.
Answer: A certificate could be placed on a CRL for these reasons:
- The private key is compromised.
- The purpose for which the key was issued no longer applies.
- The private key is lost.
- A VPN router is replaced.
Q8. Describe the steps needed to put a certificate on a CRL.
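As an added example (not part of the original FAQ), the Go program below builds a single-root-CA PKI (Q4), has the CA put a device certificate on a CRL (Q7 and Q8), and checks a certificate the way a relying party should: chain it to the trusted root, accept the CRL only if that CA signed it, then look up the serial number. The CA names, the device name vpn.example.test and the serial numbers are constructed for the example.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)
// Issue creates a certificate for cn signed by the CA; with ca == nil it creates the self-signed root CA.
func Issue(cn string, serial int64, ca *x509.Certificate, caKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), BasicConstraintsValid: true}
	if ca == nil { // root CA: the only key allowed to sign certificates and CRLs
		t.IsCA, t.KeyUsage, ca, caKey = true, x509.KeyUsageCertSign|x509.KeyUsageCRLSign, t, key
	} else { // end entity, here a constructed VPN gateway name
		t.KeyUsage, t.ExtKeyUsage, t.DNSNames = x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, []string{cn}
	}
	der, err := x509.CreateCertificate(rand.Reader, t, ca, pub, caKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// PublishCRL is the CA-side step of putting a certificate on a CRL: list its serial number, sign, distribute.
func PublishCRL(ca *x509.Certificate, caKey ed25519.PrivateKey, revoked *x509.Certificate) []byte {
	t := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: revoked.SerialNumber, RevocationTime: time.Now()}}}
	der, err := x509.CreateRevocationList(rand.Reader, t, ca, caKey)
	if err != nil { panic(err) }
	return der
}
// CheckCert is the relying-party side: chain to the trusted root, verify the CRL's signature, then check the serial.
func CheckCert(leaf, root *x509.Certificate, crlDER []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: leaf.DNSNames[0]}); err != nil { return err }
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil { return err }
	// an unsigned or forged CRL must not be trusted, whatever it lists
	if err := crl.CheckSignatureFrom(root); err != nil { return err }
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return errors.New("certificate is revoked")
		}
	}
	return nil
}
```

A certificate that chains correctly but appears on a validly signed CRL is rejected, while the same CRL checked against a different, untrusted root is refused before its contents are consulted.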
Q9. How can you view and verify the certificate of a certain site?
Answer: You can view and verify a site’s certificate by going to the site and using one of two available methods to verify the certificate:
- Click File > Properties in Internet Explorer. On the Properties page, click Certificates to display the certificate.
- Click the lock icon at the bottom of the browser window.