public key infrastructure Flashcards
A _____ is a trusted entity that issues digital certificates, which are data files used to cryptographically link an entity with a public key.
certificate authority (CA)
An _____ can be used to sign and encrypt email messages, typically using S/MIME or PGP. The user's email address must be entered in the Subject Alternative Name (SAN) extension field.
email certificate
A _____ is issued to a software publisher, following some sort of identity check and validation process by the CA.
code signing certificate
_____ may be issued to network appliances, such as routers, switches, and firewalls.
Machine certificates
What are the components of a three-level Certificate Authority (CA) hierarchy?
Root, Intermediate, and Issuing
A ______ is a certificate used with multiple subdomains of a domain. It is represented with an asterisk (*), such as *.google.com.
wildcard certificate
_____ is an extension field on a web server certificate and supports the identification of the server by multiple subdomain labels.
Subject Alternative Name (SAN)
______ allow users to trust a public website through a chain of trust to the root authority.
Public root certificates
A DER-encoded binary file can be represented as ASCII characters using Base64 ______ encoding. ___ files may also use other extensions, such as .key, .cer, and .cert.
Privacy-enhanced Electronic Mail (PEM)
All certificates use an encoding scheme called _____ to create a binary representation of the information in the certificate. It is not Base64-encoded.
Distinguished Encoding Rules (DER)
The ____ format allows the export of a certificate along with its private key. This would be used to archive or transport a private key.
.pfx
The ___ file is a password-protected container format that may contain public/private key pairs.
.p12
The ___ format is a means of bundling multiple certificates in the same file, often used to deliver a chain of certificates. ___ files do not contain the private key.
P7B
_____ cover a wide range of needs, such as standard users, administrators, smart card logon users, recovery agent users, and Exchange mail users.
User certificates
_____ proves ownership of a domain, for example by responding to an email sent to the domain's authorized point of contact. This process is highly vulnerable to compromise.
Domain Validation (DV)
_____ is a process requiring more rigorous checks on the subject’s legal identity and control over the domain or software being signed.
Extended Validation (EV)
A _____ is a server assigned the task of completing an identity check and submitting Certificate Signing Requests (CSRs) on behalf of end users.
registration authority
_____ refers to several techniques for ensuring that a client is inspecting the proper certificate when it examines the certificate presented by a server or a code-signed application.
Certificate Pinning
_____ refers to the archiving of a key (or keys) with a third party.
Key escrow
A _____ must be completed by a subject who wants to obtain a certificate from a Certificate Authority (CA).
Certificate Signing Request (CSR)
The CSR is a Base64 ASCII file containing information about the requester, including its public key.
A _____ is a list of certificates that were revoked before their expiration date.
Certificate Revocation List (CRL)
______ is a service that runs on an issuing Certificate Authority (CA) designated as an ____ responder to communicate the status of requested certificates, rather than returning a CRL.
Online Certificate Status Protocol (OCSP)
The _____ is a Public Key Infrastructure (PKI) concept that describes how users and different Certificate Authorities (CAs) can trust one another.
trust model
______ is a method of trusting digital certificates that bypasses the CA hierarchy and chain of trust in order to minimize man-in-the-middle (MitM) attacks. The client stores a public key that belongs (is pinned) to a web server. On a later visit, if that key does not appear in the presented certificate chain, a warning is displayed.
HTTP Public Key Pinning (HPKP)