
Mock exam, about Digital Certificate

 
Bingo Zhao
Greenhorn
Posts: 12
162. You are working on a new application that will help your company co-ordinate sales data across different departments. The aim is to have everyone access the same sales data at all times. This project needs to be finished as soon as possible and you have bought some third party code to speed up the development process. The code has been signed using a digital certificate and packaged in a jar file. What do you know about it? Note: Digital certificates have been provided that have been signed by a trusted Certificate Authority.
A. The jar file contains no malicious code.
B. The jar file was signed by the 3rd party vendor.
C. The jar file contents may contain malicious code.
D. Someone impersonating the 3rd party vendor may have signed the jar file.
E. The code is fully tested and performs the task it was designed for.
The answer is C.
Based on the answers, B and D are the reverse of each other, so I think at least one of them must be true! But why?
 
Terence Doyle
Ranch Hand
Posts: 328
Hi,
I think the word "KNOW" is the most important word here. The question is not very well phrased, because they could have said it another way.
However, as the question stands and from what we know about Digital Certificates (they cannot be absolutely trusted and we have no way of knowing exactly who signed them), option C seems the correct answer.

Terry
 
christy smile
Ranch Hand
Posts: 101
If it had said only one answer is true, I would have chosen D; if there were two, I would have chosen C. I chose D before C because if you are buying the code from the vendor, the vendor should be considered somehow "trusted", and should not deliberately give you malicious code. The digital signature is made with the vendor's private key; there might be a chance the key has been compromised and others might impersonate the vendor.
BTW, which mock test is this?
 
Shakti Sharma
Ranch Hand
Posts: 60
If D is not correct (Someone impersonating the 3rd party vendor may have signed the jar file), it means the actual vendor signed the jar file. It does not make sense that a vendor whom you paid for software will intentionally give you malicious code. So if we assume that the private key is compromised, then D is the first choice and then C. But in the question there is no mention of the fact that the private key is compromised, so we can say that B is also correct. I think this is the way this security is designed. You get the signed code and you have the trusted certificate, and you are satisfied that the code is safe to run. If this is not the case, what extra step will you take before using the code? Anyway, you don't want to use the code if you have any doubt about the code. If even after using the security mechanism you are in doubt, it means that this security is not sufficient.
 
jusheng jiang
Greenhorn
Posts: 9
Hi, I think C is true; B & D are false.
The 3rd party vendor may not certify his own jar file; it must be signed by a trusted Certificate Authority.
 
Shakti Sharma
Ranch Hand
Posts: 60
The vendor's digital certificate is certified by a CA, if that is not sufficient. Let's assume that C is right since the CA does not sign it. If we are choosing answer (C) based on the assumption that the vendor's private key is compromised, then we can also assume that the CA's private key can also be compromised. Anybody's key can be compromised, so based on this scenario we can say that you cannot trust this security mechanism at all. This security mechanism works on the assumption that the vendor keeps his private key safe and the vendor is trusted since it is trusted by our trusted CA. If he signs something with his private key, since I trust the CA, I also trust him. That is what a CA is for.
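To make concrete what jar signing actually establishes in the trust model the posts above argue about, here is an added Java example (not code from the original thread or from any exam vendor). It opens a signed jar with verification enabled, reads every entry so that the per-entry digests are checked, and then validates each signer's certificate chain against one trust anchor you choose. The jar path and the CA certificate file are assumed inputs supplied on the command line; revocation checking is switched off so it runs offline.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Set;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/**
 * Checks two things, and only two things, about a signed jar:
 *  1. every non-metadata entry still matches the digests that were signed
 *     (integrity: the bytes were not changed after signing), and
 *  2. every signer's certificate chains to the CA we decided to trust
 *     (origin: whoever held the private key for a certificate our CA vouches for).
 * A "true" result says nothing about what the code does when run.
 */
public class SignedJarCheck {

    /** Loads a PEM or DER encoded X.509 certificate to use as the trust anchor. */
    static X509Certificate loadCertificate(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    /** Returns true only if every entry is signed, intact, and chained to trustedCa. */
    public static boolean verify(String jarPath, X509Certificate trustedCa) throws Exception {
        Set<TrustAnchor> anchors = Collections.singleton(new TrustAnchor(trustedCa, null));
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(false); // offline example; leave enabled in real use
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");

        // The second argument enables signature verification for this JarFile.
        try (JarFile jar = new JarFile(jarPath, true)) {
            byte[] buf = new byte[8192];
            for (JarEntry entry : Collections.list(jar.entries())) {
                // Signature files under META-INF/ are not themselves signed entries.
                if (entry.isDirectory() || entry.getName().startsWith("META-INF/")) {
                    continue;
                }
                // Reading the entry to the end is what triggers the digest check;
                // a modified entry makes read() throw SecurityException here.
                try (InputStream in = jar.getInputStream(entry)) {
                    while (in.read(buf) != -1) { /* consume */ }
                }
                // Signers are only known after the entry has been fully read.
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null) {
                    return false; // unsigned entry slipped into a "signed" jar
                }
                boolean anchored = false;
                for (CodeSigner signer : signers) {
                    try {
                        validator.validate(signer.getSignerCertPath(), params);
                        anchored = true;
                    } catch (CertPathValidatorException e) {
                        // This signer's chain does not end at our trust anchor.
                    }
                }
                if (!anchored) {
                    return false;
                }
            }
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: SignedJarCheck <vendor.jar> <trusted-ca.pem>");
            System.exit(2);
        }
        boolean ok = verify(args[0], loadCertificate(args[1]));
        System.out.println(ok
            ? "Signature intact and signer chains to the given CA (says nothing about behaviour)"
            : "Jar is unsigned, modified, or signed by a key outside the given CA");
    }
}
```

Running this against the vendor's jar answers exactly the questions B and D are about: a passing check means the bytes are the ones the private-key holder signed, and that key belongs to a certificate your chosen CA issued. Whether that key holder was the vendor or someone who obtained the vendor's key, and whether the signed code is safe (answer C), are outside what the mechanism can tell you.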
 
Nitin Gujral
Greenhorn
Posts: 17
In my opinion, if we assume that the private key of the vendor has not been compromised, and since the certificate has been signed by the CA, the choice should be B.
 