162. You are working on a new application that will help your company co-ordinate sales data across different departments. The aim is to have everyone access the same sales data at all times. This project needs to be finished as soon as possible and you have bought some third party code to speed up the development process. The code has been signed using a digital certificate and packaged in a jar file. What do you know about it? Note: Digital certificates have been provided that have been signed by a trusted Certificate Authority. A.The jar file contains no malicious code. B.The jar file was signed by the 3rd party vendor C.The jar file contents may contain malicious code. D.Someone impersonating the 3rd party vendor may have signed the jar file. E.The code is fully tested and performs the task it was designed for. The answer is C. Base on the answers,B and d are in the reverse way,I think at least one is true!But why?
Hi, I think the word "KNOW" is the most important word here. The question is not very well phrased because they could have said it another way. However as the question stands and from what we know about Digital Certificates ( they cannot be absolutely trusted and we have no way of knowing exactly who signed them ) option C seems the correct answer.
If it has told only 1 answer is true, I would have chosen D, if there are two, I would have chosen C. I chose D before C because if you are buying the code from the vendor, the vendor should be considered as somehow "trusted", and should not deliberately give you malicious code. Digital signature is being signed by the vendor's private key, there might be a chance the key has been compromised and others might impersonate the vendor. BTW, which mock test is this?
If D is not correct (Someone impersonating the 3rd party vendor may have signed the jar file), it means Actual vendor signed the jar file. It dose not make sense that vendor whome you paid for software will intentionaly give malicious code. So if we assume that private key is compromised then D is first choice and then C. But in question there is no mention of the fact that private key is compromised So we can say that B is also correct. I think this the way this security is designed. You get the signed code and You have the trusted certificate and you are satified that code is safe to run. If this is not the case what extra step you will take before using the code ? Any way you dont want to use the code if you have any doubt about the code. Even after using the security machanism you are in doubt it means that this security is not suffcient.
Vendor’s digital certificate is certified by CA, if that is not sufficient. Lets assume that C is right since CA does not sign it. If we are choosing answer ( C ) based on assumption that vendors private key is compromised then we can also assume that CAs private key can also be compromised. Anybody’s key can be compromised, so based on this scenario we can say that you can not trust on this security mechanism at all. This security mechanism works on certain assumption that vendor keep his private key safe and vendor is trusted since it is trusted by our trusted CA. If he sign some thing with his private key, since I trust CA , I also trust him , That is what CA is for.