Mock exam,about Digital Certificate

 
Greenhorn
Posts: 12
162. You are working on a new application that will help your company co-ordinate sales data across different departments. The aim is to have everyone access the same sales data at all times. This project needs to be finished as soon as possible and you have bought some third party code to speed up the development process. The code has been signed using a digital certificate and packaged in a jar file. What do you know about it? Note: Digital certificates have been provided that have been signed by a trusted Certificate Authority.
A. The jar file contains no malicious code.
B. The jar file was signed by the 3rd party vendor.
C. The jar file contents may contain malicious code.
D. Someone impersonating the 3rd party vendor may have signed the jar file.
E. The code is fully tested and performs the task it was designed for.
The answer is C.
Based on the answers, B and D are the reverse of each other, so I think at least one of them must be true! But why?
 
Ranch Hand
Posts: 328
Hi,
I think the word "KNOW" is the most important word here. The question is not very well phrased, because they could have said it another way.
However, as the question stands, and from what we know about digital certificates (they cannot be absolutely trusted, and we have no way of knowing exactly who signed them), option C seems the correct answer.

Terry
 
Ranch Hand
Posts: 101
If it had said only one answer is true, I would have chosen D; if there were two, I would have chosen C. I chose D before C because if you are buying the code from the vendor, the vendor should be considered as somehow "trusted" and should not deliberately give you malicious code. The digital signature is made with the vendor's private key; there might be a chance the key has been compromised and others might impersonate the vendor.
BTW, which mock test is this?
 
Ranch Hand
Posts: 60
If D is not correct (someone impersonating the 3rd party vendor may have signed the jar file), it means the actual vendor signed the jar file. It does not make sense that a vendor whom you paid for software will intentionally give you malicious code. So if we assume that the private key is compromised, then D is the first choice and then C. But in the question there is no mention of the fact that the private key is compromised, so we can say that B is also correct. I think this is the way this security is designed. You get the signed code, you have the trusted certificate, and you are satisfied that the code is safe to run. If this is not the case, what extra step will you take before using the code? Anyway, you don't want to use the code if you have any doubt about the code. If even after using the security mechanism you are in doubt, it means that this security is not sufficient.
 
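The "extra step" asked about in the post above, as an added example that is not part of the original thread: Java code that verifies a signed JAR the way the runtime does (digest of every entry checked against the signature files) and then validates each signer's certificate chain against a truststore of our own choosing rather than whatever the JDK ships with. The JAR path, the truststore file and its password are assumed to be given on the command line (hypothetical inputs). Note what this check can and cannot establish: it proves that every entry was signed with the private key matching a certificate the CA vouches for and that nothing was altered afterwards; it says nothing about whether that key was still exclusively in the vendor's hands (option D), and nothing at all about whether the signed code is benign or correct (options A and E).

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.List;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/**
 * Added example, not code from the original thread. Checks what a signed JAR
 * actually proves before the code is put on a classpath.
 *
 * Assumed (hypothetical) arguments: <jar> <truststore.p12> <truststore-password>
 */
public class SignedJarCheck {

    // OID of the id-kp-codeSigning extended key usage (RFC 5280).
    private static final String CODE_SIGNING_EKU = "1.3.6.1.5.5.7.3.3";

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: SignedJarCheck <jar> <truststore.p12> <truststore-password>");
            System.exit(2);
        }

        // Only anchors we deliberately chose; the JDK's default cacerts is not consulted.
        KeyStore trust = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(args[1])) {
            trust.load(in, args[2].toCharArray());
        }
        PKIXParameters pkix = new PKIXParameters(trust);
        pkix.setRevocationEnabled(false); // assumption: run offline, no CRL/OCSP reachable

        // verify=true makes JarFile compare each entry's digest with the manifest and
        // the signature files (META-INF/*.SF plus *.RSA/*.DSA/*.EC) while it is read.
        try (JarFile jar = new JarFile(args[0], true)) {
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                if (entry.isDirectory() || entry.getName().startsWith("META-INF/")) {
                    continue;
                }

                // getCodeSigners() is only populated once the entry has been read to the
                // end; a tampered entry throws SecurityException from the stream here.
                try (InputStream in = jar.getInputStream(entry)) {
                    byte[] buf = new byte[8192];
                    while (in.read(buf) != -1) { /* drain */ }
                }

                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null || signers.length == 0) {
                    // A JAR can be "signed" and still carry unsigned entries; that is the
                    // usual way extra classes are smuggled in beside the signed ones.
                    throw new SecurityException("unsigned entry: " + entry.getName());
                }

                for (CodeSigner signer : signers) {
                    CertPath path = signer.getSignerCertPath();
                    // PKIX validation ties the signing certificate to one of our anchors.
                    CertPathValidator.getInstance("PKIX").validate(path, pkix);

                    X509Certificate leaf = (X509Certificate) path.getCertificates().get(0);
                    // PKIX does not check purpose: insist on a code-signing certificate.
                    List<String> eku = leaf.getExtendedKeyUsage();
                    if (eku == null || !eku.contains(CODE_SIGNING_EKU)) {
                        throw new SecurityException("not a code-signing certificate: "
                                + leaf.getSubjectX500Principal());
                    }
                    System.out.println(entry.getName() + " signed by "
                            + leaf.getSubjectX500Principal());
                }
            }
        }
        System.out.println("Every entry is signed by a key whose certificate chains to a chosen anchor.");
        System.out.println("That identifies the signing key; it says nothing about what the code does.");
    }
}
```

The same report can be had from `jarsigner -verify -verbose -certs vendor.jar`, but by default jarsigner trusts the JDK's cacerts, only warns when a chain cannot be validated, and still exits 0 unless `-strict` is given; the check above fails closed instead. Two caveats a practitioner would add: PKIX validates against the current date, so an expired signing certificate fails here even if the signature carried a trusted timestamp, and a certificate whose EKU contains anyExtendedKeyUsage (2.5.29.37.0) would be rejected by the strict OID comparison shown.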
Greenhorn
Posts: 9
Hi, I think C is true; B and D are false.
The 3rd party vendor may not certify his own jar file; it must be signed by a trusted Certificate Authority.
 
Shakti Sharma
Ranch Hand
Posts: 60
The vendor's digital certificate is certified by the CA, if that is not sufficient. Let's assume that C is right since the CA does not sign it. If we are choosing answer (C) based on the assumption that the vendor's private key is compromised, then we can also assume that the CA's private key can be compromised. Anybody's key can be compromised, so based on this scenario we can say that you cannot trust this security mechanism at all. This security mechanism works on certain assumptions: that the vendor keeps his private key safe, and that the vendor is trusted since he is trusted by our trusted CA. If he signs something with his private key, since I trust the CA, I also trust him. That is what the CA is for.
 
Greenhorn
Posts: 17
In my opinion, if we assume that the private key of the vendor has not been compromised, and since the certificate has been signed by the CA, the choice should be B.
 