Exam Objectives Frequently Asked Questions

The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the Exam Objectives presented in this chapter, and to assist you with real-life implementation of these concepts.

Q.  What components are needed to build a complete PKI?

A.  Five major components are needed to build a PKI. CAs are needed to issue certificates and certificate revocation lists (CRLs). The certificate publication point, based on any kind of directory service, makes certificates and CRLs available at any time. Any structure needs some kind of management tool, so a PKI also provides a utility for key and certificate management. The fourth component is the set of well-written applications that make public key cryptography transparent to the user once the user has indicated what must be completed. The final component in a PKI is hardware that supports cryptographic technologies. The hardware ranges from smart cards used to store secure keys to PCI cards that handle on-board encryption/decryption processing. This fifth component of a complete PKI is completely optional.

Q.  What are the primary components of the Windows 2000 PKI?

A.  The Microsoft Certificate Services make it possible to create your own CAs and to issue and manage digital certificates. This means that the Microsoft Certificate Service is your CA and management tool. The Active Directory service is your Certificate Publication Point. The third component is the set of well-written applications that work seamlessly with the Windows 2000 PKI, including Microsoft Internet Explorer and IIS, as well as applications from many third-party vendors. The final primary component of Windows 2000 PKI is a component from the Exchange Server software, the Exchange Key Management Service. The optional hardware support in cryptography is available through the use of smart cards.

Q.  Are the security features easy to use?

A.  Microsoft has designed the PKI to be easy for everyone to use, from end users to administrators. The PKI components are included with the Windows 2000 operating system, so there is nothing extra to buy or install. Departments can be set up with their own CAs, because the CA software is part of the operating system. The administrator and the end user can use already familiar tools such as the MMC and Internet Explorer to create certificates, view their certificates, view other certificates, validate their authenticity, and set what certificates are authorized to do. By using Internet Explorer, users can access the Microsoft Certificate Service to request that a certificate be created. The Certificate Request Wizard will supply appropriate fields, and the request will automatically be forwarded to the appropriate CA. When the certificate is generated, the public key information is automatically stored in Active Directory, and the private information is delivered to the requester.

Q.  For the administrator, how easy is the PKI to maintain?

A.  The management of the PKI is a daily task once it is installed. From the Certificate Service and MMC snap-in, the administrator can perform the daily PKI maintenance tasks. Most of the tasks can be completed by merely selecting the appropriate menu item. Normal maintenance includes the following:
  • Revoking certificates when necessary

  • Defining templates for certificate attributes that will automatically be inherited by newly created certificates

  • Viewing the certificates and their properties

  • Viewing the properties of a CRL

  • Changing group policy settings for users, groups, and computers

  • Viewing pending certificate requests

  • Viewing failed certificate requests

Q.  What does it really mean when people state that you can export DES?

A.  In 1996, the U.S. export regulations on cryptography were put under the purview of the Department of Commerce. In the fall of 1998, export restrictions were relaxed. The regulations for exporting cryptographic material and key recovery requirements are as follows:
  • The key recovery requirements for export of 56-bit DES and equivalent products are eliminated.

  • Export of unlimited strength encryption under license exceptions is now broadened to include others besides the financial industry for 45 countries.

  • Export of recoverable products is granted to most commercial firms for a broad range of countries in the major commercial markets, excluding items on the U.S. defense list.

  • Export licenses to end users may be granted on a case-by-case basis.



MCSE/MCSA Implementing and Administering Security in a Windows 2000 Network: Study Guide and DVD Training System (Exam 70-214)
ISBN: 1931836841
EAN: 2147483647
Year: 2003
Pages: 162
