Exam 350-701 topic 1 question 480 discussion

B is the correct answer. https://community.cisco.com/t5/security-knowledge-base/ca/ta-p/3114159#:~:text=As%20part%20of%20a%20public%20key%20infrastructure%20%28PKI%29%2C,information%2C%20the%20CA%20can%20then%20issue%20a%20certificate.

The answer is B: "Vetting (verifying) the identity of the website owner or organization: When you request a certificate from CA, it verifies the information you provide. This information includes the organization’s name, domain name, address, email address and a public key.....If the certification authority realizes it has improperly issued a certificate, it revokes the certificate and issues a new one for the same entity. If the CA discovers that the certificate used by an entity is a counterfeit, it revokes the certificate and adds it to the Certificate Revocation List (CRL)."

The answer is B

The question is based on the wikipedia: https://en.wikipedia.org/wiki/Certificate_authority "In cryptography, a certificate authority or certification authority (CA) is an entity that stores, signs, and issues digital certificates." You can find answer C) word by word there. A digital certificate certifies the ownership of a public key by the named subject of the certificate. This allows others (relying parties) to rely upon signatures or on assertions made about the private key that corresponds to the certified public key. ...and a similar description to A) The certificate is also a confirmation or validation by the CA that the public key contained in the certificate belongs to the person, organization, server or other entity noted in the certificate.

I'm with Tthurston1 on this one, so C. I might be wrong, but, at the end of the day, the CA is there to confirm that only the subject can decrypt the message encrypted with its public key and that a message that can be decrypted with the public key was definitely encrypted by the subject via private. In my view C is the scope, A&B are processes done in order to achieve the goal.

CA doesn't directly validate any certificate. If you want to check if a certificate is valide, you just check if it's signed by CA( or above) and if it is still valid! So, A can not be correct! I go for B.

In the grand scheme of things, Options A-C are ALL VALID functions of a CA in a PKI infrastructure. But of course, you can only choose one answer..... I would opt for Option C because it emphasizes the critical aspect of verifying ownership of the PUBLIC key by the named subject.

They are asking for CA not RootCA certificate, might be B, make more sense to me.

In a PKI (Public Key Infrastructure), the purpose of a CA (Certificate Authority) is to issue, manage, and revoke digital certificates. The CA plays a central role in establishing trust and enabling secure communication within the PKI ecosystem. Here are the key purposes of a CA:

I agree. A is the most ligical for a CA in PKI setup.

A is the only right. Issuing a digital certificate can be done also by an internal custom CA with no validity to the outside word.

I would argue here, it could be A) as well. I as user or scripts are able to "issue" or "revoke" certificates, but only CA can grant authenticity...