INFS 767, Fall 2003, Examination 2

Posted: 11/29/2003, Due: 12/15/03

Please submit hard copy by 7pm on 12/15/03.  Place in my mailbox or my office (slip under door if I am not there).  A list of missing submissions will be posted on the class web page on 12/16/03.  Please check this list to confirm submission has been received.

Prof. Ravi Sandhu

 

This is a take-home, open-book and open-time examination.  You are required to solve it on your own using whatever material you like.  Please sign and submit the following honor code statement with your solution:

 

I have not taken any help on this examination from anyone and not provided any help to anyone.  The solution has been entirely worked out by me and represents my individual effort.

 

Please submit a typed solution with the signed honor code statement.  Keep a copy for your records and reference.  Any clarification questions regarding the examination should be emailed to sandhu@gmu.edu.  Clarifications will be posted on this page as needed.

 

ANSWER ALL 5 QUESTIONS.  ALL QUESTIONS HAVE EQUAL WEIGHT.

 

Q1. What are the trust requirements for a CA and RA identified by Housley and Polk?  Can you think of additional trust requirements that the authors have omitted?  Discuss the assertion that the RA needs much less trust than the CA. (Maximum length 1 page.)

 

Q2. Answer these questions with reference to the Housley-Polk book. (Maximum length 1/2 page each.)

a) What problem does a bridge CA solve?

b) What is the path validation problem?

 

Q3. Consider Chapter 7 of the Housley-Polk book.  Identify three certificate extensions that you consider to be the most significant.  Justify your choice.  (Maximum length 1 page.)

 

Q4. Consider the server-side SSL vulnerability discussed in the Hayes 1998 paper. Is there something that could be done in the browser to solve this problem?  Assume Microsoft would be willing to go along with your recommendation.  (Maximum length 1 page.)

 

Q5. Discuss the pros and cons of storing authorization information in X.509 certificate extensions versus using separate attribute certificates.  (Maximum length 1 page.)

 

History:

11/29/03: Examination 2 posted.  No clarifications so far.