some mock questions?
chao cai
Ranch Hand
Joined: May 26, 2005
Posts: 154
123. You have been given a JAR file that has been signed by a 3rd Party Vendor. A Trusted Certificate Authority (CA) has signed the 3rd Party Vendor's certificate. Is it possible to add any more classes to this JAR file? True/False?
A. Yes
B. No

127. You are working on a new application that will help your company co-ordinate sales data across different departments. The aim is to have everyone access the same sales data at all times. This project needs to be finished as soon as possible and you have bought some third party code to speed up the development process. The code has been signed using a digital certificate and packaged in a jar file. What do you know about it?
Note: Digital certificates have been provided that have been signed by a trusted Certificate Authority.
A. The jar file contains no malicious code.
B. The jar file was signed by the 3rd party vendor.
C. The jar file contents may contain malicious code.
D. Someone impersonating the 3rd party vendor may have signed the jar file.
E. The code is fully tested and performs the task it was designed for.
SCEA, SCJP 1.2, SCBCD, MCSD, IBM Certified Specialist RUP v2003, IBM Certified Solution Designer OOAD vUML2
Phone Number: 86-010-82776427
Aleena Rehman
Ranch Hand
Joined: Sep 20, 2005
Posts: 66
123. You have been given a JAR file that has been signed by a 3rd Party Vendor. A Trusted Certificate Authority (CA) has signed the 3rd Party Vendor's certificate. Is it possible to add any more classes to this JAR file? True/False?
A. Yes
B. No
(B is the Correct Answer: Because if you add more classes to the Jar file the vendor's certificate will not be considered valid any more, as it was only for the files already present in the jar.)

127. You are working on a new application that will help your company co-ordinate sales data across different departments. The aim is to have everyone access the same sales data at all times. This project needs to be finished as soon as possible and you have bought some third party code to speed up the development process. The code has been signed using a digital certificate and packaged in a jar file. What do you know about it?
Note: Digital certificates have been provided that have been signed by a trusted Certificate Authority.
A. The jar file contains no malicious code.
B. The jar file was signed by the 3rd party vendor.
C. The jar file contents may contain malicious code.
D. Someone impersonating the 3rd party vendor may have signed the jar file.
E. The code is fully tested and performs the task it was designed for.
(A is the Correct Answer. I guess this one is obvious.)

[ September 20, 2005: Message edited by: Aleena Rehman ]
Aleena Rehman
SCJP, SCBCD 95%, SCWCD 85%, IBM-OOAD 84%, SCEA-I 91%
Peer Reynders
Bartender
Joined: Aug 19, 2005
Posts: 2906
Originally posted by Aleena Rehman:
A. The jar file contains no malicious code.
B. The jar file was signed by the 3rd party vendor.
C. The jar file contents may contain malicious code.
D. Someone impersonating the 3rd party vendor may have signed the jar file.
E. The code is fully tested and performs the task it was designed for.
(A is the Correct Answer. I guess this one is obvious.)

Not that obvious to me. The digital certificate merely attempts to certify the origin of the payload as one that is registered with the certifying authority. No guarantees are made about the trustworthiness of the 3rd party vendor or the content of the payload. You personally still have to trust the identified 3rd party vendor if you want to use the payload. Theoretically the vendor could still knowingly (spyware, etc.) or unknowingly (virus that slips through) deliver malicious code (which would be bad business practice, but that's another topic).

[ September 21, 2005: Message edited by: Peer Reynders ]
"Don't succumb to the false authority of a tool or model. There is no substitute for thinking."
Andy Hunt, Pragmatic Thinking & Learning: Refactor Your Wetware p.41
Ray Ye
Ranch Hand
Joined: Jun 02, 2004
Posts: 54
Originally posted by Peer Reynders: The digital certificate merely attempts to certify the origin of the payload as one that is registered with the certifying authority. No guarantees are made about the trustworthiness of the 3rd party vendor or the content of the payload.

That is right; the certificate does not guarantee the content, just the author. So the answer should be C.
Peer Reynders
Bartender
Joined: Aug 19, 2005
Posts: 2906
Originally posted by Ray Ye: So the answer should be C.
I think that this question also wants (B) "The jar file was signed by the 3rd party vendor" in addition to (C). Now, if you are really pessimistic you may even be inclined to select (D) "Someone impersonating the 3rd party vendor may have signed the jar file" instead of (B) - but I don't think the question is after that one. But it is entirely possible (though incredibly negligent) that a 4th Party walks away with the 3rd party's "private" portion of the certificate, if the 3rd party has taken insufficient electronic and physical security measures to protect it. Then that 4th party could impersonate the 3rd party until the certificate is updated.
Ray Ye
Ranch Hand
Joined: Jun 02, 2004
Posts: 54
Originally posted by Peer Reynders: I think that this question also wants (B) "The jar file was signed by the 3rd party vendor" in addition to (C).

I don't think C is right. Since it is claimed the jar was "signed by a trusted Certificate Authority", not the 3rd party vendor. (Unless you think a CA is a vendor, but do you think a notary public is a vendor?) This also rules out D. Since the CA has distributed its public key and signs the jar with its private key, it is a digital signature, which is virtually impossible to impersonate.
Ray Ye
Ranch Hand
Joined: Jun 02, 2004
Posts: 54
Sorry, I mean I don't think B is right.
Peer Reynders
Bartender
Joined: Aug 19, 2005
Posts: 2906
Originally posted by Ray Ye: Since it is claimed the jar was "signed by a trusted Certificate Authority" not 3rd party vendor.
The question made no such claim - read it again: "The code has been signed using a digital certificate and packaged in a jar file" and "Digital certificates have been provided that have been signed by a trusted Certificate Authority". The certificates are issued by the CA - the Author (i.e. 3rd Party vendor) then signs the content with the private key.

Originally posted by Ray Ye: This also rules out D. Since CA has distributed its public key and signs the jar with its private key, it is a digital signature, which is very impossible to impersonate.

I agree with you that the question does not want (D). My point was that in matters of security you are always wearing your "paranoia" hat. And the answer was "D. Someone impersonating the 3rd party vendor may have signed the jar file". First of all, it says "may have", not "has". Secondly, it's talking about impersonating the Author, not cracking the private key. It is possible to impersonate the author if you manage to steal the author's private key.

[ September 22, 2005: Message edited by: Peer Reynders ]
Ray Ye
Ranch Hand
Joined: Jun 02, 2004
Posts: 54
The author's certificate (public key) was signed by the CA. And the author signed the JAR with his private key; this signature will be compared with his certificate to ensure it is from the author himself, not anybody else. To the user of the signed jar, the jar author is the vendor, not a 3rd party though (but a 2nd party).
Peer Reynders
Bartender
Joined: Aug 19, 2005
Posts: 2906
Originally posted by Ray Ye: the jar author is the vendor, not 3rd party though (but 2nd party)
Now you are confusing me - the question always uses "3rd Party Vendor". How do you manage to separate the 3rd party and the vendor? They are one and the same entity, identical to the author.
Ray Ye
Ranch Hand
Joined: Jun 02, 2004
Posts: 54
Peer, I think you are right. If we call the jar author the 3rd party vendor, then B and D are both right. As you pointed out, impersonation definitely makes D "may have signed jar" a right answer.
Peer Reynders
Bartender
Joined: Aug 19, 2005
Posts: 2906
Unfortunately, we don't know what the question designer thought the answer(s) should be. I believe that (B) and (C) were the desired answers, because (D) would be discounted as a "remote" possibility.
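Neither question shows how the consumer of the JAR would actually check the two things the thread argues about. The following Java program is an added example, not code from this thread or from any vendor; it targets JDK 11+ and takes the JAR path, a trust store and its password as command-line placeholders. It opens the JAR with verification on and reads every entry, reports entries that carry no signature at all (the situation behind question 123: a class added after signing has no digest in the signed manifest, so the JDK attributes no signer to it) or whose digest no longer matches, and then validates each signer's certificate chain against a trust store of CAs chosen by the reader. Its clean result means only "intact, and signed by the identified party". It says nothing about whether the code is malicious, which is the point made about question 127.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.CodeSigner;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Added example (not from the thread): inspect a signed JAR before trusting it.
// Check 1: every class/resource entry must be covered by a signature.
// Check 2: every signer's certificate chain must validate to a CA in OUR trust store.
// Neither check says anything about what the code does; only who shipped it, unmodified.
public class SignedJarCheck {

    // The manifest, the signature files and directories are never themselves signed entries.
    static boolean exemptFromSigning(JarEntry e) {
        String n = e.getName().toUpperCase();
        return e.isDirectory()
            || n.equals(JarFile.MANIFEST_NAME)
            || (n.startsWith("META-INF/")
                && (n.endsWith(".SF") || n.endsWith(".RSA") || n.endsWith(".DSA") || n.endsWith(".EC")));
    }

    // PKIX expects the trust anchor outside the path: drop a trailing CA cert that is already in our store.
    static CertPath withoutTrustAnchor(CertPath path, KeyStore trust) throws Exception {
        List<Certificate> certs = new ArrayList<>(path.getCertificates());
        while (certs.size() > 1 && trust.getCertificateAlias(certs.get(certs.size() - 1)) != null) {
            certs.remove(certs.size() - 1);
        }
        return CertificateFactory.getInstance("X.509").generateCertPath(certs);
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {  // all three arguments are placeholders supplied by the reader
            System.err.println("usage: java SignedJarCheck <vendor.jar> <truststore.jks> <password>");
            System.exit(2);
        }
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[1])) {
            trust.load(in, args[2].toCharArray());
        }
        PKIXParameters pkix = new PKIXParameters(trust);  // every trusted cert in the store is an anchor
        // Revocation (CRL/OCSP) is what stops a stolen signing key; it is off here only to keep the
        // example offline. Enable it in real use.
        pkix.setRevocationEnabled(false);
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");

        List<String> unsigned = new ArrayList<>();
        List<String> tampered = new ArrayList<>();
        Set<CodeSigner> signers = new LinkedHashSet<>();

        // verify=true: JarFile checks each entry's digest against the signed manifest as it is read.
        try (JarFile jar = new JarFile(new File(args[0]), true)) {
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                if (exemptFromSigning(e)) continue;
                // getCodeSigners() is only populated once the entry has been read to the end;
                // a modified entry makes the read throw SecurityException.
                try (InputStream in = jar.getInputStream(e)) {
                    in.transferTo(OutputStream.nullOutputStream());
                } catch (SecurityException ex) {
                    tampered.add(e.getName());
                    continue;
                }
                CodeSigner[] cs = e.getCodeSigners();
                if (cs == null || cs.length == 0) {
                    unsigned.add(e.getName());  // no digest in the signed manifest: added after signing
                } else {
                    signers.addAll(List.of(cs));
                }
            }
        }

        boolean ok = unsigned.isEmpty() && tampered.isEmpty();
        tampered.forEach(n -> System.out.println("TAMPERED entry (digest mismatch): " + n));
        unsigned.forEach(n -> System.out.println("UNSIGNED entry (added after signing?): " + n));
        for (CodeSigner s : signers) {
            CertPath path = withoutTrustAnchor(s.getSignerCertPath(), trust);
            X509Certificate leaf = (X509Certificate) path.getCertificates().get(0);
            try {
                validator.validate(path, pkix);
                System.out.println("signer chains to a trusted CA: " + leaf.getSubjectX500Principal());
            } catch (CertPathValidatorException ex) {
                ok = false;
                System.out.println("signer NOT trusted: " + leaf.getSubjectX500Principal() + " (" + ex.getMessage() + ")");
            }
        }
        // A clean result means "intact and from the identified signer", never "harmless".
        System.out.println(ok ? "RESULT: intact, signed by a trusted party; review the code anyway"
                              : "RESULT: do not use this JAR");
        System.exit(ok ? 0 : 1);
    }
}
```

Two design points follow directly from the thread. The trust store is the consumer's, not the vendor's: a chain that validates only to a CA the vendor happens to like proves nothing, which is why the trust anchors come from a file the reader controls. And the per-entry loop is what turns question 123 into something observable: an added class is not rejected by the JDK, it is simply unattributed, so a consumer who loads a verified JAR without asking "is every entry signed?" would run it anyway.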