Answer to example question #1:
Question: You want to use a system that can protect communication by authenticating the server, and also providing a copy of the server's public key in a trustworthy format. A provider of trusted certificates will only provide one when you follow their rules. There is a protocol that you can use to check in real time whether a certificate should be trusted or not. You must have a copy of the currently untrusted certificates locally, to reduce network traffic. Rather than a complete copy of the key, you may refer to its hash instead. There are ways to prevent a breach today from exposing secrets based on keys in the past. What do you need?
Each of the sentences in the above question refers to one of the answer choices, and I have made it easy by putting the answer choices in the same order:
"a system that can ..." = TLS or Transport Layer Security
"the rules" = CPS or Certificate Practices Statement
"a protocol" = OCSP or Online Certificate Status Protocol
"copy of the revoked keys" = CRL or Certificate Revocation List
"its hash" = thumbprint
"exposure today doesn't expose keys from the past" = PFS or Perfect Forward Secrecy.
Yes, they're all true! You have to work backward through the English. "What do you need?" is the actual question. All the choices are relevant and true, but only one answers the question.
One of the sentences says "You must have", which makes it a requirement. The others state that the item provides some feature, or describe your plan.
That one corresponds to a local copy of the CRL, which is a relatively uncommon or unneeded step. This makes it a better question from the CompTIA point of view: a less common requirement makes the question more challenging.
Yes, the overall question text is about TLS in general. But the question, once we find it, is about a specific requirement (having a list of invalid keys) rather than about TLS in general (authenticating the server and its public key).