Which of the following is a major component of the federated identity management (FIM) implementation model and used to establish a network between dozens of organizations?
To establish a network between dozens of organizations within a federated identity management (FIM) implementation model, a Trusted Third Party (TTP) is a critical component. A TTP manages the trust relationships among all member organizations, which simplifies the process and ensures scalability. Each organization subscribes to the standards set by the TTP, which oversees verification, certification, and due diligence, making it feasible to manage numerous entities efficiently.
C is correct. Cross-certification is a major component of the federated identity management (FIM) implementation model and is used to establish a network between dozens of organizations. Cross-certification allows two different organizations to establish mutual trust by exchanging and validating each other's digital certificates. This mutual trust enables users in one organization to access resources in another organization without the need for separate user accounts or authentication processes.
Copied from answer to question 538: In the cross-certification federated identity model, each organization certifies that every other organization is trusted. This trust is established when the organizations review each other’s standards. Each organization must verify and certify through due diligence that the other organizations meet or exceed standards. One disadvantage of cross certification is that the number of trust relationships that must be managed can become a problem. In addition, verifying the trustworthiness of other organizations can be time-consuming and resource intensive. In the trusted third-party (or bridge) federated identity model, each organization subscribes to the standards of a third party. The third party manages verification, certification, and due diligence for all organizations. This is usually the best model if an organization needs to establish federated identity management relationships with a large number of organizations. - from CISSP Cert Guide, 3rd Edition
C. Cross-certification allows entities within a federation to trust each other's digital certificates and authentication assertions. It establishes agreed-upon standards and policies so one organization's authentication can be relied upon by others in the group. IDaaS (A) is an identity management delivery model. ABAC (B) is an authorization model. A TTP (D) facilitates trust but cross-certification enables it directly between federation members. Cross-certification is the key enabler of identity federation across large volumes of autonomous organizations, allowing them to share identity data and integrate access control. It underpins FIM scalability and adoption.
Identity as a Service (IDaaS) - Federated identity management (FIM) is an arrangement between multiple enterprises or domains that enables their users to use the same identification data (digital identity) to access all their networks.
Cross-certification is for CAs to trust one another, IDaaS is more for SSO.
C is correct
Changing to D
FIM: What is federated identity management (FIM)? Federated identity management (FIM) is an arrangement between multiple enterprises or domains that enables their users to use the same identification data (digital identity) to access all their networks. These partners are also known as trust domains. cross-certification: A process whereby two CAs establish a trust relationship between them by each CA signing a certificate containing the public key of the other CA.
D is more general, but A is the service name for D.
I think it's C. By the way, supporters of option C, let's make sure to cast our votes. There are many comments, but the voting rate for option A and option D is higher, isn't it?
C. Cross-certification. Cross-certification is a process where two or more certificate authorities (CAs) trust each other's public key certificates, allowing users in one organization to securely access resources in another organization. This process is known as identity federation and allows users to access resources from multiple organizations without the need for separate login credentials for each organization.
Answer A) Identity as a Service (IDaaS). This is the only answer that provides anything of value to this question as it is the Identity Provider (IdP). B: has nothing to do with anything. C: is referring to web certs. D: Trusted third party (TTP) doesn't give you any insight into what their role is.
Cross-certification is a major component of the federated identity management (FIM) implementation model used to establish a network between dozens of organizations. It allows organizations to trust the digital certificates issued by each other's certification authorities (CAs) without directly trusting each other. This trust relationship enables users from different organizations to securely access resources across organizational boundaries while maintaining their own identity management systems.
How are soooo many people getting this wrong? The answer is D, aka the identity provider. Cross-certification is okay for 2-3 organizations but is NOT scalable, and A is just LOL. You do not need IDaaS (cloud) for federation. https://ccsp.alukos.com/concepts/identity/fim/
Here's my source for D: https://www.techtarget.com/searchsecurity/definition/federated-identity-management "However, all domains are interlinked through a third-party service that stores users' access credentials and provides the trust mechanism needed for FIM to work. This third service is known as the identity provider or identity broker."
D is correct. C is not scalable and the definition specifically contradicts this answer as viable. https://ccsp.alukos.com/concepts/identity/fim/ It’s NOT C. In a cross-certification federation, each member of the federation has to review and approve every other member for inclusion in the federation. This does not scale well, and once the number of organizations gets fairly substantial, it becomes unwieldy.
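The two models described in this thread, modelled as trust graphs so the number of relationships, the trust path between two members, and the cost of removing a member can be compared. This is an added example, not part of any comment above; the organization names, the `TTP` node name and the choice of 24 members are constructed for illustration.

```python
from collections import deque
from itertools import combinations

def cross_certified(orgs):
    """Full mesh: every pair of organizations reviews and certifies each other."""
    trust = {o: set() for o in orgs}
    for a, b in combinations(orgs, 2):
        trust[a].add(b)
        trust[b].add(a)
    return trust

def bridged(orgs, ttp="TTP"):
    """Bridge model: each organization has one relationship, with the third party."""
    trust = {o: {ttp} for o in orgs}
    trust[ttp] = set(orgs)
    return trust

def relationships(trust):
    """Number of mutual trust relationships that must be reviewed and maintained."""
    return sum(len(peers) for peers in trust.values()) // 2

def trust_path(trust, relying_party, issuer):
    """Shortest chain of trust from the relying party to the issuing organization."""
    queue, seen = deque([[relying_party]]), {relying_party}
    while queue:
        path = queue.popleft()
        if path[-1] == issuer:
            return path
        for peer in sorted(trust.get(path[-1], ())):
            if peer not in seen:
                seen.add(peer)
                queue.append(path + [peer])
    return None

def offboard(trust, org):
    """Remove an organization; returns how many relationships had to be torn down."""
    peers = trust.pop(org, set())
    for p in peers:
        trust[p].discard(org)
    return len(peers)

ORGS = [f"org{i:02d}" for i in range(1, 25)]   # constructed: 24 member organizations

if __name__ == "__main__":
    mesh, bridge = cross_certified(ORGS), bridged(ORGS)
    print("cross-certification:", relationships(mesh), "relationships")
    print("trusted third party:", relationships(bridge), "relationships")
    print("bridge path:", trust_path(bridge, "org01", "org24"))
    print("offboarding org24:", offboard(mesh, "org24"), "vs", offboard(bridge, "org24"))
```

In the mesh, every new member adds one review per existing member; in the bridge model it adds exactly one, at the cost of every trust path passing through the third party.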