Effective CISSP Questions

Your company decides to implement fine-grained attribute-based access control (ABAC) that entails access to identity repositories. Which of the following is the best to inform the policy decision point (PDP) with the subject’s attributes? (Source: Wentz QOTD)
A. X.500
B. X.509

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is C. LDAP.

Both X.500 and LDAP support directory access to retrieve an entity’s attributes. However, X.500 is too complex. LDAP is more widely implemented. It may not meet the economy of mechanism principle.

Architectural and Design Principles

Directory Service, X.500, and LDAP

A directory is a repository of information about objects. The directory service provides access to the directory. The X.500 standard defines a directory called directory information base (DIB) organized in a hierarchical structure, known as the directory information tree (DIT). Objects in the DIB can be uniquely identified and accessed through its identified by a distinguished name (DN).

The X.500 standard defines a series of protocols covering electronic directory services, such as:

  • DAP (Directory Access Protocol)
  • DSP (Directory System Protocol)
  • DISP (Directory Information Shadowing Protocol)
  • DOP (Directory Operational Bindings Management Protocol)

As X.500 is too complex, it’s not as widely implemented as the Lightweight Directory Access Protocol (LDAP), the most well-known alternative to DAP. 

Samba and File Services

Samba is free software that implements Microsoft’s SMB (Server Message Block) protocol to provide file and print services and can integrate with the Microsoft Windows Server domain (NTDS or Active Directory). Samba is software providing file and print services, not a standard or protocol providing directory services or access to a directory.

Digital Certificate and X.509

X.509 Certificate Formats

In cryptography, X.509 is a standard defining the format of public key certificates. X.509 certificates are used in many Internet protocols, including TLS/SSL, which is the basis for HTTPS, the secure protocol for browsing the web. They are also used in offline applications, like electronic signatures. An X.509 certificate contains a public key and an identity (a hostname, or an organization, or an individual), and is either signed by a certificate authority or self-signed. When a certificate is signed by a trusted certificate authority, or validated by other means, someone holding that certificate can rely on the public key it contains to establish secure communications with another party, or validate documents digitally signed by the corresponding private key.

X.509 also defines certificate revocation lists, which are a means to distribute information about certificates that have been deemed invalid by a signing authority, as well as a certification path validation algorithm, which allows for certificates to be signed by intermediate CA certificates, which are, in turn, signed by other certificates, eventually reaching a trust anchor.

X.509 is defined by the International Telecommunications Union’s “Standardization Sector” (ITU-T), in ITU-T Study Group 17 and is based on ASN.1, another ITU-T standard.

Source: Wikipedia

Subject and Attributes

A subject is a uniquely identified or authenticated entity with describing attributes. The Policy Decision Point (PDP) is one of the core components mentioned in XACML that supports attribute-based access control.

Sample XACML Implementation

Zero Trust Architecture

Attribute-based access control (ABAC) plays a crucial role for authorization in the Zero Trust Architecture.

Zero Trust Architecture



My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

您的公司決定實施細粒度的基於屬性的訪問控制(ABAC),該訪問控制必須存取帳號資料庫。 以下哪一項是最好的方法,可以將主體(subject)的屬性告知政策決策點(PDP)?
A. X.500
B. X.509


Leave a Reply