
Questions about Verisign certs vs. self-signed certs are good, because that's an issue that actually comes up in infosec.

There definitely are good crypto questions to ask. But these questions aren't those. They demonstrate only enough of a command of cryptography to pass an interview. They're signalling questions, not assessment questions.

And, with the exception of things like "what's wrong with self-signed certificates", the real crypto questions will weed out essentially 100% of your candidates (and 99% of appsec candidates as well). Note: the "real" questions I'm thinking of have very little to do with algorithms.

There's a word for things you ask about because a person who was really a member of your club would be fascinated by them: shibboleth.




And a really good security guy may also know of Shibboleth as an implementation of identity federation / cross-domain SSO. ;-)



