PrepAway - Latest Free Exam Questions & Answers

What is the difference between the OCSP (Online Certificate Status Protocol) and a Certificate Revocation List
(CRL)?

A. The OCSP (Online Certificate Status Protocol) provides real-time certificate checks and a Certificate Revocation List (CRL) has a delay in the updates.

B. The OCSP (Online Certificate Status Protocol) is a proprietary certificate mechanism developed by Microsoft and a Certificate Revocation List (CRL) is an open standard.

C. The OCSP (Online Certificate Status Protocol) is used only by Active Directory and a Certificate Revocation List (CRL) is used by Certificate Authorities.

D. The OCSP (Online Certificate Status Protocol) is a way to check the attributes of a certificate and a Certificate Revocation List (CRL) is used by Certificate Authorities.

Explanation:
The CA is responsible for creating and handing out certificates, maintaining them, and revoking them if necessary. Revocation is handled by the CA, and the revoked certificate information is stored on a certificate revocation list (CRL). This is a list of every certificate that has been revoked. This list is maintained and updated periodically.

Online Certificate Status Protocol (OCSP) is being used more and more rather than the cumbersome CRL approach. When using just a CRL, the user's browser must either check a central CRL to find out if the certificate has been revoked, or the CA has to continually push out CRL values to the clients to ensure they have an updated CRL. If OCSP is implemented, it does this work automatically in the background. It carries out real-time validation of a certificate and reports back to the user whether the certificate is valid, invalid, or unknown. OCSP checks the CRL that is maintained by the CA. So the CRL is still being used, but now we have a protocol developed specifically to check the CRL during a certificate validation process.
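As an added illustration (not part of the PrepAway explanation or the Harris text), this Python model contrasts a client that trusts a cached CRL until its nextUpdate with a client that asks the CA's live records the way an OCSP responder does. The serial numbers, dates and CA state are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed reference time: the CRL in the example is published at T0.
T0 = datetime(2024, 1, 1, 0, 0)


@dataclass
class CertificateAuthority:
    issued: set = field(default_factory=set)     # serials this CA has issued
    revoked: dict = field(default_factory=dict)  # serial -> revocation time

    def revoke(self, serial, when):
        self.revoked[serial] = when

    def publish_crl(self, this_update, validity=timedelta(days=7)):
        # A CRL is a snapshot: it lists what was revoked at publication time
        # and clients treat it as current until nextUpdate.
        return {
            "thisUpdate": this_update,
            "nextUpdate": this_update + validity,
            "revoked": {s for s, t in self.revoked.items() if t <= this_update},
        }

    def ocsp_respond(self, serial, now):
        # An OCSP responder answers from the CA's current records with
        # one of three states: good, revoked or unknown.
        if serial not in self.issued:
            return "unknown"
        t = self.revoked.get(serial)
        return "revoked" if t is not None and t <= now else "good"


def crl_status(crl, serial, now):
    # Client side: the cached CRL is used until nextUpdate, so a revocation
    # that happened after thisUpdate stays invisible until the next download.
    if now > crl["nextUpdate"]:
        return "stale"  # client must fetch a fresh CRL before deciding
    return "revoked" if serial in crl["revoked"] else "good"


def compare(serial, revoke_day, check_day):
    """CRL published at T0, cert revoked revoke_day days later, checked at check_day."""
    ca = CertificateAuthority(issued={serial})
    crl = ca.publish_crl(T0)
    ca.revoke(serial, T0 + timedelta(days=revoke_day))
    now = T0 + timedelta(days=check_day)
    return {"crl": crl_status(crl, serial, now), "ocsp": ca.ocsp_respond(serial, now)}


def ocsp_unknown(issued_serial, queried_serial):
    """Status the responder returns for a serial the CA never issued."""
    return CertificateAuthority(issued={issued_serial}).ocsp_respond(queried_serial, T0)
```

Revoking on day 1 and checking on day 2 yields "good" from the cached CRL but "revoked" from OCSP, which is the update delay option A describes.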
Incorrect Answers:
B: The OCSP (Online Certificate Status Protocol) is not a proprietary certificate mechanism developed by
Microsoft; it is an open standard.
C: The OCSP (Online Certificate Status Protocol) is not used only by Active Directory.
D: The OCSP (Online Certificate Status Protocol) is not a way to check the attributes of a certificate; it is a way
to check the revocation status of a certificate.

Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, 2013, pp. 836-837
