PrepAway - Latest Free Exam Questions & Answers

Which of the following MUST be implemented to support t…

A security administrator must implement a system to ensure that invalid certificates are not used by a custom developed application. The system must be able to check the validity of certificates even when internet access is unavailable. Which of the following MUST be implemented to support this requirement?


A. CSR

B. OCSP

C. CRL

D. SSH

One Comment on “Which of the following MUST be implemented to support t…

  1. meac says:

    This is a 50/50
    Validity of certificates is arrived at by the use of either OCSP or CRL.
    This eliminates A & D, and leaves either B or C as the correct answer.

    OCSP (RFC 2560) is a standard protocol that consists of an OCSP client and an OCSP responder. This protocol determines revocation status of a given digital public-key certificate without having to download the entire CRL. CRL is the traditional method of checking certificate validity.
    Yet, by virtue of being a Protocol, it shall only function with an internet connection, otherwise it shall not be able to download anything at all.
    So this points to C- CRL as the only possible answer.

    Yet, having said that, the odd thing is that CRL also requires an internet comm

    https://blogs.msdn.microsoft.com/johan/2010/02/02/using-ssl-without-an-internet-connection/
    The easiest way to resolve this is to skip CRL checking.

    Yet, note that disabling CRL check is not recommended in a production environment, unless you are troubleshooting an issue and want to isolate if the problem is related to CRL validation. Make sure to turn it on again after performing the validation.

    https://social.technet.microsoft.com/wiki/contents/articles/2303.understanding-access-to-microsoft-certificate-revocation-list.aspx




    0



    0

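Added example, not part of the original page or of the comment above: checking a certificate serial number against a locally cached CRL with the Python `cryptography` package, with no network call at check time. The CA, the CRLs and the serial numbers are constructed in memory for illustration, and the function assumes the CRL's issuer has already been matched to the certificate's issuer.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW = datetime.now(timezone.utc)
CA_NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Constructed Test CA")])

def build_crl(ca_key, revoked_serials, next_update):
    """Stand-in for the signed CRL file an application keeps in a local cache."""
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(CA_NAME)
               .last_update(NOW - timedelta(days=1))
               .next_update(next_update))
    for serial in revoked_serials:
        entry = (x509.RevokedCertificateBuilder()
                 .serial_number(serial)
                 .revocation_date(NOW - timedelta(days=1))
                 .build())
        builder = builder.add_revoked_certificate(entry)
    return builder.sign(ca_key, hashes.SHA256())

def check_offline(serial, crl, ca_public_key, now=NOW):
    """Return 'revoked', 'good' or 'unknown' using only locally held data."""
    if not crl.is_signature_valid(ca_public_key):
        return "unknown"   # not signed by the trusted CA: do not rely on it
    next_update = getattr(crl, "next_update_utc", None) or \
        crl.next_update.replace(tzinfo=timezone.utc)
    if now > next_update:
        return "unknown"   # cached copy has expired: fail closed until refreshed
    if crl.get_revoked_certificate_by_serial_number(serial) is not None:
        return "revoked"
    return "good"

def demo():
    """Run the check against constructed CRLs; the serial numbers are made up."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    other_key = ec.generate_private_key(ec.SECP256R1())
    fresh = build_crl(ca_key, [0x1001], NOW + timedelta(days=7))
    stale = build_crl(ca_key, [0x1001], NOW - timedelta(hours=1))
    pub = ca_key.public_key()
    return {"revoked_serial": check_offline(0x1001, fresh, pub),
            "other_serial": check_offline(0x2002, fresh, pub),
            "stale_crl": check_offline(0x2002, stale, pub),
            "wrong_signer": check_offline(0x2002, fresh, other_key.public_key())}

if __name__ == "__main__":
    print(demo())
```

The cached CRL still has to be refreshed before its `nextUpdate` time by some out-of-band path, otherwise every check falls through to `unknown`.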