PrepAway - Latest Free Exam Questions & Answers

Which of the following MUST be implemented to support this requirement?

A security administrator must implement a system to ensure that invalid certificates are not used by a
custom-developed application. The system must be able to check the validity of certificates even when
internet access is unavailable. Which of the following MUST be implemented to support this
requirement?

A. CSR

B. OCSP

C. CRL

D. SSH

2 Comments on “Which of the following MUST be implemented to support this requirement?”

  1. Paul S says:

    Clearly the emphasis on this question is a downed internet access. With OCSP, the system asks if the certificate is good and basically gets a yes/no answer. Quicker but requires access to the Internet. CRL is basically a downloaded list so periods of non-access to the Internet will still yield some (possibly outdated) answer. C meets the requirement of the question.

  2. ezspader says:

    2 questions about offline verification of certificates are floating around for this test. One answers OCSP, the other CRL. I have found articles that say CRLs have a ~7 day lifespan. OCSP responses can be cached, but nobody says for how long. Then there is this…

    A proxy HTTP server can be used as an intermediate server to handle OCSP requests from cached responses, or forward requests to the configured responder. If a proxy server is configured for an application, all the OCSP requests for the application are sent to the configured server. The default proxy port is 80. A proxy server is not configured by default.

    So my questions are…
    1. How long can a CRL be used with no internet access?
    2. How long is the internet going to be down in this situation?
    3. How long can OCSP requests be cached?
    4. Can a proxy be used to verify OCSP indefinitely?

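A CRL carries its own validity window in its thisUpdate and nextUpdate fields (RFC 5280), which is what bounds how long a cached copy can be relied on offline. The sketch below is an added example, not part of the original page or its comments: it models an offline check against a cached CRL that fails closed once the cache is stale. The class and function names, the serial numbers, the dates and the 7-day window are constructed for illustration, and signature verification of the CRL is assumed to have happened at download time.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum


class Status(Enum):
    GOOD = "good"            # not listed, and the cached CRL is still current
    REVOKED = "revoked"      # serial is listed in the cached CRL
    STALE = "stale"          # now is past nextUpdate: the cache cannot vouch
    NOT_YET_VALID = "early"  # thisUpdate lies in the future (clock problem)
    NO_DATA = "no-data"      # nothing cached at all


@dataclass(frozen=True)
class CachedCRL:
    """Fields kept after downloading a CRL (hypothetical structure; the
    CRL signature is assumed to have been verified against the CA)."""
    this_update: datetime
    next_update: datetime
    revoked_serials: frozenset


def check_offline(serial, crl, now, skew=timedelta(minutes=5)):
    """Decide revocation status from the local cache only, failing closed."""
    if crl is None:
        return Status.NO_DATA
    # A listed serial is rejected even if the CRL is stale (fail closed).
    if serial in crl.revoked_serials:
        return Status.REVOKED
    if now + skew < crl.this_update:
        return Status.NOT_YET_VALID
    if now > crl.next_update:
        return Status.STALE
    return Status.GOOD


def outage_timeline(serial, crl, start, days):
    """Status on each day of an outage that begins at `start`."""
    return [check_offline(serial, crl, start + timedelta(days=d))
            for d in range(days + 1)]


# Constructed sample: CRL with a 7-day window in which serial 0x1002 is revoked.
ISSUED = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE_CRL = CachedCRL(ISSUED, ISSUED + timedelta(days=7), frozenset({0x1002}))

if __name__ == "__main__":
    for day, status in enumerate(outage_timeline(0x1001, SAMPLE_CRL, ISSUED, 9)):
        print(f"day {day}: {status.value}")
```

An application that treats `STALE` and `NO_DATA` as rejections trades availability for assurance during a long outage; one that accepts them is no longer checking revocation at all.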
