PrepAway - Latest Free Exam Questions & Answers

Which of the following should be implemented?

A company wants to ensure that the validity of publicly trusted certificates used by its web server
can be determined even during an extended internet outage. Which of the following should be
implemented?


A. Recovery agent

B. OCSP

C. CRL

D. Key escrow

6 Comments on “Which of the following should be implemented?”

  1. Lake says:

    The CRL (Certificate Revocation List) is exactly what its name implies: a list of subscribers paired with digital certificate status. The list enumerates revoked certificates along with the reason(s) for revocation. The dates of certificate issue, and the entities that issued them, are also included. In addition, each list contains a proposed date for the next release. The CRL (Certificate Revocation List) was first released to allow the CA to revoke certificates; however, due to limitations with this method, it was succeeded by OCSP. The main advantage of OCSP is that, because the client is allowed to query the status of a single certificate instead of having to download and parse an entire list, there is much less overhead on the client and network.

    The Online Certificate Status Protocol (OCSP) is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate.
    An OCSP responder (a server typically run by the certificate issuer) may return a signed response signifying that the certificate specified in the request is ‘good’, ‘revoked’, or ‘unknown’. If it cannot process the request, it may return an error code.

    The correct answer is C.




  2. meac says:

    I also go for C. OCSP is a protocol which requires a network connection to work. Since we are talking of an extended internet outage, there is no way that OCSP would work under these circumstances.




  3. ezspader says:

    2 questions about offline verification of certificates are floating around for this test. One answers OCSP, the other CRL. I have found articles that say CRLs have a ~7 day lifespan. OCSP responses can be cached, but nobody says for how long. Then there is this…

    A proxy HTTP server can be used as an intermediate server to handle OCSP requests from cached responses, or forward requests to the configured responder. If a proxy server is configured for an application, all the OCSP requests for the application are sent to the configured server. The default proxy port is 80. A proxy server is not configured by default.

    So my questions are…
    1. How long can a CRL be used with no internet access?
    2. How long is the internet going to be down in this situation?
    3. How long can OCSP requests be cached?
    4. Can a proxy be used to verify OCSP from cache indefinitely?

    https://www.ibm.com/support/knowledgecenter/en/ssw_ibm_i_71/rzain/rzainocspconfig.htm




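Added example, not part of the original page or of any comment above: a throwaway OpenSSL lab that validates a certificate against a locally cached CRL with no network access, then repeats the check at a time past the CRL's next-update date, and again after the certificate is revoked and a new CRL is issued. The CA name, host name, file names and the 7-day CRL lifetime are assumptions chosen for the demo; it needs only the `openssl` command-line tool.

```shell
# Constructed lab: throwaway CA, one server cert, CRL valid 7 days (all assumed).
build_lab() {
  cd "$(mktemp -d)" || return 1
  mkdir newcerts && : > index.txt && echo 01 > serial && echo 01 > crlnumber
  cat > ca.cnf <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
CN = Constructed Demo CA
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
new_certs_dir = newcerts
serial = serial
crlnumber = crlnumber
certificate = ca.crt
private_key = ca.key
default_md = sha256
default_days = 30
default_crl_days = 7
policy = pol
[ pol ]
commonName = supplied
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -config ca.cnf -days 60 \
    -keyout ca.key -out ca.crt 2>/dev/null &&
  openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
    -subj "/CN=www.example.test" -keyout srv.key -out srv.csr 2>/dev/null &&
  openssl ca -batch -config ca.cnf -in srv.csr -out srv.crt 2>/dev/null &&
  openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null
}
# Validate srv.crt using only local files; $1 = optional epoch to validate at.
check_offline() {
  openssl verify -crl_check -CAfile ca.crt -CRLfile crl.pem \
    ${1:+-attime "$1"} srv.crt 2>&1 || true
}
revoke_and_reissue_crl() {
  openssl ca -config ca.cnf -revoke srv.crt 2>/dev/null &&
  openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null
}
build_lab || exit 1
openssl crl -in crl.pem -noout -lastupdate -nextupdate
check_offline                                      # inside the CRL window
check_offline "$(( $(date +%s) + 8 * 86400 ))"     # outage outlasts next update
revoke_and_reissue_crl && check_offline            # new CRL lists the cert
```

The second check fails even though the certificate itself is still valid: a cached CRL is accepted only until its next-update date, so the CRL lifetime bounds how long an outage can be ridden out.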
