Your organization implemented an X.509-based public key infrastructure. Which of the following is the most efficient way to identify a service endpoint to validate a certificate using online certificate status protocol? (Wentz QOTD)
A. Lookup extensions in the certificate itself
B. Retrieve the first entry in the certificate revocation list
C. Query the TXT record, _ocsp_crl, on the DNS server
D. Query the SRV record, _ocsp, on the DNS server
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is A. Lookup extensions in the certificate itself.
Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams and an informative reference for security professionals.
A certificate is issued by a certificate authority and assigned an expiration date. It can be revoked before the expiration date because of a breach of the private key or other reasons. There are two ways to validate a certificate: certificate revocation list (CRL) and online certificate status protocol (OCSP). A CRL is a list of revoked certificates provided by the CA or validation authority (VA) and typically updated periodically. OCSP is a protocol for clients to query the status of a certificate in real-time. The download URL of CRL and service endpoint of OCSP can be found in a certificate. The Certificate Authority Information Access extension of a certificate provides the service endpoint of OCSP. DNS technically can be implemented to support the lookup of the OCSP endpoint or CRL. However, it’s not a standard approach.
Reference
- OCSP & CRL and Revoked SSL Certificates
- How can I figure out which OCSP URL should be used for a certificate with OpenSSL?
- What the heck is OCSP?
- Certificate revocation list
- CRL Explained: What Is a Certificate Revocation List?
您的組織實施了基於 X.509 的公鑰基礎結構(PKI)。 以下哪項是識別服務端點以使用在線證書狀態協議(OSCP)驗證證書的最有效率的方法? (Wentz QOTD)
A. 查找證書本身中的擴展名(extensions)
B. 檢索證書吊銷列表(CRL)中的第一個條目
C. 查詢DNS服務器上的TXT記錄, _ocsp_crl
D. 查詢DNS服務器上的SRV記錄, _ocsp