Effective CISSP Questions

When engaging in an HTTPS communication, a web browser verifies the certificate of the web server. Which of the following is the least efficient way to verify the certificate in terms of performance or verification time? (Wentz QOTD)
A. Certificate expiration date
B. Certificate revocation list
C. HTTP Public Key Pinning
D. Online Certificate Status Protocol (OCSP) stapling

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is B. Certificate revocation list.

Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams and an informative reference for security professionals.

Public key infrastructure (Credit: Wikipedia)

A certificate revocation list (CRL) is a list of digital certificates that have been revoked before their expiration date. CRLs are generated and published periodically, e.g., weekly or daily, and, in some cases, hourly. It’s inefficient for web browsers to request and download the CRL from the Certificate Authority or the Validation Authority (VA). The VA hosts a certificate revocation list for download via the HTTP or LDAP protocols.

Because of the latency of CRLs, the Online Certificate Status Protocol (OCSP) makes online status queries possible. A browser can send OCSP requests to the OCSP responder for the certificate status. However, a high volume of OCSP queries burdens the OCSP server.

The Online Certificate Status Protocol (OCSP) stapling, formally known as the TLS Certificate Status Request extension, is a standard for checking the revocation status of X.509 digital certificates. It allows the presenter of a certificate to bear the resource cost involved in providing Online Certificate Status Protocol (OCSP) responses by appending (“stapling”) a time-stamped OCSP response signed by the CA to the initial TLS handshake, eliminating the need for clients to contact the CA, with the aim of improving both security and performance. (Wikipedia)

Public Key Pinning means a certificate containing a public key is preloaded into an application at development time or added when the key is first encountered. “HTTP Public Key Pinning (HPKP) is an obsolete Internet security mechanism delivered via an HTTP header which allows HTTPS websites to resist impersonation by attackers using misissued or otherwise fraudulent digital certificates. A server uses it to deliver to the client (e.g. web browser) a set of hashes of public keys that must appear in the certificate chain of future connections to the same domain name.” (Wikipedia)

A certificate is assigned an expiration date. A browser can verify it locally, as soon as it receives the certificate, without any additional network request.
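As an added example (not part of the original post), the following Go program uses only the standard library to build a throwaway CA, a leaf certificate issued by it, and a CRL signed by it that revokes the leaf. It then runs three of the checks the post describes: the purely local expiration check, the CRL lookup (with the signature and freshness checks a relying party should apply before trusting a downloaded CRL), and HPKP pin matching against a Public-Key-Pins header value. OCSP and OCSP stapling are not shown because the Go standard library has no OCSP encoder. The CA name, host name and serial numbers are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Fixture holds the constructed CA, the leaf it issued and the CRL it signed.
type Fixture struct {
	CA, Leaf *x509.Certificate
	CRLDER   []byte
}

// BuildFixture generates everything in memory. The leaf is valid for 30 days
// from `now`; the CRL is published at `now` and is fresh for 7 days.
func BuildFixture(now time.Time) (*Fixture, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo Root CA"}, // constructed
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // CRLSign is required to issue CRLs
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	ca, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(4242), Subject: pkix.Name{CommonName: "www.example.test"}, // constructed
		DNSNames:  []string{"www.example.test"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(30 * 24 * time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, err
	}
	// The CRL lists the leaf's serial number as revoked at publication time.
	crlTmpl := &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(7 * 24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: now}},
	}
	crlDER, err := x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey)
	if err != nil {
		return nil, err
	}
	return &Fixture{CA: ca, Leaf: leaf, CRLDER: crlDER}, nil
}

// IsExpired is the local check: a clock comparison, no network round trip.
func IsExpired(cert *x509.Certificate, now time.Time) bool {
	return now.Before(cert.NotBefore) || now.After(cert.NotAfter)
}

// RevokedByCRL verifies the CRL's signature against the issuer, rejects a CRL
// past its NextUpdate, then scans the (possibly large) list for one serial.
func RevokedByCRL(crlDER []byte, issuer *x509.Certificate, serial *big.Int, now time.Time) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return false, err
	}
	if now.After(crl.NextUpdate) {
		return false, fmt.Errorf("stale CRL: next update was due %s", crl.NextUpdate.UTC())
	}
	for _, e := range crl.RevokedCertificates {
		if e.SerialNumber.Cmp(serial) == 0 {
			return true, nil
		}
	}
	return false, nil
}

// SPKIPin is the HPKP pin value: base64(SHA-256(SubjectPublicKeyInfo DER)).
func SPKIPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// PinsFromHeader extracts every pin-sha256 value from a Public-Key-Pins header.
func PinsFromHeader(header string) []string {
	var pins []string
	for _, d := range strings.Split(header, ";") {
		if d = strings.TrimSpace(d); strings.HasPrefix(d, "pin-sha256=") {
			pins = append(pins, strings.Trim(strings.TrimPrefix(d, "pin-sha256="), `"`))
		}
	}
	return pins
}

// ChainMatchesPins reports whether any certificate in the chain has a pinned key.
func ChainMatchesPins(chain []*x509.Certificate, pins []string) bool {
	for _, c := range chain {
		for _, want := range pins {
			if want == SPKIPin(c) {
				return true
			}
		}
	}
	return false
}

func main() {
	now := time.Now()
	f, err := BuildFixture(now)
	if err != nil {
		panic(err)
	}
	fmt.Println("expired now:", IsExpired(f.Leaf, now), " expired in 31 days:", IsExpired(f.Leaf, now.Add(31*24*time.Hour)))
	revoked, err := RevokedByCRL(f.CRLDER, f.CA, f.Leaf.SerialNumber, now)
	fmt.Println("revoked per CRL:", revoked, err)
	_, err = RevokedByCRL(f.CRLDER, f.CA, f.Leaf.SerialNumber, now.Add(8*24*time.Hour))
	fmt.Println("CRL checked a week late:", err)
	header := fmt.Sprintf(`pin-sha256="%s"; max-age=5184000; includeSubDomains`, SPKIPin(f.Leaf))
	fmt.Println("pin matches chain:", ChainMatchesPins([]*x509.Certificate{f.Leaf, f.CA}, PinsFromHeader(header)))
}
```

The expiration check needs nothing but the certificate and a clock. The CRL path needs the whole list to be fetched, its signature verified and its freshness confirmed before a single serial can be looked up, which is where the cost the post describes comes from; the stale-CRL branch also shows why a client cannot simply cache a CRL indefinitely.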

Public Key in the Certificate


When engaging in an HTTPS communication, a web browser verifies the certificate of the web server. Which of the following is the least efficient in terms of performance or verification time? (Wentz QOTD)
A. Certificate validity period
B. Certificate revocation list
C. HTTP public key pinning
D. Online Certificate Status Protocol (OCSP) stapling
