Exam CAS-004
Question 44

A security architect works for a manufacturing organization that has many different branch offices. The architect is looking for a way to reduce traffic and ensure the branch offices receive the latest copy of revoked certificates issued by the CA at the organization's headquarters location. The solution must also have the lowest power requirement on the CA.

Which of the following is the BEST solution?

    Correct Answer: B

    Using Delta CRLs at the branches is the best solution. Delta CRLs are smaller and contain only the newly revoked certificates since the last full CRL, which minimizes the amount of data that needs to be transferred. This approach reduces network traffic and ensures that branch offices receive the latest copy of revoked certificates efficiently. It also has a lower power requirement on the CA compared to other methods like continuously polling with OCSP or deploying additional infrastructure such as RAs across all branch offices.
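To make the mechanism behind option B concrete, here is an added illustration (not part of the exam page or any vendor's code) of how a relying party at a branch combines the infrequently published base CRL with a small delta CRL, following the combination rules in RFC 5280 section 5.2.4. The CRL structures and serial numbers are constructed sample data, not real certificates.

```python
# Added example: merging a base CRL with a delta CRL (RFC 5280 section 5.2.4).
# CRLs are modelled as plain Python objects with constructed sample data.
from dataclasses import dataclass, field
from typing import Dict, Optional

REMOVE_FROM_CRL = "removeFromCRL"   # reason code 8, only meaningful in a delta CRL


@dataclass
class Crl:
    crl_number: int                              # CRLNumber extension
    revoked: Dict[int, str] = field(default_factory=dict)  # serial -> reason
    delta_indicator: Optional[int] = None        # BaseCRLNumber (delta CRLs only)


def apply_delta(base: Crl, delta: Crl) -> Crl:
    """Return the effective revocation set obtained from base + delta."""
    if delta.delta_indicator is None:
        raise ValueError("not a delta CRL: BaseCRLNumber extension missing")
    # A delta may only be combined with a base whose CRLNumber is at least the
    # delta's BaseCRLNumber and less than the delta's own CRLNumber.
    if not (delta.delta_indicator <= base.crl_number < delta.crl_number):
        raise ValueError("delta CRL does not apply to this base CRL")
    merged = dict(base.revoked)
    for serial, reason in delta.revoked.items():
        if reason == REMOVE_FROM_CRL:
            merged.pop(serial, None)     # certificate released from hold
        else:
            merged[serial] = reason      # newly revoked, or reason updated
    return Crl(crl_number=delta.crl_number, revoked=merged)


def is_revoked(crl: Crl, serial: int) -> bool:
    return serial in crl.revoked


# Constructed sample: a weekly base CRL and a daily delta CRL from the HQ CA.
BASE = Crl(crl_number=100,
           revoked={0x1001: "keyCompromise", 0x1002: "certificateHold"})
DELTA = Crl(crl_number=103, delta_indicator=100,
            revoked={0x1003: "superseded", 0x1002: REMOVE_FROM_CRL})

if __name__ == "__main__":
    effective = apply_delta(BASE, DELTA)
    print(sorted(hex(s) for s in effective.revoked))   # ['0x1001', '0x1003']
```

The branch only downloads the two-entry delta each day instead of the full list, which is the traffic saving the question is after; a base with a CRLNumber outside the delta's window is rejected rather than silently merged.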

Discussion
EZPASS (Option: C)

I believe C is correct. OCSP stapling: OCSP stapling enables the server, rather than the client, to make the request to the OCSP responder. The server staples the OCSP response to the certificate and returns it to the client during the TLS handshake. This approach enables the presenter of the certificate, rather than the issuing CA, to bear the resource cost of providing OCSP responses. It also enables the server to cache the OCSP responses and supply them to all clients. This significantly reduces the load on the OCSP responder because the response can be cached and periodically refreshed by the server rather than by each client.

Protocol0 (Option: C)

An excerpt from the link provided: Online Certificate Status Protocol. The OCSP was designed with the goal of reducing the costs of CRL transmission and eliminating the time lag between certificate invalidity and certificate revocation inherent in CRL-based designs. The idea behind OCSP is straightforward. A CA certificate contains a reference to an OCSP server. A client validating a certificate transmits the certificate serial number, a hash of the issuer name, and a hash of the subject name to that OCSP server. The OCSP server checks the certificate status and returns an indication as to the current status of the certificate. This removes the need to download the entire list of revoked certificates and also allows for essentially instantaneous revocation of invalid certificates. It has the design trade-off of requiring that clients validating certificates have network connectivity to the required OCSP server.

javier051977 (Option: B)

Answer is B. A Certificate Revocation List (CRL) is a list of certificates that have been revoked by the Certificate Authority (CA). Delta CRLs are an efficient way to distribute CRL information because they only contain newly revoked certificates, rather than the entire list of revoked certificates. This means that the Delta CRL is smaller and faster to download, reducing network traffic. Using Delta CRLs at the branches (option B) is the best solution to reduce traffic and ensure the branch offices receive the latest copy of revoked certificates issued by the CA, while having the lowest power requirement on the CA.

OneSaint (Option: B)

It's B: Delta CRL is an incremental CRL issued several times between Base CRL publishing and will contain only those certificates that were revoked since the last Base CRL was issued. Usually Delta CRLs are published quite frequently (for example, every 1-2 days) to keep certificate revocation status information up to date.

catastrophie (Option: B)

OCSP is NOT the best choice here. OCSP does not provide lists of revoked certs or send copies of anything anywhere. In OCSP, a user or client must submit a certificate to the website for verification. It will come back with one of three results: good, revoked, unknown. For example, a company has 100 certs. They must submit all 100 to find out which are revoked. That is not what the architect is looking to do here. They want delta CRLs. This process sends updates on certificate statuses as they happen if they happen. So if a cert expires today, the delta CRL will send that revocation status after it has expired. If nothing expires or changes, then nothing is sent. This saves manpower and reduces traffic because certificates are not constantly being submitted for verification.

BiteSize (Option: C)

The lowest power requirement is checking cert status via the easy one-time validation instead of the Master CRL. Source: Verifying each answer against Chat GPT, my experience, other test banks, a written book, and weighing in the discussion from all users to create a 100% accurate guide for myself before I take the exam. (It isn't easy because of the time needed, but it is doing my diligence)

talosDevbot (Option: B)

Answer here is Delta CRLs. Key phrase here is "latest copy of revoked certificates". While OCSP is bandwidth-efficient, it only returns the status of a certificate submitted in the OCSP request. It does not return a copy of revoked certificates.

Anarckii (Option: B)

B. Use Delta CRLs at the branches. The solution must also have the lowest power requirement on the CA.

p1s3c (Option: B)

B is correct. Using Delta CRLs at the branches would be the best solution to reduce traffic and ensure the branch offices receive the latest copy of revoked certificates issued by the CA at the organization's headquarters location. Delta CRLs contain only the new or changed entries from the previous CRL, reducing the amount of data that needs to be transferred over the network. This approach can reduce network traffic and improve the performance of the certificate revocation checking process. Additionally, Delta CRLs can be configured to be automatically retrieved by the client devices, ensuring that they always have the latest information. This approach has the lowest power requirement on the CA as it only needs to generate and distribute the smaller Delta CRLs instead of the larger full CRLs.

EnchantedShores (Option: B)

Fully with B on this one. A Delta CRL shows the most recently revoked certificates. While OCSP is faster, it's resource-intensive, and will only respond with information on a requested certificate. For this, if they need to track multiple revoked certificates it's better to use the Delta CRL.

23169fd (Option: B)

Both B and C will do the job, but B will fit the requirements: Reduced Traffic: Delta CRLs are significantly smaller than full CRLs as they only contain the changes since the last CRL update. This reduces the amount of data that needs to be transferred to the branch offices. Efficient Updates: Branch offices can be updated with the latest revocation information without needing to download the entire CRL, making the update process more efficient. Lower CA Load: Generating delta CRLs is less resource-intensive for the CA compared to generating full CRLs frequently. The CA only needs to issue a full CRL periodically, and smaller delta CRLs more frequently.

ninjachuleta (Option: B)

Delta CRLs provide the latest revoked certificates. Question #207 is a repeat.

SangSang (Option: B)

OCSP is good and lightweight, but it may introduce continuous status checking, which increases the network traffic. Delta CRLs only contain the latest updated version of certificates and do it only one time.

loucrass (Option: B)

The correct answer is Delta CRLs.

OdinAtlasSteel (Option: B)

Using OCSP (Online Certificate Status Protocol) is a valid approach for checking the revocation status of certificates in real-time. However, when evaluating the given requirements in the context of reducing traffic and ensuring branch offices receive the latest copy of revoked certificates with the lowest power requirement on the CA, using Delta CRLs (Certificate Revocation Lists) is generally a more suitable solution.

CASP_Master (Option: B)

The best solution for this scenario would be to use Delta CRLs at the branches. Delta CRLs allow the organization to distribute only the changes to the CRL rather than the entire CRL, which reduces traffic and conserves bandwidth. This also ensures that the branch offices receive the latest copy of revoked certificates issued by the CA at the organization's headquarters location. Additionally, using Delta CRLs has a low power requirement on the CA as it only needs to publish changes to the CRL. Deploying an RA on each branch office or configuring clients to use OCSP may not be practical or efficient for a large organization with many branches. Sending the new CRLs by using GPO may also result in excessive traffic and increased load on the network.

OneSaint (Option: A)

Delta CRL is an incremental CRL issued several times between Base CRL publishing and will contain only those certificates that were revoked since the last Base CRL was issued. Usually Delta CRLs are published quite frequently (for example, every 1-2 days) to keep certificate revocation status information up to date.