Exam CAS-004
Question 207

A security architect works for a manufacturing organization that has many different branch offices. The architect is looking for a way to reduce traffic and ensure the branch offices receive the latest copy of revoked certificates issued by the CA at the organization’s headquarters location. The solution must also have the lowest power requirement on the CA.

Which of the following is the BEST solution?

Correct Answer: B

Using Delta CRLs at the branches is the best solution because it minimizes network traffic and reduces the load on the CA. Delta CRLs contain only the newly revoked certificates since the last full CRL, which allows for more efficient updates. This approach ensures that the branch offices receive the latest revocation information without requiring significant power or bandwidth consumption. Configuring clients to use OCSP, while useful, would increase the load on the OCSP responder and involve more frequent checks. Deploying an RA at each branch office would introduce unnecessary complexity. Sending CRLs by scheduled jobs could lead to delays and isn't as efficient.
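As an added illustration (not part of the original page or of any CA product), this Python example models how a branch relying party combines its cached base CRL with a small delta CRL under the RFC 5280 section 5.2.4 rules, and rejects a delta that does not fit the cached base. The `Crl` class, its field names, and the sample issuer and serial numbers are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

REMOVE_FROM_CRL = "removeFromCRL"  # RFC 5280 reason code 8, delta CRLs only

@dataclass
class Crl:  # hypothetical in-memory model, not a real X.509 parser
    issuer: str
    crl_number: int
    next_update: datetime
    revoked: dict = field(default_factory=dict)  # serial -> reason
    base_crl_number: Optional[int] = None        # set only on a delta CRL

def effective_revoked(base: Crl, delta: Crl, now: datetime) -> set:
    """Combine a cached base CRL with a delta CRL (RFC 5280 section 5.2.4)."""
    if delta.base_crl_number is None:
        raise ValueError("not a delta CRL: no delta CRL indicator")
    if base.base_crl_number is not None:
        raise ValueError("base must be a complete CRL")
    if base.issuer != delta.issuer:
        raise ValueError("issuer mismatch")
    if base.crl_number < delta.base_crl_number:
        raise ValueError("cached base too old: fetch a new base")
    if delta.crl_number <= base.crl_number:
        raise ValueError("delta does not follow the base in sequence")
    if now > delta.next_update:
        raise ValueError("delta CRL is stale (past nextUpdate)")
    serials = set(base.revoked)
    for serial, reason in delta.revoked.items():
        if reason == REMOVE_FROM_CRL:
            serials.discard(serial)  # e.g. a certificateHold that was released
        else:
            serials.add(serial)
    return serials

# Constructed sample data: HQ CA issued base CRL #40, then delta CRL #43.
NOW = datetime(2024, 1, 10, tzinfo=timezone.utc)
BASE = Crl("CN=HQ Issuing CA", 40, NOW + timedelta(days=4),
           {0x1001: "keyCompromise", 0x1002: "certificateHold"})
DELTA = Crl("CN=HQ Issuing CA", 43, NOW + timedelta(hours=12),
            {0x2001: "cessationOfOperation", 0x1002: REMOVE_FROM_CRL},
            base_crl_number=40)

if __name__ == "__main__":
    print(sorted(hex(s) for s in effective_revoked(BASE, DELTA, NOW)))
```

The branch only downloads the two-entry delta between base publications, yet a delta built on a newer base than the one cached is refused rather than silently merged.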

Discussion
Breza (Option: C)

C. This is a repeat question to #44.

OneSaint (Option: B)

B. Delta CRL contains any certificates revoked since the last Base CRL update and is much shorter. Every week or so the RADIUS downloads a new version of the Base CRL and the Delta CRL is emptied and refreshed.

FOURDUE (Option: C)

OCSP stapling: OCSP stapling enables the server, rather than the client, to make the request to the OCSP responder. The server staples the OCSP response to the certificate and returns it to the client during the TLS handshake. This approach enables the presenter of the certificate, rather than the issuing CA, to bear the resource cost of providing OCSP responses. It also enables the server to cache the OCSP responses and supply them to all clients. This significantly reduces the load on the OCSP responder because the response can be cached and periodically refreshed by the server rather than by each client. Reference: https://www.sciencedirect.com/topics/computer-science/revoke-certificate

p1s3c (Option: B)

The BEST solution for reducing traffic and ensuring that branch offices receive the latest copy of revoked certificates is to use Delta Certificate Revocation Lists (CRLs) at the branches. Delta CRLs contain only newly revoked certificates since the last full CRL was issued, and therefore have smaller file sizes than full CRLs. This reduces the amount of traffic between the headquarters and branch offices. Additionally, using Delta CRLs will have the lowest power requirement on the CA compared to other solutions, such as deploying an RA on each branch office or configuring clients to use OCSP. Sending new CRLs by using scheduled jobs would require manual intervention and could result in delays in revoking certificates. Therefore, the correct answer is B. Use Delta CRLs at the branches.

ThatGuyOverThere (Option: B)

OCSP would require calls to the CA back at HQ each time it's checked. Delta CRLs sent to a server at each branch office, which could then be used by the clients at that location, would require far less traffic back to HQ because the client to server checks would happen on-site.

CXSSP (Option: B)

100% B

e4af987 (Option: B)

Here's the clue: "...the branch offices receive the latest copy of revoked certificates issued by the CA at the organization’s headquarters location..."

nelombg (Option: B)

Answer is B https://www.securew2.com/blog/certificate-revocation-crl-explained

Delab202 (Option: B)

To address the challenge of reducing traffic and ensuring that branch offices receive the latest copies of revoked certificates issued by the Certificate Authority (CA) at the organization's headquarters, while also minimizing the power requirements on the CA, you can implement a solution involving Certificate Revocation Lists (CRLs) and Online Certificate Status Protocol (OCSP). Here's a strategy that combines these technologies: CRL Distribution Points (CDP): Configure the CA to publish CRLs to a centralized location accessible to all branch offices.

OdinAtlasSteel (Option: B)

Deploying an RA at each branch office might introduce complexity and additional infrastructure at each location. Configuring clients to use OCSP might reduce traffic but could lead to increased load on the OCSP responder servers. Sending new CRLs using scheduled jobs might not be as efficient as Delta CRLs in minimizing the size of updates and traffic between the headquarters and branch offices. Therefore, using Delta CRLs at the branches is the best solution as it allows for efficient distribution of revoked certificate information with minimal impact on network traffic and the CA's power requirements.

imather (Option: C)

From https://www.encryptionconsulting.com/ocsp-vs-crl

OCSP:
- OCSP can be used to get the status of a single certificate.
- Status of a certificate is fetched by making a request to an OCSP Responder.
- Has less effect on the client and network resources.
- Is the industry standard for Certificate Lifecycle Management currently.

CRL:
- A CRL is a list with multiple lines that has to be downloaded by the browser.
- A CRL is distributed using a CDP point which can be an HTTP link or an LDAP server.
- Has a big effect on client resources.
- Used to be the only solution for Certificate Lifecycle Management.

OCSP stapling would be used here.

EAlonso (Option: B)

Between B and C, it is B. "Another option is to use Delta CRLs that include only revoked certificates since last Base CRL was published. Delta CRLs are meant to be smaller in size and can be published frequently, say every day." ... "OCSP is a good option but depend on certificate usage"

ninjachuleta (Option: B)

Delta CRLs provide the latest revoked certificates.

userguy890 (Option: C)

It's OCSP.