Which of the following is the MOST common use of the Online Certificate Status Protocol (OCSP)?
The most common use of the Online Certificate Status Protocol (OCSP) is to obtain the revocation status of an X.509 digital certificate. OCSP is specifically designed to provide real-time information on the status of a certificate, whether it has been revoked, and thus is no longer trusted. This is a key part of maintaining secure communications and ensuring that certificates being presented for authentication or encryption are still valid.
The Online Certificate Status Protocol (OCSP) is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate.
C is correct
It's in the name Online Certificate Status Protocol (OCSP) - we want to check the "status" of a cert!
Online Certificate Status Protocol (OCSP) A request/response protocol used over HTTP. A client uses OCSP to contact the CA directly and ask about the revocation status of a particular certificate. Since an OCSP request is much smaller than a full CRL, this can save significantly on network resources, and since it doesn’t rely on publication periods, it can always be up to date. For these reasons, OCSP is generally seen as a more flexible and modern alternative to CRL.
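An added example, not part of the thread or of any library's code, illustrating the request-size point above: it builds the DER bytes of an unsigned, single-certificate OCSP request as defined in RFC 6960, using only the Python standard library. The issuer name, issuer key bytes and serial number are constructed sample values.

```python
import base64
import hashlib
import urllib.parse

def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV (definite length, short or long form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + content

def der_int(value: int) -> bytes:
    """DER INTEGER for a non-negative serial (adds 0x00 if the top bit is set)."""
    return der(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))

# AlgorithmIdentifier for SHA-1 (OID 1.3.14.3.2.26, NULL parameters). The hash
# only identifies the issuer inside CertID; it is not a signature.
SHA1_ALG = der(0x30, der(0x06, bytes.fromhex("2b0e03021a")) + der(0x05, b""))

def build_ocsp_request(issuer_name_der: bytes, issuer_key_bits: bytes, serial: int) -> bytes:
    """Unsigned OCSPRequest for one certificate (RFC 6960, section 4.1.1)."""
    cert_id = der(0x30, SHA1_ALG
                  + der(0x04, hashlib.sha1(issuer_name_der).digest())  # issuerNameHash
                  + der(0x04, hashlib.sha1(issuer_key_bits).digest())  # issuerKeyHash
                  + der_int(serial))                                   # serialNumber
    # Nesting: OCSPRequest > TBSRequest > requestList > Request > CertID
    return der(0x30, der(0x30, der(0x30, der(0x30, cert_id))))

def http_get_path(request: bytes) -> str:
    """GET form from RFC 6960 Appendix A: URL-encoded base64 of the DER request."""
    return "/" + urllib.parse.quote(base64.b64encode(request).decode("ascii"), safe="")

# Constructed sample input: issuer Name "CN=Example CA", placeholder key bytes.
ISSUER_NAME = der(0x30, der(0x31, der(0x30,
                  der(0x06, bytes.fromhex("550403")) + der(0x0C, b"Example CA"))))
ISSUER_KEY_BITS = bytes(range(64))  # stand-in for the issuer's public key bits
SERIAL = 0x1001                     # constructed serial number

if __name__ == "__main__":
    req = build_ocsp_request(ISSUER_NAME, ISSUER_KEY_BITS, SERIAL)
    print(len(req), "bytes:", req.hex())
    print("POST body (Content-Type: application/ocsp-request) or GET", http_get_path(req))
```

The whole request for one certificate is 69 bytes: two SHA-1 hashes that identify the issuer plus the serial number being asked about.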
(OCSP) This protocol eliminates the latency inherent in the use of certificate revocation lists by providing a means for real-time certificate verification. When a client receives a certificate, it sends an OCSP request to the CA's OCSP server. The server then responds with a status of valid, invalid, or unknown. The browser uses this information to determine whether the certificate is valid.
CISSP Official Study Guide pg 282 "Online Certificate Status Protocol (OCSP) This protocol eliminates the latency inherent in the use of certificate revocation lists by providing a means for real-time certificate verification. When a client receives a certificate, it sends an OCSP request to the CA's OCSP server. The server then responds with a status of valid, invalid, or unknown. The browser uses this information to determine whether the certificate is valid."
A. To verify the validity of an X.509 digital certificate "The Online Certificate Status Protocol (OCSP) is an alternative to the certificate revocation list (CRL) and is used to check whether a digital certificate is valid or if it has been revoked." https://www.fortinet.com/resources/cyberglossary/ocsp#:~:text=The%20Online%20Certificate%20Status%20Protocol%20(OCSP)%20is%20an%20alternative%20to,if%20it%20has%20been%20revoked. C is included in A. When I check certificates I check the status, not if it's revoked or not. Commands in general have a "status" flag, I don't recall ever seeing a "revoked" type option.
Simply A, Google it.
From the relevant RFC (RFC 6960) which is definitive: The Online Certificate Status Protocol (OCSP) enables applications to determine the (revocation) state of identified certificates. OCSP may be used to satisfy some of the operational requirements of providing more timely revocation information than is possible with CRLs and may also be used to obtain additional status information. An OCSP client issues a status request to an OCSP responder and suspends acceptance of the certificates in question until the responder provides a response.
Selected Answer: A Online Certificate Status Protocol (OCSP) This protocol eliminates the latency inherent in the use of certificate revocation lists by providing a means for real-time certificate verification. When a client receives a certificate, it sends an OCSP request to the CA’s OCSP server. The server then responds with a status of valid, invalid, or unknown. The browser uses this information to determine whether the certificate is valid.
I thought the OCSP was an upgrade from CRL and gave more than just the revocation status. ChatGPT gave answer C as well so I will go with that but I have my doubts.
A. To verify the validity of an X.509 digital certificate ......this is the best answer choice. OCSP is used to check validity of digital certifications. C. is a distraction by the use of the word "status". Answer A. encompasses C which makes it the best answer choice.
The Online Certificate Status Protocol (OCSP) is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate.