Exam SY0-601 topic 1 question 664 discussion

Yes, the question says it's an offline government facility so it automatically eliminates OCSP which makes CRL the only viable choice. CRL is the correct answer.

Given the scenario of an offline government facility and the need to check the validity of an SSL certificate, the correct choice for determining if a certificate has been revoked is: C. CRL (Certificate Revocation List). Reasoning: In an offline environment, real-time online checks using OCSP are not feasible. CRLs provide a comprehensive list of all certificates that have been revoked by a Certificate Authority. This list can be manually downloaded and transferred to the offline facility periodically, allowing for local checks against the list to determine if a certificate has been revoked. This manual transfer and local validation make CRLs more suitable for strictly offline scenarios, ensuring that certificate validity can still be checked even without direct online access.

This is such a dumb question. If the government facility is offline, why are there certificates involved? Shouldn't this building be solely paper based? Why have computers in the first place, if they are offline. Why have an I.T. guy? Offline because of power outage or not, I.T. guy has his own company laptop with battery power and VPN to headquarters, he would still be able to check certificates quickly using OCSP. I wouldn't get to hung up on the "Offline" thing because both OCSP and CRL requires Internet connection to pull up that info. OCSP just gives it to you faster and live which CRL can't

C no doubt

OCSP might be correct if the facility sets up an internal OCSP responder that stores the revocation status of certificates locally. This responder periodically receives updates on certificate revocations from the Certificate Authority (CA) and stores them locally.

To quickly check the validity of an SSL certificate and determine if it has been revoked, the best option is: B. OCSP (Online Certificate Status Protocol) OCSP allows for real-time checking of the status of a digital certificate. It provides a faster and more efficient method compared to Certificate Revocation Lists (CRLs), which require periodic updates and may not reflect the most current certificate status. OCSP queries the issuing Certificate Authority (CA) to instantly verify if a certificate has been revoked or is still valid. This makes it the most suitable choice for the scenario described, where speed and minimal delay are important considerations.

OFFLINE

C. CRL CRL is a list of certificates that have been revoked by the issuing Certificate Authority (CA). While it requires periodic updates and can introduce some delay due to the need to download the list, it can be stored locally and checked against certificates without requiring an online connection. Therefore, in an offline government facility, CRL would be the most feasible option for checking the validity of SSL certificates.

For Offline options is Option B. For Online Options is Option C.

"fastest check with the least delay" would certainly be OCSP. "Offsite" would indicate an offline list. In this case should we assume that the 'quickest" is CRL because OCSP is not possible?

Given the scenario of an offline government facility and the need to check the validity of an SSL certificate, the correct choice for determining if a certificate has been revoked is: C. CRL (Certificate Revocation List). Reasoning: In an offline environment, real-time online checks using OCSP are not feasible. CRLs provide a comprehensive list of all certificates that have been revoked by a Certificate Authority. This list can be manually downloaded and transferred to the offline facility periodically, allowing for local checks against the list to determine if a certificate has been revoked. This manual transfer and local validation make CRLs more suitable for strictly offline scenarios, ensuring that certificate validity can still be checked even without direct online access.

Just bc the assets or facility is offline doesn't mean that they cant access and request the OCSP say from a phone or another network? That would be the quickest method without a download still wouldn't it???

B. OCSP (Online Certificate Status Protocol) - OCSP is an online protocol that allows for real-time checks of a certificate's status. This method involves querying an OCSP responder, which can quickly return the status of a certificate without needing to download a large list of all revoked certificates

Offline = CRL

if the security engineer is in a government offline facility with no connection or internet, they cannot use OCSP to check the certificate's revocation status. In this case, the engineer should use the Certificate Revocation List (CRL) method to find out the certificate's status. The CRL is a list of revoked certificates that is maintained by the Certificate Authority (CA).

It is in a offline environment, CRL

OCSP supports a use case of low latency. When a certificate is revoked, it adds the certificate to a CRL. However, CRLs are cached so clients using the CRL won’t know the certificate is revoked until the CRL is refreshed. OCSP provides a real-time response eliminating this latency. -Security+ SY0-601 Get Certified Get Ahead by Darril Gibson