Exam CAS-004 topic 1 question 207 discussion

Actual exam question from CompTIA's CAS-004
Question #: 207
Topic #: 1

A security architect works for a manufacturing organization that has many different branch offices. The architect is looking for a way to reduce traffic and ensure the branch offices receive the latest copy of revoked certificates issued by the CA at the organization’s headquarters location. The solution must also have the lowest power requirement on the CA.

Which of the following is the BEST solution?

  • A. Deploy an RA on each branch office.
  • B. Use Delta CRLs at the branches.
  • C. Configure clients to use OCSP.
  • D. Send the new CRLs by using scheduled jobs.
Suggested Answer: B

Comments

Breza
Highly Voted 2 years, 2 months ago
Selected Answer: C
C. This is a repeat question to #44.
upvoted 12 times
...
FOURDUE
Highly Voted 2 years, 2 months ago
Selected Answer: C
OCSP stapling: OCSP stapling enables the server, rather than the client, to make the request to the OCSP responder. The server staples the OCSP response to the certificate and returns it to the client during the TLS handshake. This approach enables the presenter of the certificate, rather than the issuing CA, to bear the resource cost of providing OCSP responses. It also enables the server to cache the OCSP responses and supply them to all clients. This significantly reduces the load on the OCSP responder because the response can be cached and periodically refreshed by the server rather than by each client. Reference: https://www.sciencedirect.com/topics/computer-science/revoke-certificate
upvoted 8 times
...
rice3cooker
Most Recent 7 months, 1 week ago
Selected Answer: C
CRLs can help reduce traffic but are not as effective as OCSP
upvoted 1 times
...
Bright07
8 months, 2 weeks ago
Explanation:
  • A. Deploy an RA on each branch office: This option may introduce additional overhead and complexity without necessarily addressing the need for low power requirements on the CA.
  • B. Use Delta CRLs at the branches: While Delta CRLs can reduce the size of the information being transmitted, they still require the clients to periodically check for updates, which may not be as efficient as using OCSP.
  • C. Configure clients to use OCSP: This is the best option because OCSP allows clients to check the status of a certificate in real-time, reducing the amount of traffic compared to downloading full CRLs or Delta CRLs. OCSP responses are typically smaller and can be cached, minimizing load on the CA.
  • D. Send the new CRLs by using scheduled jobs: This method may still require significant bandwidth and processing on the CA and may not provide timely updates for revoked certificates.
upvoted 1 times
...
EAlonso
9 months, 2 weeks ago
Between B and C, it is B... "Another option is to use Delta CRLs that include only revoked certificates since last Base CRL was published. Delta CRLs are meant to be smaller in size and can be published frequently, say every day." ... "OCSP is a good option but depend on certificate usage"
upvoted 1 times
...
ninjachuleta
10 months, 3 weeks ago
Selected Answer: B
Delta CRLs provide the latest revoked certificates.
upvoted 1 times
...
e4af987
1 year ago
Selected Answer: B
Here's the clue: "...the branch offices receive the latest copy of revoked certificates issued by the CA at the organization’s headquarters location..."
upvoted 2 times
...
userguy890
1 year, 2 months ago
Selected Answer: C
It's OCSP
upvoted 1 times
...
nelombg
1 year, 2 months ago
Answer is B https://www.securew2.com/blog/certificate-revocation-crl-explained
upvoted 2 times
...
Delab202
1 year, 3 months ago
Selected Answer: B
To address the challenge of reducing traffic and ensuring that branch offices receive the latest copies of revoked certificates issued by the Certificate Authority (CA) at the organization's headquarters, while also minimizing the power requirements on the CA, you can implement a solution involving Certificate Revocation Lists (CRLs) and Online Certificate Status Protocol (OCSP). Here's a strategy that combines these technologies: CRL Distribution Points (CDP): Configure the CA to publish CRLs to a centralized location accessible to all branch offices.
upvoted 2 times
...
OdinAtlasSteel
1 year, 5 months ago
Selected Answer: B
Deploying an RA at each branch office might introduce complexity and additional infrastructure at each location. Configuring clients to use OCSP might reduce traffic but could lead to increased load on the OCSP responder servers. Sending new CRLs using scheduled jobs might not be as efficient as Delta CRLs in minimizing the size of updates and traffic between the headquarters and branch offices. Therefore, using Delta CRLs at the branches is the best solution as it allows for efficient distribution of revoked certificate information with minimal impact on network traffic and the CA's power requirements.
upvoted 2 times
...
ThatGuyOverThere
1 year, 6 months ago
Selected Answer: B
OCSP would require calls to the CA back at HQ each time it's checked. Delta CRLs sent to a server at each branch office, which could then be used by the clients at that location, would require far less traffic back to HQ because the client to server checks would happen on-site.
upvoted 4 times
...
CXSSP
1 year, 7 months ago
Selected Answer: B
100% B
upvoted 4 times
...
imather
1 year, 9 months ago
Selected Answer: C
From https://www.encryptionconsulting.com/ocsp-vs-crl

OCSP
  • OCSP can be used to get the status of a single certificate.
  • Status of a certificate is fetched by making a request to an OCSP Responder.
  • Has less effect on the client and network resources.
  • Is the industry standard for Certificate Lifecycle Management currently.

CRL
  • A CRL is a list with multiple lines that has to be downloaded by the browser.
  • A CRL is distributed using a CDP point which can be an HTTP link or an LDAP server.
  • Has a big effect on client resources.
  • Used to be the only solution for Certificate Lifecycle Management.

OCSP stapling would be used here
upvoted 2 times
...
p1s3c
1 year, 11 months ago
Selected Answer: B
The BEST solution for reducing traffic and ensuring that branch offices receive the latest copy of revoked certificates is to use Delta Certificate Revocation Lists (CRLs) at the branches. Delta CRLs contain only newly revoked certificates since the last full CRL was issued, and therefore have smaller file sizes than full CRLs. This reduces the amount of traffic between the headquarters and branch offices. Additionally, using Delta CRLs will have the lowest power requirement on the CA compared to other solutions, such as deploying an RA on each branch office or configuring clients to use OCSP. Sending new CRLs by using scheduled jobs would require manual intervention and could result in delays in revoking certificates. Therefore, the correct answer is B. Use Delta CRLs at the branches.
upvoted 5 times
...
OneSaint
2 years, 2 months ago
Selected Answer: B
B. Delta CRL contains any certificates revoked since the last Base CRL update and is much shorter. Every week or so the RADIUS downloads a new version of the Base CRL and the Delta CRL is emptied and refreshed.
upvoted 7 times
...
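The base-plus-delta handling that several comments above describe, as an added example that is not part of the original thread: a branch-side validator keeps a cached base CRL and applies the small delta on top of it, following the RFC 5280 combination rules. The `Crl` class, its field names and all serial numbers are constructed for illustration; signature, issuer and scope checks are assumed to have passed already.

```python
from dataclasses import dataclass
from typing import Dict, Optional

REMOVE_FROM_CRL = "removeFromCRL"  # RFC 5280 reason code, valid only in delta CRLs

@dataclass
class Crl:
    crl_number: int                        # CRL Number extension
    revoked: Dict[int, str]                # serial number -> reason code
    base_crl_number: Optional[int] = None  # Delta CRL Indicator; None on a base CRL

def effective_revocations(base: Crl, delta: Optional[Crl]) -> Dict[int, str]:
    """Combine a cached base CRL with a delta CRL into one revocation view."""
    if base.base_crl_number is not None:
        raise ValueError("first argument must be a complete (base) CRL")
    merged = dict(base.revoked)
    if delta is None:
        return merged
    if delta.base_crl_number is None:
        raise ValueError("second argument is not a delta CRL")
    # The cached base must be at least as new as the base the delta was built on;
    # otherwise revocations between the two would be silently missed.
    if base.crl_number < delta.base_crl_number:
        raise ValueError("cached base CRL is too old for this delta; fetch a new base")
    # A delta that is not newer than the cached base adds nothing.
    if delta.crl_number <= base.crl_number:
        return merged
    for serial, reason in delta.revoked.items():
        if reason == REMOVE_FROM_CRL:
            merged.pop(serial, None)   # e.g. a certificate released from hold
        else:
            merged[serial] = reason
    return merged

def is_revoked(serial: int, base: Crl, delta: Optional[Crl] = None) -> bool:
    return serial in effective_revocations(base, delta)

# Constructed sample data: weekly base CRL 40, daily delta CRL 43 built on base 40.
BASE = Crl(40, {0x1001: "keyCompromise", 0x1002: "certificateHold", 0x1003: "superseded"})
DELTA = Crl(43, {0x1002: REMOVE_FROM_CRL, 0x1004: "keyCompromise"}, base_crl_number=40)
STALE_BASE = Crl(38, {0x1001: "keyCompromise"})

if __name__ == "__main__":
    for s in (0x1001, 0x1002, 0x1004):
        print(hex(s), "revoked" if is_revoked(s, BASE, DELTA) else "good")
```

The stale-base case is the one to watch operationally: a branch that misses a base CRL refresh must not keep applying new deltas to the old base.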