A security administrator must implement a system to ensure that invalid certificates are not used by a custom developed application. The system must be able to check the validity of certificates even when internet access is unavailable.
Which of the following MUST be implemented to support this requirement?
A. CSR
B. OCSP
C. CRL
D. SSH
A CRL is cached and is periodically updated, which meets the criteria for a server to validate certificates “even during an extended internet outage”.
OCSP (Online Certificate Status Protocol) requires active connectivity to validate certificates, which uses a large amount of network traffic. To circumvent the large amount of network traffic there is such a thing as OCSP Stapling to cache the statuses of certificates, but the question makes no mention of OCSP Stapling. A certificate still needs to be validated during the OCSP Stapling process, which would still require network traffic to validate certificates.
My answer would go with CRL.
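As an added example that is not part of the original thread, the following Python (using the `cryptography` library) shows what the "cached CRL checked offline" design from the post above looks like in practice. The CA, the two end-entity certificates, the CRL and the fixed clock are all constructed inline as demo data with hypothetical names, so it runs with no network access. Beyond the lookup itself it shows the two checks a practitioner would add: the cached CRL has to be signature-verified against the trusted CA (otherwise anyone who can write to the cache can "un-revoke" everything with an empty list), and a CRL whose nextUpdate has passed is stale and should be treated as unknown rather than as proof that the certificate is fine.

```python
import datetime as dt

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Fixed clock so the demo is deterministic; a real checker uses the current time.
NOW = dt.datetime(2024, 1, 1, tzinfo=dt.timezone.utc)
CA_NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Internal CA")])

def make_ca(name=CA_NAME):
    """Self-signed CA; constructed demo data with a hypothetical name."""
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name).public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(NOW - dt.timedelta(days=1))
            .not_valid_after(NOW + dt.timedelta(days=3650))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert

def issue_leaf(ca_key, ca_cert, common_name):
    """End-entity certificate signed by the CA (hypothetical host names)."""
    key = ec.generate_private_key(ec.SECP256R1())
    return (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)]))
            .issuer_name(ca_cert.subject).public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(NOW - dt.timedelta(days=1))
            .not_valid_after(NOW + dt.timedelta(days=365))
            .sign(ca_key, hashes.SHA256()))

def build_crl(ca_key, ca_cert, revoked, this_update, validity=dt.timedelta(days=7)):
    """DER-encoded CRL: the blob the application caches on disk and refreshes periodically."""
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(ca_cert.subject)
               .last_update(this_update)
               .next_update(this_update + validity))  # CA promises a fresh CRL by then
    for cert in revoked:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder()
            .serial_number(cert.serial_number)
            .revocation_date(this_update)
            .build())
    return builder.sign(ca_key, hashes.SHA256()).public_bytes(serialization.Encoding.DER)

def _next_update(crl):
    """tz-aware nextUpdate across cryptography versions (next_update_utc exists from 42.0)."""
    nu = getattr(crl, "next_update_utc", None)
    if nu is None and crl.next_update is not None:
        nu = crl.next_update.replace(tzinfo=dt.timezone.utc)
    return nu

def check_revocation(cert, cached_crl_der, ca_cert, now):
    """Revocation status of `cert` from the cached CRL alone; no network access needed."""
    # Chain validation (CA signature on cert, validity dates, names) is assumed done elsewhere.
    crl = x509.load_der_x509_crl(cached_crl_der)
    # 1. Authenticate the cached list: anyone who can write to the cache could
    #    otherwise drop in an empty CRL that "un-revokes" everything.
    if not crl.is_signature_valid(ca_cert.public_key()):
        return "crl-signature-invalid"
    if crl.issuer != cert.issuer:
        return "crl-issuer-mismatch"
    # 2. Past nextUpdate the list may lack recent revocations; treat as unknown
    #    (hard fail) instead of quietly accepting the certificate.
    nu = _next_update(crl)
    if nu is not None and now > nu:
        return "crl-stale"
    # 3. The offline lookup itself: is this serial number on the list?
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return "revoked"
    return "good"

def demo():
    """Exercise the four cases and return the results keyed by scenario."""
    ca_key, ca_cert = make_ca()
    good = issue_leaf(ca_key, ca_cert, "app.internal.example")
    compromised = issue_leaf(ca_key, ca_cert, "compromised.internal.example")
    cached_crl = build_crl(ca_key, ca_cert, [compromised], this_update=NOW)
    # Attacker-run CA reusing the real CA's name and publishing an empty CRL.
    rogue_key, rogue_ca = make_ca()
    forged_crl = build_crl(rogue_key, rogue_ca, [], this_update=NOW)
    later = NOW + dt.timedelta(days=1)
    return {
        "good": check_revocation(good, cached_crl, ca_cert, later),
        "revoked": check_revocation(compromised, cached_crl, ca_cert, later),
        "stale": check_revocation(good, cached_crl, ca_cert, NOW + dt.timedelta(days=10)),
        "forged": check_revocation(compromised, forged_crl, ca_cert, later),
    }

if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario:>8}: {result}")
```

The only thing that needs the network here is refreshing the cached DER blob before its nextUpdate, which is exactly the periodic update the post describes; the check itself never leaves the host. Whether to hard-fail or soft-fail on a stale CRL is a policy decision, but for an application that must reject invalid certificates, failing closed is the defensible default.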
A Certificate Revocation List (CRL) is a list of digital certificates that have been revoked by the issuing Certificate Authority (CA) before their scheduled expiration date and should no longer be trusted. … The X.509 standard defines the format and semantics of a CRL for a public key infrastructure.
I think B is the answer because OCSP works even offline. And it's clear in the question that they mentioned “when internet access is unavailable”!