CompTIA Security Plus Mock Test Q1125

A company is concerned that a compromised certificate may result in a man-in-the-middle attack against backend financial servers. In order to minimize the amount of time a compromised certificate would be accepted by other servers, the company decides to add another validation step to SSL/TLS connections. Which of the following technologies provides the FASTEST revocation capability?

A. Online Certificate Status Protocol (OCSP)
B. Public Key Cryptography (PKI)
C. Certificate Revocation Lists (CRL)
D. Intermediate Certificate Authority (CA)


Correct Answer: A
Section: Cryptography

Explanation:
CRL (Certificate Revocation List) was first released to allow the CA to revoke certificates; however, due to limitations with this method it was succeeded by OCSP. The main advantage
of OCSP is that the client is allowed to query the status of a single certificate instead of having to download and parse an entire list, so there is much less overhead on the client
and network. Because the client asks the OCSP responder at connection time rather than relying on a list published on a fixed schedule, a revocation becomes visible to relying servers sooner.

Incorrect Answers:
B: PKI is an arrangement that binds public keys with respective user identities by means of a certificate authority (CA).
C: CRL (Certificate Revocation List) was first released to allow the CA to revoke certificates; however, due to limitations with this method it was succeeded by OCSP.
D: An Intermediate Certificate Authority is below the Root CA in a hierarchical trust model. It trusts only information provided by the root CA.

References:
https://www.fir3net.com/Security/Concepts-and-Terminology/certificate-revocation.html
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, pp. 278-290