Ensuring Validity of Publicly Trusted Certificates During Extended Internet Outage

Validating Publicly Trusted Certificates for Web Servers


Question

A company wants to ensure that the validity of publicly trusted certificates used by its web server can be determined even during an extended internet outage.

Which of the following should be implemented?

Answers

Explanations


C.

The correct answer is C. CRL (Certificate Revocation List).

Explanation: A publicly trusted certificate is issued by a Certificate Authority (CA) and binds the identity of the entity that owns the certificate to the public key that corresponds to a private key held by that entity. The certificate is digitally signed by the CA, which provides assurance that the CA issued it and that it has not been altered. Deciding that the certificate is currently valid takes two further checks: that the current time is within the certificate's validity period, and that the CA has not revoked it.

During an extended internet outage, the revocation status of the certificates used by the company's web server cannot be determined by any method that needs a live query at validation time, because neither the server nor the clients on the isolated network can reach the CA's revocation services. What is needed is revocation information that can be obtained ahead of time and checked locally.

A Certificate Revocation List (CRL) is a list of certificates that the CA has revoked before their scheduled expiration date. The CA signs the list and publishes it on a schedule, and each CRL carries the time it was issued (thisUpdate) and the time by which the next one will be published (nextUpdate). Because it is a signed, self-contained file, a CRL can be downloaded in advance, cached by clients, or mirrored to an internal distribution point, and a relying party can verify the CA's signature on it and look up a certificate's serial number without any connection to the CA.

Relying on CRLs, with the current CRL cached locally, means that if a certificate used by the company's web server has been revoked, it appears on the list and relying parties know not to trust it even while the CA is unreachable. This matters because an attacker who holds the private key of a revoked certificate could otherwise use it for a man-in-the-middle attack or to impersonate the server. Two caveats apply: a cached CRL only reflects revocations the CA had published at its thisUpdate, so a revocation issued during the outage will not be visible until a fresh CRL can be fetched; and a CRL whose nextUpdate has passed should no longer be trusted, so the CRL's validity window and the refresh schedule must be chosen with the expected outage duration in mind.
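The following is an added example, not part of the original question or its explanation, showing the offline check described above with the `cryptography` library. It constructs its own throwaway CA, server certificate and CRLs (all names, serials and dates are constructed for the example), serialises the CRL to DER to stand in for the copy a relying party has cached, and then validates the server certificate against that cached copy at three points in time: while nothing is revoked, after the CA has revoked the certificate, and after the cached CRL's nextUpdate has passed during a long outage.

```python
"""Offline revocation check against a locally cached CRL (constructed example)."""
import datetime as dt

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Fixed clock so the example is deterministic (constructed, not a real date).
NOW = dt.datetime(2024, 1, 1, tzinfo=dt.timezone.utc)
UTC = dt.timezone.utc


def make_ca():
    """Self-signed CA used only for this example (assumed name 'Example Root CA')."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Root CA")])
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(NOW - dt.timedelta(days=1))
            .not_valid_after(NOW + dt.timedelta(days=3650))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def issue_server_cert(ca_key, ca_cert, hostname):
    """End-entity certificate for the web server (hostname is an assumption)."""
    key = ec.generate_private_key(ec.SECP256R1())
    return (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, hostname)]))
            .issuer_name(ca_cert.subject)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(NOW - dt.timedelta(days=1))
            .not_valid_after(NOW + dt.timedelta(days=90))
            .add_extension(x509.SubjectAlternativeName([x509.DNSName(hostname)]), critical=False)
            .sign(ca_key, hashes.SHA256()))


def publish_crl(ca_key, ca_cert, revoked_serials, this_update, validity):
    """CA side: sign a CRL covering the given serials, valid until this_update + validity."""
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(ca_cert.subject)
               .last_update(this_update)
               .next_update(this_update + validity))
    for serial in revoked_serials:
        entry = (x509.RevokedCertificateBuilder()
                 .serial_number(serial).revocation_date(this_update).build())
        builder = builder.add_revoked_certificate(entry)
    # DER bytes are what a relying party would download and keep on disk.
    return builder.sign(ca_key, hashes.SHA256()).public_bytes(serialization.Encoding.DER)


def _crl_window(crl):
    """(thisUpdate, nextUpdate) as aware datetimes; newer cryptography exposes *_utc."""
    this_u = getattr(crl, "last_update_utc", None) or crl.last_update.replace(tzinfo=UTC)
    next_u = getattr(crl, "next_update_utc", None) or crl.next_update.replace(tzinfo=UTC)
    return this_u, next_u


def check_with_cached_crl(cert, cached_crl_der, ca_cert, now):
    """Relying-party side, fully offline. Returns 'good', 'revoked' or 'crl_stale'."""
    # 1. The certificate itself must be signed by the CA we trust.
    ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                ec.ECDSA(cert.signature_hash_algorithm))
    # 2. The cached CRL must carry a valid signature from the same CA.
    crl = x509.load_der_x509_crl(cached_crl_der)
    if not crl.is_signature_valid(ca_cert.public_key()):
        raise ValueError("cached CRL signature does not verify")
    # 3. A CRL is only evidence until its nextUpdate; past that, fail closed.
    this_update, next_update = _crl_window(crl)
    if not (this_update <= now <= next_update):
        return "crl_stale"
    # 4. Serial-number lookup needs no network at all.
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return "revoked"
    return "good"


def demo():
    ca_key, ca_cert = make_ca()
    server = issue_server_cert(ca_key, ca_cert, "www.example.com")
    week = dt.timedelta(days=7)
    # Day 0: CA publishes an empty CRL; client caches it and checks on day 1.
    crl_v1 = publish_crl(ca_key, ca_cert, [], NOW, week)
    results = {"day1_good": check_with_cached_crl(server, crl_v1, ca_cert, NOW + dt.timedelta(days=1))}
    # Day 2: CA revokes the server cert; client fetches the new CRL just before the outage.
    crl_v2 = publish_crl(ca_key, ca_cert, [server.serial_number], NOW + dt.timedelta(days=2), week)
    results["day3_revoked"] = check_with_cached_crl(server, crl_v2, ca_cert, NOW + dt.timedelta(days=3))
    # Day 10: still offline, cached CRL's nextUpdate (day 9) has passed.
    results["day10_stale"] = check_with_cached_crl(server, crl_v2, ca_cert, NOW + dt.timedelta(days=10))
    return results


if __name__ == "__main__":
    print(demo())
```

The stale branch is the operational point of the question: the cached CRL stays authoritative only until its nextUpdate, so the CA's CRL validity period (or the refresh interval of an internal mirror) must be longer than the outage the company plans to survive, and a relying party that fails closed on a stale CRL will start rejecting the server once that window is exceeded.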

Recovery Agent, Key Escrow, and OCSP are not applicable solutions to the problem of ensuring the validity of publicly trusted certificates used by the company's web server during an extended internet outage.

A recovery agent is a person or role authorized to decrypt data when the user's private key is lost or otherwise unavailable. It concerns access to encrypted data, not whether a certificate is still trustworthy.

Key escrow is an arrangement in which a trusted third party holds a copy of a cryptographic key so that it can be recovered later. Like a recovery agent, it addresses key recovery rather than certificate status.

OCSP (Online Certificate Status Protocol) is a protocol for querying the revocation status of a single certificate. The client sends the certificate's serial number to the CA's OCSP responder and receives a signed answer, so a check requires the responder to be reachable at validation time, which it would not be during an extended internet outage. OCSP stapling, in which the web server fetches the signed response and presents it to clients in the TLS handshake, only postpones the problem: stapled responses carry a short validity period and the server must refresh them from the responder, which it cannot do while offline.