OCSP - Online Certificate Status Protocol - Explained | CCIE Security Exam

Online Certificate Status Protocol (OCSP) Explained



Which three statements about OCSP are correct? (Choose three.)




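A. OCSP is defined in RFC2560
B. OCSP uses only HTTP as a transport
C. OCSP responders can use RSA and DSA signatures to validate that responses are from trusted entities
D. A response indicator may be good, revoked, or unknown
E. OCSP is an updated version of SCEP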


OCSP (Online Certificate Status Protocol) is a protocol used to obtain the revocation status of X.509 digital certificates. Here are the correct statements about OCSP:

A. OCSP is defined in RFC2560: This statement is true. The OCSP protocol was first defined in RFC 2560, which was later updated by RFC 6960.

C. OCSP responders can use RSA and DSA signatures to validate that responses are from trusted entities: This statement is also true. OCSP responders are responsible for providing certificate status information in response to OCSP requests. OCSP responders use RSA and DSA signatures to sign the response, ensuring that the response comes from a trusted source.

D. A response indicator may be good, revoked, or unknown: This statement is correct. When an OCSP responder receives a request for the revocation status of a certificate, it responds with one of three indicators: good, revoked, or unknown.

B. OCSP uses only HTTP as a transport: This statement is incorrect. While HTTP is the most commonly used transport protocol for OCSP requests and responses, OCSP can also use other protocols such as HTTPS and LDAP.

E. OCSP is an updated version of SCEP: This statement is incorrect. OCSP and SCEP (Simple Certificate Enrollment Protocol) are two different protocols that serve different purposes. OCSP is used to obtain the revocation status of digital certificates, while SCEP is used to enroll digital certificates with a Certificate Authority.

Therefore, the correct answers are A, C, and D.
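
The three indicators in statement D are carried in the `certStatus` field of each `SingleResponse` as a context-tagged CHOICE. The following added example (not part of the original page) decodes that field from DER and applies a fail-closed policy in which `unknown` is rejected like `revoked`. The sample bytes, the stand-in certID and the `accept` policy are constructed assumptions, and checking the responder's signature is outside what it shows.

```python
# CertStatus CHOICE tags from RFC 6960: [0] good, [1] revoked, [2] unknown
STATUS_BY_TAG = {0x80: "good", 0xA1: "revoked", 0x82: "unknown"}

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                    # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def cert_status(single_response):
    """Return (indicator, revocation_time) from a DER-encoded SingleResponse."""
    tag, body, _ = read_tlv(single_response)
    if tag != 0x30:
        raise ValueError("SingleResponse must be a SEQUENCE")
    _, _, pos = read_tlv(body)           # skip certID
    tag, value, _ = read_tlv(body, pos)  # certStatus
    if tag not in STATUS_BY_TAG:
        raise ValueError(f"unexpected certStatus tag 0x{tag:02x}")
    status = STATUS_BY_TAG[tag]
    # RevokedInfo begins with revocationTime (GeneralizedTime, tag 0x18)
    revoked_at = read_tlv(value)[1].decode("ascii") if status == "revoked" else None
    return status, revoked_at

def accept(status):
    """Assumed relying-party policy: fail closed, so only 'good' is accepted."""
    return status == "good"

def der(tag, value=b""):
    """Build a short-form DER element (constructed sample data, value < 128 bytes)."""
    return bytes([tag, len(value)]) + value

# Constructed samples: the certID is a stand-in holding only a serial number.
CERT_ID = der(0x30, der(0x02, b"\x01"))
THIS_UPDATE = der(0x18, b"20240101000000Z")
GOOD = der(0x30, CERT_ID + der(0x80) + THIS_UPDATE)
REVOKED = der(0x30, CERT_ID + der(0xA1, der(0x18, b"20231115120000Z")) + THIS_UPDATE)
UNKNOWN = der(0x30, CERT_ID + der(0x82) + THIS_UPDATE)

if __name__ == "__main__":
    for name, blob in (("GOOD", GOOD), ("REVOKED", REVOKED), ("UNKNOWN", UNKNOWN)):
        status, when = cert_status(blob)
        print(name, status, when, "accept" if accept(status) else "reject")
```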