You need to ensure that clients will check at least every 30 minutes as to whether a certificate has been revoked. Which of the following should you configure to accomplish this goal?
I checked in my lab these two options and I noticed that CRL publication intervals can be set from years to hours:
https://drive.google.com/file/d/1RguatpJXQXI32vTUZC5kRkRaf-AIQY57/view?usp=sharing
Delta publication intervals can be set from years to MINUTES:
https://drive.google.com/file/d/149ezGCDARPiTa4IeTZw9hmY-HI9YlUN3/view?usp=sharing
In the question it's asking what would be used to make sure the clients will check every 30 MINUTES whether a certificate has been revoked or not.
So I think that's why the answer is Delta CRL publication intervals.
I have made this comment before - When making statements on any of the questions please include what your thought for the answer is as well to back up your research. Providing links helps us learn but we also come to this site for the answers as well.
The CRL is downloaded and cached by the client for the validity period of the CRL.
A CRL can become a very large file if your organization regularly revokes certificates. It can be a problem for your bandwidth, and sometimes, because the CRL is very large, the threshold time limit to download the CRL can be reached. As a result, the revocation checking process fails. To limit these issues, a Delta CRL can be used.
A Delta CRL is a partial CRL that contains the IDs of certificates revoked since the last CRL was published. In this way the CRL validity time can be lengthy and the publication of the Delta CRL can be performed regularly. So the client will download the CRL for a greater period of time and will download only the Delta CRL most of the time. This saves bandwidth.
The answer is C.
https://www.tech-coffee.net/public-key-infrastructure-part-2-main-components/
A Delta CRL is a Certificate Revocation List (CRL) that contains all non-expired certificates that have been revoked since the last base CRL was published. You can set a time interval for how often the servers check the CRL. This is referred to as the Delta CRL publication interval.
Although, it does seem like either answer B or C could be correct. This may be one of those "which is the most correct" questions. LOL! If that is the case, I think Delta CRL is the "most correct" answer.
Per the link paprda posted:
To help minimize frequent downloads of lengthy CRLs, delta CRLs can be published. This allows the client to download the most current delta CRL and combine that with the most current base CRL to have a complete list of revoked certificates. Because the client will normally have the CRL cached locally, the use of delta CRLs can potentially improve performance.
Next, I wondered how to configure this setting, found the following:
https://social.technet.microsoft.com/Forums/Lync/en-US/b6117e81-9bfd-4c85-bfa1-0ff3716bf0dc/how-to-control-crl-publishing-time?forum=winserversecurity
1 - Open up the management console for the relevant certificate authority.
2 - Right-click the "Revoked Certificates" node.
3 - Specify the CRL publishing intervals on the CRL Publishing Parameters tab.
This one sounds correct, I think.
Needing to know what the difference is between them... I found this link to be helpful:
https://wiki.scn.sap.com/wiki/display/SAPMOB/Understanding+CRL+checks+performed+by+the+Enrollment+Server+starting+with+7.0+SP5
Certificate Revocation Lists (CRLs)
There are two types of CRLs:
Base CRLs: A Base CRL is a CRL that contains all non-expired revoked certificates
Delta CRLs: A Delta CRL is a CRL that contains all non-expired certificates that have been revoked since the last base CRL was published. The Delta CRL file has the same name as the Base CRL file with a + sign added.
If just Base CRLs are used then a client checking revocation only needs to download the Base CRL to determine if a certificate is revoked.
If both Base and Delta CRLs are used then clients checking revocation must download both the Base CRL and the Delta CRL to determine if a certificate is revoked. This assumes the client can use Delta CRLs. All currently supported Windows Operating Systems support Delta CRLs.
I would say C is correct per the document linked by paprda.
"This allows the client to download the most current delta CRL and combine that with the most current base CRL to have a complete list of revoked certificates. Because the client will normally have the CRL cached locally, the use of delta CRLs can potentially improve performance."
Both Base CRL and Delta CRL publication intervals are correct.
Delta CRL contains less data (delta from base) so less overhead but is optional i.e. may not be enabled.
Need more info to choose one over another. Given that 30 mins is a small interval compared to default of 7 days for Base CRL, I will choose Delta CRL (assuming it is enabled).
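The caching behaviour discussed in this thread, as an added example that is not part of any comment above: a small model of a client that reuses a cached CRL until its next-update time and merges the latest delta CRL with the base CRL. The `Ca`, `Client` and `detection_delay` names, the serial number and the timeline are constructed for illustration, and the model assumes fixed publication intervals with no overlap period and no signature checking.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Crl:
    this_update: datetime
    next_update: datetime  # a client may reuse its cached copy until this time
    revoked: frozenset     # serial numbers listed in this CRL

class Ca:
    """Hypothetical CA publishing base (and optionally delta) CRLs on fixed intervals."""
    def __init__(self, start, base_every, delta_every=None):
        self.start, self.base_every, self.delta_every = start, base_every, delta_every
        self.revocations = {}  # serial -> time the certificate was revoked

    def _publish(self, now, interval, since=None):
        issued = self.start + ((now - self.start) // interval) * interval
        listed = frozenset(s for s, t in self.revocations.items()
                           if t <= issued and (since is None or t > since))
        return Crl(issued, issued + interval, listed)

    def base(self, now):
        return self._publish(now, self.base_every)

    def delta(self, now):  # only entries revoked since the current base CRL
        return self._publish(now, self.delta_every, self.base(now).this_update)

class Client:
    def __init__(self, ca):
        self.ca, self.base, self.delta = ca, None, None

    def is_revoked(self, serial, now):
        # Re-download a CRL only once the cached copy has passed next_update.
        if self.base is None or now >= self.base.next_update:
            self.base, self.delta = self.ca.base(now), None
        if self.ca.delta_every and (self.delta is None or now >= self.delta.next_update):
            self.delta = self.ca.delta(now)
        delta_serials = self.delta.revoked if self.delta else frozenset()
        return serial in (self.base.revoked | delta_serials)

def detection_delay(base_every, delta_every, revoked_after):
    """Time between a revocation and the first client check that sees it."""
    start = datetime(2024, 1, 1)  # constructed timeline
    ca = Ca(start, base_every, delta_every)
    client = Client(ca)
    client.is_revoked(1001, start)  # client fills its cache before the revocation
    revoked_at = start + revoked_after
    ca.revocations[1001] = revoked_at  # constructed serial number
    now = revoked_at
    while not client.is_revoked(1001, now):
        now += timedelta(minutes=1)  # client validates the certificate every minute
    return now - revoked_at
```

With a 7-day base CRL and a 30-minute delta CRL the client learns of the revocation at the next delta publication; with the base CRL alone it keeps trusting the cached list until the base CRL's next update.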