To check a certificate's revocation status, the verifier can ________.

Prepare for the Network Security (NETSEC) 3 Test with flashcards and multiple choice questions. Each question offers hints and explanations. Get exam-ready efficiently!

Multiple Choice

To check a certificate's revocation status, the verifier can ________.

Explanation:
Revocation status is checked by querying a status responder that knows whether a certificate is still valid. The Online Certificate Status Protocol (OCSP) lets the verifier ask the CA’s responder for a single certificate’s status and receive a quick good/unknown/revoked result. This real-time check is efficient and widely used during TLS handshakes or other security operations to confirm that the certificate hasn’t been revoked.

Downloading the Certificate Revocation List (CRL) from the CA is another method, but it has drawbacks: the CRL can be large, it may be dated, and you must fetch and search the list to determine if the specific certificate is on it, which can introduce latency and potential staleness. OCSP provides a faster, more up-to-date status check, which is why it’s considered the best choice.
