SY0-301 · Question #746
Which of the following is true about the CRL?
The correct answer is A. It should be kept public. The Certificate Revocation List must be publicly accessible so that relying parties can verify whether a certificate has been revoked before trusting it.
Question
Which of the following is true about the CRL?
Options
- AIt should be kept public
- BIt signs other keys
- CIt must be kept secret
- DIt must be encrypted
How the community answered
(27 responses)- A93% (25)
- C4% (1)
- D4% (1)
Why each option
The Certificate Revocation List must be publicly accessible so that relying parties can verify whether a certificate has been revoked before trusting it.
A CRL is a publicly distributed list maintained by the CA that allows any relying party - browsers, servers, clients - to check whether a certificate has been revoked before trusting it. Keeping it public is essential to the function of certificate validation in a PKI.
Signing keys is the role of the Certificate Authority (CA), not the CRL; the CRL only lists revoked certificate serial numbers.
Keeping the CRL secret would defeat its purpose, as relying parties must be able to download and consult it to verify certificate validity.
The CRL does not require encryption because it is a publicly accessible, CA-signed document; its integrity is protected by the CA's digital signature, not encryption.
Concept tested: Certificate Revocation List public availability and purpose
Source: https://learn.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/configure-the-cdp-and-aia-extensions-on-ca1
Topics
Community Discussion
No community discussion yet for this question.