nerdexam
CompTIA

SY0-301 · Question #746

Which of the following is true about the CRL?

The correct answer is A. It should be kept public. The Certificate Revocation List must be publicly accessible so that relying parties can verify whether a certificate has been revoked before trusting it.

General security concepts

Question

Which of the following is true about the CRL?

Options

  • AIt should be kept public
  • BIt signs other keys
  • CIt must be kept secret
  • DIt must be encrypted

How the community answered

(27 responses)
  • A
    93% (25)
  • C
    4% (1)
  • D
    4% (1)

Why each option

The Certificate Revocation List must be publicly accessible so that relying parties can verify whether a certificate has been revoked before trusting it.

AIt should be kept publicCorrect

A CRL is a publicly distributed list maintained by the CA that allows any relying party - browsers, servers, clients - to check whether a certificate has been revoked before trusting it. Keeping it public is essential to the function of certificate validation in a PKI.

BIt signs other keys

Signing keys is the role of the Certificate Authority (CA), not the CRL; the CRL only lists revoked certificate serial numbers.

CIt must be kept secret

Keeping the CRL secret would defeat its purpose, as relying parties must be able to download and consult it to verify certificate validity.

DIt must be encrypted

The CRL does not require encryption because it is a publicly accessible, CA-signed document; its integrity is protected by the CA's digital signature, not encryption.

Concept tested: Certificate Revocation List public availability and purpose

Source: https://learn.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/configure-the-cdp-and-aia-extensions-on-ca1

Topics

#CRL#certificate revocation#PKI

Community Discussion

No community discussion yet for this question.

Full SY0-301 Practice