What does a CRL contain?

a3590166 Member Posts: 14
According to wiki, a CRL contains revoked certificates. My study material has this question:

A CRL contains a list of which of the following type of keys?
A. Both public and private keys
B. Steganographic keys
C. Private keys
D. Public keys
ANSWER: A

I thought a certificate is a public key. Is the answer correct?

Comments

  • Darril Member Posts: 1,588
    a3590166 wrote: »
    According to wiki, a CRL contains revoked certificates. My study material has this question:

    A CRL contains a list of which of the following type of keys?
    A. Both public and private keys
    B. Steganographic keys
    C. Private keys
    D. Public keys
    ANSWER: A

    I thought a certificate is a public key. Is the answer correct?

    I just wrote a chapter on Certificate Services for another project so this knowledge is at the forefront of my mind right now.

    First, a certificate holds a public key but it holds a lot more. You can view one in Internet Explorer by clicking Tools, Internet Options, Content, Certificates, selecting a certificate and clicking View. Click the Details tab and you can see all the contents. Select serial number and you can see the serial number (which is important for this conversation). Select the Public Key and you can view the actual Public Key.

    When a private key becomes compromised, it should not be used any more but the private key isn't published so it can't be revoked. Instead the certificate that holds the matching public key of the public/private key pair is revoked.

    How is the certificate uniquely identified? By the serial number. So when the certificate is revoked, the serial number is published in a certificate revocation list (CRL) which is actually a version 2 certificate.

    So, what does a CRL hold? Serial numbers of certificates.

    When an SSL session is started, a certificate is sent to a client with the embedded public key and serial number. The client then checks with the certification authority (CA) which maintains the CRL. The CRL is sent to the client in the form of a V2 certificate. The client checks the CRL to see if the received certificate's serial number is on it.

    I realize "serial numbers" isn't a choice, but that's what the CRL contains - a serial number that uniquely identifies the certificate.

    HTH,

    Darril Gibson
    Author: CompTIA Security+: Get Certified Get Ahead
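    The client-side check Darril describes, written out as an added example in Go's standard crypto/x509 package (this is not code from the thread or from any of its posters). A throwaway in-memory CA issues two certificates, publishes a CRL that names one of them by serial number, and the client verifies the CRL's signature with the CA's public key before looking up the presented certificate's serial number. It also shows two caveats a practitioner wants: a CRL that is past its NextUpdate is treated as unusable rather than as "nothing revoked", and an empty CRL signed by some other CA is rejected. All names, serial numbers and host names are constructed for the example; every key is generated fresh at run time. It needs Go 1.19 or later for x509.ParseRevocationList and RevocationList.CheckSignatureFrom.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must keeps the demo short; production code would return these errors instead.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// template builds a certificate template. The serial number is the field a CRL
// later refers to, so it is the value that must be unique per CA.
func template(serial int64, cn string, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA { // x509.CreateRevocationList requires the crlSign usage of a CRL issuer
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	return t
}

// newCert generates a fresh P-256 key for tmpl and has parent/signer sign it;
// a nil parent yields a self-signed certificate (the throwaway CA).
func newCert(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*ecdsa.PrivateKey, *x509.Certificate) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, signer = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))
	return key, must(x509.ParseCertificate(der))
}

// publishCRL signs an X.509 v2 CRL as the CA. Its payload is serial numbers and
// revocation times; it carries neither private nor public keys.
func publishCRL(caKey *ecdsa.PrivateKey, caCert *x509.Certificate, serials []int64) *x509.RevocationList {
	var revoked []pkix.RevokedCertificate
	for _, s := range serials {
		revoked = append(revoked, pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: time.Now()})
	}
	tmpl := &x509.RevocationList{
		RevokedCertificates: revoked, Number: big.NewInt(1), // a real CA increments Number per issue
		ThisUpdate: time.Now(), NextUpdate: time.Now().Add(24 * time.Hour),
	}
	der := must(x509.CreateRevocationList(rand.Reader, tmpl, caCert, caKey))
	return must(x509.ParseRevocationList(der))
}

// isRevoked is the client-side check described in the thread: confirm the CRL is
// signed by the trusted CA and still current, then look for the presented
// certificate's serial number in it. An unverifiable CRL is an error, not "not revoked".
func isRevoked(cert *x509.Certificate, crl *x509.RevocationList, ca *x509.Certificate) (bool, error) {
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return false, fmt.Errorf("CRL not signed by the trusted CA: %w", err)
	}
	if !crl.NextUpdate.IsZero() && time.Now().After(crl.NextUpdate) {
		return false, fmt.Errorf("CRL is past NextUpdate; fetch a fresh copy")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

// demo issues two certificates from a throwaway CA, revokes one, and reports
// (revoked cert flagged, valid cert flagged, CRL from an unrelated CA rejected).
func demo() (revokedFlagged, validFlagged, foreignRejected bool) {
	caKey, caCert := newCert(template(1, "Example Test CA", true), nil, nil)
	_, bad := newCert(template(1001, "revoked.example.test", false), caCert, caKey)
	_, good := newCert(template(1002, "valid.example.test", false), caCert, caKey)
	crl := publishCRL(caKey, caCert, []int64{1001})
	revokedFlagged = must(isRevoked(bad, crl, caCert))
	validFlagged = must(isRevoked(good, crl, caCert))
	// An empty CRL signed by some other CA must not pass as proof that nothing is revoked.
	otherKey, otherCert := newCert(template(1, "Unrelated CA", true), nil, nil)
	_, err := isRevoked(bad, publishCRL(otherKey, otherCert, nil), caCert)
	foreignRejected = err != nil
	return
}

func main() { fmt.Println(demo()) } // prints: true false true
```

    Note that isRevoked compares only serial numbers: the certificate's public key never enters the lookup, which is the point of the thread. The design choice of returning an error rather than false for a bad signature or a stale CRL matters in practice, because a client that silently treats "could not validate the CRL" as "not revoked" can be fed an old or forged list.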
  • a3590166 Member Posts: 14
    So the answer is D?
  • Darril Member Posts: 1,588
    I suggest the question isn't valid.

    What color is the result of the following formula? (2 x 5)

    A. Purple
    B. Green
    C. Blue
    D. Yellow

    We can debate colors all day long, but a mathematical formula doesn't have a color.

    Similarly, a CRL doesn't have a list of keys. It has a list of serial numbers.

    Darril Gibson
  • renegi Registered Users Posts: 1
    Hi all, new to posting but not new to the site. I've been following it for a while now and am studying for my Sec+ and plan to take it soon.

    Anyways, I totally agree with you Darril. But I think someone really needs to talk to CompTIA about their exams. This question is straight from their site for sample practice questions.

    The CRL contains a list of:
    a) private keys
    b) public keys
    c) root certificates
    d) valid certificates

    They consider only public keys to be the correct answer...
  • Darril Member Posts: 1,588
    Welcome to the forums.

    Feel free to talk to CompTIA. I'll stay out of that battle:). The question you posted is a little different than the original poster's question and it does bring up a relevant point about many CompTIA questions. You're often required to pick the best answer and if you run across something like this, public keys is the best answer, primarily because you can rule out all the rest of the answers.

    A. A certificate revocation list (CRL) is published and private keys would never be published.
    C. Root certificates identify a CA and the CA publishes a CRL so it doesn't make sense for a CRL to include a list of root certificates.
    D. The CRL identifies revoked certificates, not valid certificates.

    This leaves only B with public keys. Certificates do contain public keys (and much more) and certificates are uniquely identified by serial numbers. It's a stretch to say that the CRL is a list of public keys but it is accurate that the CRL identifies public keys that should not be used.

    Hope this helps. Good luck with the Security+ exam.