PrepAway - Latest Free Exam Questions & Answers

Which of the following is true about the CRL?

A. It should be kept public

B. It signs other keys

C. It must be kept secret

D. It must be encrypted

Explanation:
The CRL must be public so that it can be known which keys and certificates have been revoked.

In the operation of some cryptosystems, usually public key infrastructures (PKIs), a certificate revocation list (CRL) is a list of certificates (or more specifically, a list of serial numbers for certificates) that have been revoked, and therefore, entities presenting those (revoked) certificates should no longer be trusted.

Incorrect Answers:
B: A CRL is a database of revoked keys and signatures. It does not sign other keys.
C: Keeping the CRL secret would be against the purpose of the CRL, which is to provide information regarding revoked keys and certificates.
D: The CRL must be readily available so it should not be encrypted.

Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, pp. 279-285, 285

