ISC2 CISSP Practice Question

The correct answer is To identify certificates that should no longer be trusted. A Certificate Revocation List (CRL) is a list of digital certificates that have been revoked by the issuing Certificate Authority (CA) before their scheduled expiration date. Its primary function is to provide a mechanism for relying parties to check if a certificate is still valid and trustworthy.

• To store backup copies of all issued certificates is incorrect. Certificate storage is typically handled by a certificate database or a central directory, not the CRL.
• To validate the authenticity of certificate authorities is incorrect. The authenticity of a CA is established through a chain of trust that terminates at a trusted root CA certificate stored by the client, not through a CRL.
• To map user identities to their public keys is incorrect. This is the primary function of the digital certificate itself, which binds an identity to a public key. The CRL deals with the status of that binding, not its creation.