Public Key Infrastructure CHAPTER 11

4. The correct answer is B. When the certificate reaches its expiry date, it naturally expires everywhere, and you should already have requested a renewal certificate with a later expiry date. The other answers are all reasons to revoke the certificate as soon as possible. Answer A, a change of contact e-mail address, requires revoking the certificate to prevent the old e-mail contact from being able to submit a request for a changed certificate; a change of address (Answer C) voids information in the certificate, so that it is no longer a true statement of identity; and accidental (or deliberate) exposure of the private key to unauthorized parties results in the certificate being unreliable as a uniquely identifying piece of information.

5. The correct answer is A. A CRL may be simple, containing all certificates that have been revoked, or delta, containing all certificates that have been revoked since the last CRL was published. Answer B is not true. CRLs are published to a schedule. Answer C is not true of CRLs but is true of OCSP. Answer D is not true because some of the certificates on the CRL may be merely "suspended," and will be trustable later.
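
To make answer 5 concrete, the following added example (not taken from the book) shows how a relying party folds a delta CRL into the full CRL it was issued against, and why a "suspended" entry is not the same as a revoked one. It assumes a simplified in-memory model rather than a DER parser: the `CRL` class, function names, and serial numbers are hypothetical and constructed for illustration, while the reason-code values are the CRLReason codes from RFC 5280.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Iterable, Optional


class Reason(Enum):               # RFC 5280 CRLReason values used here
    KEY_COMPROMISE = 1
    AFFILIATION_CHANGED = 3
    CERTIFICATE_HOLD = 6          # "suspended": may become trustable again
    REMOVE_FROM_CRL = 8           # delta-only: lifts an earlier hold


@dataclass
class CRL:                        # hypothetical in-memory model, not a DER parser
    crl_number: int
    entries: Dict[int, Reason]    # certificate serial -> reason
    base_crl_number: Optional[int] = None   # set only on a delta CRL


def effective_revocations(base: CRL, deltas: Iterable[CRL]) -> Dict[int, Reason]:
    """Fold delta CRLs into the full CRL they were issued against."""
    if base.base_crl_number is not None:
        raise ValueError("base must be a full CRL, not a delta")
    state = dict(base.entries)
    for delta in sorted(deltas, key=lambda d: d.crl_number):
        if delta.base_crl_number != base.crl_number:
            raise ValueError("delta was issued against a different base CRL")
        for serial, reason in delta.entries.items():
            if reason is Reason.REMOVE_FROM_CRL:
                state.pop(serial, None)      # hold released
            else:
                state[serial] = reason       # new revocation or hold
    return state


def status(serial: int, state: Dict[int, Reason]) -> str:
    reason = state.get(serial)
    if reason is None:
        return "good"
    return "suspended" if reason is Reason.CERTIFICATE_HOLD else "revoked"


# Constructed sample data: full CRL #10 and one delta issued against it.
BASE = CRL(10, {0x1001: Reason.KEY_COMPROMISE, 0x1002: Reason.CERTIFICATE_HOLD})
DELTA = CRL(11, {0x1002: Reason.REMOVE_FROM_CRL,
                 0x1003: Reason.AFFILIATION_CHANGED}, base_crl_number=10)

if __name__ == "__main__":
    before, after = effective_revocations(BASE, []), effective_revocations(BASE, [DELTA])
    for s in (0x1001, 0x1002, 0x1003):
        print(hex(s), status(s, before), "->", status(s, after))
```

A client that reads only the full CRL still treats serial 0x1002 as suspended and has not yet learned that 0x1003 is revoked, which is the freshness gap delta CRLs are meant to narrow.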