PKIs, if any, are of no use for authentication of consumable
credentials. The only merit of PK with a CA over a shared key with a
KDC is that no communication with the CA is necessary for every
transaction. However, this means that there is no entity to check
the amount of remaining credential. So, if an attacker has a
certificate to be used for 1,000 USD of transactions, the attacker
can use the certificate for 1,000 seconds, 1,000 times a second,
from 1,000 different locations, for a total damage of
1,000,000,000,000 USD, for the personal benefit of the attacker or for
economic terrorism to ruin the world-wide economy.
It should be noted that CRLs are, because of obvious operational
issues, expected to be updated weekly or monthly and quite unlikely
hourly, and even in that case CRLs cannot prevent the attacks
mentioned above.
Masataka Ohta
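The contrast drawn in the message above, as an added illustration that is not part of Ohta's post: a relying party that only checks a CA signature and a cached CRL keeps no record of how much a certificate has already been spent, so it accepts the same 1,000 USD certificate every time it is presented, at every location, while a KDC that is consulted on every transaction can decrement the balance and stop at 1,000. The second function shows the CRL caveat: a serial revoked at the CA an hour after the relying party fetched its weekly CRL is still accepted until that CRL's nextUpdate. Everything here is constructed for the example; CA_KEY, WEEK and the HMAC used as a stand-in for a real public-key signature are hypothetical, chosen so the script runs with the Python standard library only.

```python
import hmac
import hashlib
import json
from dataclasses import dataclass

# Constructed example. CA_KEY and the HMAC "signature" stand in for a real
# public-key signature; the property being shown, that the offline relying
# party keeps no state between presentations, is the same either way.
CA_KEY = b"hypothetical-ca-key"
WEEK = 7 * 24 * 3600


def tbs(serial: int, subject: str, limit_usd: int) -> dict:
    """The to-be-signed fields of a certificate."""
    return {"serial": serial, "subject": subject, "limit_usd": limit_usd}


def ca_sign(fields: dict) -> str:
    """Stand-in for the CA signing a certificate."""
    msg = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(CA_KEY, msg, hashlib.sha256).hexdigest()


@dataclass(frozen=True)
class Certificate:
    serial: int
    subject: str
    limit_usd: int   # the amount the CA vouches the holder is good for
    sig: str


def issue(serial: int, subject: str, limit_usd: int) -> Certificate:
    return Certificate(serial, subject, limit_usd,
                       ca_sign(tbs(serial, subject, limit_usd)))


@dataclass(frozen=True)
class CRL:
    issued_at: int
    next_update: int
    revoked: frozenset


class CA:
    """Issues certificates and, once a week, a CRL."""
    def __init__(self):
        self.revoked = set()

    def revoke(self, serial: int) -> None:
        self.revoked.add(serial)

    def publish_crl(self, now: int) -> CRL:
        return CRL(now, now + WEEK, frozenset(self.revoked))


class OfflineRelyingParty:
    """PK model: checks the CA signature and a cached CRL, nothing else.
    It has no record of what this certificate has already been used for."""
    def __init__(self, ca: CA, now: int):
        self.ca = ca
        self.crl = ca.publish_crl(now)

    def accept(self, cert: Certificate, amount_usd: int, now: int) -> bool:
        if now >= self.crl.next_update:      # refetch only when the CRL expires
            self.crl = self.ca.publish_crl(now)
        expected = ca_sign(tbs(cert.serial, cert.subject, cert.limit_usd))
        if not hmac.compare_digest(cert.sig, expected):
            return False
        if cert.serial in self.crl.revoked:
            return False
        return amount_usd <= cert.limit_usd  # stateless: true every time


class OnlineKDC:
    """Shared-key model: every transaction is referred to the KDC, which can
    therefore decrement the remaining credential."""
    def __init__(self):
        self.balance = {}

    def grant(self, subject: str, limit_usd: int) -> None:
        self.balance[subject] = limit_usd

    def authorize(self, subject: str, amount_usd: int) -> bool:
        if self.balance.get(subject, 0) < amount_usd:
            return False
        self.balance[subject] -= amount_usd
        return True


def replay_totals(presentations: int = 3000, locations: int = 3) -> tuple:
    """Present one 1,000 USD certificate once a second, round-robin across
    several locations. Returns (USD accepted offline, USD accepted via KDC)."""
    ca = CA()
    cert = issue(serial=7, subject="attacker", limit_usd=1000)
    merchants = [OfflineRelyingParty(ca, now=0) for _ in range(locations)]
    offline = sum(1000 for t in range(presentations)
                  if merchants[t % locations].accept(cert, 1000, now=t))
    kdc = OnlineKDC()
    kdc.grant("attacker", 1000)
    online = sum(1000 for _ in range(presentations)
                 if kdc.authorize("attacker", 1000))
    return offline, online


def revocation_lag(revoked_at: int = 3600) -> tuple:
    """The CA revokes the serial an hour in; the relying party still holds the
    CRL it fetched at time 0, whose nextUpdate is a week away."""
    ca = CA()
    cert = issue(serial=7, subject="attacker", limit_usd=1000)
    rp = OfflineRelyingParty(ca, now=0)
    ca.revoke(cert.serial)
    before_refresh = rp.accept(cert, 1000, now=revoked_at + 1)
    after_refresh = rp.accept(cert, 1000, now=WEEK)
    return before_refresh, after_refresh


if __name__ == "__main__":
    print("offline/online USD accepted:", replay_totals())        # (3000000, 1000)
    print("accepted before/after CRL refresh:", revocation_lag())  # (True, False)
```

The point of the two totals is not the particular numbers but the shape of the two designs: the offline verifier can only answer "is this certificate valid", never "how much of it is left", because that second question needs state that lives somewhere the relying party talks to on each transaction.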