pem-dev
Re: Are DN's really names?

1993-03-08 16:58:00
The discussion is over the "ownership" of DN's and keying material and
has led to a question about "ownership" of a certificate.

A certificate asserts a binding between one DN and a key.  The concept
of "ownership" is misapplied in this context.  Think of a certificate
rather as a "statement" concerning the relationship between the
name and the key.  If the "statement" is issued by a trusted entity (CA),
and the conditions met in order for that CA to make
that "statement" are well defined, understood, and auditable, then
a third party may make certain assumptions about the identity of
the subject named in the certificate.

Following this logic, the Certificate Revocation List is used not
to "repossess" a certificate, but is another kind of "statement"
by the CA.  Specifically it dissolves the binding between the
subject named and the public key.  It makes no "statement" concerning
the validity of the key or the name, it just says that "these two
things don't go together anymore".

Elementary set theory.

John Lowry
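The "statement" model described in the post, as an added example that is not part of the original message: a certificate is a CA-signed statement binding one DN to one key, a CRL is a second CA-signed statement that dissolves a specific binding by serial number, and a relying party accepts a binding only when both statements check out. The names, keys, serials and the CA secret are constructed for the example. For self-containment the CA "signature" is an HMAC-SHA256 over the canonical statement using a secret the CA holds; that is an assumption standing in for a real digital signature, and it means the verifier here holds the CA object as its trust anchor rather than the CA's public key.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Certificate:
    """A CA statement: 'subject_dn and public_key go together' (serial identifies the statement)."""
    serial: int
    issuer: str
    subject_dn: str
    public_key: str      # constructed placeholder for key material
    signature: bytes

    def statement(self) -> dict:
        # The signed content: everything except the signature itself.
        return {"serial": self.serial, "issuer": self.issuer,
                "subject_dn": self.subject_dn, "public_key": self.public_key}


@dataclass(frozen=True)
class CRL:
    """A CA statement: 'these bindings (by serial) no longer hold'."""
    issuer: str
    revoked_serials: frozenset
    signature: bytes

    def statement(self) -> dict:
        return {"issuer": self.issuer, "revoked_serials": sorted(self.revoked_serials)}


def canonical(statement: dict) -> bytes:
    # Deterministic encoding so signer and verifier hash the same bytes.
    return json.dumps(statement, sort_keys=True).encode()


class CA:
    def __init__(self, name: str, secret: bytes):
        self.name = name
        self._secret = secret          # assumption: HMAC key stands in for the CA signing key
        self._next_serial = 1
        self._revoked = set()

    def _sign(self, statement: dict) -> bytes:
        return hmac.new(self._secret, canonical(statement), hashlib.sha256).digest()

    def verify(self, statement: dict, signature: bytes) -> bool:
        return hmac.compare_digest(self._sign(statement), signature)

    def issue(self, subject_dn: str, public_key: str) -> Certificate:
        serial, self._next_serial = self._next_serial, self._next_serial + 1
        unsigned = Certificate(serial, self.name, subject_dn, public_key, b"")
        return Certificate(serial, self.name, subject_dn, public_key,
                           self._sign(unsigned.statement()))

    def revoke(self, cert: Certificate) -> None:
        # Dissolves one binding; says nothing about the name or the key themselves.
        self._revoked.add(cert.serial)

    def crl(self) -> CRL:
        revoked = frozenset(self._revoked)
        unsigned = CRL(self.name, revoked, b"")
        return CRL(self.name, revoked, self._sign(unsigned.statement()))


def binding_holds(cert: Certificate, crl: CRL, trusted_cas: dict) -> bool:
    """Relying-party check: genuine statement from a trusted CA, not dissolved by that CA's CRL."""
    ca = trusted_cas.get(cert.issuer)
    if ca is None:
        return False                                   # statement from nobody we trust
    if not ca.verify(cert.statement(), cert.signature):
        return False                                   # not actually the CA's statement
    if crl.issuer != cert.issuer or not ca.verify(crl.statement(), crl.signature):
        return False                                   # CRL must be the same CA's genuine statement
    return cert.serial not in crl.revoked_serials


def demo() -> dict:
    ca = CA("CN=Example CA", secret=b"constructed-ca-secret")
    trusted = {ca.name: ca}
    key1, key2 = "KEY-1", "KEY-2"                      # constructed key identifiers

    original = ca.issue("CN=Alice Smith", key1)
    before = binding_holds(original, ca.crl(), trusted)

    ca.revoke(original)                                # e.g. the subject's name changed
    crl = ca.crl()
    after = binding_holds(original, crl, trusted)

    renamed = ca.issue("CN=Alice Jones", key1)         # same key, new name: key was never "revoked"
    new_key = ca.issue("CN=Alice Smith", key2)         # same name, new key: name was never "revoked"
    forged = Certificate(99, ca.name, "CN=Mallory", "KEY-M", b"\x00" * 32)
    rogue = CA("CN=Rogue CA", secret=b"constructed-other-secret").issue("CN=Alice Smith", key1)

    return {
        "original_before_revocation": before,
        "original_after_revocation": after,
        "same_key_new_name": binding_holds(renamed, crl, trusted),
        "same_name_new_key": binding_holds(new_key, crl, trusted),
        "forged_statement": binding_holds(forged, crl, trusted),
        "untrusted_issuer": binding_holds(rogue, crl, trusted),
    }


if __name__ == "__main__":
    for case, holds in demo().items():
        print(f"{case}: {'binding holds' if holds else 'binding rejected'}")
```

The two re-issued certificates are the point of the example: after the CRL dissolves serial 1, the same key can be bound to a different DN and the same DN to a different key, and both new statements verify, because revocation removed one element from the set of asserted (name, key) pairs rather than saying anything about either name or key.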
