Greg,

As I noted in a message yesterday, for data origin
authentication purposes, PEM specifies checking "current" CRLs along
the certification path. I agree that this is the practical thing to
do for most communication. Going to a CA to request a current CRL is
potentially better than getting it from some other source, but PEM
does not levy a requirement that CAs provide such a service, but PCAs
are required to provide access to a global CRL database. For
non-repudiation, the more stringent requirement is that one acquire
and save the "next" CRL for each of the points along the path. There
are also other non-repudiation requirements (e.g., signing the message
by a "timestamp notary") that make it more onerous than simple data
origin authentication.

As for predicting the time interval over which the next CRLs
can be acquired, that is completely deterministic and addressed in RFC
1422. Each PEM CRL carries a NextUpdate field that specifies the next
scheduled issuance time and date for that CRL. Examination of this
field tells a user (UA) when to request the next scheduled CRL for
each PCA and CA. Obviously the CA/PCA in the path with the most
distant (in time) NextUpdate time is the gating factor.

Steve
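The NextUpdate logic described above, as an added example that is not part of Steve's message: it models the two time fields of each CRL along a certification path, checks that every CRL is "current" for data origin authentication, and finds the CA/PCA whose NextUpdate gates when all "next" CRLs can be acquired for non-repudiation. The issuer names, dates and the daily/weekly issuance schedule are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

iso = datetime.fromisoformat  # parses "YYYY-MM-DDTHH:MM:SS+00:00"


@dataclass(frozen=True)
class CrlSchedule:
    """The two RFC 1422 CRL time fields this example relies on."""
    issuer: str             # CA or PCA name (constructed sample value)
    this_update: datetime   # when this CRL was issued
    next_update: datetime   # NextUpdate: scheduled issuance of the next CRL


def is_current(crl: CrlSchedule, at: datetime) -> bool:
    """A CRL is 'current' at an instant if that instant lies in its window."""
    return crl.this_update <= at < crl.next_update


def stale_issuers(path, at: datetime) -> list:
    """Data origin authentication: issuers on the path whose CRL is not current."""
    return [crl.issuer for crl in path if not is_current(crl, at)]


def gating_crl(path) -> CrlSchedule:
    """Non-repudiation: the point on the path with the most distant NextUpdate."""
    return max(path, key=lambda crl: crl.next_update)


def next_crls_available(path, now: datetime) -> bool:
    """True once every CA/PCA on the path is scheduled to have issued its next CRL."""
    return now >= gating_crl(path).next_update


# Constructed sample path: a PCA issuing weekly above a CA issuing daily.
PATH = (
    CrlSchedule("PCA-Example", iso("1993-04-01T00:00:00+00:00"),
                iso("1993-04-08T00:00:00+00:00")),
    CrlSchedule("CA-Example", iso("1993-04-01T00:00:00+00:00"),
                iso("1993-04-02T00:00:00+00:00")),
)
SIGNING_TIME = datetime(1993, 4, 1, 12, tzinfo=timezone.utc)  # constructed

if __name__ == "__main__":
    print("stale at signing time:", stale_issuers(PATH, SIGNING_TIME))
    gate = gating_crl(PATH)
    print("gating issuer:", gate.issuer, "next CRL due", gate.next_update)
    print("all next CRLs available now?",
          next_crls_available(PATH, SIGNING_TIME))
```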