Christian,
Looks like the only way to solve the "very stringent
requirement" that you mention is to either wait a couple of
[months, weeks, days, hours] or to have an "online" exchange
with the CA... Do we envisage to deploy that? I was under the
impression that real safe CAs were offline for security reasons!

Each PCA establishes its own policy about frequency of CRL issuance,
so if there is a demand for fairly frequent CRL issuance by a
(commercial?) community, I hope a PCA will arise to meet that demand.
In the US, significant consumer financial transactions (e.g., major
loans) mandate a "right of rescission" period of 2-3 days, suggesting
that we could live with a little latency anyway. Also, because each
PCA provides access to the global CRL database, one can always query
one's PCA (not CA) to get the latest CRL issued by any CA. (This
includes emergency CRLs issued before the next scheduled issue date.)
Admittedly, there is still some delay between a CA becoming aware of a
situation that merits revocation and the posting of a CRL, but it's
not clear how great the delay will be. Finally, there is no
requirement that the equipment used to provide access to the CRL
database is the same as that used by the PCA to sign its CRLs, and a
prudent PCA would certainly employ separate equipment for these
different functions.
Steve
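The arrangement Steve describes (a PCA serving the newest CRL from any CA, emergency CRLs posted before the scheduled date, and a relying party tolerating some latency) as an added, constructed model; this is example code, not from the thread or from any PEM implementation, and the CA names, serial numbers and dates are made up.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed model of a PCA-hosted "global CRL database"; no PEM wire format is parsed.

@dataclass(frozen=True)
class Crl:
    issuer: str            # CA that signed this CRL
    this_update: datetime  # when the CA issued it
    next_update: datetime  # next scheduled issue; an emergency CRL arrives earlier
    revoked: frozenset     # certificate serial numbers listed as revoked

class PcaCrlDatabase:
    """Keeps every CRL the PCA has received from any CA and serves the newest per issuer."""
    def __init__(self):
        self._crls = {}

    def post(self, crl):
        # Every posting is kept; an emergency CRL is just one with a later this_update
        self._crls.setdefault(crl.issuer, []).append(crl)

    def latest(self, issuer):
        crls = self._crls.get(issuer)
        return max(crls, key=lambda c: c.this_update) if crls else None

def check_certificate(db, issuer, serial, now, max_crl_age):
    """Relying-party decision: 'revoked', 'good', or 'stale' (no CRL fresh enough to trust)."""
    crl = db.latest(issuer)
    if crl is None or crl.this_update > now:
        return "stale"
    # Two freshness bounds: the CA's own next_update and the relying party's tolerated latency
    if now > crl.next_update or now - crl.this_update > max_crl_age:
        return "stale"
    return "revoked" if serial in crl.revoked else "good"

def demo():
    t0 = datetime(1993, 3, 1, tzinfo=timezone.utc)
    db = PcaCrlDatabase()
    db.post(Crl("CA-1", t0, t0 + timedelta(days=7), frozenset()))          # scheduled weekly CRL
    before = check_certificate(db, "CA-1", 42, t0 + timedelta(days=1), timedelta(days=3))
    db.post(Crl("CA-1", t0 + timedelta(days=2), t0 + timedelta(days=7), frozenset({42})))  # emergency
    after = check_certificate(db, "CA-1", 42, t0 + timedelta(days=3), timedelta(days=3))
    expired = check_certificate(db, "CA-1", 42, t0 + timedelta(days=10), timedelta(days=3))
    return before, after, expired

if __name__ == "__main__":
    print(demo())
```

The `before` result shows the latency window Steve concedes: until the emergency CRL is posted, the relying party still sees serial 42 as good.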