pem-dev

Re: Snakepits, CRL's and certificates

1993-09-20 07:39:00
Why is this so hard?

A certificate is an assertion of a binding between an identity (in the form of a DN) and a public key. The purpose of PCAs and their policies is to help establish how much faith to place in the veracity of the stated identity.

A CRL is a revocation of the assertion instantiated in the certificate.

(Shouting now...)

THAT IS ALL IT IS!

Those of you who have different needs, for authorizations, for complete representation of cause for revocation, for carrying a digitized image of the certificate subject will just have to figure out another means of doing what you want.

The certificate-based key management in PEM must not be overloaded. Be creative. USE this mechanism as a component of whatever value-added system you wish to offer but don't seek to break it by making it the solution itself.

Enough said,

John Lowry



