by riquito 4444 days ago
>> Why is the power of revocations in cert issuer's hands? As long as the private key is private

>Because a major reason for revocation is when the private key has been compromised.

His point is that whoever compromised the key is not interested in putting it in the revocation list. If he does it... well, he did the good thing.

1 comments

I see. Using the private key to revoke the certificate would be a denial of service attack, so requiring the CA for revocation avoids that, but admittedly it's not the first thing to worry about when a private key is compromised.