[...] when in reality all that needs to happen is the CRL/OCSP remain in operation, which in the event of a CA going bust [...]
Good CAs pay for insurance to cover that case. If they go bust, their insurance pays someone to ensure that minimal service.
Normally if your bank goes bust, some other banks make arrangements, and your account is transferred to another bank just like nothing happened.
So it does happen in other areas.
[...] Although the problem with this is how does a user revoke an existing certificate between a CA ceasing operation and their certificate expiring...
The insured minimal service should cover that too.
In your case, you could pay an advance hosting charge that covers at least the longest validity length for the user certificates you emit.
The day you go bust, you close the enrolment URLs, and the rest runs on its own until the end of the already paid period.
You could have an arrangement with some people/institution, so that they will check it stays in working order.
It should be possible to find a solution that way, where these people would just have to be able to do some basic maintenance, *not* correct bugs, and would not pay any hosting charge.
_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
