I'm currently setting up a PKI for my company and while I have come up with a good layout and planned the overall policy of certificate issuance, I'm still puzzled by what role the CRL plays.
By looking at other root CA certificates installed in browsers, we concluded that we could go without a revocation list for our root CA.
We also based it on the fact that our certificate chain will be installed in strictly firewalled and closed environments on our customer sites, which means retrieving the CRL from our HTTP site won't work.
Is it a bad idea not to include a CRL in the root? And would applications (IIS, IE, Firefox) behave badly or need additional configuration to work right?
I'm aware that by not having CRLs, I lose the ability to revoke a certificate, but this is currently not an issue. The question concerns the root; the subordinate CA would, or could, have a CRL, depending on the Class (Class 1 = production, Class 3 = testing etc.) according to our CP.
If you're willing to scrap the root CA completely in the event that it's used to issue a bad certificate, or an issued certificate is compromised, then it should be no problem.
If the certificate doesn't specify CRL distribution points, then (as far as I'm aware) browsers and other certificate validators should have no qualms about validating the certificate.
Even if an unreachable CDP is specified, browsers are very lax about allowing the certificate anyway; this is why the recent certificate authority compromises have prompted OS and browser vendors to issue patches blacklisting the certificates, instead of just trusting browsers to check the CRL properly.
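To see the behaviour the answer describes with a concrete validator, here is an added example (my own script, not code from the question, the answer or any product named above). It builds a throw-away two-tier PKI with the OpenSSL command line: a root CA whose certificate carries no CRL Distribution Point, an issuing CA and a leaf that advertise a CDP, and a CRL published by the issuing CA only. It then runs `openssl verify` in three modes to show which ones succeed when the root never publishes a CRL. The CA names, file paths and the CDP URL `http://pki.example.com/issuing.crl` are made-up assumptions, and OpenSSL 1.1.1 or newer is assumed.

```shell
#!/bin/sh
# Added example, not code from the original question or answer. Builds a
# throw-away two-tier PKI with the OpenSSL CLI: a root CA whose certificate
# has no CRL Distribution Point (CDP), an issuing CA and a leaf that do, and
# a CRL published by the issuing CA only. The verify_* functions then show
# which `openssl verify` modes succeed when the root never publishes a CRL.
# All names, file paths and the CDP URL are made-up assumptions; OpenSSL
# 1.1.1 or newer is assumed.

# Create the whole hierarchy in a fresh temporary directory and cd into it.
build_pki() {
    WORK=$(mktemp -d)
    cd "$WORK" || return 1

    # Root CA: self-signed, deliberately without a crlDistributionPoints
    # extension (the default CA:TRUE basicConstraints is all it gets).
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Example Root CA" -keyout root.key -out root.crt >/dev/null 2>&1

    # Issuing (subordinate) CA: signed by the root, advertises its own CDP.
    cat > issuing.ext <<'EOF'
basicConstraints=critical,CA:TRUE,pathlen:0
keyUsage=critical,keyCertSign,cRLSign
crlDistributionPoints=URI:http://pki.example.com/issuing.crl
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=Example Issuing CA" -keyout issuing.key -out issuing.csr >/dev/null 2>&1
    openssl x509 -req -in issuing.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -days 1825 -sha256 -extfile issuing.ext -out issuing.crt >/dev/null 2>&1

    # Leaf (server) certificate from the issuing CA, also carrying the CDP.
    cat > leaf.ext <<'EOF'
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
crlDistributionPoints=URI:http://pki.example.com/issuing.crl
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=app.example.com" -keyout leaf.key -out leaf.csr >/dev/null 2>&1
    openssl x509 -req -in leaf.csr -CA issuing.crt -CAkey issuing.key -CAcreateserial \
        -days 365 -sha256 -extfile leaf.ext -out leaf.crt >/dev/null 2>&1

    # An empty CRL signed by the issuing CA. The root publishes none, which
    # is exactly the situation the question asks about.
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca = issuing
[ issuing ]
database = index.txt
crlnumber = crlnumber
certificate = issuing.crt
private_key = issuing.key
default_md = sha256
default_crl_days = 30
EOF
    : > index.txt
    echo 01 > crlnumber
    openssl ca -config ca.cnf -gencrl -out issuing.crl >/dev/null 2>&1
}

# True if the certificate in $1 carries a CRL Distribution Points extension.
has_cdp() {
    openssl x509 -in "$1" -noout -text | grep -q 'X509v3 CRL Distribution Points'
}

# Plain path validation: no revocation checking is requested, so neither the
# missing root CRL nor the unreachable CDP URLs matter. Succeeds.
verify_default() {
    openssl verify -CAfile root.crt -untrusted issuing.crt leaf.crt >/dev/null 2>&1
}

# Leaf-only revocation checking with the issuing CA's CRL supplied locally
# (what a closed network would do instead of fetching the CDP URL). Only the
# leaf's issuer needs a CRL, so the root having none is fine. Succeeds.
verify_leaf_crl() {
    openssl verify -crl_check -CRLfile issuing.crl \
        -CAfile root.crt -untrusted issuing.crt leaf.crt >/dev/null 2>&1
}

# Full-chain revocation checking: the verifier also wants a CRL issued by the
# root to vouch for the issuing CA. The root never published one, so this
# fails with "unable to get certificate CRL".
verify_full_chain_crl() {
    openssl verify -crl_check_all -CRLfile issuing.crl \
        -CAfile root.crt -untrusted issuing.crt leaf.crt >/dev/null 2>&1
}

# Stand-alone demo.
build_pki
for f in root.crt issuing.crt leaf.crt; do
    if has_cdp "$f"; then echo "$f: has CDP"; else echo "$f: no CDP"; fi
done
for mode in verify_default verify_leaf_crl verify_full_chain_crl; do
    if "$mode"; then echo "$mode: OK"; else echo "$mode: FAILED"; fi
done
```

The third mode is the one to keep in mind: a validator that insists on revocation data for every certificate in the chain (OpenSSL's `-crl_check_all`, or any product configured the same way) will reject the chain because the root has no CRL at all, while the default and leaf-only modes do not care. In the firewalled sites the question describes, the `-CRLfile` step is the local substitute for fetching the CDP URL, so it is worth checking that the subordinate CA's CRL can be distributed there, even if the root has none.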