The ability to quickly revoke a compromised key is critical to
the security of any public-key infrastructure. Regrettably, most
traditional certificate revocation schemes suffer from latency,
availability, or privacy problems. These problems are exacerbated
by the lack of a native delegation mechanism in TLS, which
increasingly leads domain owners to engage in dangerous practices
such as sharing their private keys with third parties.

We analyze solutions that address the long-standing delegation
and revocation shortcomings of the web PKI, with a focus on
approaches that directly affect the chain of trust (i.e., the
X.509 certification path). For this purpose, we propose a
19-criteria framework for characterizing revocation and
delegation schemes.  We also show that combining short-lived
delegated credentials or proxy certificates with an appropriate
revocation system would solve several pressing problems.