kingstnap 2 days ago

Revocation seems really nasty to deal with.

The whole chain of trust model is that your browser vouches for an authority that vouches for a website that everything is legit.

You can't just duct-tape on an idea like that cert for "www.xyz" is totally legit unless I takesies-backies'd my vouch at some point, so just double-check.

If you want that sort of "continuous" trust scheme, then what makes more sense is something like having short-lived certificates.