A Layered Revocation Resilience Model: CRL, OCSP, and Bounded Fail-Open Policy in Internet-Scale PKI
Abstract
Certificate revocation is a critical yet structurally fragile component of Public Key Infrastructure. While the cryptographic mechanisms for revoking trust are well specified, their real-world effectiveness depends on factors that extend well beyond protocol design: network availability, infrastructure reachability, client-side implementation behavior, and the operational realities of distributed systems at Internet scale. This article examines certificate revocation through a resilience-oriented lens, proposing a layered model that integrates Certificate Revocation Lists (CRLs), the Online Certificate Status Protocol (OCSP), and bounded fail-open behavior as complementary trust signals rather than competing alternatives. Within this architecture each mechanism contributes a distinct, non-substitutable property. CRLs provide durable, cacheable baseline coverage that remains usable across infrastructure interruptions, because a cached list continues to answer "is this serial listed?" when the distribution point is unreachable. OCSP delivers higher temporal fidelity when the responder is reachable, and OCSP stapling further reduces latency and the client's dependency on the responder. Bounded fail-open behavior handles the residual uncertainty through explicit, policy-driven eligibility conditions (for example, limits on how stale the cached CRL or the last "good" OCSP response may be, and classes of certificates for which fail-open is never permitted) rather than the silent soft-fail defaults common in deployed clients. Together, these layers allow trust evaluation to degrade gracefully under partial failure. The model reframes revocation from a binary enforcement problem into a resilience challenge, one in which the objective is not to eliminate uncertainty but to make it explicit, bounded, and manageable. The architectural trade-offs among security enforcement, availability continuity, and trust predictability are examined as first-class design considerations relevant to modern PKI deployments.
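The following is an added illustration of the layered decision the abstract describes; it is not code from the article and the article specifies no particular data structures or thresholds. It models a cached CRL, an OCSP response (stapled or fetched), and a fail-open policy as plain dataclasses and walks the three layers in order: a CRL hit or an OCSP "revoked" is always authoritative, a fresh OCSP "good" yields a positive verdict, and anything else is admitted only if every fail-open eligibility condition holds, with the reason recorded so the uncertainty is explicit rather than silent. The `FailOpenPolicy` fields, the `Verdict` enum, the serial numbers and the timestamps in `demo_scenarios()` are all assumptions constructed for the example.

```python
"""Layered revocation verdict: CRL baseline, OCSP freshness, bounded fail-open.

Added illustration, not the article's code. Thresholds, field names and the
sample scenarios are assumptions made for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional, Tuple


class Verdict(Enum):
    GOOD = "good"                # positively not revoked, from a fresh source
    REVOKED = "revoked"          # an authoritative source says revoked
    FAIL_OPEN = "fail-open"      # accepted only because every policy bound was met
    FAIL_CLOSED = "fail-closed"  # rejected: uncertainty exceeds the policy bounds


@dataclass(frozen=True)
class CRLSnapshot:
    """Cached CRL: the revoked serials plus the list's validity window."""
    revoked_serials: frozenset
    this_update: datetime
    next_update: datetime


@dataclass(frozen=True)
class OCSPResponse:
    """Parsed single OCSP response; status is "good", "revoked" or "unknown"."""
    status: str
    this_update: datetime
    next_update: datetime


@dataclass(frozen=True)
class FailOpenPolicy:
    """Eligibility conditions for tolerating uncertainty (assumed policy knobs)."""
    max_crl_overrun: timedelta      # how far past nextUpdate a cached CRL still counts
    max_ocsp_overrun: timedelta     # how far past nextUpdate an OCSP "good" still counts
    high_value_serials: frozenset   # certificates that must never fail open


def evaluate(serial: int, now: datetime, crl: Optional[CRLSnapshot],
             ocsp: Optional[OCSPResponse], policy: FailOpenPolicy) -> Tuple[Verdict, str]:
    """Return (verdict, reason). The reason makes the basis of acceptance explicit."""
    # Layer 1: CRL baseline. A listed serial is authoritative however old the list is:
    # revocation is monotonic, so a stale "revoked" never becomes wrong.
    if crl is not None and serial in crl.revoked_serials:
        return Verdict.REVOKED, "serial listed in cached CRL"

    # Layer 2: OCSP. "revoked" is authoritative; "good" counts only while fresh.
    if ocsp is not None:
        if ocsp.status == "revoked":
            return Verdict.REVOKED, "OCSP responder reports revoked"
        if now < ocsp.this_update:
            return Verdict.FAIL_CLOSED, "OCSP thisUpdate is in the future (clock skew?)"
        if ocsp.status == "good" and now <= ocsp.next_update:
            return Verdict.GOOD, "fresh OCSP good"

    # Layer 3: bounded fail-open. Every condition is explicit and yields a reason.
    if serial in policy.high_value_serials:
        return Verdict.FAIL_CLOSED, "high-value certificate requires a positive status"
    if crl is None:
        return Verdict.FAIL_CLOSED, "no CRL baseline available"
    if now < crl.this_update:
        return Verdict.FAIL_CLOSED, "CRL thisUpdate is in the future (clock skew?)"
    if now - crl.next_update > policy.max_crl_overrun:
        return Verdict.FAIL_CLOSED, "cached CRL too stale for fail-open"
    if ocsp is not None and ocsp.status == "good":
        if now - ocsp.next_update > policy.max_ocsp_overrun:
            return Verdict.FAIL_CLOSED, "expired OCSP good is beyond the grace window"
        return Verdict.FAIL_OPEN, "CRL baseline clean; expired OCSP good within grace"
    if ocsp is not None and ocsp.status == "unknown":
        # Responder has no record of the serial: treat as unavailable, but record it.
        return Verdict.FAIL_OPEN, "CRL baseline clean; OCSP status unknown"
    return Verdict.FAIL_OPEN, "CRL baseline clean; OCSP unavailable"


def demo_scenarios() -> dict:
    """Constructed scenarios (no real certificates, CRLs or responders)."""
    now = datetime(2024, 1, 1, 12, tzinfo=timezone.utc)
    h = timedelta(hours=1)
    policy = FailOpenPolicy(max_crl_overrun=24 * h, max_ocsp_overrun=6 * h,
                            high_value_serials=frozenset({0x3003}))
    crl = CRLSnapshot(frozenset({0x1001}), now - 1 * h, now + 23 * h)
    stale_crl = CRLSnapshot(frozenset({0x1001}), now - 80 * h, now - 48 * h)
    fresh_good = OCSPResponse("good", now - 1 * h, now + 3 * h)
    old_good = OCSPResponse("good", now - 10 * h, now - 2 * h)
    ancient_good = OCSPResponse("good", now - 30 * h, now - 8 * h)
    revoked = OCSPResponse("revoked", now - 1 * h, now + 3 * h)
    return {
        "crl_hit": evaluate(0x1001, now, crl, None, policy)[0],
        "ocsp_revoked": evaluate(0x2002, now, crl, revoked, policy)[0],
        "fresh_ocsp": evaluate(0x2002, now, crl, fresh_good, policy)[0],
        "no_ocsp": evaluate(0x2002, now, crl, None, policy)[0],
        "stale_ocsp_in_grace": evaluate(0x2002, now, crl, old_good, policy)[0],
        "stale_ocsp_past_grace": evaluate(0x2002, now, crl, ancient_good, policy)[0],
        "high_value_no_ocsp": evaluate(0x3003, now, crl, None, policy)[0],
        "stale_crl_no_ocsp": evaluate(0x2002, now, stale_crl, None, policy)[0],
        "no_crl_no_ocsp": evaluate(0x2002, now, None, None, policy)[0],
    }


if __name__ == "__main__":
    for name, verdict in demo_scenarios().items():
        print(f"{name:24s} {verdict.value}")
```

The ordering is the point: the cheapest and most durable signal (the cached CRL) is consulted first and can only ever add a revocation, OCSP can add a revocation or a time-bounded positive confirmation, and the fail-open layer never runs without a CRL baseline that is within its staleness bound. A real validator would also bind the cached CRL and OCSP response to the issuer (signature and issuer key hash) before trusting them, and would surface the reason string into logs or metrics so that fail-open rates become observable.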