PKIs, if any, are not useful for authentication of consumable
credentials. The only merit of PK with a CA over a shared key with
a KDC is that no communication with the CA is necessary for every
transaction. However, it means that there is no entity to check
the amount of remaining credential. So, if an attacker has a
certificate to be used for a 1,000 USD transaction, the attacker
can use the certificate for 1,000 seconds, 1,000 times a second,
from 1,000 different locations, the total damage of which is
1,000,000,000,000 USD, for the personal benefit of the attacker or
for economic terrorism to ruin the worldwide economy.

It should be noted that CRLs are, because of obvious operational
issues, expected to be updated weekly or monthly and are quite
unlikely to be updated hourly, and even in that case CRLs cannot
prevent the attacks mentioned above.
Masataka Ohta
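
The replay described in the message above, as an added simulation
that is not part of the original post and not the author's code: a
certificate carrying a 1,000 USD limit is verified offline by many
independent merchants, each of which can check only the signature,
a periodically refreshed CRL snapshot and the per-transaction
limit, and the same limit is then tracked by a single online KDC
that debits a balance. The CA's signature is stood in for by an
HMAC under a key shared with the verifiers (an assumption made to
keep the script dependency-free; a real public-key signature gives
the same offline-verifiable property). The CA, the merchants, the
subject name and every number are constructed; the merchant count,
attack rate, duration and CRL refresh interval are parameters that
can be scaled toward the figures in the post.

```python
import hashlib
import hmac
import json

# Stand-in for the CA's signing key. An HMAC is used in place of a public-key
# signature so the script has no dependencies (assumption); what matters for
# the argument is only that a merchant can verify a certificate with no round
# trip to the CA, which holds for a real signature as well.
CA_KEY = b"constructed-ca-signing-key"


def issue_certificate(subject, limit_usd, serial):
    """CA signs (subject, spending limit, serial); constructed toy format."""
    body = {"subject": subject, "limit_usd": limit_usd, "serial": serial}
    payload = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(CA_KEY, payload, hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def verify_certificate(cert):
    """Offline check: signature only, no contact with the CA."""
    payload = json.dumps(cert["body"], sort_keys=True).encode()
    expected = hmac.new(CA_KEY, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, cert["sig"])


class CA:
    """Issues certificates and publishes a CRL that merchants fetch on a schedule."""
    def __init__(self):
        self.crl = set()

    def revoke(self, serial):
        self.crl.add(serial)


class OfflineMerchant:
    """Verifies locally against a cached CRL; it never learns what other
    merchants have already accepted on the same certificate."""
    def __init__(self, ca, crl_refresh_seconds):
        self.ca = ca
        self.crl_refresh_seconds = crl_refresh_seconds
        self.cached_crl = set()
        self.last_refresh = None

    def charge(self, cert, amount_usd, now):
        if self.last_refresh is None or now - self.last_refresh >= self.crl_refresh_seconds:
            self.cached_crl = set(self.ca.crl)  # snapshot; stale until next refresh
            self.last_refresh = now
        if not verify_certificate(cert):
            return False
        if cert["body"]["serial"] in self.cached_crl:
            return False
        # The only bound an offline verifier can enforce is the per-transaction limit.
        return amount_usd <= cert["body"]["limit_usd"]


class KDC:
    """Online authority holding the remaining balance of every subject."""
    def __init__(self):
        self.balance = {}

    def grant(self, subject, limit_usd):
        self.balance[subject] = limit_usd

    def debit(self, subject, amount_usd):
        if self.balance.get(subject, 0) >= amount_usd:
            self.balance[subject] -= amount_usd
            return True
        return False


def simulate_offline(locations, seconds, per_second, amount_usd,
                     crl_refresh_seconds, revoke_at=None):
    """Attacker replays one certificate at every merchant, per_second times a
    second, for `seconds` seconds. Returns total USD accepted."""
    ca = CA()
    cert = issue_certificate("attacker", amount_usd, serial=1)
    merchants = [OfflineMerchant(ca, crl_refresh_seconds) for _ in range(locations)]
    accepted = 0
    for now in range(seconds):
        if revoke_at is not None and now == revoke_at:
            ca.revoke(1)  # the CA notices the abuse and revokes the certificate
        for merchant in merchants:
            for _ in range(per_second):
                if merchant.charge(cert, amount_usd, now):
                    accepted += amount_usd
    return accepted


def simulate_online(locations, seconds, per_second, amount_usd):
    """Same replay, but every merchant asks one KDC to debit the balance."""
    kdc = KDC()
    kdc.grant("attacker", amount_usd)
    accepted = 0
    for _ in range(seconds):
        for _ in range(locations):
            for _ in range(per_second):
                if kdc.debit("attacker", amount_usd):
                    accepted += amount_usd
    return accepted


if __name__ == "__main__":
    # Scaled-down run: 100 locations, 100 seconds, 1 use per second, 1,000 USD limit.
    print("offline, no revocation:", simulate_offline(100, 100, 1, 1000, 50))
    print("offline, revoked at t=10, CRL refreshed every 50 s:",
          simulate_offline(100, 100, 1, 1000, 50, revoke_at=10))
    print("online KDC:", simulate_online(100, 100, 1, 1000))
```

With the scaled-down parameters the offline design accepts the
full 1,000 USD once per merchant per second until each merchant's
next CRL refresh, so even a revocation issued at second 10 still
leaves 50 seconds of accepted charges; the KDC design accepts
exactly one charge, because the single balance is debited on the
first use and every later attempt, at any location, is refused.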
