Problem with certificate validation with CRL?
Hi all,
we have two root CA keys:
1. CA1 with subject S1 issues certificates C1x and CRLs CRL1x from time T1 to T2
(validity of CA1 is from T1 to T3)
2. CA2 with subject S2 issues C2x and CRL2x from time T2 to T4 (validity of
CA2 is from T2 to T5)
T1 < T2 < T3 < T4 < T5
S1 != S2
T3 - T2 >= maximum validity of C1x (every issued C1x is always valid within the
validity time of CA1)
**** in time T1-T2 ****
C1x and CRL1x are issued (with CA1)
C1x has CRL Distribution Point CDP1
-- all is OK
**** in T2-T3 ****
C2x and CRL2x are issued (with CA2)
C2x has CDP2
CA1 doesn't issue CRL1x (see idea 1 below)
C2x is OK
-- *but* some C1x are still valid, and CDP1 is pointing to the *last* CRL1x!?
How can we resolve this problem?
My ideas are these, but I don't know which one is the best / conformant to the
RFC
in time T2-T3
1. issue CRL1x with CA1 and CRL2x with CA2
-- but for this I must issue two CRLs and must keep the CA1 private key! - this
is unworkable for us
-- Our policy is that the private key is destroyed after T2. The new CA2 key is
generated on HW.
2. CDP1 == CDP2
-- this is what we use, but when the validity of C1x is checked with CRL2x, Internet
Explorer fails! (the issuer of C1x and CRL2x is different!) I think that IE is
right!
- maybe we need to put a cRLIssuer into CDP1 of C1x and into CRL2x too. But how to do
it? (CDP1 must then be different from CDP2). Does IE support this? Is it
implemented in other applications?
3. don't put a CDP into any certificate
-- (:-<)
4. set S1 == S2
-- Does this help us? Will this work: two CA certs with the same subject and
different keys in one CA?
5. some other way
thanks for all advice
Martin
(excuse my easy English)
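The failure described under idea 2 (a CRL signed by S2 found at the distribution point of a certificate issued by S1) and the cRLIssuer variant the post asks about are governed by the CRL-matching rules of RFC 5280 section 6.3.3: without a cRLIssuer in the CDP, the CRL must come from the certificate's own issuer; with one, the CRL must come from that name and be flagged as an indirect CRL in its issuingDistributionPoint, and its entries carry the certificate issuer explicitly. The script below is an added illustration of those rules, not code from the original post or from any PKI product; the Cert and CRL classes, the distribution point name, the serial numbers and the names S1 and S2 are constructed sample data.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Cert:
    """The fields of an end-entity certificate that matter for CRL lookup (constructed model)."""
    serial: int
    issuer: str                       # subject name of the CA that signed it
    cdp: str                          # distributionPoint name of its CDP extension
    crl_issuer: Optional[str] = None  # cRLIssuer field of the CDP, if present


@dataclass(frozen=True)
class CRL:
    """A CRL as published at a distribution point (constructed model)."""
    issuer: str                          # name of the CA that signed the CRL
    idp: str                             # distributionPoint name of its issuingDistributionPoint
    revoked: FrozenSet[Tuple[str, int]]  # (certificate issuer, serial) entries
    indirect: bool = False               # indirectCRL flag of the IDP extension


def crl_applies(cert: Cert, crl: CRL) -> Tuple[bool, str]:
    """Decide whether `crl` may be used for `cert` (RFC 5280 6.3.3 (b)). Returns (applies, reason)."""
    # The CRL must be the one published at the certificate's distribution point.
    if crl.idp != cert.cdp:
        return False, "CRL distribution point does not match the certificate's CDP"
    if cert.crl_issuer is None:
        # No cRLIssuer: the CRL must be signed by the certificate's own issuer.
        # This is idea 2 as posted: CRL2x (signed by S2) sits at the CDP of a
        # certificate issued by S1, so a conforming verifier rejects it.
        if crl.issuer != cert.issuer:
            return False, "CRL issuer %r differs from certificate issuer %r" % (crl.issuer, cert.issuer)
        return True, "direct CRL from the certificate issuer"
    # cRLIssuer present: the CRL must come from that name and be an indirect CRL.
    if crl.issuer != cert.crl_issuer:
        return False, "CRL issuer %r is not the cRLIssuer %r named in the CDP" % (crl.issuer, cert.crl_issuer)
    if not crl.indirect:
        return False, "CRL is not marked indirectCRL in its issuingDistributionPoint"
    return True, "indirect CRL from the named cRLIssuer"


def revocation_status(cert: Cert, crls: Sequence[CRL]) -> Tuple[str, str]:
    """Return ('good' | 'revoked' | 'undetermined', reason) for cert against the available CRLs."""
    reasons: List[str] = []
    for crl in crls:
        ok, why = crl_applies(cert, crl)
        if not ok:
            reasons.append(why)
            continue
        # Entries of an indirect CRL name the certificate issuer explicitly via the
        # certificateIssuer entry extension (RFC 5280 5.3.3); entries of a direct CRL
        # implicitly belong to the CRL issuer. Both are modelled as (issuer, serial).
        if (cert.issuer, cert.serial) in crl.revoked:
            return "revoked", why
        return "good", why
    return "undetermined", "; ".join(reasons) or "no CRL available"


# Constructed sample data following the post's scenario (CDP1 == CDP2 as in idea 2).
CDP = "http://crl.example.test/ca.crl"
C1_IDEA2 = Cert(serial=101, issuer="S1", cdp=CDP)                             # idea 2 as posted
C1_WITH_CRLISSUER = Cert(serial=101, issuer="S1", cdp=CDP, crl_issuer="S2")   # idea 2 plus cRLIssuer
CRL1 = CRL(issuer="S1", idp=CDP, revoked=frozenset({("S1", 101)}))            # CRL1x, before T2
CRL2_INDIRECT = CRL(issuer="S2", idp=CDP, revoked=frozenset({("S1", 101)}), indirect=True)  # CRL2x carrying CA1's entry
CRL2_PLAIN = CRL(issuer="S2", idp=CDP, revoked=frozenset({("S1", 101)}))      # same, but not flagged indirect


if __name__ == "__main__":
    cases = [
        ("before T2, CRL1x available", C1_IDEA2, [CRL1]),
        ("after T2, idea 2 as posted", C1_IDEA2, [CRL2_INDIRECT]),
        ("after T2, cRLIssuer=S2, CRL2x not indirect", C1_WITH_CRLISSUER, [CRL2_PLAIN]),
        ("after T2, cRLIssuer=S2, CRL2x indirect", C1_WITH_CRLISSUER, [CRL2_INDIRECT]),
    ]
    for label, cert, crls in cases:
        status, reason = revocation_status(cert, crls)
        print("%-45s -> %-12s (%s)" % (label, status, reason))
```

Running it shows the progression the post is looking for: the direct CRL1x works before T2; after T2 the S2-signed CRL at the same point is rejected for a certificate whose CDP names no cRLIssuer; adding cRLIssuer = S2 to CDP1 is still not enough unless CRL2x is also marked indirectCRL and lists the S1-issued serial with its certificate issuer; with both in place, the C1x status is determined from CRL2x alone. Whether a given client actually implements the indirect-CRL path is a separate question that this model does not answer.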