
Offline Root CA with valid CRL hierarchy



Hi,

Hopefully somebody can help me out.

I want to create the following hierarchy:

An offline Root CA and 2 intermediate CAs which are directly issued by the
Root CA.

The following is the problem. Since the Root CA is offline, it cannot issue
CRLs on a frequent basis.
How can I then revoke one of the intermediate CAs?
As far as I know there are at least two possible scenarios.

1) The intermediate CA revokes itself. But that could be difficult in case
of a key compromise. And I wonder whether or not it is possible for a CA to
revoke itself????

2) The Root CA revokes the intermediate CAs.
But since this is an offline CA, this could be difficult. I cannot create a
constantly valid CRL as far as I know?
Solution a) could be that I create a CRL with an enormous time to live, which
I think is not the way to go because no application sees any reason to
retrieve a new CRL.
Solution b) could be that I let a different CA issue the CRL for the Root CA.
But this solution also has some problems, according to RFC 3280, par. 5.0:
"Conforming applications are NOT REQUIRED to support processing of delta
CRLs, indirect CRLs, or CRLs with a scope other than all certificates issued
by one CA."
And what if the CRL issuing CA is the CA that has to be revoked?

Could anybody help me out? How can I create a hierarchy with an offline Root
CA, which has a valid CRL structure?

Best regards,
Haaino
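
One concrete build of the hierarchy the post asks about, as an added shell example that is not part of the original message or of any reply in the thread: an offline root CA issues two intermediates and signs a root CRL whose nextUpdate lies a year ahead (option 2a above), then revokes one intermediate for key compromise and re-issues the CRL, and `openssl verify -crl_check` shows the revoked intermediate being rejected while the other still validates. The working directory, the CA names, the serial and CRL-number values and the CRL distribution point URI http://pki.example.test/root.crl are all hypothetical; only the openssl subcommands and options are real.

```shell
#!/bin/sh
# Added example: offline root CA, two intermediates, a long-lived root CRL,
# revocation of one intermediate and CRL re-issue. Names, paths and the CDP
# URI are hypothetical. Requires the openssl command-line tool.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }

WORK="${PKI_WORK:-$(mktemp -d)}"   # hypothetical scratch directory
ROOT="$WORK/root"                   # the root's files: on the offline host in real life
CFG="$WORK/root-ca.cnf"

# Minimal openssl.cnf for the root: the 'openssl ca' database, the extensions
# that mark an intermediate as a path-length-0 CA with a (hypothetical) CDP,
# and the CRL extensions.
setup_root_ca() {
    mkdir -p "$ROOT/newcerts"
    : > "$ROOT/index.txt"
    echo 1000 > "$ROOT/serial"
    echo 1000 > "$ROOT/crlnumber"
    cat > "$CFG" <<EOF
[ ca ]
default_ca = root_ca

[ root_ca ]
dir              = $ROOT
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/root.crt
private_key      = \$dir/root.key
default_md       = sha256
default_days     = 1825
default_crl_days = 365
unique_subject   = no
policy           = policy_cn
x509_extensions  = v3_intermediate
crl_extensions   = crl_ext

[ policy_cn ]
commonName = supplied

[ req ]
distinguished_name = req_dn

[ req_dn ]
commonName = Common Name

[ v3_root ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3_intermediate ]
basicConstraints       = critical, CA:TRUE, pathlen:0
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
crlDistributionPoints  = URI:http://pki.example.test/root.crl

[ crl_ext ]
authorityKeyIdentifier = keyid:always
EOF
    openssl genrsa -out "$ROOT/root.key" 2048 2>/dev/null
    openssl req -x509 -new -config "$CFG" -extensions v3_root -key "$ROOT/root.key" \
        -subj "/CN=Offline Root CA" -days 3650 -sha256 -out "$ROOT/root.crt"
}

# $1 = short name, $2 = CN. The root signs the CSR via 'openssl ca' so the
# certificate is recorded in index.txt, which is what -revoke and -gencrl read.
issue_intermediate() {
    openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
    openssl req -new -config "$CFG" -key "$WORK/$1.key" -subj "/CN=$2" -out "$WORK/$1.csr"
    openssl ca -batch -config "$CFG" -notext -in "$WORK/$1.csr" -out "$WORK/$1.crt"
}

# $1 = CRL validity in days. This is the interval at which the offline root
# must be brought up to sign a fresh CRL, whether or not anything was revoked.
issue_root_crl() {
    openssl ca -config "$CFG" -gencrl -crldays "$1" -out "$ROOT/root.crl"
}

# $1 = short name, $2 = CRL reason (e.g. keyCompromise). Revoking only updates
# the database; relying parties see nothing until a new CRL is signed.
revoke_intermediate() {
    openssl ca -config "$CFG" -revoke "$WORK/$1.crt" -crl_reason "$2"
    issue_root_crl 365
}

# Exit 0 only if $1 chains to the root and is absent from the root CRL.
verify_intermediate() {
    openssl verify -crl_check -CAfile "$ROOT/root.crt" -CRLfile "$ROOT/root.crl" "$WORK/$1.crt"
}

crl_next_update()   { openssl crl -in "$ROOT/root.crl" -noout -nextupdate; }
crl_revoked_count() { openssl crl -in "$ROOT/root.crl" -noout -text | grep -c 'Serial Number:' || true; }

demo() {
    setup_root_ca
    issue_intermediate ica1 "Intermediate CA 1"
    issue_intermediate ica2 "Intermediate CA 2"
    issue_root_crl 365                  # signed once at the root ceremony
    crl_next_update
    verify_intermediate ica1
    verify_intermediate ica2
    revoke_intermediate ica2 keyCompromise
    verify_intermediate ica1
    if verify_intermediate ica2; then
        echo "BUG: revoked intermediate still verifies" >&2; exit 1
    fi
    echo "revoked entries on root CRL: $(crl_revoked_count)"
}
demo
```

Run it with `sh`. The division of labour it models is the usual one for an offline root: root.key and the `openssl ca` database never leave the offline host, and only root.crt and the freshly signed root.crl are carried out and published at the CDP. The value passed to `-crldays` is a commitment: clients treat the CRL as usable until nextUpdate, so a compromised intermediate can only be pushed to relying parties as fast as a new CRL can be signed and published, which is why the interval is chosen to match how often the root can realistically be brought up.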