Pursuant to recent discussions, here is a draft design that
formalises and (as of initial draft) proposes some changes to
FreeIPA's certificate revocation behaviours.

Nothing is set in stone. Every change is up for debate. There are
some open questions (search for **TODO** and **QUESTION** in the
document). The general idea is to eliminate inconsistency,
redundancy, potential confusion, and command complexity in how
revocation is handled in IPA, so that the commands and behaviours
are easy for operators to understand.

With the creation of this design proposal and the corresponding
ticket, the ticket and PR that began the recent discussion have