
Certificate revocation is a really interesting problem, because it's obviously vital but also pretty rare. Currently, to validate a certificate, every client has to walk through every certificate in the chain and ask for the CRL or make an OCSP query, just in case. It's incredibly wasteful and subject to all sorts of problems. It's really fun verifying file signatures on a machine with no direct internet access.

It would be nice to have a centralized push-based solution or something. I dunno, hard problem.
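The per-certificate lookup fan-out described above, as an added Go example that is not part of the thread: it mints a constructed leaf -> intermediate -> root chain (all CNs and AIA/CRL URLs are placeholders) and lists, for every certificate below the trust anchor, the OCSP responder and CRL endpoints a client would have to contact before it could trust the leaf.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue mints a certificate for cn signed by parent (self-signed when parent is nil); ocsp/crl become its AIA and CRL Distribution Points.
func issue(cn string, ca bool, ocsp, crl []string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	sn, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64)) // constructed serial
	tmpl := &x509.Certificate{SerialNumber: sn, Subject: pkix.Name{CommonName: cn}, IsCA: ca, BasicConstraintsValid: true,
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature,
		OCSPServer: ocsp, CRLDistributionPoints: crl}
	if ca { tmpl.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign }
	if parent == nil { parent, parentKey = tmpl, key } // root: signs itself with its own key
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// buildChain returns a constructed leaf -> intermediate -> root chain; every URL is a placeholder.
func buildChain() []*x509.Certificate {
	root, rootKey := issue("Example Root CA", true, nil, nil, nil, nil)
	inter, interKey := issue("Example Intermediate CA", true, []string{"http://ocsp.root.example/"}, []string{"http://crl.root.example/root.crl"}, root, rootKey)
	leaf, _ := issue("www.example.test", false, []string{"http://ocsp.inter.example/"}, []string{"http://crl.inter.example/inter.crl"}, inter, interKey)
	return []*x509.Certificate{leaf, inter, root}
}

// revocationQueries lists, per certificate below the trust anchor, every URL a client would have to
// hit (CRL download or OCSP query) to learn it is not revoked. The self-signed root is skipped: trusting
// the anchor is local policy, not a network lookup.
func revocationQueries(chain []*x509.Certificate) map[string][]string {
	out := map[string][]string{}
	for _, c := range chain {
		if c.CheckSignatureFrom(c) == nil { continue } // self-signed trust anchor
		out[c.Subject.CommonName] = append(append([]string{}, c.OCSPServer...), c.CRLDistributionPoints...)
	}
	return out
}

func main() {
	fmt.Println(revocationQueries(buildChain())) // one OCSP and one CRL endpoint per non-root certificate
}
```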



Doesn't OCSP stapling help / solve most of that?



