In DOEGrids ... I am not sure about every other IGTF PKI however ... end entity certificates can revoke themselves. It's often done. For instance, when a security issue arose at one site, several customers revoked their own certificates until local problems were cleared up.
Why wouldn't we permit this idea to be extended to proxy certs? That is, why shouldn't a proxy cert be permitted to revoke itself? What conditions would speak against that?
It does cerate an interesting denial of service possibillity in that if I compromise a machine that has proxy certs going thru it, I can revoke all subsequent proxies for the whatever proxy certs I find on that machine. If a higher level had to do the revocation then I would have to know something about the proxy certs generated by apps using those proxies, and it would seem more difficult t get that information. BC