Certificate revocation has been broken from the beginning. Not only do you need to worry about careless CAs, but stealing certs is way too easy given the security state of web applications. Other important parts of SSL are also broken, such as the ability to delegate and trust a particular cert only on your subdomains.
I wish we could just use DNSSEC for this, but things move very slowly. While I understand the concern that DNS is not identity, I strongly believe that is not the common use case. I am much more often concerned that the certificate I am presented with is legitimate for "lwn.net", than that it belongs to "Eklektix Inc."