I see a problem: before you revoke the certificate, the kernel must be updated, or the machine won't boot.
But if it is a dual-boot system, then either Windows Update can update Linux and apt-get/yum can update Windows, or the other system will be made unbootable once the CRL is applied.
I guess that in principle it should be possible to store the kernels as EFI applications along with an update URL and do exactly that (and then have the kernel alone be capable of updating the rest of the system before it loads it), but I wonder if anyone really thought about this.
In addition, it won't be possible to install operating systems from disk media without an Internet connection, since the kernel on the disk would be almost surely revoked, but that's probably not such a huge concern.
IMHO this whole mess will just get disabled by anyone tech-savvy.
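The ordering problem raised above (revoke only after every boot binary the revocation hits has been updated) can be turned into a pre-flight check. As an added example that is not part of the comment or any project's code, this parses a dbx-style blob of `EFI_SIGNATURE_LIST` structures and reports which installed loaders it would revoke; the dbx bytes and loader hashes are constructed sample values, and real dbx SHA-256 entries are Authenticode hashes of the PE image, which is assumed to be computed elsewhere.

```python
import struct
import uuid

# Signature-type GUIDs defined by the UEFI specification
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")


def parse_signature_lists(blob):
    """Yield (type_guid, owner_guid, data) for every entry in a
    concatenation of EFI_SIGNATURE_LIST structures (the db/dbx layout)."""
    off = 0
    while off < len(blob):
        if len(blob) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])  # GUIDs are mixed-endian
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(blob):
            raise ValueError("bad SignatureListSize")
        pos, end = off + 28 + hdr_size, off + list_size
        if sig_size < 16 or (end - pos) % sig_size:
            raise ValueError("bad SignatureSize")
        while pos < end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            yield sig_type, owner, bytes(blob[pos + 16:pos + sig_size])
            pos += sig_size
        off = end


def revoked_boot_entries(dbx_blob, boot_entries):
    """boot_entries maps a loader name to its Authenticode SHA-256 (hex).
    Returns the names the dbx update would revoke, i.e. what stops booting."""
    revoked = {d for t, _, d in parse_signature_lists(dbx_blob) if t == EFI_CERT_SHA256_GUID}
    return sorted(n for n, h in boot_entries.items() if bytes.fromhex(h) in revoked)


def build_sha256_list(hashes_hex, owner=uuid.UUID(int=0)):
    """Build one EFI_SIGNATURE_LIST of SHA-256 entries (used for the sample)."""
    body = b"".join(owner.bytes_le + bytes.fromhex(h) for h in hashes_hex)
    hdr = EFI_CERT_SHA256_GUID.bytes_le + struct.pack("<III", 28 + len(body), 0, 48)
    return hdr + body


# Constructed sample: a dbx update and the hashes of the loaders present on disk
SAMPLE_DBX = build_sha256_list(["11" * 32, "22" * 32])
SAMPLE_BOOT = {"linux-vmlinuz.efi": "22" * 32, "windows-bootmgfw.efi": "33" * 32}

if __name__ == "__main__":
    print("update these before applying the dbx:", revoked_boot_entries(SAMPLE_DBX, SAMPLE_BOOT))
```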