As far as I'm aware there was no technical solution for key revocation when the EU Covid Certificate was first launched in July. The only possibility I saw for revocation was to revoke the whole CA, instead of e.g CRL check.
Can you elaborate what makes you think that key revocation is built into the system?
AWS Elasticsearch was one of the last services which didn't support VPC until late 2017 [1], moreover if you had created a cluster without VPC support the migration is very cumbersome and application changes (to enable double writes) are required to execute it without any downtime [2].
HaveIBeenPwned now has feature set to find e-mail addresses which were breached under a domain, there is normally no need to search for separate aliases if you own the e-mail domain.
Can you elaborate what makes you think that key revocation is built into the system?