That sounds like a lot of extra steps. How do I validate the authenticity of a signing request? Should my signing machine be able to challenge the requester? (This means that the CA key is on a machine with network access!!)
Replacing the distribution of a revocation list with short-lived certificates just creates other problems that are not easier to solve. (Also, 1h is bonkers, even letsencrypt doesn't do it)
FWIW, when entering my CPGE [0] in France, our math teacher asked we forget everything about math except: natural numbers (0, 1, etc.), addition and multiplication. Everything needed to be scraped and "taught correctly", and it took only 2 years to get back up to speed (the entire program for the school year is available (in French): https://prepas.org/ups.php?entree=programmes).
Math is incredibly simple to build from scratch (as in: doesn't require a ton of knowledge) [1]. How long it takes for it to "click" though is another matter: I've had a very hard time with calculus and basic logic in first year, and thoroughly failed my second year.
I don't have a book to recommend though (everything was taught in class, no textbook); though I remember vaguely some books that others here do recommend.
I do it differently on my own DNS ad blocker: it returns the IP of my "happy" webserver that always returns `204 No Content`, whatever query you send to it. Of course, there's still the issue of https failing, but I've never had any performance issues - much more the opposite actually.
Replacing the distribution of a revocation list with short-lived certificates just creates other problems that are not easier to solve. (Also, 1h is bonkers, even letsencrypt doesn't do it)