Would be cool to export the ca revocation signatures encrypted to a given cert
Presumably, the ca admin is also part of the ca user group (or at least his cert is nearby). Encrypting the revocation certificates for the ca's cert minimizes potential for (accidental) misuse.