PKI: presence of CRL for a CA shall be verified on certificate validation
For now the presence of a CRL for each CA present in trusted or issuer certificates is verified on PKI creation and CA with missing CRLs are removed from the PKI. This behavior is not suitable for the backward compatibility of self-signed application certificate properties (part 6) which have the CA bit set to true. Indeed, we do not need CRL for this usage but since such a certificate might still be a root CA issuing certificates we are not able to identify those during PKI creation.
Note: there is a constraint on the pathLen self-signed CA certificate to have value 0 but it is still possible for that CA to issue leaf certificates which are not CA (in this latter case CRL will be necessary).
As a consequence, we shall verify the CRL presence during certificate validation for each certificate in the chain except the leaf certificate.