Validation authority

[1] The dominant method used for this purpose is to host a certificate revocation list (CRL) that relying parties download over the HTTP or LDAP protocols.

To reduce the amount of network traffic required for certificate validation, the Online Certificate Status Protocol (OCSP) may be used instead: a client asks for the status of one certificate rather than downloading the whole list.

While a validation authority is capable of responding to a network-based request for a CRL, it lacks the ability to issue or revoke certificates; those operations remain with the certificate authority.

While the root CA itself is kept offline and unreachable over the network, certificates issued by it can always be verified via the validation authority and the protocols mentioned above.

The ongoing administrative overhead of maintaining the CRLs hosted by the validation authority is typically minimal, as root CAs seldom issue (or revoke) large numbers of certificates.
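The arrangement described above, as an added example that is not part of the original page: an offline root CA issues a leaf certificate and publishes a CRL, and a relying party validates the leaf against that CRL without ever contacting the root. All names, paths, lifetimes and the starting CRL number are constructed for the demo; it assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added example (not from the page): an offline root CA issues a leaf certificate and
# publishes a CRL; a relying party checks the leaf against that CRL without contacting
# the root. Names, paths, lifetimes and the CRL number below are constructed for the demo.
set -eu
WORK=$(mktemp -d); cd "$WORK"

# Root CA profile plus the 'openssl ca' database that tracks revocations and CRL numbers.
cat > ca.cnf <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[ dn ]
CN = Demo Offline Root CA
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = index.txt
crlnumber = crlnumber
certificate = root.crt
private_key = root.key
default_md = sha256
default_crl_days = 7
EOF
touch index.txt; echo 1000 > crlnumber  # empty issuance database; first CRL number (hex)

# 1. Root CA key and self-signed certificate; in production this key stays offline.
openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -keyout root.key -out root.crt -days 30 2>/dev/null
# 2. A leaf certificate signed by the root.
openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr -subj "/CN=demo.example" 2>/dev/null
openssl x509 -req -in leaf.csr -CA root.crt -CAkey root.key -CAcreateserial -sha256 -days 30 -out leaf.crt 2>/dev/null

# The CRL is the artifact a validation authority would host for HTTP/LDAP download.
publish_crl() { openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null; }
# Relying-party check using only the trust anchor and the published CRL.
# Returns 0 when the leaf chains to the root and is not listed as revoked.
verify_leaf() { openssl verify -crl_check -CAfile root.crt -CRLfile crl.pem leaf.crt >/dev/null 2>&1; }

publish_crl
BEFORE=0; verify_leaf || BEFORE=$?
echo "before revocation: exit $BEFORE (0 = accepted)"
openssl ca -config ca.cnf -revoke leaf.crt 2>/dev/null   # the CA marks the leaf revoked ...
publish_crl                                               # ... and publishes a fresh CRL
AFTER=0; verify_leaf || AFTER=$?
echo "after revocation: exit $AFTER (non-zero = rejected)"
```

The CRL carries a nextUpdate time (here seven days out), so the validation authority must republish before it lapses; a client that insists on CRL checking rejects the certificate once the only CRL it has is stale.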