I have some user information ( with certificate ) ,like

cn = bob, dc= one, dc = two ,dc = org
sn: ..
userCertificate;binary::...
.. : ...

someday , if he would be revoked, should i move it to another entry ( replace a new dn ), like

cn = bob, dc = crl ,dc = two ,dc = org

or maybe I use the same entry , like

cn = bob, dc= one, dc = two ,dc = org
sn: ..
userCertificate;binary::...
.. : ...
revoked : true/false
revokeTime : ...

gtalk:freeespeech@gmail.com