Again nice idea, but PKI does not work that way. If my business had a scum employee who ran off with a private key for one of my certs signed by my CA (dated before 3/24/2013) who handed it to hackers before that date, it would still need some mechanism to be invalidated by a CRL to revoke the cert (even if counter-signed) prior to that date in the event of a defection of a trusted officer, with a way to issue a replacement cert.
Naturally. I don't see much alternative to that. The purpose of the extensions I want to see is to provide at least some protection against untrustworthy certificate authorities. Right now if honestbank.com uses certificates from a really good CA, but someone figures out how to get a careless CA (who's on the "trusted" list of many browsers) to issue a certificate for honestbank.com, most browsers would accept a new certificate from the careless CA without batting an eye. I would suggest that there should be a way by which an organization should suggest that any future certs from that organization will be signed using keys whose public half is contained in the old certs.
If a hacker steals a copy of the private keys for honestbank.com, it would be necessary to publish a revocation notice. I don't see any reason the entity requesting the revocation of its key shouldn't, in almost all cases, be able to sign with the old key a notice revoking the old key and assigning a new one. Such a notice should also be signed by a CA, of course. If for some reason an organization can't sign its revocation notices or new certs using its old ones, it should be able to provide public notice of this fact, as well as a means of ensuring that a claimed cert is valid.
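
The acceptance rule proposed in the post above, sketched from the client's side as an added example (not code from the thread or from any browser): a certificate with a changed key is accepted only if a trusted CA signed it and the previously seen key signed the new one. Ed25519 keys and the simple certificate objects stand in for X.509, and every name here (`issue`, `endorse`, `accept`, `GoodCA`, `CarelessCA`) is hypothetical.

```javascript
const nodeCrypto = require('crypto');

// Constructed stand-ins for X.509 (assumption): a "cert" is {host, subjectPub, caName, caSig}.
const newKey = () => nodeCrypto.generateKeyPairSync('ed25519');
const spki = (pub) => pub.export({ type: 'spki', format: 'der' });
const certBody = (host, pub) => Buffer.concat([Buffer.from(`cert\0${host}\0`), spki(pub)]);
const rollBody = (host, pub) => Buffer.concat([Buffer.from(`rollover\0${host}\0`), spki(pub)]);

// The CA signs the binding host -> subject public key.
function issue(caName, caPriv, host, subjectPub) {
  return { host, subjectPub, caName, caSig: nodeCrypto.sign(null, certBody(host, subjectPub), caPriv) };
}

// The holder of the old key vouches for its successor.
function endorse(oldPriv, host, newPub) {
  return nodeCrypto.sign(null, rollBody(host, newPub), oldPriv);
}

// Client decision: a CA signature is always required; a changed key also needs the old key's signature.
function accept(trustedCAs, pins, cert, rolloverSig) {
  const caPub = trustedCAs[cert.caName];
  if (!caPub || !nodeCrypto.verify(null, certBody(cert.host, cert.subjectPub), caPub, cert.caSig))
    return 'reject: no trusted CA signature';
  const pinned = pins.get(cert.host);
  if (!pinned) { pins.set(cert.host, cert.subjectPub); return 'accept: first use'; }
  if (spki(pinned).equals(spki(cert.subjectPub))) return 'accept: same key';
  if (rolloverSig && nodeCrypto.verify(null, rollBody(cert.host, cert.subjectPub), pinned, rolloverSig)) {
    pins.set(cert.host, cert.subjectPub);
    return 'accept: rollover signed by old key';
  }
  return 'reject: new key not signed by old key';
}

function demo() {
  const good = newKey(), careless = newKey(), bank1 = newKey(), bank2 = newKey(), other = newKey();
  const trusted = { GoodCA: good.publicKey, CarelessCA: careless.publicKey };
  const pins = new Map();
  const host = 'honestbank.com';
  const misissued = issue('CarelessCA', careless.privateKey, host, other.publicKey);
  return [
    accept(trusted, pins, issue('GoodCA', good.privateKey, host, bank1.publicKey)),
    // Valid chain from the careless CA, but no signature from the key seen before.
    accept(trusted, pins, misissued),
    // A rollover notice signed by any key other than the pinned one is refused too.
    accept(trusted, pins, misissued, endorse(other.privateKey, host, other.publicKey)),
    // Legitimate rollover: CA-signed and endorsed by the old key.
    accept(trusted, pins, issue('GoodCA', good.privateKey, host, bank2.publicKey),
           endorse(bank1.privateKey, host, bank2.publicKey)),
  ];
}
```

The sketch does not model CRL-based revocation or the public-notice fallback mentioned for an organization that can no longer sign with its old key.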