Why does a PKI need a means to cancel or invalidate certificates? Why is it not sufficient for the PKI to stop distributing a certificate after it becomes invalid?

What will be an ideal response?

Certificates can be forged or can have the private keys used to create them compromised. When such an event is discovered,any questionable certificates are added to certificate revocation lists; it is the duty of the system that checksa certificate for validity (e.g., the web browser) to also check the certificate revocation lists for that certificate. Certificates can have long lifespans (sometimes years) so, without the possibility of revocation, a compromised certificate could cause problems for a very long time.