diff --git a/keystone/common/policies/token_revocation.py b/keystone/common/policies/token_revocation.py
index 1c2f81b036..28d17b08da 100644
--- a/keystone/common/policies/token_revocation.py
+++ b/keystone/common/policies/token_revocation.py
@@ -10,10 +10,18 @@
 # License for the specific language governing permissions and limitations
 # under the License.
 
+from oslo_log import versionutils
 from oslo_policy import policy
 
 from keystone.common.policies import base
 
+DEPRECATED_REASON = """
+The identity:revocation_list policy isn't used to protect any APIs in keystone
+now that the revocation list API has been deprecated and only returns a 410 or
+403 depending on how keystone is configured. This policy can be safely removed
+from policy files.
+"""
+
 token_revocation_policies = [
     policy.DocumentedRuleDefault(
         name=base.IDENTITY % 'revocation_list',
@@ -25,7 +33,11 @@ token_revocation_policies = [
         scope_types=['system', 'project'],
         description='List revoked PKI tokens.',
         operations=[{'path': '/v3/auth/tokens/OS-PKI/revoked',
-                     'method': 'GET'}])
+                     'method': 'GET'}],
+        deprecated_for_removal=True,
+        deprecated_since=versionutils.deprecated.TRAIN,
+        deprecated_reason=DEPRECATED_REASON
+    )
 ]
 
 
diff --git a/releasenotes/notes/bug-1818845-05f8c3af5ea9abc7.yaml b/releasenotes/notes/bug-1818845-05f8c3af5ea9abc7.yaml
new file mode 100644
index 0000000000..9c6048d240
--- /dev/null
+++ b/releasenotes/notes/bug-1818845-05f8c3af5ea9abc7.yaml
@@ -0,0 +1,9 @@
+---
+deprecations:
+  - |
+    [`bug 1818845 `_]
+    The ``identity:revocation_list`` policy has been deprecated for removal.
+    This policy didn't actually protect the revocation list API since that API
+    is unenforced and unprotected. It only returns an ``HTTP 410`` or ``HTTP
+    403`` depending on how keystone is configured. This policy can be safely
+    removed.
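Review bot: `DEPRECATED_REASON` tells operators the rule can be removed from policy files but does not state the consequence that matters for a policy audit: an override of `identity:revocation_list` in a policy file has no effect on what the endpoint returns, since the same text says the policy protects no API; appending `Overriding this rule in a policy file does not change the 410 or 403 response of the deprecated API.` to the string would make that explicit in the warning oslo.policy emits. The same applies to the second hunk of this file, where `description='List revoked PKI tokens.'` is kept unchanged although the endpoint no longer serves that listing, so a one-clause addition such as `(deprecated; the API no longer returns a list)` would keep the generated sample policy from overstating what the rule covers. On style, the new close `deprecated_reason=DEPRECATED_REASON` followed by `)` on its own line replaces the single-line close `'method': 'GET'}])` that the hunk removes; keeping `deprecated_reason=DEPRECATED_REASON)` on one line matches the file's existing form. The `policy.DocumentedRuleDefault(` call starts before the second hunk and continues after the first, so its remaining arguments are not visible here.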