diff --git a/msp/mspimpl.go b/msp/mspimpl.go
index 4d6f7ed3c28..b2c4c62795a 100644
--- a/msp/mspimpl.go
+++ b/msp/mspimpl.go
@@ -629,7 +629,7 @@ func (msp *bccspmsp) SatisfiesPrincipal(id Identity, principal *m.MSPPrincipal)
 }
 if bytes.Equal(id.(*identity).cert.Raw, principalId.(*identity).cert.Raw) {
- return nil
+ return principalId.Validate()
 }
 return errors.New("The identities do not match")
diff --git a/msp/revocation_test.go b/msp/revocation_test.go
index 0499b1f3730..6faffb8c169 100644
--- a/msp/revocation_test.go
+++ b/msp/revocation_test.go
@@ -19,10 +19,11 @@ package msp
 import (
 "testing"
+ "github.com/hyperledger/fabric/protos/msp"
 "github.com/stretchr/testify/assert"
 )
-func TestRevocation(t *testing.T) {
+func getRevocationMSP(t *testing.T) MSP {
 // testdata/revocation
 // 1) a key and a signcert (used to populate the default signing identity);
 // 2) cacert is the CA that signed the intermediate;
@@ -36,6 +37,12 @@ func TestRevocation(t *testing.T) {
 err = thisMSP.Setup(conf)
 assert.NoError(t, err)
+ return thisMSP
+}
+
+func TestRevocation(t *testing.T) {
+ thisMSP := getRevocationMSP(t)
+
 id, err := thisMSP.GetDefaultSigningIdentity()
 assert.NoError(t, err)
@@ -43,3 +50,20 @@ func TestRevocation(t *testing.T) {
 err = id.Validate()
 assert.Error(t, err)
 }
+
+func TestIdentityPolicyPrincipalAgainstRevokedIdentity(t *testing.T) {
+ thisMSP := getRevocationMSP(t)
+
+ id, err := thisMSP.GetDefaultSigningIdentity()
+ assert.NoError(t, err)
+
+ idSerialized, err := id.Serialize()
+ assert.NoError(t, err)
+
+ principal := &msp.MSPPrincipal{
+ PrincipalClassification: msp.MSPPrincipal_IDENTITY,
+ Principal: idSerialized}
+
+ err = id.SatisfiesPrincipal(principal)
+ assert.Error(t, err)
+}
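Review bot: The new `return principalId.Validate()` in the byte-equality branch of SatisfiesPrincipal has no comment saying why a matching certificate is not enough, so a later cleanup could plausibly turn it back into `return nil`. I would add `// Equal bytes only prove it is the same certificate; it may still be revoked or otherwise invalid, so the principal is satisfied only if the identity validates.` directly above the return. The error from Validate is also returned as-is, so a caller cannot tell a rejected identity from the "The identities do not match" path without inspecting the text. The function body starts and ends outside this hunk, so it is worth confirming that the other principal classifications also reach a validation step before they return nil.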
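Review bot: The added import `"github.com/hyperledger/fabric/protos/msp"` brings a package named `msp` into a file that is itself `package msp`, which makes `msp.MSPPrincipal` in the new test read like a reference to the local package. The other file in this commit refers to the same type as `m.MSPPrincipal`, so it appears to import it under the alias `m`. Using the same alias here, `m "github.com/hyperledger/fabric/protos/msp"`, would keep the two files consistent.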
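Review bot: The closing `assert.Error(t, err)` in TestIdentityPolicyPrincipalAgainstRevokedIdentity passes on any failure, including a principal that fails to deserialize or the "The identities do not match" path, so the test does not show that the validation call is what rejected the revoked identity. Pinning the cause would make it a real regression test, for example `assert.Contains(t, err.Error(), "<expected revocation message>")`, where the placeholder stands for the message Validate returns, which is not visible in this diff. The earlier `assert.NoError` calls do not stop the test, so if GetDefaultSigningIdentity or Serialize fails the test continues with unusable values. Checking `err` and calling `t.Fatal(err)` there would surface the real setup failure.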