Google's solution is to push CRLs directly to the client (well, the client pulls CRL updates, but you get the point):
http://www.imperialviolet.org/2012/02/05/crlsets.html

I agree that a combination of OCSP Response stapling plus pinning of the fact that the server does OCSP Response stapling would be nice. That's not quite what you propose. But in any case, it seems that it's getting late for OCSP to come to the rescue, though I really hope not. IMO OCSP always wanted to be stapled.

Nico

--
_______________________________________________
therightkey mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/therightkey
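The "staple plus pin the fact that the server staples" idea from the post above, sketched as a client-side policy. This is an added example, not code from the post or from any IETF draft: the store, the status strings and the 30-day pin lifetime are all constructed here. The security point it shows is the transition from the usual soft-fail (no response, connection proceeds) to a hard fail once a host has been observed stapling, so that an attacker who can block OCSP traffic can no longer turn a revoked certificate into a "no answer" case for that host.

```python
"""Client-side policy: pin 'this host staples OCSP' after first seeing a
staple, then hard-fail any later handshake from that host without one.
Added example for illustration; all names and values are hypothetical."""
from dataclasses import dataclass, field
from typing import Dict, Optional

DEFAULT_MAX_AGE = 30 * 86400  # constructed: keep a pin for 30 days after the last good staple


@dataclass
class StaplePin:
    last_seen: float  # time (seconds) of the last stapled 'good' response
    max_age: float    # seconds the pin stays valid without being refreshed


@dataclass
class StaplePinStore:
    pins: Dict[str, StaplePin] = field(default_factory=dict)

    def is_pinned(self, host: str, now: float) -> bool:
        """True if host has an unexpired pin; expired pins are dropped (HSTS-style max-age)."""
        pin = self.pins.get(host)
        if pin is None:
            return False
        if now - pin.last_seen > pin.max_age:
            del self.pins[host]
            return False
        return True

    def record(self, host: str, now: float, max_age: float) -> None:
        """Record or refresh the pin when a good stapled response is seen."""
        self.pins[host] = StaplePin(last_seen=now, max_age=max_age)


def evaluate_handshake(store: StaplePinStore, host: str,
                       stapled_status: Optional[str], now: float,
                       max_age: float = DEFAULT_MAX_AGE) -> str:
    """Decide what to do with a TLS handshake.

    stapled_status is a constructed abstraction of the OCSP response the server
    stapled: None (nothing stapled), 'good', 'revoked' or 'unknown'.
    Returns 'accept', 'reject' or 'soft_accept' (legacy soft-fail path where the
    client may still try to fetch OCSP itself).
    """
    if stapled_status == "revoked":
        return "reject"  # the stapled response itself says the cert is revoked
    if stapled_status == "good":
        store.record(host, now, max_age)  # server staples: remember that fact
        return "accept"
    # No staple, or an 'unknown' answer: behaviour depends on the pin.
    if store.is_pinned(host, now):
        return "reject"  # hard fail: this host is known to staple, absence is suspicious
    return "soft_accept"  # unpinned host: fall back to the usual soft-fail behaviour


if __name__ == "__main__":
    store = StaplePinStore()
    print(evaluate_handshake(store, "example.test", None, now=0))      # soft_accept
    print(evaluate_handshake(store, "example.test", "good", now=0))    # accept, pin recorded
    print(evaluate_handshake(store, "example.test", None, now=100))    # reject (hard fail)
```

The pin expiry mirrors how HSTS ages out its entries: a host that stops stapling permanently is unreachable for at most `max_age` after its last good staple, which is the availability cost of turning soft-fail into hard-fail.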
