If the certificate was issued with must-staple flag, then the server can refuse to connect if the handshake did not include an OCSP response.

web servers can refresh OCSP responses in the background and cache valid responses to add some tolerance against temporarily downtimes in the OCSP server.

▲

thayne 2 days ago | parent [-]

Right, but the vast majoriry of servers don't use must-staple certs. So browsers would need to do something (even if that something is not checking revocations) for all the other connections anyway.

It's really a chicken and egg problem. Browsers don't want to support must-staple because not enough servers use it. And servers don't use it, because browsers don't require it (or even implement it). And now CAs don't support it, because hardly anyone was using it.

Now if CAs started requiring must-staple, that might push it into widespread use. But that would cause a lot of disruption.

	▲	Dylan16807 a day ago \| parent [-]
		If you're willing to put in the effort to implement OCSP in the first place, why not take the couple percent extra time to add must-staple support? This seems like it would have been a very easy to solve chicken and egg problem.