by shog
4452 days ago
Maybe instead of failing silently, the browser should cease to function at all if it can't reach its OCSP data source for a public CA, and complain loudly - providing we can make revocation lookups cheap and highly available. It could be available via anycast akin to DNS, or p2p as gojomo suggests. Lots of places use DNS to operate blacklist/RBLs - some with very large datasets which would break the internet if they ever became unavailable.

You're no longer on "the internet", you're on some attacker-chosen & time-lagged subset... and you need to know that before connecting to sensitive sites.
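The soft-fail versus hard-fail distinction the comment is arguing about, as an added example that is not part of the thread: a constructed test CA, a leaf certificate, an OCSP responder that answers GOOD or REVOKED, and an on-path attacker that simply drops the lookup. The client builds a real OCSP request, verifies the responder's signature, and then applies either policy. It uses the `cryptography` package; the names `responder`, `blocked`, `check_revocation` and `decide` are this example's own, and nothing here touches the network.

```python
"""OCSP soft-fail vs hard-fail, simulated offline.

Added example, not from the thread.  Assumes the `cryptography` package;
CA, leaf, responder and attacker are all constructed in this file.
"""
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID

NOW = datetime.datetime.now(datetime.timezone.utc)


def make_cert(cn, key, issuer_cert=None, issuer_key=None, is_ca=False):
    """Self-sign (CA) or sign with the CA (leaf).  Constructed test PKI only."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    builder = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(issuer_cert.subject if issuer_cert else name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(NOW - datetime.timedelta(days=1))
        .not_valid_after(NOW + datetime.timedelta(days=30))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    return builder.sign(issuer_key or key, hashes.SHA256())


CA_KEY = ec.generate_private_key(ec.SECP256R1())
CA_CERT = make_cert("Example Test CA", CA_KEY, is_ca=True)
LEAF_KEY = ec.generate_private_key(ec.SECP256R1())
LEAF_CERT = make_cert("sensitive.example", LEAF_KEY, CA_CERT, CA_KEY)


def responder(revoked):
    """The CA's OCSP responder: a signed GOOD or REVOKED answer for LEAF_CERT."""
    def answer(request_der):
        req = ocsp.load_der_ocsp_request(request_der)
        assert req.serial_number == LEAF_CERT.serial_number
        status = ocsp.OCSPCertStatus.REVOKED if revoked else ocsp.OCSPCertStatus.GOOD
        builder = ocsp.OCSPResponseBuilder().add_response(
            cert=LEAF_CERT, issuer=CA_CERT, algorithm=hashes.SHA1(),
            cert_status=status,
            this_update=NOW, next_update=NOW + datetime.timedelta(hours=1),
            revocation_time=NOW - datetime.timedelta(hours=2) if revoked else None,
            revocation_reason=x509.ReasonFlags.key_compromise if revoked else None,
        ).responder_id(ocsp.OCSPResponderEncoding.HASH, CA_CERT)
        resp = builder.sign(CA_KEY, hashes.SHA256())
        return resp.public_bytes(serialization.Encoding.DER)
    return answer


def blocked(request_der):
    """On-path attacker drops OCSP traffic; the client only ever sees a timeout."""
    raise TimeoutError("no route to OCSP responder")


def check_revocation(fetch, leaf, issuer):
    """Return 'good', 'revoked' or 'unknown' (responder unreachable or unusable)."""
    req = ocsp.OCSPRequestBuilder().add_certificate(leaf, issuer, hashes.SHA1()).build()
    try:
        der = fetch(req.public_bytes(serialization.Encoding.DER))
    except (TimeoutError, OSError):
        return "unknown"
    resp = ocsp.load_der_ocsp_response(der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return "unknown"
    try:  # the answer must be signed by the issuer and must be about this cert
        issuer.public_key().verify(resp.signature, resp.tbs_response_bytes,
                                   ec.ECDSA(resp.signature_hash_algorithm))
    except InvalidSignature:
        return "unknown"
    if resp.serial_number != leaf.serial_number:
        return "unknown"
    return "good" if resp.certificate_status == ocsp.OCSPCertStatus.GOOD else "revoked"


def decide(policy, status):
    """Soft-fail treats 'unknown' as good; hard-fail (the comment's proposal) refuses."""
    if status == "good":
        return "connect"
    if status == "revoked":
        return "abort"
    return "connect" if policy == "soft-fail" else "abort"


def run_scenarios():
    """Both policies against an honest responder and against a blocked one."""
    fetchers = {
        "online,valid": responder(revoked=False),
        "online,revoked": responder(revoked=True),
        "blocked,revoked": blocked,  # cert is revoked, but the client cannot learn it
    }
    return {name: {p: decide(p, check_revocation(f, LEAF_CERT, CA_CERT))
                   for p in ("soft-fail", "hard-fail")}
            for name, f in fetchers.items()}


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(name, outcome)
```

The third scenario is the one the comment cares about: with the responder blocked, the soft-fail client connects to a certificate whose key is compromised, while the hard-fail client refuses and can tell the user why. Freshness checks on `next_update` are left out here to keep the example short; a real client must enforce them, or a blocked attacker could replay an old GOOD response instead of dropping the lookup.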