Kelvin Yiu of Microsoft gave a very interesting presentation about MS strategy for managing revocation in Vista, which I think has some relevance for us. Among other things, he really pushed the lightweight OCSP profile (not sure if that is finished in IETF PKIX, but it is close). He also mentioned the use of TLS stapling - this is from RFC 3546 section 3.6 (http://www.ietf.org/rfc/rfc3546.txt), where an OCSP response is bundled into the TLS handshake. I hope the slide deck will be made available, but in lieu of that here are some of the best practices from KY's slides (paraphrased a bit):

- Use HTTP, not LDAP - better throughput, can cache
- Set ETag & Cache-Control
- Keep it simple: 1 OCSP & 1 CDP that is accessible
- Use overlapping validity periods
- Max-age should be less than the overlap period
- Support the lightweight OCSP profile for high-volume environments
- Pre-generate OCSP responses if security requirements permit - don't do real-time stuff
- Support stapling - push for it in new protocols
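To show why max-age has to stay under the overlap period, here is an added example (my code, not from the slides or from Microsoft) that derives the HTTP caching headers for a pre-generated OCSP response; the 7-day validity, 4-day publish interval, sample response bytes and thisUpdate value are constructed for illustration.

```python
import hashlib
from datetime import datetime, timedelta, timezone

# Constructed example values (not from the original message): the responder
# pre-signs each OCSP response for a 7-day window and publishes a fresh one
# every 4 days, so consecutive windows overlap by 3 days.
VALIDITY = timedelta(days=7)
PUBLISH_INTERVAL = timedelta(days=4)
THIS_UPDATE = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE_RESPONSE = b"constructed-der-ocsp-response-bytes"


def overlap_period(validity, publish_interval):
    """Window during which the old and the new pre-generated response are both valid."""
    overlap = validity - publish_interval
    if overlap <= timedelta(0):
        raise ValueError("a new response must be published before the old one expires")
    return overlap


def cache_headers(response_der, this_update, validity, publish_interval,
                  safety=timedelta(hours=1)):
    """HTTP headers for serving a pre-generated OCSP response over HTTP.

    max-age is kept below the overlap period so that a client which cached the
    old response just before its successor was published cannot keep using it
    past nextUpdate. The ETag lets caches revalidate cheaply once it expires.
    """
    overlap = overlap_period(validity, publish_interval)
    max_age = int((overlap - safety).total_seconds())
    if max_age <= 0:
        raise ValueError("overlap too short for the requested safety margin")
    next_update = this_update + validity
    return {
        "Cache-Control": f"max-age={max_age}",
        "ETag": '"' + hashlib.sha256(response_der).hexdigest()[:32] + '"',
        "Expires": next_update.strftime("%a, %d %b %Y %H:%M:%S GMT"),
    }


def cache_never_outlives_response(this_update, validity, publish_interval, headers):
    """Worst case: the client fetched one second before the successor was published."""
    max_age = int(headers["Cache-Control"].split("=")[1])
    fetched_at = this_update + publish_interval - timedelta(seconds=1)
    cache_expires = fetched_at + timedelta(seconds=max_age)
    return cache_expires < this_update + validity
```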