Clients are off the net all the time, for a large number of reasons. The relying party decisions are often time critical -- need to be made now, not 2 hrs from now when the router is fixed and the remote OCSP responder is visible again.
If a client is off the net, it is not going to be easy to validate a certificate on-line, because the client can only be sure of a certificate's status if that certificate is in the local CRL/OCSP cache. Hopefully, most certificates being used should be valid. Therefore, they won't be present in the local CRL.
Sorry to be responding to this a week later but I have to point out that attacks are not random events, they are often coordinated. That means, unless you KNOW an OCSP responder is down because of a hardware problem or something similar, then it could well be "not responding" PRECISELY because you, the relying party, are about to be asked to verify a newly compromised certificate. The point I'm trying to make is that from a security perspective it is foolish to assume the events "OCSP responder is inaccessible" and "asked to validate a compromised certificate" are independent events ... as soon as we assume that, we create a vulnerability that can be exploited.
Bob Cowles
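As an added illustration of the decision the thread argues about (not code from the list or its participants), this Python model shows a relying party that consults a fresh local CRL first and only falls back to the responder when the CRL is stale, with an explicit fail-open or fail-closed policy for an unreachable responder. The serial numbers, CRL contents and responder stubs are constructed for the example.

```python
"""Relying-party revocation decision: fresh local CRL first, then OCSP,
with an explicit policy for what happens when the responder is unreachable."""
from dataclasses import dataclass


@dataclass(frozen=True)
class CachedCRL:
    revoked: frozenset   # serials the CRL lists as revoked (constructed)
    next_update: int     # the CRL is usable as evidence only until this time


def responder_unreachable(serial):
    # Stand-in for an OCSP responder that cannot be reached right now.
    raise ConnectionError("OCSP responder unreachable")


def responder_live(serial):
    # Stand-in for a reachable responder; constructed status table.
    return "revoked" if serial == "CA-FE-42" else "good"


def decide(serial, crl, now, responder, fail_closed):
    """Return 'accept' or 'reject' for a certificate with the given serial."""
    # A fresh local CRL answers offline. A stale CRL is no evidence at all:
    # a certificate revoked after the CRL was issued is not listed in it.
    if crl is not None and now <= crl.next_update:
        return "reject" if serial in crl.revoked else "accept"
    try:
        status = responder(serial)
    except ConnectionError:
        # The point of the thread: soft-fail (fail_closed=False) treats an
        # unreachable responder as "good", so an outage that coincides with
        # a compromised certificate is accepted without any evidence.
        return "reject" if fail_closed else "accept"
    return "accept" if status == "good" else "reject"


if __name__ == "__main__":
    crl = CachedCRL(revoked=frozenset({"00-01"}), next_update=1000)
    # Fresh CRL: the offline client still gets a real answer under either policy.
    print(decide("AB-CD", crl, 500, responder_unreachable, fail_closed=True))
    # Stale CRL, compromised cert, responder down: only fail-closed rejects.
    print(decide("CA-FE-42", crl, 2000, responder_unreachable, fail_closed=False))
    print(decide("CA-FE-42", crl, 2000, responder_unreachable, fail_closed=True))
```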