I have always been annoyed by OCSP being HTTP. It is really the fault of the standard that this is the way we revoke certificates. I basically agree that Apple should just be downloading revoked certificates and checking them locally. This is what we are doing at various SaaS companies that have to check these in order to avoid downtime. We have also mistakenly failed-closed. We now default to fail-open but customers have the option to change that if they are paranoid.