OCSP is the preferred X.509 revocation mechanism. X.509 certificates
        can contain a URL from which can be fetched a signed response saying
        "this certificate is valid until $x" (where $x is usually 7 days in the
        future). These are called OCSP responses and they can also be included
        in the TLS handshake itself ("OCSP stapling")

R=rsc, r
CC=golang-dev
https://golang.org/cl/1875043