
The real solution here is OCSP Stapling (http://en.wikipedia.org/wiki/OCSP_stapling). It allows a server to present (i.e. 'staple') a signature specifying that the cert is still valid at the SSL handshake. Therefore, a legitimate connection with the server will also have the staple. The problem is that we need to make it standard to the point of "if the OCSP stapling is missing, then the cert should be rejected."
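The policy the comment argues for ("no staple, no connection") is something a client or a monitoring job can enforce today by looking at what the server sends in the handshake. The script below is an added example, not part of the comment or of any project it mentions: it applies a must-staple decision rule to the text that `openssl s_client -status` prints (the `OCSP response: no response sent`, `OCSP Response Status:` and `Cert Status:` lines are OpenSSL's real output format; the three sample transcripts are constructed here for illustration and were not captured from any real server).

```shell
#!/bin/sh
# Added example: enforce a must-staple rule over `openssl s_client -status` output.
# Accept only when a stapled OCSP response is present AND reports "good";
# a missing staple, an error response, or revoked/unknown status is rejected,
# which is exactly the failure-closed behaviour the comment asks for.

# check_staple OUTPUT -> 0 (accept) or 1 (reject)
check_staple() {
    out="$1"
    # No OCSP response was stapled at all: reject.
    case "$out" in
        *"OCSP response: no response sent"*) return 1 ;;
    esac
    # The responder must have answered successfully ...
    printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful' || return 1
    # ... and the certificate itself must be reported as good (not revoked/unknown).
    printf '%s\n' "$out" | grep -q 'Cert Status: good' || return 1
    return 0
}

# Live probe of a host (assumes openssl is installed; network access required).
# Usage: probe_host example.com
probe_host() {
    check_staple "$(openssl s_client -connect "$1:443" -servername "$1" -status \
                    </dev/null 2>/dev/null)"
}

# --- Constructed sample transcripts (not captured from real servers) ---
SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
======================================'

SAMPLE_MISSING='CONNECTED(00000003)
OCSP response: no response sent'

SAMPLE_REVOKED='OCSP response:
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: revoked'

# Stand-alone demonstration of the three cases.
for name in SAMPLE_STAPLED SAMPLE_MISSING SAMPLE_REVOKED; do
    eval "sample=\$$name"
    if check_staple "$sample"; then
        echo "$name: accept"
    else
        echo "$name: reject"
    fi
done
```

On the server side the staple has to be produced in the first place; with nginx that is the `ssl_stapling on;` and `ssl_stapling_verify on;` directives, and a probe like the one above run from outside catches the deployments where stapling silently stopped working.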

