What would be the advantage compared to using OCSP and relying on the validity duration of the answer?
If the website uses OCSP stapling, with Certbot 1.3.0, which checks the OCSP answer, I think any downtime can be avoided:
- When the certificate is expired, until the new OCSP (revoked) answer is signed, the server can still serve the previous valid OCSP answer
- The OCSP revoked answer is published
- Certbot detects it and renews the certificate
- During that time the server continues to provide the old valid OCSP response
If the server fetches a fresh OCSP response every day and runs Certbot every day, when the certificate is revoked the server then has around six days to renew it (because fresh OCSP responses are signed daily and are valid 7 days: OCSP server update frequency and/or schedule?)
I feel it's better for the ecosystem to improve OCSP stapling than to extend the ACME protocol in that case (but both solutions can be complementary!): https://letsencrypt.org/fr/docs/integration-guide/#implement-ocsp-stapling
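As an added example (not code from the post, Certbot or Let's Encrypt), here is a small Python model of the timeline described above: a responder that signs a fresh response daily with a seven-day validity, a server that refetches its staple daily and keeps its last "good" response once the fresh one reports revocation, and the resulting time left to renew. The daily/seven-day figures and the signing and fetch times are assumptions taken from the post.

```python
# Assumed schedule, taken from the post's description (all values constructed, in hours):
SIGN_EVERY = 24        # the OCSP responder signs a fresh response once a day
VALID_FOR = 7 * 24     # each response is valid for seven days
FETCH_EVERY = 24       # the web server refreshes its stapled response once a day


def responder_schedule(first_signing, revoked_at, until):
    """Constructed responder: one response per day. Responses signed after the
    revocation is published say 'revoked'; earlier ones say 'good'."""
    responses = []
    for t in range(first_signing, until + 1, SIGN_EVERY):
        status = "revoked" if t >= revoked_at else "good"
        responses.append({"this_update": t, "next_update": t + VALID_FOR, "status": status})
    return responses


def server_staples(responses, first_fetch, until):
    """Server fetches daily and takes the newest response already signed at
    fetch time. As the post describes, it keeps serving its last 'good'
    response when the fresh one says 'revoked'. Returns [(fetch_time, staple)]."""
    staple, history = None, []
    for t in range(first_fetch, until + 1, FETCH_EVERY):
        signed = [r for r in responses if r["this_update"] <= t]
        latest = max(signed, key=lambda r: r["this_update"], default=None)
        if latest is not None and latest["status"] == "good":
            staple = latest
        history.append((t, staple))
    return history


def renewal_window(revoked_at, first_signing=0, first_fetch=6):
    """Hours after revocation during which the server's cached 'good' staple
    is still within its validity, i.e. the time left to renew the certificate."""
    until = revoked_at + 2 * VALID_FOR
    history = server_staples(responder_schedule(first_signing, revoked_at, until),
                             first_fetch, until)
    last_good = max((s for _, s in history if s is not None),
                    key=lambda r: r["next_update"])
    return last_good["next_update"] - revoked_at


if __name__ == "__main__":
    # Constructed timeline: signing at 00:00, fetching at 06:00, revocation at noon on day 10.
    hours = renewal_window(revoked_at=9 * 24 + 12)
    print(f"cached 'good' staple stays valid for {hours / 24:.1f} days after revocation")  # 6.5
```

Changing `revoked_at` to fall just before a signing run shrinks the window to a little over six days, which is the lower bound of the "around six days" figure above.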