Wikipedia:OCSP is the Online Certificate Status Protocol.
To understand why certificate revocation is important, read about Encryption, the most dramatic case being the recent corruption of Akamai keys because of a security flaw in OpenSSL on Debian.
Pulling validation
OCSP is a pull technology rather than push. Given a necessity to use a certification infrastructure (see also Encryption) it is better to have, than to have no revocation system at all.
Some aspects that may be worth criticizing:
- Privacy: You trust your certification authorities not to recycle your browsing habits for other purposes. Especially when you are exchanging data with your own or a friend's private HTTPS server, why should a CA know about that? Thus, OCSP shifts more power to the CAs.
- Paranoia: OCSP does not address the problem with most TLS clients not having persistent storage of certificates, thus any certification authority can issue fake man in the middle certificates allowing to impersonate the target service. OCSP would then request verification from the rogue CA rather than the one in charge of the service, making it useless in this scenario.
Pushing validation
If PSYC were a stable and established technology, it could serve as a notification infrastructure to provide all computers on earth with that extra information needed to know that a certificate is no longer valid.
Your browser would simply subscribe to a certification authority's revocation channel in a long-term relationship approach using PSYC's decentralized infrastructure, specifically it would maintain a connection/subscription to a close-by server node, either by UDP or TCP, which in turn handles the multicast channel subscription. Servers maintain a multicast infrastructure as PSYC servers usually do, no matter if based on TCP, UDP or even IP Multicast.
Since certificate revocations are rare, it should be enough to just subscribe to all revocations of an authority, rather than to subscribe to specific channels for certificates. This enhances your privacy in exchange for a little network noise of broken certificates that you aren't using anyhow.
To address the paranoia problem, you must still teach your web browser to store all certificates it works with and detect when a webserver is suddenly presenting another authority's certificate. Security cannot be volatile.
- On a side note, DNS wouldn't work for this, as DNS only scales when it caches information, and the fact that such a cache could be providing wrong information for hours or days defeats the usefulness of a certificate revocation system.
Realistically speaking
It is unlikely that a next step beyond OCSP will be of much interest when OCSP isn't even properly deployed yet, largely expected to become a viable solution and there are bigger problems on the Internet than the two pointed out above.
It is unlikely especially considering the large amount of effort necessary to make PSYC or a comparable technology stable, scalable and deployed enough to serve this purpose.
Still it is an interesting mental exercise to understand how many profound changes an established worldwide multicast infrastructure would bring to today's Internet, if people could realistically move beyond the HTTP pull paradigm to a multicast push paradigm. Making a better OCSP is just an example.