I just read news that fake SSL certificates were issued by Comodo CA, but more interestingly, browser updates were issued to blacklist the certificates. Why this was necessary since we already have a protocol for doing just that?
I found out from this post on the torproject blog that talks about how OCSP is not properly implemented in browsers:
The browsers treat revocation errors as soft errors and a MITM is deadly for revocation. The browsers believe they have to treat them as soft errors because the CAs are failing to do their job properly and are almost entirely unaccountable.
Here’s how some other browsers fare when OCSP fails.