OCSP Stapling

A TLS extension (RFC 6066) where the server periodically fetches a signed time-stamped OCSP response from the CA and attaches ('staples') it to the TLS handshake. The client can verify the stapled response without contacting the CA directly, eliminating the privacy leak of direct OCSP queries and removing the latency of a separate round trip to the CA's OCSP responder. Expired or absent stapled responses may cause browsers to perform a live OCSP check, and the OCSP Must-Staple certificate extension can require stapling as a hard requirement.