Comment by ben509
4 years ago
You could absolutely use a simple certificate revocation list instead of OCSP. I don't know how large that would be, though. It could run into problems if there was a Heartbleed-like issue that required revoking many certs.
All the extra connections are enough of an issue that there's OCSP stapling, where a web server attaches a copy of the OCSP check to the response.
Seems like it'd be possible to inject a file into Cool.app/Contents/ocsp.staple in a downloaded .dmg.
That could be considered valid for a few days so that, for the common case of "download app and try it out", there's no need to phone home.
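As an added illustration of the design sketched in this comment (example code, not the commenter's and not Apple's tooling), the following Python uses the `cryptography` library to mint a constructed test CA, leaf certificate and OCSP response, then applies a local freshness policy to that stapled response before deciding whether a live OCSP query can be skipped. The three-day `MAX_STAPLE_AGE`, the certificate names and the 7-day responder window are all assumptions.

```python
import datetime as dt
from cryptography import x509
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
DAY, MAX_STAPLE_AGE = dt.timedelta(days=1), dt.timedelta(days=3)  # 3 days: assumed local reading of "a few days"

def make_cert(cn, key, issuer, signer, is_ca, now):
    """Constructed test PKI: self-signed CA when issuer is None, otherwise a CA-signed leaf."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    return (x509.CertificateBuilder().subject_name(name).issuer_name(issuer.subject if issuer else name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now - DAY).not_valid_after(now + 365 * DAY)
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(signer, hashes.SHA256()))

def make_staple(ca_cert, ca_key, leaf, this_update, next_update):
    """CA acting as its own OCSP responder; returns the DER bytes that would ship as the staple file."""
    return (ocsp.OCSPResponseBuilder()
            .add_response(cert=leaf, issuer=ca_cert, algorithm=hashes.SHA256(), cert_status=ocsp.OCSPCertStatus.GOOD,
                          this_update=this_update, next_update=next_update, revocation_time=None, revocation_reason=None)
            .responder_id(ocsp.OCSPResponderEncoding.HASH, ca_cert)
            .sign(ca_key, hashes.SHA256()).public_bytes(serialization.Encoding.DER))

def staple_is_usable(der, ca_cert, leaf, now, max_age=MAX_STAPLE_AGE):
    """(ok, reason): ok=True means the cached staple suffices and no live OCSP query is needed now."""
    resp = ocsp.load_der_ocsp_response(der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return False, "responder did not return a successful response"
    try:  # an altered or unsigned staple proves nothing, so verify the responder signature first
        ca_cert.public_key().verify(resp.signature, resp.tbs_response_bytes, ec.ECDSA(resp.signature_hash_algorithm))
    except InvalidSignature:
        return False, "signature does not verify against the CA"
    if resp.serial_number != leaf.serial_number or resp.certificate_status != ocsp.OCSPCertStatus.GOOD:
        return False, "staple is for another certificate, or the certificate is not GOOD"
    if resp.next_update is None or not (resp.this_update <= now <= resp.next_update):
        return False, "outside the responder's thisUpdate/nextUpdate window"
    if now - resp.this_update > max_age:  # the local cap behind "valid for a few days"
        return False, "older than the local max staple age; refresh online"
    return True, "fresh"

def demo():
    now = dt.datetime.now(dt.timezone.utc).replace(tzinfo=None, microsecond=0)  # naive UTC, like OCSP timestamps
    ca_key, leaf_key = ec.generate_private_key(ec.SECP256R1()), ec.generate_private_key(ec.SECP256R1())
    ca = make_cert("Example Dev CA", ca_key, None, ca_key, True, now)
    leaf = make_cert("Cool.app", leaf_key, ca, ca_key, False, now)
    staple = make_staple(ca, ca_key, leaf, now, now + 7 * DAY)  # constructed: responder grants a 7-day window
    return tuple(staple_is_usable(staple, ca, leaf, now + d * DAY)[0] for d in (1, 5, 10))  # (True, False, False)
```

The third check is the one the comment is really proposing: even while the responder's own window is still open, the client stops trusting the staple once it is older than the local cap and goes online instead.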