You could absolutely use a simple certificate revocation list instead of OCSP. I don't know how large that would be, though. It could run into problems if there was a Heartbleed-like issue that required revoking many certs.
All the extra connections are enough of an issue that there's OCSP stapling, where a web server attaches a copy of the OCSP check to the response.
Seems like it'd be possible to inject a file into Cool.app/Contents/ocsp.staple in a downloaded .dmg.
That could be considered valid for a few days so that, for the common case of "download app and try it out", there's no need to phone home.
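As an added example that is not part of the thread: the checks a client would have to run before trusting a stapled OCSP response shipped inside a bundle, written in Python against the `cryptography` package. Everything here is constructed for the demo (a throwaway CA that also acts as the OCSP responder, a leaf certificate named after the comment's Cool.app, the function names and a fixed clock); it shows that a staple is only as good as its signature and its validity window, so a well-formed staple signed by the wrong key or presented after `next_update` is refused.

```python
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID

NOW = dt.datetime(2024, 1, 1)  # constructed clock, naive UTC (what cryptography's accessors return)
def make_cert(subject, issuer, key, signer_key, is_ca):
    """Constructed helper: issue a minimal certificate for the throwaway demo PKI."""
    name = lambda cn: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    return (x509.CertificateBuilder().subject_name(name(subject)).issuer_name(name(issuer))
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW - dt.timedelta(days=1)).not_valid_after(NOW + dt.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(signer_key, hashes.SHA256()))
CA_KEY = ec.generate_private_key(ec.SECP256R1())  # the CA doubles as the trusted OCSP responder
CA_CERT = make_cert("Demo CA", "Demo CA", CA_KEY, CA_KEY, True)
LEAF_CERT = make_cert("Cool.app", "Demo CA", ec.generate_private_key(ec.SECP256R1()), CA_KEY, False)
def make_staple(valid_days, signer_key=CA_KEY, signer_cert=CA_CERT):
    """DER OCSP response of the kind a bundle could carry, saying LEAF_CERT is GOOD for valid_days."""
    resp = (ocsp.OCSPResponseBuilder()
            .add_response(cert=LEAF_CERT, issuer=CA_CERT, algorithm=hashes.SHA256(),
                          cert_status=ocsp.OCSPCertStatus.GOOD, this_update=NOW,
                          next_update=NOW + dt.timedelta(days=valid_days),
                          revocation_time=None, revocation_reason=None)
            .responder_id(ocsp.OCSPResponderEncoding.NAME, signer_cert)
            .sign(signer_key, hashes.SHA256()))
    return resp.public_bytes(serialization.Encoding.DER)
def forged_staple(valid_days):
    """A well-formed staple signed by a key the client does not trust (the injected-file case)."""
    key = ec.generate_private_key(ec.SECP256R1())
    return make_staple(valid_days, key, make_cert("Rogue", "Rogue", key, key, True))
def check_staple(der, age_days=0):
    """Client-side acceptance check, evaluated age_days after NOW. Returns (accepted, reason)."""
    now = NOW + dt.timedelta(days=age_days)
    resp = ocsp.load_der_ocsp_response(der)
    try:  # verify the signature with the trusted responder key before reading anything else
        CA_KEY.public_key().verify(resp.signature, resp.tbs_response_bytes, ec.ECDSA(resp.signature_hash_algorithm))
    except Exception:
        return False, "not signed by the trusted responder"
    if resp.serial_number != LEAF_CERT.serial_number:
        return False, "staple covers a different certificate"
    start, end = ((getattr(resp, f + "_utc", None) or getattr(resp, f)).replace(tzinfo=None)
                  for f in ("this_update", "next_update"))  # tolerate old and new accessor names
    if not start <= now <= end:
        return False, "outside the staple's validity window"
    if resp.certificate_status != ocsp.OCSPCertStatus.GOOD:
        return False, "certificate revoked"
    return True, "ok"
```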