Firefox skips OCSP checks for certificates with a lifetime of under 10 days. At this point, OCSP stapling becomes redundant: since the whole certificate will renew within days, an additional parameter that only serves to expire after a similar duration isn't very meaningful.
Ready's OCSP stapling check should allow certs with short lifetimes to automatically pass. Certain CAs support the ACME notBefore and notAfter parameters to control lifetimes (Sectigo's ZeroSSL and Google Trust Services are two examples), and can issue such short-lived certificates.
I'll share a PR with a (messy) PoC, but I don't know of any domains to test it with.
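One way such a short-lifetime exemption could look, as an added example written for this issue and not code from the Ready project: it parses `openssl x509 -noout -dates` output, compares the full issued lifetime (not the time remaining) against a 10-day cutoff matching Firefox's `security.pki.cert_short_lifetime_in_days` default, and returns a verdict that lets short-lived certificates bypass the stapling check. It also builds the ACME `notBefore`/`notAfter` fields for requesting such a certificate. The function names, the `Verdict` values and the sample date strings are assumptions constructed for the example.

```python
"""Short-lifetime exemption for an OCSP-stapling check.

Added example, not code from the Ready project. Assumed: the function
names, the 10-day cutoff (Firefox's security.pki.cert_short_lifetime_in_days
default) and the constructed sample certificate dates below.
"""
from datetime import datetime, timedelta, timezone
from enum import Enum

# Firefox does not fetch OCSP for certificates whose total validity is
# shorter than this; treat stapling as moot below the same cutoff.
SHORT_LIFETIME_DAYS = 10


class Verdict(Enum):
    PASS = "pass"          # stapled response present and acceptable
    FAIL = "fail"          # long-lived cert without a usable staple
    SKIPPED = "skipped"    # cert is short-lived; stapling is redundant


def parse_openssl_dates(text: str) -> tuple[datetime, datetime]:
    """Parse `openssl x509 -noout -dates` output into (notBefore, notAfter)."""
    fields = {}
    for line in text.splitlines():
        key, _, value = line.partition("=")
        if key in ("notBefore", "notAfter"):
            # openssl prints e.g. "Jan  1 00:00:00 2025 GMT" (day may be padded)
            parsed = datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y GMT")
            fields[key] = parsed.replace(tzinfo=timezone.utc)
    if len(fields) != 2:
        raise ValueError("missing notBefore/notAfter")
    return fields["notBefore"], fields["notAfter"]


def lifetime_days(not_before: datetime, not_after: datetime) -> float:
    return (not_after - not_before) / timedelta(days=1)


def is_short_lived(not_before, not_after, cutoff_days=SHORT_LIFETIME_DAYS) -> bool:
    # Compare the issued lifetime, not the remaining validity: a 90-day
    # cert in its final week is still a long-lived cert and still needs a staple.
    return lifetime_days(not_before, not_after) < cutoff_days


def check_ocsp_stapling(not_before, not_after, staple_ok: bool) -> Verdict:
    if is_short_lived(not_before, not_after):
        return Verdict.SKIPPED
    return Verdict.PASS if staple_ok else Verdict.FAIL


def acme_validity_window(days: int, start: datetime = None) -> dict:
    """Build the optional notBefore/notAfter fields for an ACME newOrder.

    Assumed: the CA honours these fields; many CAs ignore or reject them.
    """
    start = start or datetime.now(timezone.utc).replace(microsecond=0)
    end = start + timedelta(days=days)
    fmt = lambda d: d.strftime("%Y-%m-%dT%H:%M:%SZ")  # RFC 3339, UTC
    return {"notBefore": fmt(start), "notAfter": fmt(end)}


# Constructed sample output in `openssl x509 -noout -dates` format.
SHORT_CERT_DATES = "notBefore=Jan  1 00:00:00 2025 GMT\nnotAfter=Jan  7 00:00:00 2025 GMT\n"
LONG_CERT_DATES = "notBefore=Jan  1 00:00:00 2025 GMT\nnotAfter=Apr  1 00:00:00 2025 GMT\n"


def verdict_for(dates_text: str, staple_ok: bool) -> str:
    nb, na = parse_openssl_dates(dates_text)
    return check_ocsp_stapling(nb, na, staple_ok).value


if __name__ == "__main__":
    for name, text in (("short", SHORT_CERT_DATES), ("long", LONG_CERT_DATES)):
        nb, na = parse_openssl_dates(text)
        print(name, f"{lifetime_days(nb, na):.0f}d", verdict_for(text, staple_ok=False))
```

The 6-day sample is exempted regardless of whether a staple is present; the 90-day sample still fails without one. Whether the exemption should instead penalize a staple on a short-lived certificate, as suggested below, is a one-line change in `check_ocsp_stapling`.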
Perhaps Ready should actually penalize the use of OCSP stapling on short-lived certificates, as OCSP is unnecessary overhead when a cert is too short-lived for week-long revocation cycles to make sense.