As already stated, both OCSP and CRLs have the problem of not working when requests to those services are blocked, so they're actually bad solutions. We need to do better in terms of certificates/keys for encrypted communications (I'm not sure the word "secure" is even correct for those), and both OCSP and CRL are not good answers to CA breaches. One possible proposal for this is being described at https://kuix.de/mecai/
On the other topic, sandboxing is IMHO hyped more than it's actually useful. It's one reasonable idea of how to possibly prevent exploits from going worse, but 1) if you (in theory) don't have exploits in the first place, it's useless, and 2) there are a lot of security/privacy-relevant flaws where it has no effect at all, esp. in the area surrounding XSS. Also see http://hackademix.net/2012/02/16/sandboxes-are-overrated-... and stuff linked from there.