
As an Apache user, I’ve yet to look into enabling OCSP stapling, so thanks for this informative post. I presume the developer you are referring to is (one of) the developers of mod_ssl. I found the bug report[1] where the Apache developers state that they won’t enable stapling by default because “it would enable a "phoning home" feature (to the CA's OCSP responders) as a side effect of configuring a certificate”. That seems reasonable to me. However, the other behaviour that you’ve mentioned seems less so. Do you have any references (mailing list discussions, links to bug reports, etc.) for this?

By the way, your opening line should probably be edited to say something like “which is bad news if anybody's private key gets stolen or misused and they need to revoke the corresponding key(s)”. Most readers of this discussion will know what you mean, but some who are still learning about PKI may be confused.

[1] https://bz.apache.org/bugzilla/show_bug.cgi?id=50740#c20




Wikipedia has a good description of what OCSP Stapling is[1] and how it works. When I read the Apache project's WONTFIX reason, I presumed that it was related to how plain OCSP requires the client to "phone home" in order to check whether a certificate has been revoked or not – which has implications for the privacy of the browser.

However, now that I know OCSP Stapling works (the web server caches and proxies time-stamped OCSP responses that are signed by the CA), the Apache position is much less reasonable. As a Let’s Encrypt user, I “phone home” every couple of months to renew my X.509 key and certificate. That’s not a privacy concern for me or anyone else who happens to browse my site.

I also found a good article by Hanno Böck[2] which provides more details on how OCSP Stapling is thoroughly broken on Apache (as described by tialaramex).

[1] https://en.wikipedia.org/wiki/OCSP_stapling

[2] https://blog.hboeck.de/archives/886-The-Problem-with-OCSP-St...
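The comments above describe what stapling should look like from the outside: the server hands the client a CA-signed, time-stamped OCSP response during the TLS handshake, so no client-side "phone home" is needed. A practical way to verify that a server (Apache or otherwise) actually does this is `openssl s_client -status`, which prints the stapled response if one was sent. The script below is an added example and is not code from either commenter or from the Apache project; it parses that output into a one-word verdict so the check can be scripted, and the two sample outputs embedded in it are constructed to mirror the format `openssl s_client -status` prints, not captured from any real host. The `check_host` helper assumes `openssl` is in `PATH` and needs network access; the parser itself runs offline.

```shell
#!/bin/sh
# check_stapling.sh: classify the OCSP stapling status of a TLS server
# from the output of `openssl s_client -status`.
#
# Verdicts printed by parse_stapling:
#   none            server sent no stapled OCSP response at all
#   stapled:good    a CA-signed response was stapled and the cert is good
#   stapled:revoked a response was stapled and it says the cert is revoked
#   error:<status>  a responder error (e.g. trylater) was stapled instead
#   unknown         output did not contain any recognisable OCSP section

# Constructed sample: what openssl prints when a good response is stapled
# (trimmed to the lines the parser cares about; not a real capture).
SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Cert Status: good
    This Update: Jul 20 00:00:00 2025 GMT
    Next Update: Jul 27 00:00:00 2025 GMT
======================================
'

# Constructed sample: server that does not staple at all.
SAMPLE_NONE='CONNECTED(00000003)
OCSP response: no response sent
---
Certificate chain
 0 s:CN = example.invalid
'

# Constructed sample: a responder error stapled instead of a real answer.
SAMPLE_ERROR='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: trylater (0x3)
======================================
'

# Read `openssl s_client -status` output on stdin, print one verdict line.
parse_stapling() {
    awk '
        /^OCSP response: no response sent/ { print "none"; found = 1; exit }
        /OCSP Response Status:/ {
            # Anything other than "successful" is a responder error status;
            # keep just the status word (e.g. "trylater").
            if ($0 !~ /successful/) {
                sub(/^[ \t]*OCSP Response Status: /, "")
                sub(/ .*/, "")
                print "error:" $0; found = 1; exit
            }
        }
        /^[ \t]*Cert Status:/ { print "stapled:" $3; found = 1; exit }
        END { if (!found) print "unknown" }
    '
}

# Live check against a host (assumption: openssl in PATH, network reachable).
# Usage: check_host example.org [port]
check_host() {
    host=$1
    port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" -status \
        </dev/null 2>/dev/null | parse_stapling
}

# Convenience wrappers so the constructed samples can be classified by name.
verdict_for_sample() {
    case $1 in
        stapled) printf '%s' "$SAMPLE_STAPLED" | parse_stapling ;;
        none)    printf '%s' "$SAMPLE_NONE"    | parse_stapling ;;
        error)   printf '%s' "$SAMPLE_ERROR"   | parse_stapling ;;
        *)       echo unknown ;;
    esac
}

# Stand-alone run: classify the three constructed samples.
for s in stapled none error; do
    printf '%s -> %s\n' "$s" "$(verdict_for_sample "$s")"
done
```

Only `stapled:good` is the outcome a client benefits from; `none` means the client falls back to its own revocation behaviour, and an `error:` verdict means the server stapled a responder failure rather than a signed answer, which is worth alerting on if the certificate carries the OCSP Must-Staple extension.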



