Comments: OCSP Stapling in OpenSSL and Apache


This sounds fine if there are only good people using the OCSP service.

But it would be a bad idea if Trudy is the person serving the SSL site today, knows the SSL cert might be revoked, but is still serving valid OCSP responses from his own webserver...

Isn't that right?

Posted by MizT at September 18, 2007 12:42 PM

The OCSP responses are signed by the CA; they can't pass on valid responses if the cert has been revoked.

Posted by Gerv at September 19, 2007 8:59 AM
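The point Gerv makes, played out with the openssl command line as an added example (this is not code from the original post or from either commenter): a CA key signs three OCSP responses for the same site certificate, one "good", one "revoked", and one "good" response signed by the site operator's own key, and a client that trusts only the CA accepts the first two and rejects the third. The CA name, the host name www.example.test, the operator Trudy, serial 0x1001, the revocation date and the scratch directory are all made up for the demo.

```shell
#!/bin/sh
# Added example, not part of the original post or comments. It uses the
# openssl command line only; all names (Example-Test-CA, www.example.test,
# Trudy, serial 0x1001, the WORK scratch directory) are made up for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Create a throwaway CA, a site certificate issued by it, and a self-signed
# certificate for Trudy, who runs the site but holds no CA key.
make_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj /CN=Example-Test-CA \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj /CN=www.example.test \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -set_serial 0x1001 -days 30 -out "$WORK/server.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj /CN=Trudy \
        -keyout "$WORK/trudy.key" -out "$WORK/trudy.pem" 2>/dev/null
}

# Write a one-line CA index in the format "openssl ca" keeps: status, expiry,
# revocation date (empty unless revoked), serial in hex, file name, subject.
# $1 = V (valid) or R (revoked), $2 = output path
write_index() {
    if [ "$1" = R ]; then rev=240601120000Z; else rev=; fi
    printf '%s\t301231235959Z\t%s\t1001\tunknown\t/CN=www.example.test\n' \
        "$1" "$rev" > "$2"
}

# Produce an OCSP response for the site certificate from index $1, signed with
# certificate $3 and key $4, written to $2. A stapling server would fetch such
# a response from the CA's responder and pass it on inside the TLS handshake.
sign_response() {
    openssl ocsp -index "$1" -CA "$WORK/ca.pem" -rsigner "$3" -rkey "$4" \
        -issuer "$WORK/ca.pem" -cert "$WORK/server.pem" -no_nonce \
        -respout "$2" -noverify >/dev/null
}

# Check a response the way a client does: trust only the CA, never the site.
# Prints "ok" or "fail" for the signature, then the status the response claims.
verdict() {
    out=$(openssl ocsp -respin "$1" -CAfile "$WORK/ca.pem" \
            -issuer "$WORK/ca.pem" -cert "$WORK/server.pem" -no_nonce 2>&1 || true)
    case "$out" in
        *"Response verify OK"*) v=ok ;;
        *) v=fail ;;
    esac
    s=$(printf '%s\n' "$out" | sed -n 's/.*server\.pem: //p' | head -n 1)
    echo "$v $s"
}

make_pki
write_index V "$WORK/index-valid.txt"
write_index R "$WORK/index-revoked.txt"

# 1. The CA says the certificate is good.
sign_response "$WORK/index-valid.txt"   "$WORK/ca-good.der"    "$WORK/ca.pem"    "$WORK/ca.key"
# 2. The CA has revoked it; the response it signs now says so.
sign_response "$WORK/index-revoked.txt" "$WORK/ca-revoked.der" "$WORK/ca.pem"    "$WORK/ca.key"
# 3. Trudy forges a "good" response with her own key: the client rejects it.
sign_response "$WORK/index-valid.txt"   "$WORK/trudy-good.der" "$WORK/trudy.pem" "$WORK/trudy.key"

echo "CA-signed, valid:      $(verdict "$WORK/ca-good.der")"
echo "CA-signed, revoked:    $(verdict "$WORK/ca-revoked.der")"
echo "Trudy-signed, 'good':  $(verdict "$WORK/trudy-good.der")"
```

The server's role in stapling is limited to relaying the CA-signed blob, so the client-side check is the same `openssl ocsp -respin ... -CAfile` verification as in `verdict`; a server holding only its own private key cannot produce anything that passes it. What the server can do is keep replaying an older "good" response that the CA signed before the revocation, for as long as that response is still within its validity window, which is why the CA's response lifetime and the client's checks on thisUpdate/nextUpdate matter.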