OCSP is turned off by default in Mozilla, because frankly, a lot of home-grown CAs put out certs that claimed they did OCSP when they didn't. So Mozilla would get one of their certs (e.g. from an https server), try to contact the OCSP server (and fail), and then claim the cert is revoked (the RIGHT THING to do in that circumstance), much to the browser user's dismay!
While it might be the right thing to do long term, surely if it fails, ignoring that the check took place might be the easiest approach, or perhaps disabling it for a CA on failures over 10 days or something. I'm not sure; it just seems to me you're trying to bypass the failure when you could just ignore it instead. It may not be as secure, but what you're suggesting is in the same boat anyway...
_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
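The three ways of handling a responder that does not answer, as discussed above (reject the cert, ignore the check, or stop checking that CA after a grace period), side by side as an added example. This is not Mozilla or NSS code and not code from either poster; the policy names, the 10-day grace value, the "HomeGrown CA" name and the event timeline are all constructed for the illustration.

```python
"""Added example: three policies for an OCSP responder that gives no usable answer.

Not Mozilla/NSS code. The responder outcomes and the CA below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum
from typing import Optional


class OcspOutcome(Enum):
    """What the client got back from the responder named in the cert's AIA extension."""
    GOOD = "good"                # signed response: certificate is not revoked
    REVOKED = "revoked"          # signed response: certificate is revoked
    UNREACHABLE = "unreachable"  # no usable response: timeout, bogus URL, non-OCSP reply


class Verdict(Enum):
    ACCEPT = "accept"
    REJECT = "reject"


class Policy(Enum):
    HARD_FAIL = "hard_fail"       # no answer is treated like "revoked" (first post's description)
    SOFT_FAIL = "soft_fail"       # no answer is ignored (the reply's "just ignore it")
    GRACE_THEN_DISABLE = "grace"  # hard-fail for a while, then stop checking that CA


@dataclass
class CaState:
    """Per-CA bookkeeping, used only by GRACE_THEN_DISABLE."""
    failing_since: Optional[datetime] = None   # first unanswered request since the last signed response


@dataclass
class OcspChecker:
    policy: Policy
    grace: timedelta = timedelta(days=10)      # hypothetical value, from the reply's "10 days or something"
    ca_state: dict[str, CaState] = field(default_factory=dict)

    def verdict(self, ca: str, outcome: OcspOutcome, now: datetime) -> Verdict:
        state = self.ca_state.setdefault(ca, CaState())

        # A signed response, either way, resets the CA's failure clock.
        if outcome is OcspOutcome.GOOD:
            state.failing_since = None
            return Verdict.ACCEPT
        if outcome is OcspOutcome.REVOKED:
            state.failing_since = None
            return Verdict.REJECT

        # No usable response: this is the only case where the policies differ.
        if self.policy is Policy.HARD_FAIL:
            return Verdict.REJECT
        if self.policy is Policy.SOFT_FAIL:
            return Verdict.ACCEPT

        # GRACE_THEN_DISABLE: reject while the CA has been failing for at most
        # `grace`; after that, OCSP is effectively switched off for this CA.
        if state.failing_since is None:
            state.failing_since = now
        if now - state.failing_since > self.grace:
            return Verdict.ACCEPT
        return Verdict.REJECT


T0 = datetime(2003, 1, 1)   # arbitrary epoch for the constructed scenario

# Constructed scenario: a CA whose certs advertise an OCSP URL that never answers,
# with one day on which the responder finally comes up and reports a revocation.
HOMEGROWN_EVENTS = [
    (T0 + timedelta(days=0),  OcspOutcome.UNREACHABLE),
    (T0 + timedelta(days=5),  OcspOutcome.UNREACHABLE),
    (T0 + timedelta(days=11), OcspOutcome.UNREACHABLE),
    (T0 + timedelta(days=12), OcspOutcome.REVOKED),
    (T0 + timedelta(days=13), OcspOutcome.UNREACHABLE),
]


def run_scenario(policy: Policy, events=HOMEGROWN_EVENTS, ca: str = "HomeGrown CA") -> list[str]:
    """Run one policy over the timeline and return the verdict for each event."""
    checker = OcspChecker(policy)
    return [checker.verdict(ca, outcome, when).value for when, outcome in events]


if __name__ == "__main__":
    for policy in Policy:
        print(f"{policy.value:>10}: {run_scenario(policy)}")
```

The point the timeline makes is that `UNREACHABLE` carries no information about why the responder did not answer: a CA that never stood up a responder and an attacker who drops the client's OCSP traffic for a revoked cert produce the same outcome, so under `SOFT_FAIL` both are accepted. `GRACE_THEN_DISABLE` keeps the hard-fail behaviour for the first ten days and then degrades to soft-fail for that CA until a signed response (day 12 above) resets the clock.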
