As part of the planned fix for bug 551429 discussed with Alexei, revocation checking of OCSP response signers will be disabled by default in all cases, even when CERT_GetUsePKIXForValidation has been called. However, some applications may want to do revocation checking of OCSP response signer certs, so CERT_PKIXVerifyCert should provide an option for enabling that revocation checking. That option should include the ability to control whether the id-pkix-ocsp-nocheck extension is honored. See http://tools.ietf.org/html/rfc2560#section-4.2.2.2.1