Changes


CA/Revocation Checking in Firefox

371 bytes added, 20:58, 25 March 2021
Added info about OCSP caching and nextUpdate
If the OCSP server returns a status of “unknown”, Firefox will display the “SEC_ERROR_OCSP_UNKNOWN_CERT” error in a non-overrideable error message, regardless of the security.ocsp.require preference. Similarly, if the OCSP responder returns an error such as “trylater”, Firefox will display an error message.
Notes:
* Firefox [https://hg.mozilla.org/mozreview/gecko/rev/2249d58c94c867628b83d6c32eb0b5f64812a05c#index_header no longer] performs OCSP fetching using the HTTP GET method; Firefox uses the HTTP POST method.
* Firefox caches OCSP responses until they expire or Firefox is restarted (the cache is not persistent).
* If an OCSP response has no "nextUpdate", it is valid for 24 hours (plus "slop" of another 24 hours to deal with clock skew).
* The maximum lifetime of an OCSP response for an end-entity is 10 days, even if the "nextUpdate" value is farther in the future.
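The lifetime rules in the notes above, worked through as an added Python example (not Mozilla's code and not part of the original page), to show how long a cached response can keep being accepted after it was produced. It assumes the 10-day cap is measured from "thisUpdate" and that the slop is added in every case; the function names are hypothetical.

```python
from datetime import datetime, timedelta, timezone

# Values taken from the notes above.
DEFAULT_VALIDITY = timedelta(hours=24)  # applied when nextUpdate is absent
SLOP = timedelta(hours=24)              # allowance for clock skew
MAX_EE_LIFETIME = timedelta(days=10)    # cap for end-entity responses


def not_after(this_update, next_update=None):
    """End of the validity window, before any clock-skew slop is added."""
    if next_update is None:
        return this_update + DEFAULT_VALIDITY
    if next_update < this_update:
        # Choice made for this example: reject an inverted window outright.
        raise ValueError("nextUpdate precedes thisUpdate")
    # Assumption: the 10-day cap is measured from thisUpdate.
    return min(next_update, this_update + MAX_EE_LIFETIME)


def usable_until(this_update, next_update=None):
    """Last instant at which a cached response would still be accepted.

    Assumption: the slop is added in every case, not only when
    nextUpdate is missing.
    """
    return not_after(this_update, next_update) + SLOP


def is_fresh(now, this_update, next_update=None):
    """True while a cached response with these fields is still usable."""
    return now <= usable_until(this_update, next_update)


if __name__ == "__main__":
    # Constructed sample responses (not real OCSP data).
    t0 = datetime(2021, 3, 25, 12, 0, tzinfo=timezone.utc)
    samples = {
        "no nextUpdate": None,
        "nextUpdate in 4 days": t0 + timedelta(days=4),
        "nextUpdate in 30 days": t0 + timedelta(days=30),
    }
    for label, nu in samples.items():
        print(f"{label:22} usable until {usable_until(t0, nu).isoformat()}")
```

Because the cache is not persistent, a restart discards the cached response regardless of the computed time.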
=== CRLite ===