** the OCSP response gives a cert subject name to identify its signer's certificate, but no certificate by that name can be found -- not in the response, not in the database, and not in the cert chain of the certificate whose status is being checked. See [https://bugzilla.mozilla.org/show_bug.cgi?id=560091 this bugzilla bug] for more details.
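The lookup order described in this item, as an added example (not NSS code and not from this page), using the Python <code>cryptography</code> package. The helper names <code>make_cert</code>, <code>build_response</code> and <code>find_signer</code> are hypothetical, the certificates are constructed sample data, and the certificate database is modelled as a plain list.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID

NOW = datetime.datetime(2024, 1, 1)  # constructed validity start

def make_cert(cn, key, issuer_cn, issuer_key):
    """Build a constructed sample certificate (hypothetical helper)."""
    name = lambda s: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, s)])
    return (x509.CertificateBuilder()
            .subject_name(name(cn)).issuer_name(name(issuer_cn))
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(NOW)
            .not_valid_after(NOW + datetime.timedelta(days=30))
            .sign(issuer_key, hashes.SHA256()))

def build_response(leaf, issuer, responder_cert, responder_key, include):
    """Sign an OCSP response whose responder ID is a subject name."""
    b = ocsp.OCSPResponseBuilder().add_response(
        cert=leaf, issuer=issuer, algorithm=hashes.SHA256(),
        cert_status=ocsp.OCSPCertStatus.GOOD, this_update=NOW,
        next_update=NOW + datetime.timedelta(days=1),
        revocation_time=None, revocation_reason=None,
    ).responder_id(ocsp.OCSPResponderEncoding.NAME, responder_cert)
    if include:  # optionally embed the signer's certificate
        b = b.certificates([responder_cert])
    return b.sign(responder_key, hashes.SHA256())

def find_signer(resp, database, chain):
    """Return (cert, where) for the named responder, or (None, None)."""
    wanted = resp.responder_name
    if wanted is None:  # responder is identified by key hash instead
        return None, None
    for where, certs in (("response", resp.certificates),
                         ("database", database), ("chain", chain)):
        for cert in certs:
            if cert.subject == wanted:
                return cert, where
    return None, None  # the error condition described in this item

ca_key, leaf_key, rsp_key = (ec.generate_private_key(ec.SECP256R1())
                             for _ in range(3))
ca = make_cert("Example CA", ca_key, "Example CA", ca_key)
leaf = make_cert("leaf.example", leaf_key, "Example CA", ca_key)
responder = make_cert("Example OCSP Responder", rsp_key, "Example CA", ca_key)
```

A name match only locates a candidate: the response signature must still verify under that certificate, and the certificate must be authorized to sign OCSP responses for the issuing CA.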
=== Constrain Sub-CAs Intermediate Issuing Certificates to Authorized Domains (DRAFT) ===
'''PROPOSAL -- Needs further investigation and discussion.'''