Comment 22 for bug 332176

In , Eddy-nigg (eddy-nigg) wrote:

(In reply to comment #3)
> Not security sensitive. No exploit is disclosed here.
>
> The reporter apparently is unaware that there are other methods of revocation
> checking than OCSP.

Nelson, as you fully know, at the moment FF doesn't fetch any CRLs. Once it does, I suggest falling back to the CRL in case OCSP either doesn't exist or is unreachable. I also suggest that once both fail, the connection be treated as not encrypted.

Basically, the user loses in case the CA revoked a certificate but the user used software which doesn't care about the revocation status. I think I share some of Marco's concern.
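The policy argued for in the comment above, as an added example that is not part of the bug thread, of Firefox or of NSS: a small Python model of an OCSP-first, CRL-fallback revocation check with a hard-fail switch. The fetcher callbacks, the `Unreachable` exception, the serial numbers and the set of revoked serials are constructed for illustration; the point is to show how a soft-fail client ends up accepting a revoked certificate whenever the attacker can keep the OCSP responder out of reach.

```python
"""Model of a revocation-check policy: OCSP first, CRL as fallback,
hard-fail (treat as untrusted) when neither source can answer."""
from enum import Enum
from typing import Callable, Optional


class Status(Enum):
    """What a revocation source says about one certificate."""
    GOOD = "good"
    REVOKED = "revoked"


class Verdict(Enum):
    """What the client does with the connection."""
    TRUSTED = "trusted"
    REVOKED = "revoked"
    UNTRUSTED = "untrusted"  # status unknown; treat like an unencrypted connection


class Unreachable(Exception):
    """Constructed: raised when a source times out or is blocked on the path."""


# A fetcher looks up one serial number at one source. It returns None when the
# certificate carries no pointer to that source (no OCSP URL, no CRL DP).
Fetcher = Callable[[int], Optional[Status]]


def check_revocation(serial: int, ocsp: Fetcher, crl: Fetcher,
                     hard_fail: bool = True) -> Verdict:
    """Try OCSP, fall back to the CRL if OCSP is absent or unreachable.

    hard_fail=True:  both sources failing -> UNTRUSTED (the policy proposed above)
    hard_fail=False: both sources failing -> TRUSTED  (a soft-fail client)
    """
    for source in (ocsp, crl):
        try:
            status = source(serial)
        except Unreachable:
            continue  # source could not be contacted, try the next one
        if status is None:
            continue  # certificate does not point at this source
        return Verdict.REVOKED if status is Status.REVOKED else Verdict.TRUSTED
    return Verdict.UNTRUSTED if hard_fail else Verdict.TRUSTED


# Constructed fixtures standing in for a CA's responder and CRL.
REVOKED_SERIALS = {0x1234}


def _lookup(serial: int) -> Status:
    return Status.REVOKED if serial in REVOKED_SERIALS else Status.GOOD


def ocsp_reachable(serial: int) -> Optional[Status]:
    return _lookup(serial)


def ocsp_blocked(serial: int) -> Optional[Status]:
    # An on-path attacker drops the OCSP traffic or the responder is down.
    raise Unreachable("OCSP responder timed out")


def crl_fetched(serial: int) -> Optional[Status]:
    return _lookup(serial)


def crl_absent(serial: int) -> Optional[Status]:
    # The certificate has no CRL distribution point (or the client never fetches CRLs).
    return None


def scenarios() -> dict:
    """Run the policy over the cases the comment is concerned with."""
    revoked, good = 0x1234, 0x9999
    return {
        "ocsp_up":                 check_revocation(revoked, ocsp_reachable, crl_absent),
        "ocsp_blocked_crl_fallback": check_revocation(revoked, ocsp_blocked, crl_fetched),
        "both_unavailable_hard":   check_revocation(revoked, ocsp_blocked, crl_absent),
        "both_unavailable_soft":   check_revocation(revoked, ocsp_blocked, crl_absent,
                                                    hard_fail=False),
        "good_cert_via_crl":       check_revocation(good, ocsp_blocked, crl_fetched),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:28s} -> {verdict.value}")
```

The `both_unavailable_soft` case is the one the comment calls a loss for the user: the CA has revoked the certificate, but because the client cannot reach either source and does not treat that as a failure, the revoked certificate is accepted as if it were fine.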