Closed Bug 725994 Opened 13 years ago Closed 9 years ago

Separate preferences for STRICT INTERMEDIATE CA and STRICT END ENTITY revocation checking

Categories

(Core :: Security: PSM, defect)

defect
Not set
normal

RESOLVED WONTFIX

People

(Reporter: KaiE, Unassigned)

As of today, we have preference security.OCSP.require (which is OFF by default). In the long term, we should require strict revocation information for all certificates. However, we might be able to require strict revocation checking for intermediate CA certificates more quickly - for example if we implement 725991, but until a sufficient amount of servers supports OCSP stapling. I propose to introduce a new preference security.OCSP.require-CA. Luckily the libPKIX validation interface allows us to have separate strictness settings for intermediates and end entity certificates.
I am proposing that we WONTFIX this. The "strict OCSP" preference we already have is confusing enough. Adding more complexity to that is making the problem worse.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → WONTFIX