Brian Smith reported that delegated Online Certificate
Status Protocol (OCSP) responder certificates fail to recognize the
id-pkix-ocsp-nocheck
extension. If this extension is present in a
delegated OCSP response signing certificate, it will be discarded if it is
signed by such a certificate. This could result in a user connecting to a site
with a revoked certificate.