This is an umbrella CR of various revocation checking enhancements. Some are deployment related. Separate CRs should be spun off as they are addressed. More enhancements may be added to this list.
1) Add an API for just checking if a certificate is revoked.
Currently you must validate a chain of certificates using a PKIX CertPathValidator to check if the certs have been revoked. This is signficant overhead, when all you want to check is if a certificate is revoked, which is a useful thing to do as a periodic check or when the revocation information becomes stale (ex: CRL is expired).
The API should return revocation information (CRLs, OCSP Responses) so that they can be cached by an implementation.
2) Add more deployment revocation checking properties
Currently, revocation checking is either enabled or disabled. It would be useful to have the following suboptions if revocation is enabled:
a) check revocation of end-entity cert only
b) allow revocation check to pass if network problem prevents checking of status
The enhancements in this RFE have been posted to OpenJDK as JEP-124: