This bug fix is needed because the impact of this issue is pretty severe with an awkward workaround. The revocation checks for a signed applet would fail, and the signed applet would fail to load, and the only workaround is to disable OCSP in the Control Panel.
So far we have only found one CA that this bug affects. However, we do not have 100% test coverage for all the CAs that we include.
Also, this bug can be triggered if the OCSP responder certificate is using stronger SHA-2 algorithms to generate the subject key identifier (see http://www.rfc-editor.org/rfc/rfc7093.txt ). So, there is an increased risk that we may encounter issues with other OCSP responders who are upgrading their certificates to use stronger algorithms.
The fix is understood, small, and should be low risk. Code Review in progress. See http://cr.openjdk.java.net/~mullan/webrevs/8031825/webrev.00/
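An added illustration of the SHA-2 subject key identifier case mentioned above; it is not code from the JDK or from the webrev. It assumes the failure arises when a client locates the responder certificate by comparing the OCSP `byKey` ResponderID (defined in RFC 6960 as a SHA-1 hash of the public key) against the certificate's subject key identifier extension. The key bytes, certificate names and function names are constructed for the example.

```python
import hashlib

def ski_rfc5280_method1(spk_bits: bytes) -> bytes:
    """RFC 5280 4.2.1.2 method 1: SHA-1 over the subjectPublicKey BIT STRING value."""
    return hashlib.sha1(spk_bits).digest()

def ski_rfc7093_method1(spk_bits: bytes) -> bytes:
    """RFC 7093 method 1: leftmost 160 bits of SHA-256 over the same bytes."""
    return hashlib.sha256(spk_bits).digest()[:20]

def ocsp_key_hash(spk_bits: bytes) -> bytes:
    """RFC 6960 ResponderID byKey: always SHA-1 of the responder's public key."""
    return hashlib.sha1(spk_bits).digest()

def find_by_ski(key_hash, certs):
    """Fragile lookup (assumed failure mode): expects SKI to equal the byKey hash."""
    return next((c["name"] for c in certs if c["ski"] == key_hash), None)

def find_by_public_key(key_hash, certs):
    """Robust lookup: recompute SHA-1 from the key, whatever produced the SKI."""
    return next((c["name"] for c in certs
                 if ocsp_key_hash(c["spk"]) == key_hash), None)

# Constructed sample data: fixed bytes stand in for subjectPublicKey values.
OLD_KEY = bytes(range(64))
NEW_KEY = bytes(range(64, 128))
CERTS = [
    {"name": "responder-sha1-ski", "spk": OLD_KEY,
     "ski": ski_rfc5280_method1(OLD_KEY)},
    {"name": "responder-sha256-ski", "spk": NEW_KEY,
     "ski": ski_rfc7093_method1(NEW_KEY)},
]

def demo():
    """For each responder, return (match via SKI, match via recomputed key hash)."""
    results = {}
    for cert in CERTS:
        key_hash = ocsp_key_hash(cert["spk"])  # what the response would carry
        results[cert["name"]] = (find_by_ski(key_hash, CERTS),
                                 find_by_public_key(key_hash, CERTS))
    return results

if __name__ == "__main__":
    for name, (by_ski, by_key) in demo().items():
        print(f"{name}: SKI lookup={by_ski}, key-hash lookup={by_key}")
```

Both SKI methods produce a 20-byte value, so the mismatch is not visible from the extension's length alone.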