[crehn]

Seems that Firefox skips revocation checks for CA certs [1].

[1] https://wiki.mozilla.org/CA/Revocation_Checking_in_Firefox

[marcinzm]

Where does it say that? The link says they centrally manage revocations using OneCRL and then push a single revocation list to browsers (independent of browser updates). Which means they can revoke any certificate they want using that mechanism.

[crehn]

Ah, you're correct. Seems they skip CA CRL/OCSP in favor of their own CRL. Thanks for the correction.