Do not perform online revocation checking when the user has explicitly disabled it, except for when…

net/base/x509_util_mac.h

Index: net/base/x509_util_mac.h
diff --git a/net/base/x509_util_mac.h b/net/base/x509_util_mac.h
index 9b629cc45f38767f33ce5bf0938c740c26aa996f..872df5996564c63e1bdcbda6a2f55ae999a1a6d1 100644
--- a/net/base/x509_util_mac.h
+++ b/net/base/x509_util_mac.h
@@ -41,12 +41,19 @@ OSStatus NET_EXPORT CreateSSLServerPolicy(const std::string& hostname,
 OSStatus NET_EXPORT CreateBasicX509Policy(SecPolicyRef* policy);
 
 // Creates security policies to control revocation checking (OCSP and CRL).
-// If |enable_revocation_checking| is false, the policies returned will be
-// explicitly disabled from accessing the network or the cache. This may be
-// used to override system settings regarding revocation checking.
+// If |enable_revocation_checking| is true, revocation checking will be
+// explicitly enabled.
+// If |enable_revocation_checking| is false, but |enable_ev_checking| is
+// true, then the system policies for EV checking (which include checking
+// for an online OCSP response) will be permitted. However, if the system

[wtc, 2012/08/16 23:17:39]

Nit: the system => the OS

I guess "the system" is referring to the OS.

+// does not believe the certificate is EV, no revocation checking will be
+// performed.
+// If both are false, then the policies returned will be explicitly prohibited
+// from accessing the network or the local cache, regardless of system settings.
 // If the policies are successfully created, they will be appended to
 // |policies|.
 OSStatus NET_EXPORT CreateRevocationPolicies(bool enable_revocation_checking,
+                                             bool enable_ev_checking,
                                              CFMutableArrayRef policies);
 
 // Wrapper for a CSSM_DATA_PTR that was obtained via one of the CSSM field