Yes, you are right. Radio buttons are confusing. They seem to be exclusive options.
Now I’m doing some tests with certs that use OCSP validation. There seem to be some failures. Using Wireshark to look at the OCSP traffic, I can see the request and a positive answer, but the certificate validation fails. I’ll do some more tests. I’m sending you the certs in case you would like to run these tests.
I saw that when there is an OCSP URL, dirmngr tries only OCSP. I didn’t see any further HTTP traffic. (LDAP requires auth and there are costs associated with LDAP queries.) I’m also sending you a CRL that says “Unknown mandatory policy” when I try to import it using dirmngr and then list CRLs. Just FYI and for test usage. They are from an official CA in Spain.
FNMT.zip (4.08 KB)