- Bug
- Resolution: Not an Issue
- P3
- None
- 7u40
- win7/x86/7u40
For the Local Security Policy feature, the policy.jar file must be signed with a valid cert. But it seems the status of the certs used to sign policy.jar is not checked. See the logs when loading an app with a policy.jar signed with a valid cert that contains OCSP info:
>>>security: Loading certificates from Deployment session certificate store
>>>......
>>>security: The OCSP support is disabled
>>>security: The CRL support is disabled
>>>security: Revocation check disabled
>>>security: Checking if certificate is in Internet Explorer TrustedPublisher certificate store
>>>policy: verification succeeded for signed policy file C:\windows\Sun\Java\Deployment\policy.jar
>>>...
Steps to reproduce:
1. Enable trace from JCP and make sure there is no proxy set in your test browser/system.
2. Copy a policy.jar that is signed with a valid cert which contains OCSP info to deployment_system_home.
3. Load the app: javaws http://sqeweb.us.oracle,.com/net/sqenfs-1/export1/comp/jsn/users/crystal/DO_NOT_REMOVE_ME/jrebug/JawsLocalSecurityPolicy/jnlp/testUnsignedSandboxJNLP.jnlp
4. Check the Java console; if "Revocation check disabled" is shown and the app is loaded successfully, then this bug is reproduced.
Some other questions:
1. Can the OCSP/CRL check options in JCP not control the revocation check of policy.jar? For now, the revocation check is disabled for policy.jar while the OCSP/CRL check in JCP is enabled.
2. If there is no OCSP extension in the cert used to sign policy.jar, but the OCSP check is enabled, then there will be a "Status Unknown" exception. This is also a kind of bad cert, and if it's used to sign policy.jar, the policy will not work, right?
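The report above shows the deployment code accepting a signed policy.jar without ever checking the signer's revocation status. The following standalone checker is an added example (not code from the JDK deployment stack or from this bug) of what a verification with revocation enabled looks like: it reads every entry of the JAR so the signature is verified, collects the signer chains, and validates each chain against a truststore with a PKIXRevocationChecker that has no SOFT_FAIL option, so a certificate whose status cannot be determined (the "Status Unknown" case raised in question 2) is rejected rather than silently accepted. It assumes Java 8 or later for the PKIXRevocationChecker API (on 7u40 the equivalent switches are the ocsp.enable Security property and the com.sun.security.enableCRLDP System property), a JKS truststore with the assumed password "changeit", and network access to the OCSP responder or CRL distribution point named in the certificate.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.CodeSigner;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.EnumSet;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class CheckSignedPolicyJar {

    // OID of the Authority Information Access extension, which carries the OCSP responder URL.
    private static final String AIA_OID = "1.3.6.1.5.5.7.1.1";

    // Reads every entry so JarFile verifies the signature, then collects the signer chains.
    // An unsigned non-META-INF entry is treated as a failure, not ignored.
    static Set<CertPath> signerChains(String jarPath) throws Exception {
        Set<CertPath> chains = new LinkedHashSet<>();
        try (JarFile jar = new JarFile(jarPath, true)) {   // verify = true
            byte[] buf = new byte[8192];
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                if (entry.isDirectory()) continue;
                try (InputStream in = jar.getInputStream(entry)) {
                    while (in.read(buf) != -1) { /* consume; a tampered entry throws SecurityException */ }
                }
                if (entry.getName().startsWith("META-INF/")) continue;
                CodeSigner[] signers = entry.getCodeSigners();   // null once the entry is unsigned
                if (signers == null) throw new SecurityException("unsigned entry: " + entry.getName());
                for (CodeSigner s : signers) chains.add(withoutSelfSignedRoot(s.getSignerCertPath()));
            }
        }
        return chains;
    }

    // Signature blocks often embed the root; drop a trailing self-signed cert so the
    // validator anchors on the truststore copy rather than the one shipped in the JAR.
    static CertPath withoutSelfSignedRoot(CertPath chain) throws Exception {
        List<? extends Certificate> certs = chain.getCertificates();
        X509Certificate last = (X509Certificate) certs.get(certs.size() - 1);
        if (certs.size() > 1 && last.getSubjectX500Principal().equals(last.getIssuerX500Principal())) {
            return CertificateFactory.getInstance("X.509").generateCertPath(certs.subList(0, certs.size() - 1));
        }
        return chain;
    }

    // Validates one signer chain with revocation checking on and no soft-fail:
    // REVOKED and UNDETERMINED_REVOCATION_STATUS both reject the signer.
    static void validateWithRevocation(CertPath chain, KeyStore trustStore) throws Exception {
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        PKIXRevocationChecker rc = (PKIXRevocationChecker) validator.getRevocationChecker();
        rc.setOptions(EnumSet.noneOf(PKIXRevocationChecker.Option.class));   // OCSP first, CRL fallback, hard fail
        PKIXParameters params = new PKIXParameters(trustStore);
        params.setRevocationEnabled(true);   // the default, stated explicitly
        params.addCertPathChecker(rc);
        try {
            validator.validate(chain, params);
        } catch (CertPathValidatorException e) {
            throw new SecurityException("signer rejected (" + e.getReason() + "): " + e.getMessage(), e);
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: CheckSignedPolicyJar <policy.jar> <truststore.jks>");
            System.exit(2);
        }
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(Paths.get(args[1]))) {
            ts.load(in, "changeit".toCharArray());   // assumed truststore password
        }
        for (CertPath chain : signerChains(args[0])) {
            X509Certificate leaf = (X509Certificate) chain.getCertificates().get(0);
            boolean hasAia = leaf.getExtensionValue(AIA_OID) != null;
            System.out.println("signer: " + leaf.getSubjectX500Principal() + " (AIA/OCSP extension: " + hasAia + ")");
            validateWithRevocation(chain, ts);
            System.out.println("OK: chain trusted and revocation status confirmed good");
        }
    }
}
```

Run it as `java CheckSignedPolicyJar C:\windows\Sun\Java\Deployment\policy.jar truststore.jks`. A JAR signed with a valid but revoked certificate, or with a certificate that carries no AIA extension and no CRL distribution point, fails here with the reason printed, which is the behaviour the report expected to see in the deployment trace instead of "Revocation check disabled".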