A new system property, `jdk.security.certpath.ocspNonce`, has been added to enable the OCSP Nonce Extension. This system property is disabled by default, and can be enabled by setting it to the value `true`. If set to `true`, the JDK implementation of `PKIXRevocationChecker` includes a nonce extension containing a 16 byte nonce with each OCSP request. See [RFC 8954](https://tools.ietf.org/html/rfc8954) for more details on the OCSP Nonce Extension.