diff --git a/security/nss/lib/certhigh/ocsp.c b/security/nss/lib/certhigh/ocsp.c index b6e54d48c83..bd72761e22a 100644 --- a/security/nss/lib/certhigh/ocsp.c +++ b/security/nss/lib/certhigh/ocsp.c @@ -39,7 +39,7 @@ * Implementation of OCSP services, for both client and server. * (XXX, really, mostly just for client right now, but intended to do both.) * - * $Id: ocsp.c,v 1.47 2008-02-06 17:27:47 kaie%kuix.de Exp $ + * $Id: ocsp.c,v 1.48 2008-02-07 23:30:33 kaie%kuix.de Exp $ */ #include "prerror.h" @@ -4558,7 +4558,7 @@ ocsp_SingleResponseCertHasGoodStatus(CERTOCSPSingleResponse *single, /* Return value SECFailure means: not found or not fresh. * On SECSuccess, the out parameters contain the OCSP status. * rvOcsp contains the overall result of the OCSP operation. - * Depending on input parameter ignoreOcspFailureMode, + * Depending on input parameter ignoreGlobalOcspFailureSetting, * a soft failure might be converted into *rvOcsp=SECSuccess. * If the cached attempt to obtain OCSP information had resulted * in a failure, missingResponseError shows the error code of @@ -4567,7 +4567,7 @@ ocsp_SingleResponseCertHasGoodStatus(CERTOCSPSingleResponse *single, SECStatus ocsp_GetCachedOCSPResponseStatusIfFresh(CERTOCSPCertID *certID, int64 time, - PRBool ignoreOcspFailureMode, + PRBool ignoreGlobalOcspFailureSetting, SECStatus *rvOcsp, SECErrorCodes *missingResponseError) { @@ -4595,7 +4595,7 @@ ocsp_GetCachedOCSPResponseStatusIfFresh(CERTOCSPCertID *certID, * However, if OCSP is optional, a recent OCSP failure is * an allowed good state. */ - if (!ignoreOcspFailureMode && + if (!ignoreGlobalOcspFailureSetting && OCSP_Global.ocspFailureMode == ocspMode_FailureIsNotAVerificationFailure) { rv = SECSuccess; 
@@ -4675,7 +4675,7 @@ CERT_CheckOCSPStatus(CERTCertDBHandle *handle, CERTCertificate *cert, if (!certID) return SECFailure; rv = ocsp_GetCachedOCSPResponseStatusIfFresh( - certID, time, PR_FALSE, /* do not ignore global failure mode */ + certID, time, PR_FALSE, /* ignoreGlobalOcspFailureSetting */ &rvOcsp, &dummy_error_code); if (rv == SECSuccess) { CERT_DestroyOCSPCertID(certID); diff --git a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspcertid.c b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspcertid.c index 75e0e2eab1d..073e632b67e 100644 --- a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspcertid.c +++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspcertid.c @@ -168,9 +168,14 @@ PKIX_PL_OcspCertID_Create( } cid->certID = CERT_CreateOCSPCertID(cert->nssCert, time); + if (!cid->certID) { + PKIX_ERROR(PKIX_COULDNOTCREATEOBJECT); + } + *object = cid; cid = NULL; cleanup: + PKIX_DECREF(cid); PKIX_RETURN(OCSPCERTID); } @@ -226,15 +231,9 @@ PKIX_PL_OcspCertID_GetFreshCacheStatus( } rv = ocsp_GetCachedOCSPResponseStatusIfFresh( - cid->certID, time, PR_TRUE, /* ignore OCSP failure mode */ + cid->certID, time, PR_TRUE, /*ignoreGlobalOcspFailureSetting*/ &rvOcsp, missingResponseError); - /* We ignore rvBasedOnOcspFailureMode, we are interested in the - * real result. - * XXX This may change in the future, when libpkix allows the - * application to specify the desired failure behavior. - */ - *hasFreshStatus = (rv == SECSuccess); if (*hasFreshStatus) { *statusIsGood = (rvOcsp == SECSuccess);
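Review bot: The new failure path in PKIX_PL_OcspCertID_Create reaches `PKIX_DECREF(cid)` while `cid->certID` is still NULL, so the object's destructor must tolerate a NULL certID. That destructor is not visible in this hunk; it should be confirmed that it skips `CERT_DestroyOCSPCertID` when the field is NULL. `PKIX_ERROR(PKIX_COULDNOTCREATEOBJECT)` also appears to report only the generic PKIX error, so the underlying reason CERT_CreateOCSPCertID failed is presumably lost to the caller. A short comment at the label would make the ownership hand-off explicit, e.g. `/* cid is NULL on success (ownership moved to *object); non-NULL only on error */`. The function body starts outside the hunk.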
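Review bot: In PKIX_PL_OcspCertID_GetFreshCacheStatus the inline comment `/*ignoreGlobalOcspFailureSetting*/` now only names the parameter, and the deleted block was the one place that explained why this caller passes `PR_TRUE`. That flag decides whether a cached OCSP failure may be converted into success, so a one-line rationale should stay, for example `/* PR_TRUE: report the real cached result, never the soft-fail conversion */`. The comment spacing also differs from the ocsp.c call site, which writes `/* ignoreGlobalOcspFailureSetting */`. The function begins and continues outside the hunk.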