What policy is NSURLSession using for its NSURLAuthenticationChallenge serverTrust?

Under the SecPolicy header, the SecPolicyCreateRevocation documentation states that

"Note: it is usually not necessary to create a revocation policy yourself unless you wish to override default system behavior (e.g. to force a particular method, or to disable revocation checking entirely.)"

The Technical Note TN2232 under "Enforcing Stricter Server Trust Evaluation" states that

SecPolicyCreateRevocation lets you create a security policy that specifically checks for certificate revocation (for example, via OCSP or a CRL).

This thread, Re: Evaluation of certificates revocation (CRL/OCSP), suggests that iOS does support CRL/OCSP, however "done under very limited circumstances."

From the Apple Trust Policy Module Functional Specification

Emphasis mine.

2.4.2 Revocation policies

Revocation Policies refer to those policies implemented by the TP which (optionally) check whether the certificates in a given cert chain have been revoked by their issuer. There are currently two revocation policies: Certificate Revocation List (CRL) and Online Certificate Status Protocol (OCSP). Both of these policies optionally involve fetching items from the Internet during the verification of a cert; both involve caching of said items both in the TP (in-memory, on a per-process basis) and elsewhere in the system (on disk, in a cache shared by all users);


With that in mind,

  1. What revocation policy is NSURLSession using for the server trust? (i.e. referring to Revocation Policy Constants under the SecPolicy header)
  2. What are the circumstances under which a certificate is checked whether it has been revoked by the issuer?
  3. How long is the CRL/OCSP response cached for and who or what controls that cache?
  4. Should URLSession:didReceiveChallenge:completionHandler: be used to create a revocation policy using SecPolicyCreateRevocation and set it to the server trust in the NSURLAuthenticationChallenge using SecTrustSetPolicies?
  5. Are both Extended Validation (EV) and Simple Domain Validation certificates checked using CRL/OCSP?

Can you please clarify what version of iOS (8, 9, 10) the answers are applicable to?

Thank you
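
The mechanics that question 4 describes, written out as an added example (not part of the original post and not Apple's sample code): the delegate keeps the standard SSL policy, adds a policy from SecPolicyCreateRevocation, applies both with SecTrustSetPolicies and re-evaluates the trust. The class name `RevocationCheckingDelegate` is hypothetical, the flag combination (OCSP with a required positive response) is an assumption chosen for illustration, and SecTrustEvaluate is used because the post asks about iOS 8 to 10.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Hypothetical delegate name; added example, not code from the post.
@interface RevocationCheckingDelegate : NSObject <NSURLSessionDelegate>
@end

@implementation RevocationCheckingDelegate

- (void)URLSession:(NSURLSession *)session
didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge
 completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition,
                             NSURLCredential *))completionHandler
{
    NSURLProtectionSpace *space = challenge.protectionSpace;
    SecTrustRef trust = space.serverTrust;

    // Only server-trust challenges are handled here; others get the default.
    if (![space.authenticationMethod
            isEqualToString:NSURLAuthenticationMethodServerTrust] || trust == NULL) {
        completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
        return;
    }

    // Keep chain and hostname validation, then add explicit revocation checking.
    // Assumed flags: OCSP only, and fail if no positive response is obtained.
    SecPolicyRef ssl = SecPolicyCreateSSL(true, (__bridge CFStringRef)space.host);
    SecPolicyRef revocation = SecPolicyCreateRevocation(
        kSecRevocationOCSPMethod | kSecRevocationRequirePositiveResponse);

    BOOL trusted = NO;
    if (ssl != NULL && revocation != NULL) {
        NSArray *policies = @[ (__bridge id)ssl, (__bridge id)revocation ];
        OSStatus status = SecTrustSetPolicies(trust, (__bridge CFArrayRef)policies);
        SecTrustResultType result = kSecTrustResultInvalid;
        if (status == errSecSuccess) {
            // May block while revocation data is fetched from the network.
            status = SecTrustEvaluate(trust, &result);
        }
        trusted = (status == errSecSuccess) &&
                  (result == kSecTrustResultUnspecified ||
                   result == kSecTrustResultProceed);
    }
    if (ssl != NULL) CFRelease(ssl);
    if (revocation != NULL) CFRelease(revocation);

    if (trusted) {
        completionHandler(NSURLSessionAuthChallengeUseCredential,
                          [NSURLCredential credentialForTrust:trust]);
    } else {
        completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
    }
}
@end
```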