diff --git a/librewolf.cfg b/librewolf.cfg
index a9e8800..c933666 100755
--- a/librewolf.cfg
+++ b/librewolf.cfg
@@ -201,6 +201,8 @@ defaultPref("security.ssl.treat_unsafe_negotiation_as_broken", true);
 /**
  * our strategy with revocation is to disable OCSP as it is slower and less privacy minded, and to use
  * CRL instead, particularly the CRLite solution with no OCSP fallback.
+ * switching to crlite mode 3 (v99+) would allow us to detect false positive with OCSP. this would require
+ * enabling OCSP and setting it to hard-fail. OCSP is stapled by default.
  */
 defaultPref("security.OCSP.enabled", 0); // disable ocsp fetching
 defaultPref("security.remote_settings.crlite_filters.enabled", true);
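Review bot: The two added comment lines describe the mode 3 alternative without naming the prefs it would touch or why it is not adopted, so a maintainer cannot tell from the comment what would change or what it would cost. I would spell it out, for example `* (would mean security.pki.crlite_mode = 3, security.OCSP.enabled = 1, security.OCSP.require = true; not done because live OCSP fetches tell the CA which hosts are visited and hard-fail breaks sites when the responder is unreachable)`. The stated reason is inferred from the "slower and less privacy minded" wording above it, so please confirm it matches the project's intent. The sentence "OCSP is stapled by default" sits directly above `security.OCSP.enabled` set to 0, so it would help to name `security.ssl.enable_ocsp_stapling` and state whether stapled responses are still validated with fetching disabled. I believe they are, but that should be verified against the targeted Firefox version.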