Thinking about that OCSP cert validation, that's done on a per-domain basis isn't it?

So... guessing here, that particular request would be checking if the domain for the Firefox update check itself has a valid cert.

If that's not what it's checking, hmmm...