CAcert has set up and operates an [http://www.openca.org/ocsp OpenCA] RFC-compliant OCSP responder. All certificates issued after 16.5.2005 should have the OCSP service URL included automatically, and your OCSP client should check certificate status periodically. The OCSP responder issues signed responses over HTTP. The OCSP address is not a normal website and can only be connected to with an OCSP client, such as [http://www.openssl.org OpenSSL]; once your client is set up you can tell it to connect to http://ocsp.cacert.org or http://ocsp.cacert.org:2560. To activate OCSP in Firefox, use the settings below.

Enabling OCSP in Firefox:

  1. Click on the Tools menu, then select Options.
  2. After the Options window appears, select Advanced.
  3. Scroll down until you get to the Validation section, and OCSP will be the last option.
  4. By default "Do not use OCSP for certificate validation" is selected. Change that selection to the second option, "Use OCSP to validate only certificates that specify an OCSP service URL".
  5. Click OK to close the Options window.

The OCSP responder itself listens on port 2560; the following Apache configuration also makes it reachable as a virtual host on port 80 by proxying requests to it:

<VirtualHost x.x.x.x:80>
ServerName ocsp.cacert.org
DocumentRoot /tmp

# Needs mod_rewrite and mod_proxy loaded; the [P] flag hands the request to mod_proxy.
RewriteEngine on
# Forward only OCSP requests (RFC 2560 clients POST them with this MIME type)
# to the responder on port 2560. Anything else stays with DocumentRoot, so the
# vhost does not become an open proxy for arbitrary web traffic.
RewriteCond %{CONTENT_TYPE}   ^application/ocsp-request$
# $1 passes the request path through unchanged.
RewriteRule ^/(.*)         http://localhost:2560/$1 [P]

CustomLog /var/log/apache/ocsp.cacert.org-access.log combined
ErrorLog /var/log/apache/ocsp.cacert.org-error.log
</VirtualHost>
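The client side of the setup above, as an added example (not CAcert's or OpenCA's own code): how an OpenSSL-based client finds the responder URL embedded in a certificate and builds the application/ocsp-request body it would POST to the vhost. A throw-away CA and leaf certificate with assumed names are generated locally so the script runs offline; ocsp.cacert.org appears only as the responder address written into the leaf's AIA extension.

```shell
#!/bin/sh
# Added example: locate the OCSP responder URL in a certificate and build the
# OCSPRequest for it.  All certificates here are constructed test data.
set -e
WORK=$(mktemp -d)

# Self-signed test CA plus a leaf certificate whose Authority Information
# Access (AIA) extension names the OCSP responder, as CAcert does for
# certificates issued after 16.5.2005.
make_certs() {
  printf '%s\n' '[leaf]' 'basicConstraints = CA:FALSE' \
    'authorityInfoAccess = OCSP;URI:http://ocsp.cacert.org' > "$WORK/leaf.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
    -subj "/CN=Example Test CA" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=www.example.net" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -sha256 -extfile "$WORK/leaf.cnf" -extensions leaf \
    -out "$WORK/leaf.pem" 2>/dev/null
}

# Step 1 for an OCSP-aware client: read the responder URL from the AIA extension.
ocsp_uri() { openssl x509 -in "$WORK/leaf.pem" -noout -ocsp_uri; }

# Step 2: build the DER-encoded OCSPRequest (issuer hashes + leaf serial).
# Adding -url "$(ocsp_uri)" -resp_text would POST this body with
# Content-Type: application/ocsp-request and print the signed response;
# here it is only written to disk so the script stays offline.
build_request() {
  openssl ocsp -issuer "$WORK/ca.pem" -cert "$WORK/leaf.pem" -no_nonce \
    -reqout "$WORK/req.der" 2>/dev/null
}

# Serial the request asks about, and the leaf's own serial, both as upper-case
# hex without leading zeros so they can be compared directly.
request_serial() {
  openssl ocsp -reqin "$WORK/req.der" -req_text 2>/dev/null |
    sed -n 's/^ *Serial Number: *//p' | head -n 1 | sed 's/^0*//'
}
cert_serial() {
  openssl x509 -in "$WORK/leaf.pem" -noout -serial | sed 's/^serial=0*//'
}

make_certs
build_request
echo "responder: $(ocsp_uri)"
echo "request covers serial $(request_serial) (certificate serial $(cert_serial))"
```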

We issue certificates with the OCSP responder address listed as ocsp.cacert.org, which we plan to distribute with round-robin DNS. If or when load or bandwidth become a problem in the future, we can simply add more OCSP responders in the same way secondary name servers are added in DNS, so the service could be made highly distributed quite easily with our current setup.

Due to the threat model used in developing the RFC for OCSP, high availability will be a big issue: any client with OCSP turned on will refuse to accept a certificate for which it cannot obtain a valid OCSP response.