CAcert has set up and operates an [http://www.openca.org/ocspd/ OpenCA] (["RFC compliant"]) OCSP responder. All certificates issued after 2005-05-16 should have the OCSP service URL included automatically, and your OCSP client should check certificate status periodically. The responder issues signed responses over HTTP. The OCSP address is not a normal website: you can only connect to it with an OCSP client, such as [http://www.openssl.org OpenSSL]. Once your client is set up, you can point it at http://ocsp.cacert.org or [http://ocsp.cacert.org:2560]. To activate OCSP in Firefox, use the settings below.

Enabling OCSP in Firefox:

  1. Click on the Edit menu, then select Preferences.
  2. After the Preferences window appears, select Advanced.
  3. Scroll down until you get to the Validation section, OCSP will be the last option.
  4. By default "Do not use OCSP for certificate Validation" is selected. Change to the second option, "Use OCSP to validate only certificates that specify an OCSP service URL".
  5. Click OK to close the Options window.

We run our OCSP responder on port 2560 (the [http://www.openca.org/ocsp/ OpenCA] default). The following Apache configuration additionally makes it available as a vhost in Apache on port 80, which matters for anyone stuck behind a firewall that blocks connections to ports other than 80 or 443.

{{{
<VirtualHost x.x.x.x:80>
    ServerName ocsp.cacert.org
    # Nothing is served from disk; every request either goes to the responder or gets nothing.
    DocumentRoot /dev/null
    RewriteEngine on
    # Forward only genuine OCSP requests, recognised by the Content-Type an OCSP client
    # sends with its POST (application/ocsp-request); anything else is not proxied.
    # The [P] flag needs mod_proxy loaded alongside mod_rewrite.
    RewriteCond %{CONTENT_TYPE} ^application/ocsp-request$
    RewriteRule ^/(.*) http://localhost:2560/ [P]
    CustomLog /var/log/apache/ocsp.cacert.org-access.log combined
    ErrorLog /var/log/apache/ocsp.cacert.org-error.log
</VirtualHost>
}}}
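The responder-and-client exchange described above (a responder on port 2560, queried with OpenSSL as the OCSP client), reproduced as an added example that is not part of this page or of OpenCA: it builds a throw-away CA with one valid and one revoked certificate, runs OpenSSL's own responder on the same port, and queries it. The port, file names and the `OCSP_PORT` override are assumptions of the example; the CA and its certificates are generated test data, not CAcert's.

```shell
# Added example (not the CAcert wiki's own): local OCSP lab with OpenSSL. All
# keys, certificates and the index below are throw-away test data, not CAcert's.
PORT="${OCSP_PORT:-2560}"   # set OCSP_PORT if 2560 is already taken

serial_of() { openssl x509 -in "$1" -noout -serial | cut -d= -f2; }

# Create a throw-away CA, one valid and one revoked end-entity certificate,
# and the OpenSSL CA index file the responder takes certificate status from.
ocsp_lab_setup() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Test CA" \
    -keyout ca.key -out ca.pem 2>/dev/null || return 1
  for n in good revoked; do
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$n.example" \
      -keyout "$n.key" -out "$n.csr" 2>/dev/null || return 1
  done
  openssl x509 -req -in good.csr -CA ca.pem -CAkey ca.key -set_serial 1001 \
    -days 1 -out good.pem 2>/dev/null || return 1
  openssl x509 -req -in revoked.csr -CA ca.pem -CAkey ca.key -set_serial 1002 \
    -days 1 -out revoked.pem 2>/dev/null || return 1
  # Index columns (tab separated): status, expiry, revocation time, serial,
  # file, subject. V = valid, R = revoked; times are UTCTime YYMMDDHHMMSSZ.
  printf 'V\t491231235959Z\t\t%s\tunknown\t/CN=good.example\n' \
    "$(serial_of good.pem)" > index.txt
  printf 'R\t491231235959Z\t%s\t%s\tunknown\t/CN=revoked.example\n' \
    "$(date -u +%y%m%d%H%M%SZ)" "$(serial_of revoked.pem)" >> index.txt
}
# Background responder: answer $1 requests, each signed with the CA key, then exit.
ocsp_lab_responder() {
  openssl ocsp -index index.txt -port "$PORT" -rsigner ca.pem -rkey ca.key \
    -CA ca.pem -nrequest "$1" >/dev/null 2>&1 &
  sleep 1   # let it bind before the first query arrives
}
# Query the responder about certificate $1 as an OCSP client would. openssl exits
# non-zero when the response signature fails to verify against ca.pem, so a status
# word (good / revoked / unknown) is printed only for a response we can trust.
ocsp_lab_status() {
  out=$(openssl ocsp -issuer ca.pem -cert "$1" -url "http://127.0.0.1:$PORT" \
    -CAfile ca.pem 2>/dev/null) || { echo verify-failed; return 1; }
  printf '%s\n' "$out" | awk -v f="$1:" '$1 == f { print $2 }'
}
# Full round trip in a scratch directory; prints "good revoked" on success.
ocsp_lab_run() {
  dir=$(mktemp -d) || return 1
  ( cd "$dir" && ocsp_lab_setup && ocsp_lab_responder 2 &&
    printf '%s %s\n' "$(ocsp_lab_status good.pem)" "$(ocsp_lab_status revoked.pem)" &&
    wait )
  rc=$?; rm -rf "$dir"; return $rc
}
```

Running `ocsp_lab_run` prints `good revoked`; pointing `ocsp_lab_status` at a port-80 front end like the vhost above exercises the proxy path instead of the responder directly.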

We issue certificates with the OCSP responder URI listed as [http://ocsp.cacert.org]. We plan to distribute servers around the world via round-robin DNS. If and when load or bandwidth become a problem, we can simply add more OCSP responders, much as one adds secondary name servers in DNS, so the service could be made highly distributed quite easily with our current configuration.

Due to the threat model used in developing the OCSP RFC, high availability will be a key issue in running and maintaining OCSP services, since any client with OCSP turned on will refuse any certificate for which it cannot get a valid OCSP response. As far as I'm aware, Mozilla products currently do not have any form of OCSP caching, so reading signed/encrypted email on a plane in [http://www.mozilla.org/thunderbird/ Thunderbird] could be difficult at this point in time. Microsoft is apparently developing an OCSP client for its next version of Windows/MSIE that does some caching, although it will be interesting to see how well this works.