If you are ever involved with any sort of event trying to promote CAcert, this question is bound to come up at one point or another, and Microsoft has given us the best answer to date. With the new release of Longhorn come a number of changes in the way Microsoft handles PKI; the biggest change, and the one most likely to affect people, is having OCSP turned on by default.
This will mean that if you are publishing self-signed certificates and no OCSP responder approves the certificate, Internet Explorer and other programs will reject the connection, and you will have to go back to using no encryption or buying a certificate from a commercial provider.
At this stage CAcert isn't running an OCSP responder either. This is in part due to the testing of different OCSP options in the past and having no success with any of the free software options actually working properly: most software was returning a lot of false positives and false negatives. Having an OCSP responder is something that we need to address before betas are officially released, to ensure we don't get left behind either, but at the same time it can be used as leverage as to why people should use us compared to self-signing.
One suggestion on which OCSP responder to use is the one RedHat recently bought when it acquired some of the remaining Netscape assets from AOL. So far I'm not sure whether anything has been released at all, or what RedHat's plans or timeline are.
One other minor note about OCSP in general: the protocol states that if you can't talk to the responder to verify the status, you have to assume it's not a valid certificate. This could potentially lead to major disruptions on the Internet if CAs are attacked via denial of service on their responders, which in turn could have the potential of wiping them out as a company if a lot of their customers' websites are no longer usable.
One other situation that is similar to a denial of service attack, and which will be a lot more common, is when people are sitting in a plane or similar and have no Internet access. Apparently Microsoft have attempted to solve this via an OCSP caching solution, but will this actually be any better than the caching that Internet Explorer does? Something to think about at least, I guess.
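As an added illustration (not code from the original post or from any of the products mentioned), here is a small Python model of a relying party's OCSP decision covering the situations above: a self-signed certificate with no responder to consult, a responder knocked out by denial of service, and an offline client falling back on a cached response that is only trusted inside its signed validity window. The hard-fail/soft-fail switch, serial numbers and timestamps are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional

@dataclass
class OcspResponse:
    serial: int
    status: str        # "good", "revoked" or "unknown"
    this_update: int   # validity window of the signed response (constructed
    next_update: int   # epoch seconds; real responses carry GeneralizedTime)

class OcspClient:
    """Model of a relying party: consults its cache, then the responder."""
    def __init__(self, hard_fail: bool):
        self.hard_fail = hard_fail          # True: unreachable responder => reject
        self.cache: Dict[int, OcspResponse] = {}

    def _cached(self, serial: int, now: int) -> Optional[OcspResponse]:
        r = self.cache.get(serial)
        if r is None or not (r.this_update <= now <= r.next_update):
            return None                     # nothing cached, or outside its validity
        return r

    def check(self, serial: int, now: int,
              responder: Optional[Callable[[int], OcspResponse]]) -> str:
        """responder=None models a certificate with no OCSP URL (e.g. self-signed);
        a responder that raises ConnectionError models DoS or being offline."""
        resp = self._cached(serial, now)
        if resp is None:
            try:
                if responder is None:
                    raise ConnectionError("no responder to consult")
                resp = responder(serial)
            except ConnectionError:
                return "reject" if self.hard_fail else "accept"
            self.cache[serial] = resp       # cache the signed answer for later use
        return "accept" if resp.status == "good" else "reject"

# Constructed sample responder: serial 1 is good, serial 2 revoked, others unknown.
def sample_responder(serial: int) -> OcspResponse:
    status = {1: "good", 2: "revoked"}.get(serial, "unknown")
    return OcspResponse(serial, status, this_update=1000, next_update=1000 + 7 * 86400)

def unreachable(serial: int) -> OcspResponse:
    raise ConnectionError("responder unreachable")

def scenario(hard_fail: bool) -> Dict[str, str]:
    c = OcspClient(hard_fail)
    out = {"self_signed": c.check(9, 1000, None)}            # no responder at all
    out["online_good"] = c.check(1, 1000, sample_responder)  # fills the cache
    out["online_revoked"] = c.check(2, 1000, sample_responder)
    out["offline_cached"] = c.check(1, 1000 + 3 * 86400, unreachable)   # within nextUpdate
    out["offline_expired"] = c.check(1, 1000 + 8 * 86400, unreachable)  # cache no longer valid
    return out
```

Running `scenario(True)` shows hard-fail rejecting both the self-signed certificate and the good certificate once its cached response has expired, while `scenario(False)` accepts in both cases; only the cache lets the offline client keep working within the response's validity window.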