Conclusions:
- We should recommend that CA operators include an AIA URL for OCSP in the certificates they issue, and stand up an OCSP responder to answer at that URL.
- Since not every CA can do this, we should recommend that some agency (IGTF? commercial?) stand up clearinghouse OCSP responders, which can become well-known and trusted resources.
- A protocol for permitting authenticated updates (registering revoked proxy certs with such a responder) may need to be developed.
- OCSP client software must ignore "unknown" responses about proxy certs: no information is no information in this case. An "unknown" is neither "good" nor "revoked", so the client falls back to whatever other revocation checking it has rather than treating the proxy as revoked.
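As an added example (not code from the meeting notes or from any participant in this thread), here is a client-side policy evaluator in Python that applies the last conclusion above to a proxy certificate chain: only "revoked" is a hard failure, a stale or unbound response is discarded, and "unknown" about a proxy cert is recorded as "no information" so the caller can fall back to a CRL or local policy. It stands in for real OCSP (RFC 6960) traffic with a constructed in-memory responder; the function names, the serial numbers, the certificate names and the two responders are all illustrative assumptions.

```python
"""Client-side handling of OCSP answers for a proxy-certificate chain.

Added example, not from the original thread. The responders below are
constructed stand-ins; no network OCSP request is made.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple


class CertStatus(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"   # responder has no record of this serial


class Decision(Enum):
    ACCEPT = "accept"
    REJECT = "reject"
    NO_INFO = "no_info"   # OCSP said nothing usable; consult CRL / local policy


@dataclass(frozen=True)
class Cert:
    name: str
    serial: int
    is_proxy: bool        # RFC 3820 proxy cert, signed by an EEC rather than a CA


@dataclass(frozen=True)
class OcspSingleResponse:
    status: CertStatus
    this_update: datetime
    next_update: Optional[datetime]
    nonce: Optional[bytes] = None


# A responder maps (cert, request nonce) to a response, or to None when there
# is no usable answer (network error, tryLater, unauthorized, bad signature).
Responder = Callable[[Cert, bytes], Optional[OcspSingleResponse]]


def evaluate_single(cert: Cert, resp: Optional[OcspSingleResponse], nonce: bytes,
                    now: datetime, max_age: timedelta = timedelta(days=7)) -> Tuple[Decision, str]:
    """Map one OCSP answer to a decision. Only a REVOKED status is a hard failure."""
    if resp is None:
        return Decision.NO_INFO, "no usable response from responder"
    if resp.nonce is not None and resp.nonce != nonce:
        return Decision.NO_INFO, "nonce mismatch: response not bound to this request"
    if resp.this_update > now + timedelta(minutes=5):
        return Decision.NO_INFO, "thisUpdate is in the future"
    if resp.next_update is not None and resp.next_update < now:
        return Decision.NO_INFO, "response expired (nextUpdate has passed)"
    if resp.next_update is None and now - resp.this_update > max_age:
        return Decision.NO_INFO, "response older than max_age and carries no nextUpdate"
    if resp.status is CertStatus.REVOKED:
        return Decision.REJECT, "responder reports revoked"
    if resp.status is CertStatus.GOOD:
        return Decision.ACCEPT, "responder reports good"
    # UNKNOWN: a responder that never registered this proxy cannot know it,
    # so the answer carries no information and must not count as revocation.
    if cert.is_proxy:
        return Decision.NO_INFO, "unknown about a proxy cert carries no information"
    return Decision.NO_INFO, "responder does not know this CA-issued serial"


@dataclass
class ChainVerdict:
    decision: Decision
    details: Dict[str, Tuple[Decision, str]] = field(default_factory=dict)
    needs_other_source: List[str] = field(default_factory=list)


def evaluate_chain(chain: List[Cert], responder: Responder, now: datetime,
                   nonce: bytes = b"\x00" * 16) -> ChainVerdict:
    """ACCEPT if no link is revoked and every CA-issued link is positively good;
    proxies with no OCSP information are listed for the caller's other checks."""
    verdict = ChainVerdict(Decision.ACCEPT)
    for cert in chain:
        d, why = evaluate_single(cert, responder(cert, nonce), nonce, now)
        verdict.details[cert.name] = (d, why)
        if d is Decision.REJECT:
            verdict.decision = Decision.REJECT
            return verdict            # one revoked link sinks the chain; stop here
        if d is Decision.NO_INFO:
            verdict.needs_other_source.append(cert.name)
            if not cert.is_proxy:     # a CA-issued cert needs a positive answer
                verdict.decision = Decision.NO_INFO
    return verdict


# Constructed data for the example (assumed, not from the thread).
NOW = datetime(2006, 6, 1, 12, 0, tzinfo=timezone.utc)
_RECORDS = {1: CertStatus.GOOD, 99: CertStatus.REVOKED}   # CA-issued serials only


def clearinghouse_responder(cert: Cert, nonce: bytes) -> Optional[OcspSingleResponse]:
    """Stand-in for a clearinghouse that holds CA-issued serials but no proxies."""
    status = _RECORDS.get(cert.serial, CertStatus.UNKNOWN)
    return OcspSingleResponse(status, NOW - timedelta(hours=1), NOW + timedelta(days=1), nonce)


def stale_responder(cert: Cert, nonce: bytes) -> Optional[OcspSingleResponse]:
    """Stand-in that serves a 'good' answer whose nextUpdate has already passed."""
    return OcspSingleResponse(CertStatus.GOOD, NOW - timedelta(days=3), NOW - timedelta(days=1), nonce)


EEC = Cert("CN=alice", 1, is_proxy=False)
PROXY1 = Cert("CN=alice/CN=proxy", 1001, is_proxy=True)
PROXY2 = Cert("CN=alice/CN=proxy/CN=proxy", 1002, is_proxy=True)
REVOKED_EEC = Cert("CN=mallory", 99, is_proxy=False)

if __name__ == "__main__":
    v = evaluate_chain([EEC, PROXY1, PROXY2], clearinghouse_responder, NOW)
    print(v.decision.value, v.needs_other_source)
```

The separation between `REJECT` and `NO_INFO` is the whole point: a client that collapses "unknown" into "revoked" will refuse every proxy the moment a clearinghouse responder that never saw the proxy is consulted, while a client that collapses it into "good" lets the responder's ignorance vouch for the certificate. Stale responses and nonce mismatches are discarded the same way, since a replayed or expired "good" is not evidence either.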
Following up on discussions at the EUgridPMA and post-meeting discussions, I'm really nervous about the fragility of a network of OCSP responders... that's just for the CAs and doesn't really address the issue that Mike raises of how we set up a network of responders that will do what we want with proxy certificates.

For what it's worth, there seem to be a number of wireless providers in airports, etc. that I'm seeing recently who are supplying OCSP information that Firefox chokes on, and so it won't allow me to connect to the site. Being a typical user, I don't give a damn about the PKI infrastructure, I just want to check my email and I don't want to have to spend an even longer time screwing around... as a result, I now use IE to connect to wireless systems for payment, registration etc. Also, IE doesn't seem to cache the DNS, and so as I move from airport to airport, it is more likely to do the redirection to the new registration page in a timely fashion than Firefox. (I suspect that the same issue is involved in the OCSP error code I receive, but I haven't bothered to look it up.)

BC