Implementation of TLS OCSP Stapling

dovecot at flut.demon.nl
Thu Mar 3 12:15:51 UTC 2016


On 03-03-16 13:04, A. Schulze wrote:
>
> dovecot:
>
>> So I would like to know if Dovecot is planning to feature OCSP stapling.
>> That way I know for sure my "must staple" certificates can be used by
>> Dovecot. And in my opinion, every TLS offering daemon should be up to
>> par to the capabilities of TLS.. Not lag behind :)
>>
>> What's your opinion on this matter?
>
> OCSP stapling [c|s]hould be implemented on a server if clients *use*
> that data.
> For web browsers this is true.
>
> But I'm not aware of any MUA or MTA that validates certificates via OCSP.
>
> Andreas

Well, that's a nice case of the chicken vs. egg problem, now isn't it ;)

Unfortunately, certificate validation doesn't have a very good track
record when it comes to MTAs.. They'll accept self-signed certificates,
untrusted certificates, heck, they'll trust as far as I know almost
anything! Luckily, MUAs are a little bit more security-concerned, as
is Google/GMail.

But is that really a reason *not* to implement a feature? Shouldn't a
developer think: "OK, I want my MTA to be the best! I want to be on the
top of the list of all the MTAs out there." instead of thinking "OK,
I'm fine with being mediocre, I don't care.."? :)
