Implementation of TLS OCSP Stapling

aki.tuomi at dovecot.fi
Thu Mar 3 12:58:43 UTC 2016


> On March 3, 2016 at 2:15 PM dovecot at flut.demon.nl wrote:
> 
> 
> On 03-03-16 13:04, A. Schulze wrote:
> >
> > dovecot:
> >
> >> So I would like to know if Dovecot is planning to feature OCSP stapling.
> >> That way I know for sure my "must staple" certificates can be used by
> >> Dovecot. And in my opinion, every TLS offering daemon should be up to
> >> par to the capabilities of TLS.. Not lag behind :)
> >>
> >> What's your opinion on this matter?
> >
> > OCSP stapling [c|s]hould be implemented on a server if clients *use*
> > that data.
> > For WebBrowser this is true.
> >
> > But I'm not aware of any MUA or MTA that validate certificates via OCSP.
> >
> > Andreas
> 
> Well, that's a nice case of the chicken vs. egg problem, now isn't it ;)
> 
> Unfortunately, certificate validation doesn't have a very good track
> record when it comes to MTA's.. They'll accept self-signed certificates,
> untrusted certificates, heck, they'll trust as far as I know almost
> anything! Luckily, MUA's are a little bit more security-concerned, as
> is Google/GMail.
> 
> But is that really a reason *not* to implement a feature? Shouldn't a
> developer think: "OK, I want my MTA to be the best! I want to be on the
> top of the list of all the MTA's out there." instead of thinking "OK,
> I'm fine with being mediocre, I don't care.."? :)

We will take this feature under consideration and see if it can be implemented
in a future release. Thank you for your suggestion!

---
Aki Tuomi
Dovecot Oy
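An added deployment pre-check for the "must staple" situation raised in the thread above; this is example code, not anything from the Dovecot project or from the thread's participants. It assumes the `openssl` command-line tool is installed, and the certificates it inspects are constructed self-signed test material generated locally so the check runs offline.

```shell
#!/bin/sh
# A certificate carrying the TLS Feature extension (status_request, RFC 7633)
# may only be served by a daemon that staples OCSP; must-staple-aware clients
# reject the handshake otherwise. Before installing such a certificate on a
# server that does not staple, confirm which kind of certificate you hold.

# Return 0 if the PEM certificate in $1 asserts OCSP must-staple, 1 otherwise.
# "openssl x509 -text" renders the extension as "TLS Feature:" followed by
# "status_request" on the next line.
cert_requires_stapling() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'TLS Feature' | grep -q 'status_request'
}

# Return 0 if the TLS server at $1:$2 sends a stapled OCSP response in the
# handshake (IMAPS is 993). This one needs network access to a real server.
server_staples_ocsp() {
    echo | openssl s_client -connect "$1:$2" -status 2>/dev/null \
        | grep -q 'OCSP Response Status: successful'
}

# Constructed test material: one self-signed certificate with must-staple and
# one without, written to a temp dir whose path is printed on stdout.
make_test_certs() {
    dir=$(mktemp -d)
    cat > "$dir/ms.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = imap.example.test
[ext]
tlsfeature = status_request
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$dir/ms.cnf" \
        -keyout "$dir/ms.key" -out "$dir/must-staple.pem" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=imap.example.test' \
        -keyout "$dir/plain.key" -out "$dir/plain.pem" >/dev/null 2>&1
    echo "$dir"
}
```

Against a live server, `server_staples_ocsp imap.example.test 993` (placeholder hostname) tells you whether that daemon staples at all; a certificate for which `cert_requires_stapling` succeeds belongs only on a server for which that second check also succeeds.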

