On 11/07/2023 5:33 pm, novoMedia via dovecot wrote:
> I am not exactly sure what hosts have to do with this. The must-staple extension is a (cryptographically ensured) flag that is 'ingrained' into a certificate. It tells a client to only accept the certificate if a valid and recent OCSP response was stapled along with the certificate.
It wasn't clear that you were talking about using the same certificate across many services on a single host. That's fair, but I will point out there is nothing stopping you from using several certificates for the same server. One with the extension and one without. Every application on that server can have a certificate tailored to its own needs if need be. And with free CAs available, it's actually pretty easy. It's really an argument about manageability. It would be _nice_ to be able to use one certificate for all services on a server. And so it would be _nice_ if Dovecot supported OCSP stapling.
> Counter question: Why should John Doe connecting over HTTPS, doing - let's say - sensitive banking applications, be deprived of the security advantages of the 'must-staple' extension? Just because Thunderbird or Outlook does not support it? What does John Doe using Chrome have to do with Thunderbird/Outlook? Seems like a confused argument. Why would John Doe's bank and John Doe's email provider be forced to use the same certificate for their respective servers? I'd argue that a single scientific paper (from admittedly reputable universities) is hardly an industry poised to move back. In all honesty, this looks like an attempt to cloud OCSP with undeserved doubts - for reasons unknown to me. But I think it's fair to say that Dovecot users finally deserve what has been common practice in Nginx/HTTP and Exim/SMTP for ~8 years(!) already.
I've got no axe to grind here, just calling it as I see it. Firefox and Chrome have already moved on this. Both browsers already support a CRL 2.0 type mechanism and have stated they intend to stop checking OCSP. I don't know what the other browsers are doing, but this seems to be the direction things are heading in. If the web doesn't want OCSP any more, will it stay around? I dunno.
> If my response came across as confrontational I apologize in advance. It is not my intention to seek contention. I only want to find solutions. But after years of waiting for this feature and reading arguments that mostly contradict all of my real life experiences, I feel compelled to speak as clearly and concisely as possible.
No confrontation here. I support you with your quest. It's just not something I think I would ever use or need - so I didn't vote for it. I also didn't vote against it - it would be nice to have.
Sean.
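As an added illustration of the must-staple mechanism discussed in this thread (example code, not from either poster or from Dovecot): the extension novoMedia describes is the RFC 7633 TLS Feature extension, OID 1.3.6.1.5.5.7.1.24, whose value is a list of TLS extension numbers the server promises to honour; listing 5 (status_request, RFC 6066) is what "must-staple" means. The stdlib-only DER walker below finds that extension in certificate bytes and applies the client rule from the quoted text: accept only if the certificate lacks the flag or a good OCSP response was stapled. The two sample extension blocks are constructed inline for the demo rather than cut from a real certificate; the function names are this example's own.

```python
# Minimal DER walker to detect the RFC 7633 TLS Feature ("must-staple") extension.
# Stdlib only; the sample DER blocks at the bottom are constructed, not real certs.

# Content octets of OID 1.3.6.1.5.5.7.1.24 (id-pe-tlsfeature)
TLS_FEATURE_OID = bytes.fromhex("2b06010505070118")
STATUS_REQUEST = 5  # TLS extension number for status_request (OCSP stapling)


def _read_tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: next (length & 0x7F) bytes hold it
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(buf):
    """Yield (tag, value) for each TLV directly inside buf."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = _read_tlv(buf, pos)
        yield tag, value


def tls_features(der):
    """Return the feature numbers listed by the TLS Feature extension, or None if absent.

    Walks every constructed node; an Extension is SEQUENCE { OID, [BOOLEAN critical],
    OCTET STRING extnValue } and for this OID extnValue wraps SEQUENCE OF INTEGER.
    """
    for tag, value in _children(der):
        if not tag & 0x20:  # primitive node: nothing to descend into
            continue
        kids = list(_children(value))
        if tag == 0x30 and len(kids) >= 2 and kids[0] == (0x06, TLS_FEATURE_OID):
            octet_tag, extn_value = kids[-1]
            if octet_tag != 0x04:
                raise ValueError("malformed TLS Feature extension")
            _, feature_seq, _ = _read_tlv(extn_value, 0)
            return [int.from_bytes(v, "big") for t, v in _children(feature_seq) if t == 0x02]
        found = tls_features(value)
        if found is not None:
            return found
    return None


def requires_stapling(der):
    """True when the certificate carries must-staple (status_request in TLS Feature)."""
    return STATUS_REQUEST in (tls_features(der) or [])


def accept_connection(der, stapled_ocsp_ok):
    """Client rule from the thread: a must-staple cert is only accepted with a fresh,
    valid stapled OCSP response; a cert without the flag falls back to other checks."""
    if requires_stapling(der):
        return bool(stapled_ocsp_ok)
    return True


# --- constructed sample data (hypothetical, built here for the demo) ---
def _tlv(tag, content):
    n = len(content)
    if n < 128:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


BASIC_CONSTRAINTS_EXT = _tlv(0x30, _tlv(0x06, bytes.fromhex("551d13")) + _tlv(0x04, _tlv(0x30, b"")))
MUST_STAPLE_EXT = _tlv(0x30, _tlv(0x06, TLS_FEATURE_OID)
                       + _tlv(0x04, _tlv(0x30, _tlv(0x02, bytes([STATUS_REQUEST])))))
# [3] EXPLICIT Extensions container as it sits inside a TBSCertificate
SAMPLE_WITH_MUST_STAPLE = _tlv(0xA3, _tlv(0x30, BASIC_CONSTRAINTS_EXT + MUST_STAPLE_EXT))
SAMPLE_WITHOUT = _tlv(0xA3, _tlv(0x30, BASIC_CONSTRAINTS_EXT))

if __name__ == "__main__":
    for name, der in (("must-staple", SAMPLE_WITH_MUST_STAPLE), ("plain", SAMPLE_WITHOUT)):
        print(name, "features:", tls_features(der),
              "accept without staple:", accept_connection(der, stapled_ocsp_ok=False))
```

On a real certificate the same walker can be run over the DER from `ssl.DER_cert_to_PEM_cert`'s inverse (`ssl.PEM_cert_to_DER_cert`) or a file, and the outcome is exactly the operational point of the thread: a must-staple certificate served by a daemon that never staples is rejected by any client that honours the flag, so the flag only belongs on certificates used by services that can staple.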