Currently, Dovecot offers no support for OCSP stapling, leaving system administrators with a dilemma: choosing between security and compatibility.
- What is OCSP?
OCSP (Online Certificate Status Protocol, RFC 6960) is a network protocol used to check the revocation status of a digital certificate in near real time, by asking the issuing CA's responder instead of downloading a full CRL.
- What is Must-Staple?
"Must-Staple" is a certificate extension (the TLS Feature extension, RFC 7633) that tells clients the server must present a stapled OCSP response for this certificate during the TLS handshake; a client that honors the extension treats a handshake without a staple as a failure.
- What advantages does the use of Must-Staple offer?
Because a must-staple certificate may only be used together with a current OCSP response, a revoked certificate remains usable (at worst) only until the most recently fetched OCSP response expires (its nextUpdate time, typically days), rather than until the certificate itself expires (months), subject to how strictly the client enforces the extension.
https://www.reddit.com/r/selfhosted/comments/aye79v/the_case_for_ocsp_mustst...
- What is the current issue with Dovecot?
Presently, any system administrator who intends to issue must-staple certificates faces the dilemma of choosing between
a) refraining from issuing must-staple certificates at all, thereby losing a valuable security feature, or
b) issuing must-staple certificates and serving them from Dovecot without an OCSP response, thereby violating RFC 7633 (and "hoping for the best" on the client side...).
A "stuck between a rock and a hard place" situation.
- Any other reasons to implement OCSP?
Compliance frameworks such as HIPAA and PCI DSS require that certificates be checked for revocation, and OCSP is the usual mechanism for that. Personally, this requirement does not impact me since I am neither located in the United States nor have customers there. Nonetheless, it is worth noting this requirement for individuals or entities who are subject to these regulations.
- Is there demand for OCSP in Dovecot?
https://github.com/mjhas/dovecot/issues/44 (first GitHub Google hit for "dovecot ocsp")
https://serverfault.com/questions/830434/do-postfix-and-dovecot-support-ocsp...
https://dovecot.org/pipermail/dovecot/2018-October/113368.html
https://www.dovecot.org/list/dovecot/2016-March/103395.html
- Summary
By implementing a simple OCSP stapling solution, Dovecot could resolve this predicament with little effort and no drawback for users who do not enable it. The focus here is on simplicity. It is unnecessary to employ a comprehensive OCSP resolver like the one used in Nginx; it would suffice to allow a file path containing the DER-encoded OCSP response to be configured alongside each certificate (honoring TLS SNI, so that every virtual host can staple its own response), and to re-read that file on reload. Keeping the file fresh, i.e. fetching a new response before the current one's nextUpdate time, would then be the administrator's job, for example from a cron job, exactly as it already is for certificate renewal.
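To make the operational side of this proposal concrete, here is a refresh script of the kind a cron job would run under such a scheme. It is an added example, not Dovecot code and not part of the original request; the Dovecot configuration detail it assumes (a per-certificate OCSP file that Dovecot re-reads on `doveadm reload`) is hypothetical, as are the paths under /etc/dovecot/ssl. It detects whether a certificate carries the Must-Staple extension, looks up the responder URL from the certificate's AIA extension, fetches and verifies a response with `openssl ocsp`, and only replaces the on-disk file when the new response verifies against the CA chain and reports the certificate as good, so a failed fetch never leaves the server without a staple.

```shell
#!/bin/sh
# Added example (not Dovecot code). Refreshes the OCSP response file that a
# Dovecot stapling feature like the one proposed above would read.
set -e

# Does the certificate carry the TLS Feature (Must-Staple, RFC 7633)
# extension? Modern OpenSSL prints it as "status_request"; older builds
# print the raw OID 1.3.6.1.5.5.7.1.24.
has_must_staple() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -Eq 'status_request|1\.3\.6\.1\.5\.5\.7\.1\.24'
}

# First OCSP responder URL from the certificate's Authority Information
# Access extension (empty if the certificate has none).
ocsp_uri_of() {
    openssl x509 -in "$1" -noout -ocsp_uri 2>/dev/null | head -n 1
}

# Fetch a fresh response for $1 (leaf cert) using $2 (issuer/CA chain),
# verify it, and atomically replace $3 only on success. On any failure the
# previous file is kept, so a still-valid staple survives a responder outage.
refresh_ocsp() {
    cert=$1; chain=$2; out=$3
    uri=$(ocsp_uri_of "$cert")
    if [ -z "$uri" ]; then
        echo "no OCSP responder URL in $cert" >&2
        return 1
    fi
    tmp=$(mktemp "$out.XXXXXX")
    # -no_nonce: most public responders serve pre-signed responses and
    # ignore nonces; -respout writes the raw DER response to be stapled.
    if ! result=$(openssl ocsp -issuer "$chain" -cert "$cert" -CAfile "$chain" \
            -url "$uri" -no_nonce -respout "$tmp" 2>&1); then
        rm -f "$tmp"; echo "$result" >&2; return 1
    fi
    # Require both a verified signature chain and a "good" status line.
    if printf '%s\n' "$result" | grep -q 'Response verify OK' \
        && printf '%s\n' "$result" | grep -q ': good$'; then
        mv -f "$tmp" "$out"
        return 0
    fi
    rm -f "$tmp"; echo "$result" >&2; return 1
}

# Cron entry point (hypothetical paths and Dovecot behaviour). Run as:
#   sh ocsp-refresh.sh run
if [ "${1-}" = "run" ]; then
    CERT=/etc/dovecot/ssl/imap.example.com.crt
    CHAIN=/etc/dovecot/ssl/imap.example.com.chain.crt
    OCSP=/etc/dovecot/ssl/imap.example.com.ocsp   # assumed Dovecot input file
    if has_must_staple "$CERT"; then
        # Assumption: Dovecot re-reads the OCSP file on reload.
        refresh_ocsp "$CERT" "$CHAIN" "$OCSP" && doveadm reload
    else
        echo "$CERT has no Must-Staple extension; nothing to refresh" >&2
    fi
fi
```

Run it from cron more often than the responder's nextUpdate interval (daily is typical for responses valid for a week), so that one or two failed fetches still leave a valid staple on disk.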
Please kindly consider my motion.