On 03-03-16 13:58, aki.tuomi@dovecot.fi wrote:
> On March 3, 2016 at 2:15 PM dovecot@flut.demon.nl wrote:
>> On 03-03-16 13:04, A. Schulze wrote:
>>> dovecot:
>>>> So I would like to know if Dovecot is planning to feature OCSP stapling. That way I know for sure my "must staple" certificates can be used by Dovecot. And in my opinion, every TLS-offering daemon should be up to par with the capabilities of TLS, not lag behind :)
>>>>
>>>> What's your opinion on this matter?
>>>
>>> OCSP stapling [c|s]hould be implemented on a server if clients *use* that data. For web browsers this is true.
>>> But I'm not aware of any MUA or MTA that validates certificates via OCSP.
>>>
>>> Andreas
>>
>> Well, that's a nice case of the chicken vs. egg problem, now isn't it ;)
>>
>> Unfortunately, certificate validation doesn't have a very good track record when it comes to MTAs. They'll accept self-signed certificates, untrusted certificates, heck, as far as I know they'll trust almost anything! Luckily, MUAs are a little bit more security-concerned, as is Google/GMail.
>>
>> But is that really a reason *not* to implement a feature? Shouldn't a developer think: "OK, I want my MTA to be the best! I want to be on the top of the list of all the MTAs out there." instead of thinking "OK, I'm fine with being mediocre, I don't care.."? :)
>
> We will take this feature under consideration and see if it can be implemented in a future release. Thank you for your suggestion!
>
> Aki Tuomi
> Dovecot Oy

Thank *you* for taking security seriously! Let's hope client development will also take an interest in OCSP stapling, including the TLS Feature Extension, if there are servers out there that actually implement it :)
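The two checks this thread turns on, whether a mail server actually sends a stapled OCSP response during the handshake and whether a certificate carries the must-staple (TLS Feature, RFC 7633) extension, as an added example that is not from the thread's authors or from the Dovecot project. It assumes the openssl command-line tool is installed; the host names, port numbers and certificate file names are placeholders, and the s_client and x509 output excerpts at the bottom are constructed samples used only to exercise the parsing functions offline, not captures from any real server.

```shell
#!/bin/sh
# Added example, not code from the thread or from Dovecot. Assumes the openssl
# CLI is present; hosts, ports and file names below are placeholders.

# Open a TLS session with -status so the client sends the status_request
# extension (the same thing a must-staple-aware MUA would do) and print
# s_client's report. Implicit-TLS ports (imaps 993, pop3s 995) need no third
# argument; STARTTLS ports (imap 143, smtp 587) need the protocol for -starttls.
# Usage: fetch_staple mail.example.net 993   |   fetch_staple mail.example.net 587 smtp
fetch_staple() {
    host=$1; port=$2; proto=$3
    if [ -n "$proto" ]; then
        openssl s_client -connect "$host:$port" -servername "$host" \
            -starttls "$proto" -status </dev/null 2>/dev/null
    else
        openssl s_client -connect "$host:$port" -servername "$host" \
            -status </dev/null 2>/dev/null
    fi
}

# Classify s_client -status output. A server that staples prints an
# "OCSP Response Data" block whose status line says "successful"; one that
# does not prints "OCSP response: no response sent". Anything else under
# "OCSP response:" (a tryLater/unauthorized response, a parse failure) is
# reported as error, which a must-staple client would also treat as fatal.
classify_staple() {
    case $1 in
        *"OCSP Response Status: successful"*) echo stapled ;;
        *"OCSP response: no response sent"*)  echo absent ;;
        *"OCSP response:"*)                   echo error ;;
        *)                                    echo unknown ;;
    esac
}

# Given `openssl x509 -noout -text` output, succeed if the certificate carries
# the TLS Feature extension (OID 1.3.6.1.5.5.7.1.24) requesting
# status_request, i.e. it is a must-staple certificate. Older openssl builds
# print the bare OID instead of the name, so both spellings are matched and
# the value on the following line is checked.
must_staple_from_text() {
    printf '%s\n' "$1" | awk '
        /TLS Feature|1\.3\.6\.1\.5\.5\.7\.1\.24/ { want = NR + 1; next }
        NR == want && /status_request/          { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Same check for a PEM certificate file on disk.
has_must_staple() {
    must_staple_from_text "$(openssl x509 -in "$1" -noout -text)"
}

# The failure mode the thread worries about: a must-staple certificate served
# by a daemon that does not staple. A client honouring the extension must
# fail the handshake, so report it as FAIL.
# Usage: audit cert.pem mail.example.net 993 [proto]
audit() {
    cert=$1; shift
    staple=$(classify_staple "$(fetch_staple "$@")")
    if has_must_staple "$cert"; then must=yes; else must=no; fi
    if [ "$must" = yes ] && [ "$staple" != stapled ]; then
        echo "FAIL: certificate requires stapling but server status is $staple"
        return 1
    fi
    echo "OK: must-staple=$must server=$staple"
}

# Constructed excerpts of s_client and x509 output for offline use of the
# parsers above; they were not captured from any real server.
SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
======================================
---
Certificate chain
 0 s:CN = mail.example.net'
SAMPLE_ABSENT='CONNECTED(00000003)
OCSP response: no response sent
---
Certificate chain
 0 s:CN = mail.example.net'
SAMPLE_MUST_STAPLE_TEXT='        X509v3 extensions:
            X509v3 TLS Feature:
                status_request
            X509v3 Subject Alternative Name:
                DNS:mail.example.net'
SAMPLE_PLAIN_TEXT='        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:mail.example.net'

# Run a live audit only when invoked with arguments:
#   sh staple_check.sh cert.pem mail.example.net 993 [imap|pop3|smtp]
if [ $# -ge 3 ]; then
    audit "$@"
fi
```

Because fetch_staple asks for the status itself, it tells you what the server is capable of, not what a given MUA will check; the thread's point stands that until clients send status_request and act on the answer, a server-side staple is only half the mechanism.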