On 03-03-16 13:04, A. Schulze wrote:
>> So I would like to know if Dovecot is planning to feature OCSP stapling. That way I know for sure my "must staple" certificates can be used by Dovecot. And in my opinion, every TLS-offering daemon should be up to par with the capabilities of TLS, not lag behind :)
>> What's your opinion on this matter?
> OCSP stapling [c|s]hould be implemented on a server if clients *use* that data. For WebBrowser this is true.
> But I'm not aware of any MUA or MTA that validates certificates via OCSP.
> Andreas
Well, that's a nice case of the chicken vs. egg problem, now isn't it ;)
Unfortunately, certificate validation doesn't have a very good track record when it comes to MTAs. They'll accept self-signed certificates, untrusted certificates, heck, as far as I know they'll trust almost anything! Luckily, MUAs are a little bit more security-concerned, as is Google/GMail.
But is that really a reason *not* to implement a feature? Shouldn't a developer think: "OK, I want my MTA to be the best! I want to be on the top of the list of all the MTAs out there." instead of thinking "OK, I'm fine with being mediocre, I don't care.."? :)
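The practical question behind the thread is whether a given daemon actually sends a stapled OCSP response, and whether the certificate it serves carries the RFC 7633 TLS Feature ("must staple") extension that makes a missing staple a hard failure for enforcing clients. The script below is an added example, not code from the thread or from the Dovecot project. It assumes a recent `openssl` binary in PATH, that `s_client -status` prints `OCSP Response Status: successful` when a staple was received and `OCSP response: no response sent` when none was, and that `x509 -text` prints the extension as `TLS Feature:` followed by `status_request` (the exact wording varies slightly between OpenSSL versions). The host and port in `probe_imap` are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or the Dovecot project): check whether a
# TLS-serving daemon staples an OCSP response and whether its certificate
# carries the RFC 7633 "must staple" (TLS Feature: status_request) extension.
# Assumes 'openssl' in PATH; host/port arguments are placeholders.

# Classify `openssl s_client -status` output read from stdin:
# prints "stapled" when a successful OCSP response was part of the handshake,
# "none" when the server sent no status, "unknown" for anything else.
staple_status() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
        echo stapled
    elif printf '%s\n' "$out" | grep -q 'OCSP response: no response sent'; then
        echo none
    else
        echo unknown
    fi
}

# Classify `openssl x509 -noout -text` output read from stdin:
# prints "must-staple" when a TLS Feature extension lists status_request,
# "optional" otherwise. Uses awk rather than grep -A so it stays POSIX.
must_staple_status() {
    if awk '/TLS Feature/ {f=1; next}
            f && /status_request/ {found=1}
            {f=0}
            END {exit !found}'; then
        echo must-staple
    else
        echo optional
    fi
}

# Probe a live IMAP server over STARTTLS (for IMAPS on 993 drop -starttls).
# Usage: probe_imap imap.example.net 143
# Returns 1 when a must-staple certificate is served without a staple, which
# is exactly the combination an enforcing client will refuse.
probe_imap() {
    host=$1; port=${2:-143}
    hs=$(openssl s_client -connect "$host:$port" -starttls imap -status \
            </dev/null 2>/dev/null)
    staple=$(printf '%s\n' "$hs" | staple_status)
    ms=$(printf '%s\n' "$hs" | openssl x509 -noout -text 2>/dev/null \
            | must_staple_status)
    echo "$host:$port certificate=$ms stapling=$staple"
    if [ "$ms" = must-staple ] && [ "$staple" != stapled ]; then
        return 1
    fi
    return 0
}
```

`staple_status` and `must_staple_status` take their input on stdin so they can be run against saved handshake output as well as live probes; `probe_imap` wires them to a real connection and exits non-zero on the must-staple-without-staple case.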