While I am always for security improvements, the utility of this is unclear. I will ABSTAIN from this poll.
Presently, any system administrator who intends to issue must-staple certificates faces the dilemma of having to either
a) refrain from issuing must-staple certificates at all, resulting in the loss of a valuable security feature;
b) issue must-staple certificates without an OCSP response in Dovecot, thereby breaking the TLS RFC (and "hope for the best" on the client side...);
or c) use must-staple on a host-by-host basis.
Question) Do any popular email user agents validate an OCSP response if stapled? (gut feeling is MAYBE/NO)
Question) Do any query an OCSP server if the OCSP response is not stapled? (gut feeling is NO)
Observation) The industry seems poised to move back to (a reincarnation of) CRLs. https://obj.umiacs.umd.edu/papers_for_stories/crlite_oakland17.pdf
Question) Has OCSP really got a future? (gut feeling - a few years at least)
p.s. This seems like a Run-Before-You-Walk situation. I've been pushing to get Dovecot to check the client certificate presented to the LMTP server, with little apparent success. I think it's better to get the fundamentals right first. But it's certainly possible to do both :)