Hello Sean,
Thank you for your fast reply.
> or c) use must-staple on a host-by-host basis
I am not exactly sure what hosts have to do with this. The must-staple extension is a (cryptographically ensured) flag that is 'ingrained' into a certificate. It tells a client to only accept the certificate if a valid and recent OCSP response was stapled along with the certificate.
> Do any popular email user agents validate an OCSP response if stapled?
While I acknowledge that present MUA support for "must-staple" is underwhelming, it is also completely irrelevant for the argument I am making. The security level of one's server should not be determined by Thunderbird/Outlook (or by extension Mozilla/Microsoft).
Counter question: Why should John Doe connecting over HTTPS, doing - let's say - sensitive banking applications, be deprived of the security advantages of the 'must-staple' extension? Just because Thunderbird or Outlook does not support it? What does John Doe using Chrome have to do with Thunderbird/Outlook?
I am not trying to be obnoxious here, but this point is crucial to understand: lack of OCSP in Dovecot has security implications for the entirety of the server, not only for IMAP or Dovecot. Certificates are shared by multiple daemons across different protocols.
This is the entire point I am trying to make here. System administrators currently only have the choice to either disable must-staple or break the TLS RFC for IMAP and "hope for the best" for IMAP clients. A completely unnecessary situation that could easily be resolved if Dovecot could provide basic(!) OCSP support.
> Do any query an OCSP server if the OCSP response is not stapled?
I am again not sure if I understand the question correctly. The purpose of must-staple is that an "unstapled" certificate gets rejected by default. Everything else would render must-staple meaningless.
> Observation) The industry seems poised to move back to (a reincarnation of) CRL's.
I'd argue that a single scientific paper (from admittedly reputable universities) is hardly an industry poised to move back. In all honesty, this looks like an attempt to cloud OCSP with undeserved doubts, for reasons unknown to me. But I think it's fair to say that Dovecot users finally deserve what has been common practice in Nginx/HTTP and Exim/SMTP for ~8 years(!) already.
> Has OCSP really got a future?
Reading this makes me feel like living in a parallel universe. Most certainly. In the HTTP world, this is not even up for debate but called 'best practice'.
If my response came across as confrontational, I apologize in advance. It is not my intention to seek contention. I only want to find solutions. But after years of waiting for this feature and reading arguments that mostly contradict all of my real-life experiences, I feel compelled to speak as clearly and concisely as possible.
Best regards,
novoMedia
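To make concrete what the message above describes, here is an added example (not part of the original post, and not Dovecot code) of how a client-side check for the must-staple flag and the resulting accept/reject decision look. The flag is the RFC 7633 TLS Feature extension (OID 1.3.6.1.5.5.7.1.24) carrying the status_request value 5; the minimal DER walker below finds it in an X.509 Extensions block and then applies the policy from the message: a must-staple certificate is only accepted when a good and recent OCSP response was stapled. The two Extensions blocks, the `age`/`status` fields standing in for a parsed OCSP response, and the seven-day freshness window are all constructed for this demo and are assumptions, not values from the thread.

```python
"""Added example: locate the RFC 7633 TLS Feature ("must-staple") extension in a
DER-encoded X.509 Extensions block and apply a must-staple acceptance policy.

Assumptions (constructed for the demo, not from the original post): the two
Extensions blocks below are hand-built (no real certificate or signature), and a
stapled OCSP response is represented by a dict with 'status' and 'age' (seconds
since producedAt) instead of a full OCSP parser."""

TLS_FEATURE_OID = "1.3.6.1.5.5.7.1.24"   # id-pe-tlsfeature (RFC 7633)
STATUS_REQUEST = 5                        # TLS extension type status_request
MAX_AGE_SECONDS = 7 * 24 * 3600           # assumed freshness window for the demo


def _read_tlv(buf, pos):
    """Decode one DER tag/length/value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Turn the base-128 OID encoding into dotted notation."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def parse_extensions(der):
    """Parse an X.509 Extensions SEQUENCE into a list of (oid, critical, extnValue)."""
    tag, body, _ = _read_tlv(der, 0)
    assert tag == 0x30, "Extensions must be a SEQUENCE"
    result, pos = [], 0
    while pos < len(body):
        _, ext, pos = _read_tlv(body, pos)
        _, oid_raw, p = _read_tlv(ext, 0)
        critical = False
        tag, val, p = _read_tlv(ext, p)
        if tag == 0x01:                    # optional BOOLEAN critical (DEFAULT FALSE)
            critical = val != b"\x00"
            tag, val, p = _read_tlv(ext, p)
        assert tag == 0x04, "extnValue must be an OCTET STRING"
        result.append((_decode_oid(oid_raw), critical, val))
    return result


def requires_stapling(extensions):
    """True if the TLS Feature extension lists status_request (5): must-staple."""
    for oid, _critical, val in extensions:
        if oid != TLS_FEATURE_OID:
            continue
        _, seq, _ = _read_tlv(val, 0)      # SEQUENCE OF INTEGER (feature types)
        pos = 0
        while pos < len(seq):
            _, n, pos = _read_tlv(seq, pos)
            if int.from_bytes(n, "big") == STATUS_REQUEST:
                return True
    return False


def accept_certificate(extensions, stapled, max_age=MAX_AGE_SECONDS):
    """Client decision: a must-staple cert needs a good, recent stapled response.

    `stapled` is None (nothing stapled) or {'status': 'good'|'revoked'|..., 'age': secs}."""
    if not requires_stapling(extensions):
        return True                        # no must-staple: ordinary path validation applies
    if stapled is None:
        return False                       # unstapled must-staple certificate: reject
    return stapled["status"] == "good" and stapled["age"] <= max_age


# Constructed sample: Extensions SEQUENCE holding one TLS Feature extension = {status_request}
MUST_STAPLE_EXTS = bytes.fromhex(
    "3013"                                 # Extensions SEQUENCE, 19 bytes
    "3011"                                 #   Extension SEQUENCE, 17 bytes
    "06082b06010505070118"                 #     OID 1.3.6.1.5.5.7.1.24
    "0405" "3003" "020105"                 #     OCTET STRING { SEQUENCE { INTEGER 5 } }
)
# Constructed sample: only basicConstraints (2.5.29.19, empty = not a CA), no must-staple
PLAIN_EXTS = bytes.fromhex("300b30090603551d1304023000")


if __name__ == "__main__":
    exts = parse_extensions(MUST_STAPLE_EXTS)
    print("must-staple:", requires_stapling(exts))
    print("no staple   ->", accept_certificate(exts, None))
    print("fresh good  ->", accept_certificate(exts, {"status": "good", "age": 3600}))
    print("stale good  ->", accept_certificate(exts, {"status": "good", "age": 30 * 86400}))
```

The decision function is deliberately strict: with must-staple set, "no response" is treated exactly like "bad response", which is the point the message makes about why serving such a certificate from a daemon without stapling support breaks clients that honour the flag.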