Implementation of TLS OCSP Stapling

dovecot at flut.demon.nl dovecot at flut.demon.nl
Thu Mar 3 13:04:07 UTC 2016


On 03-03-16 13:58, aki.tuomi at dovecot.fi wrote:
>> On March 3, 2016 at 2:15 PM dovecot at flut.demon.nl wrote:
>>
>>
>> On 03-03-16 13:04, A. Schulze wrote:
>>> dovecot:
>>>
>>>> So I would like to know if Dovecot is planning to feature OCSP stapling.
>>>> That way I know for sure my "must staple" certificates can be used by
>>>> Dovecot. And in my opinion, every TLS offering daemon should be up to
>>>> par to the capabilities of TLS.. Not lag behind :)
>>>>
>>>> What's your opinion on this matter?
>>> OCSP stapling [c|s]hould be implemented on a server if clients *use*
>>> that data.
>>> For WebBrowser this is true.
>>>
>>> But I'm not aware of any MUA or MTA that validate certificates via OCSP.
>>>
>>> Andreas
>> Well, that's a nice case of the chicken vs. egg problem, now isn't it ;)
>>
>> Unfortunately, certificate validation doesn't have a very good track
>> record when it comes to MTA's.. They'll accept self-signed certificates,
>> untrusted certificates, heck, they'll trust as far as I know almost
>> anything! Luckily, MUA's are a little bit more security-concerned, as
>> is Google/GMail.
>>
>> But is that really a reason *not* to implement a feature? Shouldn't a
>> developer think: "OK, I want my MTA to be the best! I want to be on the
>> top of the list of all the MTA's out there." instead of thinking "OK,
>> I'm fine with being mediocre, I don't care.."? :)
> We will take this feature under consideration and see if it can be implemented
> in future release. Thank you for your suggestion!
>
> ---
> Aki Tuomi
> Dovecot Oy
Thank *you* for taking security seriously! Let's hope client development
will also take an interest in OCSP stapling, including the TLS Feature
Extension, if there are servers out there who actually implement it :)
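The "must staple" certificates the thread refers to carry the RFC 7633 TLS Feature extension (OID 1.3.6.1.5.5.7.1.24) listing the `status_request` feature; a client that honours it will reject a connection to a server that does not staple an OCSP response. The following is an added example, not code from the thread or from the Dovecot project, showing how an operator can detect that extension and run a pre-flight check before deploying such a certificate on a daemon that cannot staple. It uses the `cryptography` library; the certificate it inspects is generated in-block under the constructed, non-existent name `imap.example.test`, and the `server_staples` flag is an assumed input describing the daemon's capability.

```python
# Added example (not from the thread): inspect a certificate for the
# RFC 7633 TLS Feature extension ("must staple") and flag a deployment
# where the serving daemon cannot staple OCSP responses.
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# TLS feature 5 is "status_request"; a certificate listing it is "must staple".
STATUS_REQUEST = x509.TLSFeatureType.status_request


def tls_features(cert: x509.Certificate) -> list:
    """Return the TLS features the certificate demands, or [] when the
    TLS Feature extension is absent."""
    try:
        ext = cert.extensions.get_extension_for_class(x509.TLSFeature)
    except x509.ExtensionNotFound:
        return []
    return list(ext.value)


def requires_stapling(cert: x509.Certificate) -> bool:
    """True when the certificate is a must-staple certificate."""
    return STATUS_REQUEST in tls_features(cert)


def deployment_problems(cert: x509.Certificate, server_staples: bool) -> list:
    """Pre-flight check: a must-staple certificate on a server that does not
    staple will be rejected by clients that honour the extension.
    server_staples is an assumed description of the daemon's capability."""
    problems = []
    if requires_stapling(cert) and not server_staples:
        problems.append(
            "must-staple certificate but the server does not staple OCSP responses"
        )
    return problems


def make_self_signed(common_name: str, must_staple: bool) -> x509.Certificate:
    """Constructed self-signed test certificate (hypothetical name, one-day
    validity); optionally carries the TLS Feature extension."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=1))
    )
    if must_staple:
        builder = builder.add_extension(
            x509.TLSFeature([STATUS_REQUEST]), critical=False
        )
    return builder.sign(key, hashes.SHA256())


if __name__ == "__main__":
    for flag in (True, False):
        cert = make_self_signed("imap.example.test", must_staple=flag)
        print("must_staple=%s features=%s problems=%s"
              % (flag, tls_features(cert), deployment_problems(cert, server_staples=False)))
```

To check a real certificate file instead of the constructed one, load it with `x509.load_pem_x509_certificate(open(path, "rb").read())` and pass it to `deployment_problems`; the same check applies to any TLS-terminating daemon, not only an IMAP server.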

