dovecot 2.3.x, ECC and wildcard certificates, any issues

ѽ҉ᶬḳ℠ vtol at gmx.net
Tue Jul 31 05:36:09 EEST 2018


>> That is one of the reasons I do not bother since long with public CAs
>> but rather deploy my own, including own OCSP responder.
> May I ask, how you create a CA which is valid for clients without them
> having to install your root cert?
>

> and CA trust in clients. Latter though could be easily overcome if
> browser and email clients were to support DNSSEC/DANE validation.

That is where DANE/TLSA comes in but it requires DNSSEC/DANE validation
in the client and of course DNSSEC and TLSA records in the domain's DNS.
Notwithstanding that the upstream DNS resolvers utilized by clients need
to support DNSSEC queries/answers as well.

Whatever the reasons for lacking such validation support in most of the
clients (incl. web browsers) one speculative is that it would kill
commercial CAs (as such Let's Encrypt is one too through their
sponsors), or at least has the potential to diminish their business (model).

Suppose we are not hijacking this thread furthermore and avoid earning a
discontent eventually ... ;)
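The check a DANE-aware client performs once it holds a DNSSEC-validated TLSA RRset is small and worth seeing end to end. The following is an added example, not code from the thread or from Dovecot: it parses a TLSA record in presentation form, pulls the SubjectPublicKeyInfo out of a DER certificate with a minimal ASN.1 walker, and compares the computed association data with the record per RFC 6698 (selector 0/1, matching type 0/1/2). The certificate is a constructed, structurally valid placeholder built inline (its key and signature bytes are dummies), so the script runs offline; the DNSSEC part, fetching and validating the TLSA RRset for e.g. `_993._tcp.<mailhost>`, is assumed to have happened already.

```python
"""DANE/TLSA certificate-association check (RFC 6698), added example.

Assumes the TLSA RRset has already been obtained through a DNSSEC-validating
resolver; what remains is matching the presented certificate against it.
"""
import hashlib
import hmac


# --- minimal DER helpers, enough to walk an X.509 Certificate to its SPKI ---

def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV with definite length (supports up to 65535 bytes)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + content


def der_read(buf: bytes, pos: int):
    """Return (tag, content, next_pos) for the TLV starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        n, pos = first, pos + 2
    else:
        k = first & 0x7F
        n = int.from_bytes(buf[pos + 2:pos + 2 + k], "big")
        pos = pos + 2 + k
    return tag, buf[pos:pos + n], pos + n


def der_children(content: bytes):
    """Yield (tag, whole_tlv, inner_content) for each TLV inside a SEQUENCE."""
    pos = 0
    while pos < len(content):
        tag, body, nxt = der_read(content, pos)
        yield tag, content[pos:nxt], body
        pos = nxt


def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    _, cert_body, _ = der_read(cert_der, 0)
    _, tbs_body, _ = der_read(cert_body, 0)
    fields = list(der_children(tbs_body))
    if fields[0][0] == 0xA0:      # explicit [0] version present (v2/v3 certs)
        fields = fields[1:]
    return fields[5][1]           # sixth field is subjectPublicKeyInfo


# --- TLSA matching (RFC 6698 section 2.1) ---

def parse_tlsa(rdata: str):
    """Parse presentation form '<usage> <selector> <mtype> <hex data>'."""
    usage, selector, mtype, data = rdata.split(None, 3)
    return int(usage), int(selector), int(mtype), bytes.fromhex(data.replace(" ", ""))


def association_data(cert_der: bytes, selector: int, mtype: int) -> bytes:
    """Compute what the TLSA record should contain for this certificate."""
    if selector == 0:
        obj = cert_der                  # full certificate
    elif selector == 1:
        obj = extract_spki(cert_der)    # SubjectPublicKeyInfo only
    else:
        raise ValueError("unknown selector")
    if mtype == 0:
        return obj                      # exact match on the object itself
    if mtype == 1:
        return hashlib.sha256(obj).digest()
    if mtype == 2:
        return hashlib.sha512(obj).digest()
    raise ValueError("unknown matching type")


def tlsa_matches(rdata: str, cert_der: bytes) -> bool:
    """True if the presented certificate satisfies the TLSA record."""
    usage, selector, mtype, expected = parse_tlsa(rdata)
    if usage not in (0, 1, 2, 3):   # PKIX-TA, PKIX-EE, DANE-TA, DANE-EE
        return False
    try:
        computed = association_data(cert_der, selector, mtype)
    except ValueError:
        return False                 # unusable record: never a match
    return hmac.compare_digest(computed, expected)


# --- constructed placeholder certificate (dummy key/signature bytes) ---

def build_fake_cert():
    """Build a structurally valid v3 Certificate; returns (cert_der, spki_der)."""
    rsa_oid = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"      # 1.2.840.113549.1.1.1
    sha256_rsa_oid = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"
    spki = der(0x30, der(0x30, der(0x06, rsa_oid) + der(0x05, b""))
               + der(0x03, b"\x00" + b"\x42" * 32))        # dummy key bits
    tbs = der(0x30,
              der(0xA0, der(0x02, b"\x02"))                 # [0] version = v3
              + der(0x02, b"\x01")                          # serialNumber
              + der(0x30, der(0x06, sha256_rsa_oid))        # signature algorithm
              + der(0x30, b"")                              # issuer (empty Name)
              + der(0x30, der(0x17, b"180731000000Z") + der(0x17, b"190731000000Z"))
              + der(0x30, b"")                              # subject (empty Name)
              + spki)
    cert = der(0x30, tbs + der(0x30, der(0x06, sha256_rsa_oid))
               + der(0x03, b"\x00" + b"\x00" * 8))          # dummy signature
    return cert, spki


FAKE_CERT, FAKE_SPKI = build_fake_cert()
# What the zone operator would publish for DANE-EE / SPKI / SHA-256 ("3 1 1"):
GOOD_RECORD = "3 1 1 " + hashlib.sha256(FAKE_SPKI).hexdigest()
# A record for some other key, which must not match:
BAD_RECORD = "3 1 1 " + "00" * 32

if __name__ == "__main__":
    print("good record matches:", tlsa_matches(GOOD_RECORD, FAKE_CERT))
    print("bad record matches: ", tlsa_matches(BAD_RECORD, FAKE_CERT))
```

The "3 1 1" form is the one usually recommended for a mail server: it pins the key rather than the certificate, so the record survives certificate renewals as long as the key pair is kept, and DANE-EE (usage 3) makes the PKIX chain irrelevant, which is exactly why a private CA works with it.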


