Hi all,

About a year ago, Torsten already asked for OCSP stapling (http://dovecot.org/pipermail/dovecot/2015-April/100632.html). Unfortunately, there was no answer to his question.

Now that RFC 7633 ("TLS Feature Extension", https://tools.ietf.org/html/rfc7633, a.k.a. "Must Staple") has landed, revocation is getting serious! I personally would like to embed the must-staple extension in all my TLS certificates. The great project Let's Encrypt already supports it: https://github.com/letsencrypt/boulder/pull/1224

I'm aware most MTAs don't really care about the certificate, but big players such as Google take TLS encryption very seriously: https://googleblog.blogspot.nl/2016/02/building-safer-web-for-everyone.html

So I would like to know if Dovecot is planning to feature OCSP stapling. That way I know for sure my "must staple" certificates can be used by Dovecot. And in my opinion, every TLS-offering daemon should be up to par with the capabilities of TLS, not lag behind :)

What's your opinion on this matter?

Thanks in advance for any answer!

Greets,
Osiris
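Before asking a server to staple, it helps to know which of your certificates actually demand it. The following is an added example (not code from this thread, from Dovecot, or from Let's Encrypt) that walks a DER-encoded certificate with a minimal, stdlib-only DER parser and reports whether it carries the RFC 7633 TLS Feature extension (OID 1.3.6.1.5.5.7.1.24) listing `status_request` (feature number 5) or `status_request_v2` (17). The sample input is a constructed, unsigned certificate skeleton built by the `fake_cert` helper purely so the check can run offline; the OID and feature numbers are from RFC 7633 and the IANA TLS ExtensionType registry, everything else here is illustrative.

```python
"""Check whether an X.509 certificate asserts RFC 7633 "must staple"
(a TLS Feature extension listing status_request). Pure stdlib DER walking,
so it runs without OpenSSL or the cryptography package."""
import base64

TLS_FEATURE_OID = "1.3.6.1.5.5.7.1.24"   # id-pe-tlsfeature (RFC 7633)
STATUS_REQUEST = 5                         # TLS ExtensionType status_request
STATUS_REQUEST_V2 = 17                     # TLS ExtensionType status_request_v2


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length: next n bytes hold it
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Yield (tag, value) for every element packed inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = _read_tlv(value, pos)
        yield tag, inner


def _decode_oid(raw):
    parts, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(acc)
            acc = 0
    return ".".join(map(str, parts))


def pem_to_der(pem_text):
    body = "".join(l for l in pem_text.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)


def tls_features(cert_der):
    """Return the TLS feature numbers the certificate asserts, or None if it
    carries no TLS Feature extension at all."""
    _, cert, _ = _read_tlv(cert_der, 0)          # Certificate ::= SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)               # tbsCertificate ::= SEQUENCE
    for tag, field in _children(tbs):
        if tag != 0xA3:                          # extensions are [3] EXPLICIT
            continue
        _, exts, _ = _read_tlv(field, 0)         # SEQUENCE OF Extension
        for _, ext in _children(exts):
            fields = list(_children(ext))        # OID, [critical BOOLEAN], OCTET STRING
            if _decode_oid(fields[0][1]) != TLS_FEATURE_OID:
                continue
            _, feats, _ = _read_tlv(fields[-1][1], 0)   # extnValue: SEQUENCE OF INTEGER
            return [int.from_bytes(v, "big") for t, v in _children(feats) if t == 0x02]
    return None


def is_must_staple(cert_der):
    """True if the certificate demands a stapled OCSP response (RFC 7633)."""
    feats = tls_features(cert_der)
    return bool(feats) and (STATUS_REQUEST in feats or STATUS_REQUEST_V2 in feats)


# --- constructed sample input: a certificate-shaped DER skeleton (unsigned,
# empty names and key); only the extensions field matters for this check ---

def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _encode_oid(dotted):
    p = [int(x) for x in dotted.split(".")]
    out = bytes([40 * p[0] + p[1]])
    for arc in p[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return out


def fake_cert(features=None):
    """Build the skeleton with the given TLS feature numbers, or without any
    TLS Feature extension when features is None."""
    exts = b""
    if features is not None:
        value = _tlv(0x30, b"".join(_tlv(0x02, bytes([f])) for f in features))
        ext = _tlv(0x30, _tlv(0x06, _encode_oid(TLS_FEATURE_OID)) + _tlv(0x04, value))
        exts = _tlv(0xA3, _tlv(0x30, ext))
    empty = _tlv(0x30, b"")
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + empty * 5 + exts)
    return _tlv(0x30, tbs + empty + _tlv(0x03, b"\x00"))


if __name__ == "__main__":
    print(is_must_staple(fake_cert([STATUS_REQUEST])))   # True
    print(is_must_staple(fake_cert()))                   # False
```

On a real certificate, `is_must_staple(pem_to_der(open("fullchain.pem").read()))` gives the answer for the leaf (the first PEM block). The other half of the check, whether the server actually staples, cannot be done offline; `openssl s_client -connect imap.example.org:993 -status` prints `OCSP response: no response sent` when nothing is stapled, which is exactly the combination (must-staple leaf, non-stapling server) that a strict client will reject.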
dovecot:
> So I would like to know if Dovecot is planning to feature OCSP stapling.
> That way I know for sure my "must staple" certificates can be used by
> Dovecot. And in my opinion, every TLS offering daemon should be up to
> par to the capabilities of TLS.. Not lag behind :)
>
> What's your opinion on this matter?

OCSP stapling [c|s]hould be implemented on a server if clients *use* that data.
For web browsers this is true.

But I'm not aware of any MUA or MTA that validates certificates via OCSP.

Andreas
On 03-03-16 13:04, A. Schulze wrote:
>
> dovecot:
>
>> So I would like to know if Dovecot is planning to feature OCSP stapling.
>> That way I know for sure my "must staple" certificates can be used by
>> Dovecot. And in my opinion, every TLS offering daemon should be up to
>> par to the capabilities of TLS.. Not lag behind :)
>>
>> What's your opinion on this matter?
>
> OCSP stapling [c|s]hould be implemented on a server if clients *use*
> that data.
> For WebBrowser this is true.
>
> But I'm not aware of any MUA or MTA that validate certificates via OCSP.
>
> Andreas

Well, that's a nice case of the chicken vs. egg problem, now isn't it ;)

Unfortunately, certificate validation doesn't have a very good track record when it comes to MTAs. They'll accept self-signed certificates, untrusted certificates, heck, as far as I know they'll trust almost anything! Luckily, MUAs are a little bit more security-concerned, as is Google/GMail.

But is that really a reason *not* to implement a feature? Shouldn't a developer think: "OK, I want my MTA to be the best! I want to be at the top of the list of all the MTAs out there." instead of thinking "OK, I'm fine with being mediocre, I don't care.."? :)
On 3-3-2016 at 13:04, A. Schulze wrote:
>
> dovecot:
>
>> So I would like to know if Dovecot is planning to feature OCSP stapling.
>> That way I know for sure my "must staple" certificates can be used by
>> Dovecot. And in my opinion, every TLS offering daemon should be up to
>> par to the capabilities of TLS.. Not lag behind :)
>>
>> What's your opinion on this matter?
>
> OCSP stapling [c|s]hould be implemented on a server if clients *use*
> that data.
> For WebBrowser this is true.
>
> But I'm not aware of any MUA or MTA that validate certificates via OCSP.

OCSP stapling [c|s]hould be implemented on a client if servers *provide* that data.

So, who's going to be first... the chicken or the egg? :)

Regards,

Stephan.
On 3-3-2016 at 13:04, A. Schulze wrote:
>
> dovecot:
>
>> So I would like to know if Dovecot is planning to feature OCSP stapling.
>> That way I know for sure my "must staple" certificates can be used by
>> Dovecot. And in my opinion, every TLS offering daemon should be up to
>> par to the capabilities of TLS.. Not lag behind :)
>>
>> What's your opinion on this matter?
>
> OCSP stapling [c|s]hould be implemented on a server if clients *use*
> that data.
> For WebBrowser this is true.
>
> But I'm not aware of any MUA or MTA that validate certificates via OCSP.

BTW, I can imagine that Thunderbird can already do that, as it shares much of the Firefox code base. At least it should be relatively easy to add/enable there.

Regards,

Stephan.