On 03-03-16 13:04, A. Schulze wrote:
> > dovecot:
> >
> >> So I would like to know if Dovecot is planning to feature OCSP stapling.
> >> That way I know for sure my "must staple" certificates can be used by
> >> Dovecot. And in my opinion, every TLS offering daemon should be up to
> >> par to the capabilities of TLS.. Not lag behind :)
> >>
> >> What's your opinion on this matter?
> >
> > OCSP stapling [c|s]hould be implemented on a server if clients *use*
> > that data.
> > For WebBrowser this is true.
> >
> > But I'm not aware of any MUA or MTA that validate certificates via OCSP.
> >
> > Andreas

Well, that's a nice case of the chicken vs. egg problem, now isn't it ;)

Unfortunately, certificate validation doesn't have a very good track record when it comes to MTAs. They'll accept self-signed certificates, untrusted certificates, heck, they'll trust, as far as I know, almost anything! Luckily, MUAs are a little bit more security-concerned, as is Google/GMail.

But is that really a reason *not* to implement a feature? Shouldn't a developer think: "OK, I want my MTA to be the best! I want to be on the top of the list of all the MTAs out there." instead of thinking "OK, I'm fine with being mediocre, I don't care.."? :)
> On March 3, 2016 at 2:15 PM dovecot at flut.demon.nl wrote:
>
>
> On 03-03-16 13:04, A. Schulze wrote:
> > > dovecot:
> > >
> > >> So I would like to know if Dovecot is planning to feature OCSP stapling.
> > >> That way I know for sure my "must staple" certificates can be used by
> > >> Dovecot. And in my opinion, every TLS offering daemon should be up to
> > >> par to the capabilities of TLS.. Not lag behind :)
> > >>
> > >> What's your opinion on this matter?
> > >
> > > OCSP stapling [c|s]hould be implemented on a server if clients *use*
> > > that data.
> > > For WebBrowser this is true.
> > >
> > > But I'm not aware of any MUA or MTA that validate certificates via OCSP.
> > >
> > > Andreas
>
> Well, that's a nice case of the chicken vs. egg problem, now isn't it ;)
>
> Unfortunately, certificate validation doesn't have a very good track
> record when it comes to MTAs. They'll accept self-signed certificates,
> untrusted certificates, heck, they'll trust, as far as I know, almost
> anything! Luckily, MUAs are a little bit more security-concerned, as
> is Google/GMail.
>
> But is that really a reason *not* to implement a feature? Shouldn't a
> developer think: "OK, I want my MTA to be the best! I want to be on the
> top of the list of all the MTAs out there." instead of thinking "OK,
> I'm fine with being mediocre, I don't care.."? :)

We will take this feature under consideration and see if it can be implemented in a future release. Thank you for your suggestion!

---
Aki Tuomi
Dovecot Oy
On 03-03-16 13:58, aki.tuomi at dovecot.fi wrote:
>> On March 3, 2016 at 2:15 PM dovecot at flut.demon.nl wrote:
>>
>>
>> On 03-03-16 13:04, A. Schulze wrote:
>>> dovecot:
>>>
>>>> So I would like to know if Dovecot is planning to feature OCSP stapling.
>>>> That way I know for sure my "must staple" certificates can be used by
>>>> Dovecot. And in my opinion, every TLS offering daemon should be up to
>>>> par to the capabilities of TLS.. Not lag behind :)
>>>>
>>>> What's your opinion on this matter?
>>> OCSP stapling [c|s]hould be implemented on a server if clients *use*
>>> that data.
>>> For WebBrowser this is true.
>>>
>>> But I'm not aware of any MUA or MTA that validate certificates via OCSP.
>>>
>>> Andreas
>> Well, that's a nice case of the chicken vs. egg problem, now isn't it ;)
>>
>> Unfortunately, certificate validation doesn't have a very good track
>> record when it comes to MTAs. They'll accept self-signed certificates,
>> untrusted certificates, heck, they'll trust, as far as I know, almost
>> anything! Luckily, MUAs are a little bit more security-concerned, as
>> is Google/GMail.
>>
>> But is that really a reason *not* to implement a feature? Shouldn't a
>> developer think: "OK, I want my MTA to be the best! I want to be on the
>> top of the list of all the MTAs out there." instead of thinking "OK,
>> I'm fine with being mediocre, I don't care.."? :)
> We will take this feature under consideration and see if it can be implemented
> in a future release. Thank you for your suggestion!
>
> ---
> Aki Tuomi
> Dovecot Oy

Thank *you* for taking security seriously! Let's hope client development will also take an interest in OCSP stapling, including the TLS Feature Extension, if there are servers out there who actually implement it :)
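The first post in this thread asks whether "must staple" certificates can be used with Dovecot, and the reply above names the mechanism behind that requirement, the TLS Feature extension (RFC 7633). The practical question for an operator is the reverse one: does the certificate I am about to load into a daemon that does not staple actually demand stapling? The following is an added example, not code from this thread or from Dovecot; it uses only the Python standard library, walks the DER by hand, and reports whether a certificate's Extensions block carries the TLS Feature extension with status_request (5). The two extension blocks at the bottom are constructed in the script for demonstration; against a real certificate you would pass in the Extensions SEQUENCE from the TBSCertificate.

```python
"""Detect RFC 7633 "must-staple" (TLS Feature extension) in X.509 extensions.

Added example, not Dovecot code.  RFC 7633: a client that understands the
extension must treat a handshake without a stapled OCSP response as a
failure, so a must-staple certificate on a non-stapling server breaks
exactly the clients that check revocation.  The sample inputs below are
constructed here, not taken from a real certificate.
"""

TLS_FEATURE_OID = "1.3.6.1.5.5.7.1.24"   # id-pe-tlsfeature (RFC 7633)
STATUS_REQUEST = 5                        # TLS extension number for OCSP stapling


def der_read_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                     # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_children(value: bytes):
    """Yield (tag, value) for each element inside a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = der_read_tlv(value, pos)
        yield tag, inner


def decode_oid(raw: bytes) -> str:
    """OID content bytes -> dotted string (first byte = 40*a+b, rest base-128 arcs)."""
    arcs = [raw[0] // 40, raw[0] % 40]
    acc = 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                  # high bit clear ends the arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def tls_features(extensions_der: bytes):
    """Return the TLS extension numbers listed in the TLS Feature extension,
    or None when the certificate carries no such extension."""
    _, ext_list, _ = der_read_tlv(extensions_der, 0)   # Extensions ::= SEQUENCE OF Extension
    for _tag, ext in der_children(ext_list):
        fields = list(der_children(ext))               # extnID, [critical], extnValue
        if decode_oid(fields[0][1]) != TLS_FEATURE_OID:
            continue
        _, seq, _ = der_read_tlv(fields[-1][1], 0)     # extnValue wraps SEQUENCE OF INTEGER
        return [int.from_bytes(v, "big") for t, v in der_children(seq) if t == 0x02]
    return None


def is_must_staple(extensions_der: bytes) -> bool:
    """True when the certificate requires the server to staple an OCSP response."""
    features = tls_features(extensions_der)
    return features is not None and STATUS_REQUEST in features


# --- constructed sample inputs (DER encoders used only to build test data) ---

def der_tlv(tag: int, value: bytes) -> bytes:
    """Encode a DER TLV with short- or long-form length."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + value


def encode_oid(dotted: str) -> bytes:
    """Dotted OID -> DER OBJECT IDENTIFIER TLV (inverse of decode_oid)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                        # continuation bytes carry the high bit
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der_tlv(0x06, bytes(out))


def build_extensions(features):
    """Constructed Extensions block: basicConstraints CA:FALSE, plus TLS Feature if given."""
    basic = der_tlv(0x30, encode_oid("2.5.29.19") + der_tlv(0x01, b"\xff")
                    + der_tlv(0x04, der_tlv(0x30, b"")))
    exts = basic
    if features is not None:
        ints = b"".join(der_tlv(0x02, bytes([f])) for f in features)
        exts += der_tlv(0x30, encode_oid(TLS_FEATURE_OID) + der_tlv(0x04, der_tlv(0x30, ints)))
    return der_tlv(0x30, exts)


MUST_STAPLE_EXTS = build_extensions([STATUS_REQUEST])   # constructed must-staple cert
PLAIN_EXTS = build_extensions(None)                      # constructed ordinary cert

if __name__ == "__main__":
    for name, exts in (("must-staple", MUST_STAPLE_EXTS), ("plain", PLAIN_EXTS)):
        verdict = "server must staple" if is_must_staple(exts) else "stapling optional"
        print(f"{name}: tlsfeature={tls_features(exts)} -> {verdict}")
```

The deployment rule this encodes for a mail admin: if is_must_staple() returns True, do not serve that certificate from an IMAP or SMTP daemon that cannot staple, because a client honouring RFC 7633 will fail the handshake rather than fall back to a direct OCSP query.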
On 3/03/2016 11:58 PM, aki.tuomi at dovecot.fi wrote:
> We will take this feature under consideration and see if it can be implemented
> in a future release. Thank you for your suggestion!

As much as I hate Outlook (Look Out!), there are loads of people using really old versions; 2003 is no longer supported, but loads of people use 2007. Thunderbird can be expected to be far more up to date. Implementing features to work with older clients will always be a problem.

Just a simple example, almost unrelated here, but this is either wrong by TB or wrong by Outlook (versions 2007, 2010 and 2013 that I know of). When the IMAP server sends a message, OL will pop up a window that requires the user to acknowledge the message via a popup. TB just pops up the message in the normal 'new mail' notify if that is configured, and it might be lost if notify isn't set to show. Either way, the implementation is different b/w the two client products. Is OL right or is TB right... IMAP doco says that the message should be made to be acknowledged by the client; OL's version can't easily be ignored or missed, but TB's can easily be missed. But TB's implementation is more user friendly if the server wants to keep sending messages from time to time. I considered using this for MOTD type stuff and maybe random inspirational or motivational messages; even to remind or inform users to do certain things [one example in the dovecot wiki is to advise that the vacation message is still active]. A TB notification is next to harmless, but an OL one needs to be acknowledged every time, which would be very painful.

Anyway, the point is that if a feature is added for OCSP stapling support, you couldn't really expect older versions of Look Out to comply with it (even though M$ could patch it easily, they care less about older versions than getting people to subscribe to Office 365 these days).

Cheers
A.