While I am always for security improvements, the utility of this is
unclear. I will ABSTAIN from this poll.
Presently, any system administrator who intends to issue must-staple
certificates faces the dilemma of choosing to either
a) Refrain from issuing must-staple certificates at all, resulting in
the loss of a valuable security feature.
b) Issue must-staple certificates without an OCSP response in Dovecot,
thereby breaking the TLS RFC (and “hope for the best” on the client
side…).
or c) use must-staple on a host-by-host basis.
Question) Do any popular email user agents validate an OCSP response if
stapled? (gut feeling is MAYBE/NO)
Question) Do any query an OCSP server if the OCSP response is not
stapled? (gut feeling is NO)
Observation) The industry seems poised to move back to (a reincarnation
of) CRLs.
https://obj.umiacs.umd.edu/papers_for_stories/crlite_oakland17.pdf
Question) Has OCSP really got a future? (gut feeling - a few years at least)
p.s. this seems like a Run-Before-You-Walk situation. I've been pushing
to get Dovecot to check the client certificate presented to the LMTP
server, with little apparent success. I think it's better to get the
fundamentals right first. But it's certainly possible to do both :)
_______________________________________________
dovecot mailing list -- dovecot@dovecot.org
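The dilemma in the message above hinges on whether a certificate actually carries the RFC 7633 TLS Feature ("must-staple") extension, because only then does serving it without a stapled OCSP response violate the RFC. The following is an added example, not code from the poster or from Dovecot: a dependency-free DER walker that inspects an X.509 Extensions SEQUENCE (as extracted from a certificate with any ASN.1 tool) and reports whether status_request is required. The sample extension blobs are constructed inline for the demonstration.

```python
"""Detect the RFC 7633 TLS Feature (must-staple) extension with a minimal DER walker."""

TLS_FEATURE_OID = bytes.fromhex("2b06010505070118")  # DER of OID 1.3.6.1.5.5.7.1.24
STATUS_REQUEST = 5  # TLS extension number for status_request (RFC 6066)


def der_read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Yield (tag, value) for each TLV inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = der_read_tlv(value, pos)
        yield tag, val


def must_staple_features(extensions_der):
    """Return the TLS feature numbers listed in the TLS Feature extension,
    or None when the certificate carries no such extension."""
    tag, seq, _ = der_read_tlv(extensions_der, 0)
    if tag != 0x30:
        raise ValueError("Extensions must be a DER SEQUENCE")
    for _, ext in der_children(seq):  # Extension ::= SEQUENCE { extnID, critical?, extnValue }
        parts = list(der_children(ext))
        if parts[0][1] != TLS_FEATURE_OID:
            continue
        octet_string = parts[-1][1]  # extnValue sits last, after the optional critical BOOLEAN
        _, features, _ = der_read_tlv(octet_string, 0)  # SEQUENCE OF INTEGER
        return [int.from_bytes(v, "big") for t, v in der_children(features) if t == 0x02]
    return None


def requires_staple(extensions_der):
    """True when the TLS Feature extension demands status_request (must-staple)."""
    feats = must_staple_features(extensions_der)
    return feats is not None and STATUS_REQUEST in feats


def tlv(tag, value):
    """Encode a short-form DER TLV (constructed sample data only)."""
    return bytes([tag, len(value)]) + value


# Constructed samples: basicConstraints (critical, empty) with and without the TLS Feature extension.
BASIC_CONSTRAINTS = tlv(0x30, tlv(0x06, b"\x55\x1d\x13") + tlv(0x01, b"\xff") + tlv(0x04, tlv(0x30, b"")))
TLS_FEATURE = tlv(0x30, tlv(0x06, TLS_FEATURE_OID) + tlv(0x04, tlv(0x30, tlv(0x02, b"\x05"))))
MUST_STAPLE_EXTS = tlv(0x30, BASIC_CONSTRAINTS + TLS_FEATURE)
PLAIN_EXTS = tlv(0x30, BASIC_CONSTRAINTS)
```

For a quick manual check on a real certificate, `openssl x509 -text` prints a "TLS Feature: status_request" entry when the extension is present.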