> On March 3, 2016 at 2:15 PM dove...@flut.demon.nl wrote:
>
>
> On 03-03-16 13:04, A. Schulze wrote:
> >
> > dovecot:
> >
> >> So I would like to know if Dovecot is planning to feature OCSP stapling.
> >> That way I know for sure my "must staple" certificates can be used by
> >> Dovecot. And in my opinion, every TLS offering daemon should be up to
> >> par to the capabilities of TLS.. Not lag behind :)
> >>
> >> What's your opinion on this matter?
> >
> > OCSP stapling [c|s]hould be implemented on a server if clients *use*
> > that data.
> > For WebBrowser this is true.
> >
> > But I'm not aware of any MUA or MTA that validate certificates via OCSP.
> >
> > Andreas
>
> Well, that's a nice case of the chicken vs. egg problem, now isn't it ;)
>
> Unfortunately, certificate validation doesn't have a very good track
> record when it comes to MTA's.. They'll accept self-signed certificates,
> untrusted certificates, heck, they'll trust as far as I know almost
> anything! Luckily, MUA's are a little bit more security-concerned, as
> is Google/GMail.
>
> But is that really a reason *not* to implement a feature? Shouldn't a
> developer think: "OK, I want my MTA to be the best! I want to be on the
> top of the list of all the MTA's out there." instead of thinking "OK,
> I'm fine with being mediocre, I don't care.."? :)

We will take this feature under consideration and see if it can be implemented in a future release. Thank you for your suggestion!

---
Aki Tuomi
Dovecot Oy