Currently, Dovecot does not offer any support for OCSP, leaving system administrators with a dilemma: choosing between security and compatibility.


- What is OCSP?

OCSP (Online Certificate Status Protocol) is a network protocol used to check the validity and revocation status of digital certificates in real-time.



- What is Must-Staple?

"Must-Staple" is a certificate extension that enforces the inclusion of OCSP stapling information, requiring servers to present the certificate's revocation status during the TLS handshake.



- What advantages does the use of Must-Staple offer?

The inclusion of a 'must-staple' flag in a certificate mandates the presence of an OCSP response during a TLS handshake, ensuring that a revoked certificate remains (at worst) usable only until the expiration of the latest OCSP response, rather than the expiration of the certificate itself (subject to the specific client implementation).

https://www.reddit.com/r/selfhosted/comments/aye79v/the_case_for_ocsp_muststaple/



- What is the current issue with Dovecot?

Presently, any system administrator who intends to issue must-staple certificates faces the dilemma of having to either

a) Refrain from issuing must-staple certificates at all, resulting in the loss of a valuable security feature, or
b) Issue must-staple certificates without an OCSP response in Dovecot, thereby breaking the TLS RFC (and “hope for the best” on the client side…).

A "stuck between a rock and a hard place" situation.



- Any other reasons to implement OCSP?

Regulatory frameworks such as HIPAA, PCI-DSS and more require the implementation of OCSP to enhance privacy and security. Personally, this requirement does not impact me since I am neither located in the United States nor have customers there. Nonetheless, it is worth noting this requirement for individuals or entities who are subject to these regulations.



- Is there demand for OCSP in Dovecot?

https://github.com/mjhas/dovecot/issues/44 (First GitHub Google hit for “dovecot ocsp”)
https://serverfault.com/questions/830434/do-postfix-and-dovecot-support-ocsp-stapling
https://dovecot.org/pipermail/dovecot/2018-October/113368.html
https://www.dovecot.org/list/dovecot/2016-March/103395.html



- Summary

By implementing a simple OCSP solution, Dovecot could effectively solve this predicament without any drawbacks for its users. The focus here is on simplicity. It is unnecessary to employ a comprehensive OCSP resolver/responder like the one used in Nginx; rather, it would suffice to allow the definition of a simple file path containing the OCSP response alongside the certificate (honoring TLS SNI).
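The checks an administrator would want before deploying such a certificate, as an added example that is not part of the original post or of Dovecot: the script issues two constructed test certificates with openssl (one carrying the TLS Feature must-staple extension, one without), reports which one carries the flag, and extracts the responder URL from which the OCSP response file proposed above would have to be fetched. It assumes openssl 1.1.1 or later on PATH; the CA, hostnames and responder URL are constructed.

```shell
#!/bin/sh
# Added example (not Dovecot code): issue constructed must-staple / plain test
# certs, then check for the must-staple flag and the OCSP responder URL.
# Assumes openssl 1.1.1+ on PATH; every name and URL below is made up.
set -eu
WORK=$(mktemp -d)                       # left in place so the files can be inspected
OCSP_URI="http://ocsp.example.test/"    # constructed responder URL for the AIA extension
# Throwaway self-signed CA.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 -subj "/CN=Test CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

# issue_cert NAME must|plain : leaf certificate for NAME, with or without must-staple.
issue_cert() {
  name=$1; mode=$2
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$name" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  {
    echo "authorityInfoAccess = OCSP;URI:$OCSP_URI"
    # TLS Feature extension (RFC 7633) carrying status_request = must-staple
    if [ "$mode" = must ]; then echo "tlsfeature = status_request"; fi
  } > "$WORK/$name.ext"
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -sha256 -extfile "$WORK/$name.ext" \
    -out "$WORK/$name.pem" 2>/dev/null
}

# has_must_staple CERT : prints yes if the certificate demands a stapled OCSP response.
# Serving such a cert from a daemon that never staples breaks strict clients.
has_must_staple() {
  if openssl x509 -in "$1" -noout -text | grep -q 'status_request'; then
    echo yes
  else
    echo no
  fi
}

# ocsp_uri CERT : responder URL from the AIA extension; the OCSP response that
# would be stored next to the certificate has to be fetched from here.
ocsp_uri() { openssl x509 -in "$1" -noout -ocsp_uri; }

# server_staples HOST PORT : yes if a live TLS server (e.g. IMAPS on 993) sends a
# stapled response. Defined only; not invoked here because it needs network access.
server_staples() {
  if openssl s_client -connect "$1:$2" -servername "$1" -status </dev/null 2>/dev/null \
      | grep -q 'OCSP Response Status: successful'; then echo yes; else echo no; fi
}

issue_cert mail-must must
issue_cert mail-plain plain
MUST_CERT="$WORK/mail-must.pem"; PLAIN_CERT="$WORK/mail-plain.pem"
echo "must-staple: $(has_must_staple "$MUST_CERT") / $(has_must_staple "$PLAIN_CERT")"
echo "responder:   $(ocsp_uri "$MUST_CERT")"
```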



Please kindly consider my motion.
_______________________________________________
dovecot mailing list -- dovecot@dovecot.org