Hello Sean,
Thank you for your fast reply.
> or c) use must-staple on a host-by-host basis
I am not exactly sure what hosts have to do with this. The must-staple
extension is a (cryptographically ensured) flag that is 'ingrained' into
a certificate. It tells a client to only accept the certificate if a
valid and recent OCSP response was stapled along with the certificate.
> Do any popular email user agents validate an OCSP response if
stapled?
While I acknowledge that present MUA support for "must-staple" is
underwhelming, it is also completely irrelevant for the argument I am
making. The security level of one's server should not be determined by
Thunderbird/Outlook (or, by extension, Mozilla/Microsoft).
Counter question: Why should John Doe connecting over HTTPS, doing -
let's say - sensitive banking applications, be deprived of the security
advantages of the 'must-staple' extension? Just because Thunderbird or
Outlook does not support it? What does John Doe using Chrome have to do
with Thunderbird/Outlook?
I am not trying to be obnoxious here, but this point is crucial to
understand: lack of OCSP in Dovecot has security implications for the
entirety of the server - not only for IMAP or Dovecot. Certificates are
shared by multiple daemons across different protocols.
This is the entire point I am trying to make here. System administrators
currently only have the choice to either disable must-staple or break
the TLS RFC for IMAP and "hope for the best" for IMAP clients. A
completely unnecessary situation that could easily be resolved if
Dovecot could provide basic(!) OCSP support.
> Do any query an OCSP server if the OCSP response is not
stapled?
I am again not sure if I understand the question correctly. The purpose
of must-staple is that an "unstapled" certificate gets rejected by
default. Everything else would render must-staple meaningless.
> Observation) The industry seems poised to move back to (a reincarnation
of) CRL's.
I'd argue that a single scientific paper (from admittedly reputable
universities) is hardly an industry poised to move back. In all honesty,
this looks like an attempt to cloud OCSP with undeserved doubts - for
reasons unknown to me. But I think it's fair to say that Dovecot users
finally deserve what has been common practice in Nginx/HTTP and Exim/SMTP
for ~8 years(!) already.
> Has OCSP really got a future?
Reading this makes me feel like I am living in a parallel universe. Most
certainly. In the HTTP world, this is not even up for debate but is called
'best practice'.
If my response came across as confrontational, I apologize in advance. It
is not my intention to seek contention. I only want to find solutions.
But after years of waiting for this feature and reading arguments that
mostly contradict all of my real-life experiences, I feel compelled to
speak as clearly and concisely as possible.
Best regards
novoMedia
_______________________________________________
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-le...@dovecot.org
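As an added example, not code from this thread or from the Dovecot project, the following shell script builds two throw-away self-signed certificates with openssl, one carrying the RFC 7633 TLS Feature extension (OID 1.3.6.1.5.5.7.1.24 with the status_request feature, which is what "must-staple" is) and one without, and then checks which of them has it. This is the check an administrator would run on a certificate that is shared across daemons before assuming every protocol on the host can serve it correctly. The hostnames imap.example.test and smtp.example.test and the helper names make_cert and has_must_staple are made up for the example; it assumes an OpenSSL 1.1.0 or newer binary, since older releases do not know the tlsfeature config keyword.

```shell
#!/bin/sh
# Added example (not code from the thread or from Dovecot): build two throw-away
# self-signed certificates, one with and one without the RFC 7633 TLS Feature
# extension (OID 1.3.6.1.5.5.7.1.24, feature status_request = "must-staple"),
# and check which of them carries it, the same way one would inspect a real
# server certificate before deploying it on an IMAP/SMTP/HTTPS host.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert NAME WITH_MUST_STAPLE: writes $WORK/NAME.pem and prints its path.
# NAME (e.g. imap.example.test) is a made-up hostname; when WITH_MUST_STAPLE is 1
# the 'tlsfeature = status_request' line is what bakes must-staple into the
# certificate body, so it is covered by the issuer's signature and cannot be
# stripped by a server or an attacker without invalidating the certificate.
make_cert() {
  name=$1
  with_ms=$2
  cnf="$WORK/$name.cnf"
  {
    printf '[req]\nprompt = no\ndistinguished_name = dn\nx509_extensions = ext\n'
    printf '[dn]\nCN = %s\n' "$name"
    printf '[ext]\nsubjectAltName = DNS:%s\n' "$name"
    if [ "$with_ms" -eq 1 ]; then
      printf 'tlsfeature = status_request\n'
    fi
  } > "$cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/$name.key" -out "$WORK/$name.pem" -config "$cnf" 2>/dev/null
  printf '%s\n' "$WORK/$name.pem"
}

# has_must_staple CERT.pem: exit 0 if the certificate carries the TLS Feature
# extension with status_request, 1 otherwise. The -text output is flattened
# to one line because OpenSSL prints the feature name on the line after the
# 'TLS Feature:' label.
has_must_staple() {
  openssl x509 -in "$1" -noout -text \
    | tr -s ' \n' ' ' \
    | grep -q 'TLS Feature: status_request'
}

# Constructed inputs: one cert that demands stapling, one that does not.
MS_CERT=$(make_cert imap.example.test 1)
PLAIN_CERT=$(make_cert smtp.example.test 0)

for cert in "$MS_CERT" "$PLAIN_CERT"; do
  if has_must_staple "$cert"; then
    echo "$cert: must-staple is set (a client honouring it needs a stapled OCSP response)"
  else
    echo "$cert: no must-staple extension"
  fi
done
```

The client-side half of the check against a live port is `openssl s_client -connect host:993 -status` (or `-connect host:143 -starttls imap`), whose output reports whether an OCSP response was stapled during the handshake; a must-staple certificate served by a daemon that never staples is exactly the situation the message above describes.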