svarshavchik
commented
7 years ago Can't argue with that, patches welcome...
Open thomaszbz opened 7 years ago
svarshavchik
commented
7 years ago Can't argue with that, patches welcome...
I figured out that exim has support for OCSP stapling.
Would be great if Courier-MTA had support for OCSP stapling, too.
Use case: E.g. Let's Encrypt has an option
--must-staplewhich is an extension to TLS. With the extension applied, the certificate itself contains the information that a client must check if the certificate was revoked and that the certificate may only be trusted if the check was negative (but successfully completed!).Support for OCSP stapling would allow a client to check for revocation against the mail server (instead the CA) whereas the mailserver hosts some cached data which periodically gets signed by the CA, confirming that the certificate was not revoked (OCSP proof). As soon as the mail server caches and provides the OCSP proof, it can be applied to arbitrary setups, like restricted internet access for clients (intranet, etc.).
As long as clients must check for revocation, as specified by the TLS extension, a stolen certificate can't be used any more for new connections as soon as the validity of the OCSP proof is over after the cert got revoked.