Please consider enabling OCSP stapling, DNSSEC, and/or DANE on *

John Scott jscott at
Sat Apr 15 02:38:04 UTC 2023


I realize the subject line is quite loaded, so let me break it down.

OCSP stapling is the modern, privacy-friendly way to determine a certificate's revocation status. It incurs very little overhead on the server side. One can use curl to check if OCSP stapling is working, at least for HTTPS:

$ curl --cert-status
curl: (91) No OCSP response received

OCSP stapling is useful for other TLS applications, however, including for SMTP on the list server.

Enabling DNSSEC mitigates DNS spoofing and also ascertains the authenticity of DANE records.

DANE mitigates so-called "SSL stripping" attacks and allows users to validate the authenticity of the TLS certificates without having to rely on the traditional problematic certificate authority system.

Please let me know if there's any way I can help, be it by helping generate the records or by testing.

Thanks for your consideration.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 228 bytes
Desc: This is a digitally signed message part
URL: <>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5880 bytes
Desc: not available
URL: <>

More information about the rb-general mailing list