[Operators] Gmail federation

Dave Cridland dave at cridland.net
Fri Jan 11 13:14:44 UTC 2013


On Fri, Jan 11, 2013 at 1:05 PM, Marco Cirillo <maranda at lightwitch.org> wrote:
> I just pointed out that it's been like this since 2006, which is when it was
> implemented, so perhaps it can't be "surprising". I also stated that it's rather an
> inconvenience and that it's not compliant with the current RFC, which
> requires TLS support on s2s streams (which can hardly be interpreted as "we
> do support but not deploy it").

No, it is mandatory to implement, but not to deploy, as Philip says.
Google are breaking no MUSTs here.

In Google's case, they have stated very clearly, and very often, that
TLS authentication is essentially somewhere between very difficult and
impossible for them to deploy, and (quite rightly) they've argued that
without this there's little worth in mere unauthenticated encryption.
This might explain the push for things like DANE and POSH.

I'm afraid this means that any server operating a policy of mandatory
TLS will fail to interop with Google's domains for now as a result -
but anyone who operates a server with a mandatory policy of TLS, but
doesn't also do TLS authentication *and* full revocation checks is
likely to be missing some important implications, at the very least.

The most productive thing people could do here is review the current
POSH draft and look at ways of making mass-hosted XMPP and PKIX work
together more effectively, rather than attacking the symptom.

Dave.

