[Operators] Gmail federation
Philipp Hancke
fippo at goodadvice.pages.de
Sat Jan 26 08:13:44 UTC 2013
On 11.01.2013 14:14, Dave Cridland wrote:
[...]
> In Google's case, they have stated very clearly, and very often, that
mh... any pointers? ISTR something related to gmail and pop3s...
> TLS authentication is essentially somewhere between very difficult and
> impossible for them to deploy, and (quite rightly) they've argued that
I'd note that they could deploy TLS certificates for
gmail.com/googlemail.com/google.com.
However, how should they deal with the 95% crap certificates out there?
Enforcing the rules in 6120/6125 would be nice, but that would be quite
disruptive (aka: "bad google, why are you breaking things").
And just because everyone else ignores them doesn't mean they can do the
same because then people would yell "bad google, you are violating a
MUST here".
Apps domains (roughly 20% of the total number of xmpp-enabled domains
when I last looked) are a different matter.
> The most productive thing people could do here is review the current
> POSH draft and look at ways of making mass-hosted XMPP and PKIX work
> together more effectively, rather than attacking the symptom.
I'm still thinking that jabber.org should be spearheading an effort for
more strictness when dealing with expired certificates or certificates
which don't contain the right subject (e.g. CN=Example certificate). Just
ignoring this problem hasn't helped since
http://mail.jabber.org/pipermail/standards/2007-July/016086.html