[Operators] Gmail federation

Philipp Hancke fippo at goodadvice.pages.de
Sat Jan 26 08:13:44 UTC 2013


On 11.01.2013 14:14, Dave Cridland wrote:
[...]
> In Google's case, they have stated very clearly, and very often, that

mh... any pointers? ISTR something related to gmail and pop3s...

> TLS authentication is essentially somewhere between very difficult and
> impossible for them to deploy, and (quite rightly) they've argued that

I'd note that they could deploy TLS certificates for 
gmail.com/googlemail.com/google.com.

However, how should they deal with the 95% crap certificates out there? 
Enforcing the rules in 6120/6125 would be nice, but that would be quite 
disruptive (aka: "bad google, why are you breaking things").
And just because everyone else ignores them doesn't mean they can do the 
same because then people would yell "bad google, you are violating a 
MUST here".

Apps domains (roughly 20% of the total number of xmpp-enabled domains 
when I last looked) are a different matter.

> The most productive thing people could do here is review the current
> POSH draft and look at ways of making mass-hosted XMPP and PKIX work
> together more effectively, rather than attacking the symptom.

I'm still thinking that jabber.org should be spearheading an effort for 
more strictness when dealing with expired certificates or certificates 
which don't contain the right subject (e.g. CN=Example certificate). Just 
ignoring this problem hasn't helped since 
http://mail.jabber.org/pipermail/standards/2007-July/016086.html
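As an added illustration (not part of the original message or of any jabber.org code) of what enforcing the RFC 6120/6125 reference-identity rules mentioned above would look like on the verifying side: a pure-Python check of expiry, DNS-ID/SRV-ID/XmppAddr matching and the legacy CN fallback. It assumes the subjectAltName identifiers have already been extracted into (kind, value) tuples, uses `_xmpp-server` as the SRV service name, and all sample data is constructed.

```python
from datetime import datetime, timezone

# Identifier kinds as extracted from a certificate's subjectAltName extension:
# dNSName, SRVName (RFC 4985) and the XmppAddr otherName (RFC 6120 §13.7.1.2.1).
SAN_DNS, SAN_SRV, SAN_XMPP = "DNS", "SRV", "XmppAddr"

def _dns_id_match(presented: str, reference: str) -> bool:
    """RFC 6125 §6.4.3 DNS-ID comparison: case-insensitive, at most one wildcard,
    and only as the complete left-most label (a conservative reading of the RFC)."""
    p, r = presented.lower().split("."), reference.lower().split(".")
    if len(p) != len(r) or any("*" in label for label in p[1:]):
        return False
    if p[0] == "*":
        # a wildcard must not cover a whole top-level domain such as "*.com"
        return len(p) >= 3 and p[1:] == r[1:]
    return p == r

def check_xmpp_server_cert(domain, san_ids, cn, not_after, now, service="xmpp-server"):
    """Return (ok, reason) for a server certificate presented for `domain`.
    san_ids: (kind, value) tuples from subjectAltName; cn: subject CN or None;
    not_after/now: timezone-aware datetimes."""
    if now > not_after:
        return False, "certificate expired on %s" % not_after.date()
    if not san_ids:
        # RFC 6120 §13.7.2.1: the CN is consulted only when no SAN identifiers exist
        if cn and _dns_id_match(cn, domain):
            return True, "CN-ID match (legacy fallback)"
        return False, "no SAN identifiers and CN %r does not name %s" % (cn, domain)
    for kind, value in san_ids:
        if kind == SAN_DNS and _dns_id_match(value, domain):
            return True, "DNS-ID match: %s" % value
        if kind == SAN_SRV:  # e.g. "_xmpp-server.example.com"; no wildcards allowed
            svc, _, host = value.partition(".")
            if svc == "_" + service and host.lower() == domain.lower():
                return True, "SRV-ID match: %s" % value
        if kind == SAN_XMPP and value.lower() == domain.lower():
            return True, "XmppAddr match: %s" % value
    return False, "no SAN identifier in %r names %s" % ([v for _, v in san_ids], domain)

# Constructed sample data for the demonstration below, not from any real certificate.
NOW = datetime(2013, 1, 26, tzinfo=timezone.utc)
VALID_UNTIL = datetime(2014, 1, 1, tzinfo=timezone.utc)
EXPIRED_ON = datetime(2012, 1, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(check_xmpp_server_cert("example.com", [(SAN_SRV, "_xmpp-server.example.com")], None, VALID_UNTIL, NOW))
    print(check_xmpp_server_cert("example.com", [], "Example certificate", VALID_UNTIL, NOW))
    print(check_xmpp_server_cert("im.example.com", [(SAN_DNS, "*.example.com")], None, EXPIRED_ON, NOW))
```

Chain-of-trust and revocation checks are out of scope here; this only covers the identity and validity-period rules the message is about.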