On Fri, Jan 11, 2013 at 1:05 PM, Marco Cirillo <[email protected]> wrote:
> I just pointed out that it's like this from 2006, which is when it was
> implemented, perhaps it can't be "surprising"; I also stated it's rather an
> inconvenience and that it's not compliant with the current RFC, which
> requires TLS support on s2s streams (which can hardly be interpreted as "we
> do support but not deploy it").
No, it is mandatory to implement, but not to deploy, as Philip says. Google are breaking no MUSTs here.

In Google's case, they have stated very clearly, and very often, that TLS authentication is essentially somewhere between very difficult and impossible for them to deploy, and (quite rightly) they've argued that without this there's little worth in mere unauthenticated encryption. This might explain the push for things like DANE and POSH.

I'm afraid this means that any server operating a policy of mandatory TLS will fail to interop with Google's domains for now as a result - but anyone who operates a server with a mandatory policy of TLS, but doesn't also do TLS authentication *and* full revocation checks, is likely to be missing some important implications, at the very least.

The most productive thing people could do here is review the current POSH draft and look at ways of making mass-hosted XMPP and PKIX work together more effectively, rather than attacking the symptom.

Dave.
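The distinction Dave draws, between "mere unauthenticated encryption" and TLS that actually authenticates the peer and checks revocation, maps directly onto a handful of settings in a TLS client context. The following is an added illustration written for this thread, not code from any of the participants or from any XMPP server; it uses only Python's standard `ssl` module, and the function names (`encrypt_only_context`, `authenticated_context`, `audit_context`) are my own. It builds the two kinds of context an s2s initiator might use for a STARTTLS upgrade and audits which guarantees each one really gives.

```python
import ssl
from typing import Optional


def encrypt_only_context() -> ssl.SSLContext:
    """Mere unauthenticated encryption.

    The stream is encrypted, but the peer's certificate is never checked
    against a trust anchor or the expected domain, so the initiator has no
    idea who is on the other end.  This is what a "TLS required" policy
    amounts to when PKIX validation is switched off to keep federation working.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE     # accept any certificate, or none
    return ctx


def authenticated_context(ca_bundle: Optional[str] = None,
                          crl_file: Optional[str] = None) -> ssl.SSLContext:
    """TLS with peer authentication and revocation checking.

    create_default_context() already sets CERT_REQUIRED and check_hostname.
    Revocation is opt-in: VERIFY_CRL_CHECK_CHAIN makes OpenSSL reject the
    handshake unless a valid CRL is loaded for every CA in the chain, so the
    caller must supply CRLs (hypothetical paths below) or the handshake fails
    closed rather than silently skipping the check.
    """
    ctx = ssl.create_default_context()
    if ca_bundle:
        ctx.load_verify_locations(cafile=ca_bundle)
    if crl_file:
        ctx.load_verify_locations(cafile=crl_file)
    ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_CHAIN
    return ctx


def audit_context(ctx: ssl.SSLContext) -> dict:
    """Report which of the guarantees a 'mandatory TLS' policy implies this
    context actually delivers.  'authenticated' is only true when the
    certificate is both chained to a trust anchor and bound to the hostname."""
    verifies_chain = ctx.verify_mode == ssl.CERT_REQUIRED
    checks_name = bool(ctx.check_hostname)
    checks_crl = bool(ctx.verify_flags & ssl.VERIFY_CRL_CHECK_CHAIN)
    authenticated = verifies_chain and checks_name
    if authenticated and checks_crl:
        verdict = "authenticated encryption with revocation checks"
    elif authenticated:
        verdict = "authenticated encryption, revocation not checked"
    else:
        verdict = "unauthenticated encryption"
    return {
        "verifies_chain": verifies_chain,
        "checks_hostname": checks_name,
        "checks_revocation": checks_crl,
        "authenticated": authenticated,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, ctx in (("encrypt-only", encrypt_only_context()),
                      ("authenticated", authenticated_context())):
        print(name, audit_context(ctx)["verdict"])
```

The useful property of `VERIFY_CRL_CHECK_CHAIN` is that it fails closed: a context that claims to check revocation but has no CRLs loaded will not complete a handshake at all, which surfaces the gap at deployment time instead of leaving an operator believing their mandatory-TLS policy does more than it does.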
