On 11.01.2013 14:14, Dave Cridland wrote: [...]
> In Google's case, they have stated very clearly, and very often, that
mh... any pointers? ISTR something related to gmail and pop3s...
> TLS authentication is essentially somewhere between very difficult and impossible for them to deploy, and (quite rightly) they've argued that
I'd note that they could deploy TLS certificates for gmail.com/googlemail.com/google.com.
However, how should they deal with the 95% crap certificates out there? Enforcing the rules in 6120/6125 would be nice, but that would be quite disruptive (aka: "bad google, why are you breaking things"). And just because everyone else ignores them doesn't mean they can do the same because then people would yell "bad google, you are violating a MUST here".
Apps domains (roughly 20% of the total number of xmpp-enabled domains when I last looked) are a different matter.
The most productive thing people could do here is review the current POSH draft and look at ways of making mass-hosted XMPP and PKIX work together more effectively, rather than attacking the symptom.
I'm still thinking that jabber.org should be spearheading an effort for more strictness when dealing with expired certificates or certificates which don't contain the right subject (e.g. CN=Example certificate). Just ignoring this problem hasn't helped since http://mail.jabber.org/pipermail/standards/2007-July/016086.html
