On Fri, Jan 11, 2013 at 3:45 PM, Marco Cirillo <mara...@lightwitch.org> wrote: > I'd like to also point out, expecially how STARTTLS is handled xmpp wise, > that you can't know what gets implemented and what doesn't explicitly as > long as you don't have the software, it's code or the implemented thing > reaches "the wire" or worse, getting into a world of pointless assumptions.
And that's fine. The point is that if you're providing XMPP software, you must support it - I can't go and buy an XMPP server implementation from someone and it not have TLS support. Deploying without TLS is acceptable from the protocol point of view, this doesn't make you non-compliant. So in cases where the implementation is the deployment, like Google's, there's no practical foul from a compliance PoV to them not enabling/coding TLS. Which isn't to say that we wouldn't like them to support TLS, or indeed that they wouldn't like to support TLS. /K
