Re: IAB policy on anti-spam mechanisms?

> I see your point.  But I suspect it illustrates a significant 
> limitation of the SSL/TLS protocol - in that SSL/TLS seems to assume 
> that an IP address and port number are used by only one named service.  
> It's been a while since I looked at the TLS protocol but I don't recall 
> any way for the client to say "prove to me that you are authorized to 
> provide the SMTP service associated with DNS name foo.com".  Or did I 
> just forget that feature?

There's no reason a protocol can't be spec'd to let the client convey
the name of the resource before the TLS handshake begins.  (In some
cases, you might want to repeat that information after the stream is
protected.)  The problem is that popular existing protocols don't do
that.  Look at the contortions you have to choose among to support
HTTPS "virtual hosting".

