On Wed, 12 Mar 2003 09:09:09 -0600 "Matt Crawford" <crawdad@fnal.gov> wrote:

> > I see your point. But I suspect it illustrates a significant
> > limitation of the SSL/TLS protocol - in that SSL/TLS seems to assume
> > that an IP address and port number are used by only one named
> > service. It's been a while since I looked at the TLS protocol but I
> > don't recall any way for the client to say "prove to me that you are
> > authorized to provide the SMTP service associated with DNS name
> > foo.com". Or did I just forget that feature?
>
> There's no reason a protocol can't be spec'd to let the client convey
> the name of the resource before the TLS handshake begins.

No, there isn't. But it still wouldn't give the client a way to verify
that the server is authoritative for that domain.
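The gap the reply points at, as an added example in Python that is not part of the thread: even when the client conveys the resource name before the handshake (the SNI value), the only thing the certificate can establish is whether the names it carries cover the name the client asked for, so an MX host's certificate for its own hostname says nothing about foo.com. Certificate names and hostnames below are constructed, and the Certificate class is a stand-in for a parsed X.509 certificate.

```python
"""Name check a TLS client can do against the certificate the server presents.

The hostname the client sent before the handshake (SNI) is a request, not evidence;
only matching that name against the certificate's own names gives the client anything.
"""
from dataclasses import dataclass, field


@dataclass
class Certificate:
    """Stand-in for a parsed X.509 certificate: subject CN plus subjectAltName dNSNames."""
    subject_cn: str
    dns_sans: list = field(default_factory=list)


def _label_match(pattern: str, hostname: str) -> bool:
    """RFC 6125 style comparison: case-insensitive, trailing dot ignored, and a
    wildcard is accepted only as the entire leftmost label of a name with at least
    three labels (so "*.example.net" is fine, "f*o.com" and "*.com" are not)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers_name(cert: Certificate, requested_name: str) -> bool:
    """True only if the certificate names the host the client asked for.
    subjectAltName entries take precedence; the CN is consulted only when there are none."""
    names = cert.dns_sans if cert.dns_sans else [cert.subject_cn]
    return any(_label_match(n, requested_name) for n in names)


if __name__ == "__main__":
    # Constructed: the MX host for foo.com presents a certificate for its own name.
    mx_cert = Certificate("mail.example.net", ["mail.example.net", "*.example.net"])
    # The client named foo.com up front; the certificate does not cover that name,
    # so conveying the name early has not verified authority for foo.com.
    print(cert_covers_name(mx_cert, "foo.com"))           # False
    print(cert_covers_name(mx_cert, "smtp.example.net"))  # True, via the wildcard
```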