"Matt Crawford" <crawdad@fnal.gov> writes:
> > > Not clear. SMTP can relay a single copy of a message to multiple
> > > recipients at multiple domains. Your suggestion would force a
> > > separate TLS session, or a separate SMTP session, for every distinct
> > > recipient domain.
> >
> > Yes, that's true, but that's inherent in the "one certificate"
> > model.
>
> Not quite inherent -- if you verify against a SubjectAltName dNSName
> you can decide the certificate is valid for many domains.

Yes, this is true in theory, but I want to know how you're going to get
VeriSign to issue you a certificate with subjectAltNames corresponding to
a bunch of unrelated domains. And remember that every time the ISP gets a
new customer they have to get a new cert from VeriSign with yet another
subjectAltName? This seems impractical.

-Ekr

--
[Eric Rescorla                                   ekr@rtfm.com]
                http://www.rtfm.com/
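The matching step Crawford relies on, and the session-count consequence Ekr objects to, as an added example that is not part of the thread: given the dNSName entries a relay's certificate carries and a recipient list, decide which recipient domains that one certificate covers (so their copies can share a TLS session) and which would each need a separate session. Wildcard handling follows the usual rule that `*.example` stands for exactly one leftmost label. The SAN list and addresses are constructed sample data, and the cert's names are assumed to have been extracted already; the helper names are this example's own.

```python
"""Partition SMTP recipients by whether one certificate's dNSName SANs
cover their domain (added example, not from the thread)."""
from collections import defaultdict

# Constructed sample data: an ISP relay cert naming its own host plus two
# customer domains, one of them via a wildcard.
SANS = ["mail.isp.example", "*.customer-a.example", "Customer-B.example"]
RECIPIENTS = [
    "alice@customer-b.example",       # exact dNSName match
    "bob@mail.customer-a.example",    # one label under the wildcard
    "carol@customer-a.example",       # bare domain: wildcard does not cover it
    "dave@unrelated.example",         # not named at all
    "erin@unrelated.example",
]


def dnsname_matches(pattern: str, domain: str) -> bool:
    """Match one SAN dNSName against a recipient domain.

    Comparison is case-insensitive and ignores a trailing dot. A wildcard
    is honoured only as the entire leftmost label ("*.example.com"), and it
    replaces exactly one label, so it matches "mail.example.com" but not
    "example.com" or "a.b.example.com". Partial wildcards ("m*.example.com")
    are treated as literal names, which never match a real domain.
    """
    pattern = pattern.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    if not pattern.startswith("*"):
        return pattern == domain
    if not pattern.startswith("*.") or "*" in pattern[2:]:
        return False
    p_labels = pattern.split(".")
    d_labels = domain.split(".")
    if len(d_labels) != len(p_labels) or not d_labels[0]:
        return False
    return p_labels[1:] == d_labels[1:]


def domain_covered(sans, domain: str) -> bool:
    """True if any dNSName in the certificate is valid for this domain."""
    return any(dnsname_matches(san, domain) for san in sans)


def plan_sessions(sans, recipients):
    """Split recipients into those the one certificate covers (they can
    share a single TLS/SMTP session to the relay) and, per uncovered domain,
    those that would each need their own session."""
    shared = []
    separate = defaultdict(list)
    for rcpt in recipients:
        domain = rcpt.rsplit("@", 1)[1]
        if domain_covered(sans, domain):
            shared.append(rcpt)
        else:
            separate[domain].append(rcpt)
    return shared, dict(separate)


def sessions_needed(sans, recipients) -> int:
    """Total distinct sessions: one for the covered batch (if any) plus one
    per uncovered recipient domain."""
    shared, separate = plan_sessions(sans, recipients)
    return (1 if shared else 0) + len(separate)


if __name__ == "__main__":
    shared, separate = plan_sessions(SANS, RECIPIENTS)
    print("one session covers:", shared)
    for domain, rcpts in separate.items():
        print("separate session for", domain, "->", rcpts)
    print("sessions needed:", sessions_needed(SANS, RECIPIENTS))
```

Running it shows the trade-off in the thread concretely: the two recipients whose domains appear in the SAN list share one session, while the bare `customer-a.example` address (not covered by the wildcard) and the unrelated domain each add a session, and every new customer domain not yet in the certificate keeps adding one until the cert is reissued.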