"Jeffrey A. Williams" <jwkckid1@xxxxxxxxxxxxx> writes: >>I object to that limitation. I believe it is important that any >>solution in this space supports different certificates for different >>ports/protocols on the same host. > > Whynot have both. One being a shared cert as acceptable and the > option of one for each? >> >>My experience with how protocols are deployed is that it is common for >>both web (HTTPS) and e-mail (SMTP with STARTTLS) to be hosted on the >>same domain name but with different certificates. >> >>For example, the host "lists.debian.org" is reachable with HTTPS (with a >>matching certificate) and also through SMTP with STARTTLS (also with a >>matching certificate). The services are using different certificates! > > i see nothing wrong with this and conversly nothing wrong with both > using a shared cert for each. Good point -- let me clarify that I believe it should be up to each administrator to decide whether to use one certificate for multiple services or use one certificate per service. A standard in this area should not rule out one alternative. Both alternatives are too common for that. /Simon _______________________________________________ Ietf mailing list Ietf@xxxxxxxx https://www.ietf.org/mailman/listinfo/ietf