On Wed, Jul 09, 2014 at 09:45:45PM -0400, Phillip Hallam-Baker wrote:

> Umm every major email client already has STARTTLS using PKIX Authentication
> using the WebPKI roots. Go take a look at them.

The MUA-to-MTA use-case is completely different. I am not talking about the MUA-to-MTA use-case.

> So how can it be impractical to do something that has already been routine
> for over a decade?

Easy, we're talking about completely different things. MUAs are the most robust use-case for PKIX, because they are statically configured to use a single MSA. MTAs are the least compatible with PKIX, because of MX indirection, lack of user-clicks-OK fallback and need to send email to every dark corner of the internet.

--
Viktor.