On 10/07/14 02:51, Viktor Dukhovni wrote:
> MUAs are the
> most robust use-case for PKIX, because they are statically configured
> to use a single MSA.

Even that is a PITA though. If I set up a domain with mail then I think in most cases I pretty much have to deal with the MUA getting a certificate warning of some sort when connecting to the MS and where that cert warning is essentially meaningless.

In other words, I agree with Viktor that we're talking about >1 radically different scenario (in terms of TLS or the UTA wg.).

S.