Den 02. des. 2015 15:28, skrev John Levine: >> As I read that spec, it says mandatory to implement, not mandatory to >> use (it's up to the application whether it claims to be capable of using >> it or not) - but it permits servers to mandate its use. *Almost* there - >> but if this draft wishes to mandate its use, it will have to say so (and >> say which identifier it's going to send - AFAIK, it only gets to send one.) > > Even with SNI, we still have the problem that there's no way for the > CA to tell what SRV-IDs it should sign other than using RFC 6186 > lookups. But the MUA can do the same 6186 lookup, and that scales a > lot better for the many mail systems that handle large and changing > sets of client domains. I don't think having the certificate changed and signed every time you turn up a new customer scales anyway. With an in-house CA, it's possible to generate a new certificate for every new customer - but signing your customer list and publishing it? That seems like a Bad Idea, as well as unscaleable.