While discussing this topic in non-list email, I had other points that came up.

(1) The cert for a domain does not necessarily have the same CA as all other certs for users in a domain.

Example: admin@xxxxxxxxxxx may have a CA assigned by example.com; it could be self-signed. doug@xxxxxxxxxxx may have a cert provided by a CA unrelated to admin@xxxxxxxxxxx's, which can be a different cert from the site https://virtual-host.com that happens to be hosted on example.com.

Real life example: DouglasRoyer@xxxxxxxxx has a cert, and the CA is StartCom. (This email is signed by that StartCom cert.) And it is not the same CA used by dns-admin@xxxxxxxxxx. Both are at google.com, both have a different CA.

(2) Certificate chains. Doug@xxxxxxxxxxxxxxx may have a cert signed by eng.example.com, and the eng.example.com cert may be signed by the example.com CA. The example.com CA could be self-signed, or be signed by an outside CA.
-- Doug Royer - (http://DougRoyer.US http://goo.gl/yrxJTu ) DouglasRoyer@xxxxxxxxx 714-989-6135
<<attachment: smime.p7s>>
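The two situations above (an unrelated CA issuing a user cert under a domain, and a leaf signed by a sub-CA that is in turn signed by a self-signed domain CA) can be reproduced entirely in memory with Go's standard crypto/x509. The following is an added example, not code from the mail or its author; the CA and subject names (example.com CA, eng.example.com CA, Unrelated CA, the two addresses) are assumed for the demo, and certificates are built with the S/MIME emailProtection usage that a signed mail would carry.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Result records which leaf chains to which root; all names are assumed for the demo.
type Result struct {
	DougViaExampleRoot  bool // doug@eng.example.com -> eng.example.com CA -> example.com CA
	DougChainLen        int  // 3: leaf, intermediate, self-signed root
	AdminViaExampleRoot bool // false: admin@example.com was issued by an unrelated CA
	AdminViaOtherRoot   bool // true: it verifies only against the CA that issued it
}

// makeCert issues an in-memory certificate for cn, signed by parent/parentKey or self-signed
// when parent is nil. CAs get keyCertSign; end-entity certs get an rfc822Name SAN and S/MIME EKU.
func makeCert(cn, email string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // demo only; real CAs use 64+ random bits
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}
		tmpl.EmailAddresses = []string{email}
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// verifyChain reports whether leaf chains to a root in roots through inters, and how long
// the first accepted chain is (0 when verification fails).
func verifyChain(leaf *x509.Certificate, roots, inters *x509.CertPool) (int, bool) {
	chains, err := leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}, // default is serverAuth, which rejects S/MIME certs
	})
	if err != nil {
		return 0, false
	}
	return len(chains[0]), true
}

// Demo builds both situations from the mail: a self-signed example.com root with an eng.example.com
// intermediate issuing doug@eng.example.com, and an unrelated self-signed CA issuing admin@example.com directly.
func Demo() (res Result, err error) {
	mk := func(cn, email string, isCA bool, parent *x509.Certificate, pk *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
		c, k, e := makeCert(cn, email, isCA, parent, pk)
		if e != nil && err == nil {
			err = e // keep the first failure; the calls below tolerate nil results
		}
		return c, k
	}
	exampleRoot, exampleKey := mk("example.com CA", "", true, nil, nil)
	engCA, engKey := mk("eng.example.com CA", "", true, exampleRoot, exampleKey)
	doug, _ := mk("Doug", "doug@eng.example.com", false, engCA, engKey)
	otherRoot, otherKey := mk("Unrelated CA", "", true, nil, nil)
	admin, _ := mk("admin", "admin@example.com", false, otherRoot, otherKey)
	if err != nil {
		return res, err
	}
	examplePool, engPool, otherPool := x509.NewCertPool(), x509.NewCertPool(), x509.NewCertPool()
	examplePool.AddCert(exampleRoot)
	engPool.AddCert(engCA)
	otherPool.AddCert(otherRoot)
	res.DougChainLen, res.DougViaExampleRoot = verifyChain(doug, examplePool, engPool)
	_, res.AdminViaExampleRoot = verifyChain(admin, examplePool, engPool)
	_, res.AdminViaOtherRoot = verifyChain(admin, otherPool, x509.NewCertPool())
	return res, nil
}

func main() { fmt.Println(Demo()) }
```

The point the two Verify calls on admin make is that nothing about the address admin@example.com ties the cert to the example.com CA: a verifier that only trusts example.com's root rejects it, and it is accepted only when the CA that actually issued it is trusted. The three-element chain for doug is the eng.example.com case from point (2); the intermediate must be supplied (here via the Intermediates pool, in S/MIME usually inside the signed message) or the chain cannot be built. Note the KeyUsages option: Go's Verify checks serverAuth by default, so an S/MIME certificate that is perfectly valid fails verification until the verifier says which usage it is checking for.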