Keith Moore <moore(_at_)cs(_dot_)utk(_dot_)edu> writes:
I need to look at server_host again. But one way to ask the question is
- if a host has a cert that allows it to act as a web server for domain
X, does that mean it has the authority to act as an MX for domain X?
Basically if you want to have confidence that the mail is really going
to the right place, you need different kinds of certs for the two
situations. And to do that you're going to need more than a TLS
extension.
Ah, yes. I'm sure that X.509 has a way to express things like this, but
I'm equally sure that no significant clients are currently verifying those
sorts of properties.
--
Russ Allbery (rra(_at_)stanford(_dot_)edu)
<http://www.eyrie.org/~eagle/>