Robert A. Rosenberg wrote:
> Why not use a Certificate with CN=*.*.s8??.psmtp.com (or whatever is
> needed to map the s8XX section) to solve this issue? - or is more than
> one wild card level invalid or having more than one certificate with
> different specificity levels also invalid?

First thing I thought of. :-)
Alas, RFC 6125 explicitly disallows multiple wildcard characters.
I want to read through the archives for the WG that published RFC 6125
so I understand their reasoning better; although they reference RFC
4954, I'm still wondering if the WG had any input from anyone in the
SMTP space. As Tony noted, matching at a single level is incompatible
with DNS's own wildcard semantics. And the document's writing style and
voice feel much more like a BCP, not a standards track protocol
specification.
<csg>
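
The single-level matching discussed in this message, next to DNS-style wildcard coverage, as an added example that is not part of the original thread. The function names and the s8a1/mx host labels are constructed for illustration, and the certificate check is a deliberately conservative reading (one wildcard, whole left-most label only).

```python
# Added example: conservative certificate wildcard matching vs. DNS wildcard
# coverage. Host names under psmtp.com are constructed sample values.

def _labels(name):
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return name.rstrip(".").lower().split(".")

def cert_name_matches(presented, reference):
    """Match a certificate DNS name against the host name the client wanted.

    Policy assumed here: a wildcard is accepted only as the entire left-most
    label, stands for exactly one label, and may not appear more than once.
    """
    p, r = _labels(presented), _labels(reference)
    if "" in p or "" in r:
        return False                      # empty label, malformed name
    if "*" not in presented:
        return p == r                     # plain name: exact label match
    if presented.count("*") > 1 or p[0] != "*":
        return False                      # multiple or misplaced wildcard
    # Extra hardening assumed in this example: refuse names like "*.com".
    if len(p) < 3:
        return False
    # Single level: same number of labels, everything after "*" identical.
    return len(p) == len(r) and p[1:] == r[1:]

def dns_wildcard_covers(owner, qname):
    """Simplified DNS view: "*" can stand for one or more labels.

    Ignores the closest-encloser rule (existing names that block synthesis).
    """
    o, q = _labels(owner), _labels(qname)
    if o[0] != "*":
        return o == q
    suffix = o[1:]
    return len(q) > len(suffix) and q[-len(suffix):] == suffix

if __name__ == "__main__":
    deep = "a.mx.s8a1.psmtp.com"          # constructed multi-level host name
    for pattern in ("*.s8a1.psmtp.com", "*.*.s8??.psmtp.com", "*.psmtp.com"):
        print(pattern, "cert:", cert_name_matches(pattern, deep),
              "dns:", dns_wildcard_covers(pattern, deep))
    print(cert_name_matches("*.s8a1.psmtp.com", "mx.s8a1.psmtp.com"))
```
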