I've read the draft now. It looks good.
§3 specifies that the hostname MUST be in the cert as an DNS-ID and
also MAY be there as a CN-ID.
I suspect there are enough MXs in use still using certs generated (with
long validity periods) which were genreated back when only CN was used
for the dns names.
Should the draft allow either-or? Or is there too much precedent in the
TLS specs to allow that in a new rfc?
Otherwise it looks spot on.
-JimC
--
James Cloos <cloos(_at_)jhcloos(_dot_)com> OpenPGP: 1024D/ED7DAEA6