Keith Moore <moore(_at_)cs(_dot_)utk(_dot_)edu> writes:
> > It's true that this is a backward compatibility problem
> > in that STARTTLS as currently defined doesn't actually contain
> > the domain name. As I indicated before, I consider this to
> > be a design error. There wouldn't have been a compatibility
> > problem if the domain name had been included in STARTTLS from
> > the beginning.
>
> Not clear. SMTP can relay a single copy of a message to multiple
> recipients at multiple domains. Your suggestion would force a
> separate TLS session, or a separate SMTP session, for every distinct
> recipient domain.

Yes, that's true, but that's inherent in the "one certificate"
model. Like I said earlier, if you want to have some set of
certificates vouching for MX records, then you want DNSSEC.
-Ekr