"Matt Crawford" <crawdad(_at_)fnal(_dot_)gov> writes:
Not clear. SMTP can relay a single copy of a message to multiple
recipients at multiple domains. Your suggestion would force a
separate TLS session, or a separate SMTP session, for every distinct
recipient domain.
Yes, that's true, but that's inherent in the "one certificate"
model.
Not quite inherent -- if you verify against a SubjectAltName dNSName
you can decide the certificate is valid for many domains.
Yes, this is true in theory, but I want to know how you're going
to get VeriSign to issue you a certificate with subjectAltNames
corresponding to a bunch of unrelated domains. And remember
that ever time the ISP gets a new customer they have to get a new
cert from VeriSign with yet another subjectAltName? This seems
impractical.
-Ekr
--
[Eric Rescorla ekr(_at_)rtfm(_dot_)com]
http://www.rtfm.com/