My objections to the draft would be alleviated if the abstract was
changed to:
This document describes an experimental TLS server identity
verification procedure
for SMTP Submission, IMAP, POP and ManageSieve clients that is
appropriate for
mail servers that host a small number of domains under a single
administration.
When used, it replaces
Section 2.4 of RFC 2595, updates Section 4.1 of RFC 3207, updates
Section 11.1 of RFC 3501, updates Section 2.2.1 of RFC 5804.
Procedures that scale to servers that host a large number of domains are
for further study.
And in the security considerations section:
Because of the lack of client identification of the target domain,
the email server certificate described in this document has to contain
the complete list of names that the client will be looking for. If
RFC 6186 is in use, this means that the mail server certificate will hold
a list of all domains served by this service. This reveals information
about
other customers of the service, which may not be a desirable result.
Note that I'm OK with pushing this as *experimental*. Given the lack of
general applicability, I'm not OK with pushing this for standards-track.
Harald