Yes, this is true in theory, but I want to know how you're going to get VeriSign to issue you a certificate with subjectAltNames corresponding to a bunch of unrelated domains. And remember that every time the ISP gets a new customer they have to get a new cert from VeriSign with yet another subjectAltName? This seems impractical.
If you are talking about TLS certs (not S/MIME certs) then the ISP can issue them to the customer directly (be a CA for connections from their customers over TLS connections). I have read that the customer can be given instructions on how to add the ISP cert as a trusted CA for that usage on M$ products.
I have no idea how to get M$ products to use that cert :-) as I do not use M$ products. I know how to do that on Unix.
--
Doug Royer                   | http://INET-Consulting.com
-----------------------------|-----------------------------
[EMAIL PROTECTED]            | Office: (208)612-INET
http://Royer.com/People/Doug | Fax:    (866)594-8574
                             | Cell:   (208)520-4044
We Do Standards - You Need Standards