> The forced host name is not relevant to TLS, just like the IP address
> that it resolves to. All that matters is the desired Jabber domain. Users
> have a bad enough time trying to determine whether or not something is
> secure, and adding further rules/exceptions would only make it worse.
The rules can be hidden from the user. If a user forces a server, then the client application can accept either the cert for the forced server or for the user's domain.
