> 4.1. Notes on handling of SRV-ID by Certification Authorities
> 5.1. Notes on hosting multiple domains
The multiple domain stuff still needs work, and there seems to be confusion between the domain name of the server (CN or SRV-ID) and the domain name(s) for the mail it handles (DNS-ID). In nearly every case the server and the mail will have different domain names, usually with no lexical connection, e.g. a zillion little hosted mail domains all pick up their mail from imap.gmail.com.

The SNI discussion is wrong because SNI only affects CN or SRV-ID, and anyway at the time the TLS connection is made, the client can tell the server the name of the server it wants, e.g. imap.gmail.com, but not the domain of the mail it's planning to pick up, since the first place the mail domain is mentioned is the login, which happens after the TLS session is set up.

Separate domain names and SNI could work if there's a separate server name per mail domain all pointing at the same server, e.g. smallco.biz.imap.gmail.com, but that scales poorly, and there's still no way for a CA to sign it since there's no way for a CA to tell what mail domains go with which servers. It's pretty ugly, too.

I suggest taking out most of the multiple domain stuff and saying that there's currently no automated way to match mail domain to server domain in other than a few special cases, and it needs more standards work, like telling people to use DNSSEC+RFC 6186.

R's,
John

_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
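Added example, not part of John's message or of the draft under discussion: a client-side check showing how the mail domain, the RFC 6186 SRV lookup and the certificate names fit together in the hosted-mail case. The scenario (smallco.biz hosted on imap.gmail.com) and the SAN lists are constructed, and the policy modeled is an assumption: the SRV target hostname counts as an acceptable name only when the SRV answer was DNSSEC-validated, since otherwise a forged SRV answer could point the client at any host with a certificate for its own name.

```python
"""Reference-identifier derivation and certificate name matching for a mail
client that located its server via an RFC 6186 SRV record (constructed data)."""


def reference_identifiers(mail_domain, service, srv_target, srv_dnssec_validated):
    """Names the client may accept in the server certificate (type, value).
    The mail domain comes from the user's own address and is always trusted;
    the SRV target is an unauthenticated DNS answer unless DNSSEC validated it
    (assumed policy, see lead-in), so it is added only in that case."""
    ids = {("SRV-ID", f"_{service}.{mail_domain}"), ("DNS-ID", mail_domain)}
    if srv_dnssec_validated:
        ids.add(("DNS-ID", srv_target))
    return ids


def dns_name_matches(presented, reference):
    """RFC 6125-style DNS-ID comparison: case-insensitive, and a wildcard is
    honoured only as the entire left-most label of a name with 3+ labels."""
    p, r = presented.lower().rstrip("."), reference.lower().rstrip(".")
    if p.startswith("*."):
        r_labels = r.split(".")
        return len(r_labels) >= 3 and ".".join(r_labels[1:]) == p[2:]
    return p == r


def cert_matches(san_entries, ref_ids):
    """san_entries: (type, value) pairs taken from the certificate's SAN
    extension. Returns the first satisfied (type, reference) pair, else None."""
    for typ, ref in sorted(ref_ids):
        for san_type, san_val in san_entries:
            if typ == "SRV-ID" and san_type == "SRV-ID" and san_val.lower() == ref.lower():
                return (typ, ref)
            if typ == "DNS-ID" and san_type == "DNS-ID" and dns_name_matches(san_val, ref):
                return (typ, ref)
    return None


# Constructed: _imaps._tcp.smallco.biz SRV -> imap.gmail.com, and two certs.
SRV_TARGET = "imap.gmail.com"
SAN_HOSTED_SERVER = [("DNS-ID", "imap.gmail.com"), ("DNS-ID", "*.gmail.com")]
SAN_WITH_SRV_ID = [("DNS-ID", "imap.gmail.com"), ("SRV-ID", "_imaps.smallco.biz")]

if __name__ == "__main__":
    for dnssec in (False, True):
        refs = reference_identifiers("smallco.biz", "imaps", SRV_TARGET, dnssec)
        print("dnssec", dnssec, "->", cert_matches(SAN_HOSTED_SERVER, refs))
    refs = reference_identifiers("smallco.biz", "imaps", SRV_TARGET, False)
    print("cert carrying SRV-ID ->", cert_matches(SAN_WITH_SRV_ID, refs))
```

Without DNSSEC the hosted server's ordinary certificate names nothing the client is entitled to trust for smallco.biz, which is the gap the message describes; a certificate carrying the mail domain's SRV-ID closes it regardless of how the SRV answer was obtained.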
