> address. Naturally we'll need to clarify this in rfc3920bis, but my
> question now is: how do existing clients and servers handle this?
We do this on the server side with a separate cert for each domain -- even conference, users, and other sub-domains used in s2s. Some client software packages present a warning when certificates aren't correct (domain mismatch, etc.) but many do not and just use the certificates for encryption, not authentication.

-JD Conley
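The domain-mismatch check the reply refers to, shown as an added example that is not code from the thread or from any XMPP implementation: a client compares the dNSName entries a server certificate presents against the XMPP domain it is connecting to. The sample certificate names and the `check_domains` helper are constructed for illustration; the point it demonstrates is that a cert for `example.com` does not cover `conference.example.com`, so a client that skips this comparison gets encryption but no authentication of the peer.

```python
"""Added example (not from the mailing-list thread): RFC 6125 style
matching of a certificate's presented dNSName values against the XMPP
domain a client expects, including the sub-domain case from the thread."""
from typing import Dict, Iterable, List


def dns_name_matches(reference: str, presented: str) -> bool:
    """Compare one presented dNSName with the reference identifier.

    Rules applied (RFC 6125 style):
      * comparison is case-insensitive and ignores a trailing dot;
      * a wildcard is only honoured as the entire left-most label;
      * a wildcard matches exactly one label, never several;
      * a wildcard needs at least two labels after it (no "*.com").
    """
    ref_labels = reference.lower().rstrip(".").split(".")
    pres_labels = presented.lower().rstrip(".").split(".")
    if len(ref_labels) != len(pres_labels):
        # Different label counts can never match, which is what stops
        # "example.com" from covering "conference.example.com".
        return False
    if pres_labels[0] == "*":
        if len(pres_labels) < 3:
            return False
        return ref_labels[1:] == pres_labels[1:]
    return ref_labels == pres_labels


def certificate_covers_domain(san_dns_names: Iterable[str], domain: str) -> bool:
    """True if any presented name covers the domain the client asked for."""
    return any(dns_name_matches(domain, name) for name in san_dns_names)


def check_domains(san_dns_names: List[str], domains: List[str]) -> Dict[str, str]:
    """Classify each domain as 'authenticated' (name matches) or
    'encrypted-only' (TLS would still work, but the peer is unverified).
    This is the distinction between a client that warns on mismatch and
    one that silently continues."""
    return {
        d: "authenticated" if certificate_covers_domain(san_dns_names, d)
        else "encrypted-only"
        for d in domains
    }


# Constructed sample: names a single server certificate might present.
SAMPLE_CERT_NAMES = ["example.com", "*.im.example.com"]

if __name__ == "__main__":
    wanted = ["example.com", "conference.example.com", "chat.im.example.com"]
    for domain, verdict in check_domains(SAMPLE_CERT_NAMES, wanted).items():
        print(f"{domain}: {verdict}")
```

Running it shows why the server side in the reply issues a separate cert per sub-domain: `conference.example.com` comes back `encrypted-only` against a certificate that only names the bare domain, and only a cert that lists that name (or a matching single-level wildcard) moves it to `authenticated`.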
