Having read over the history of TLS-SNI as reported in the draft spec, I feel like it might be prudent to mention that a significant part of the failure of TLS-SNI was Apache httpd and its (nonsensical, IMO) behavior of sending certificates for domains that don’t match the SNI request.
The write-up mentions “service providers”; for what it’s worth, I feel like a more complete and accurate picture would also indicate that “popular server software” (e.g., Apache … maybe others?) will happily serve up a certificate that has no connection with the SNI request, and that this is also a significant part of why TLS-SNI did not work.

-Felipe Gasper
Mississauga, ON

_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme
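As an added example (not part of Felipe's message, the ACME draft, or Apache), here is a small Python audit script for checking one's own servers for the behaviour described above: it opens a TLS connection with a chosen SNI name and reports whether the certificate the server presents actually covers that name. The hostname-matching helper is written out by hand because `ssl.match_hostname` was removed in recent Python versions; `names_cover_sni` and `probe_sni` are names chosen here, not from any library.

```python
import socket
import ssl


def names_cover_sni(dns_names, sni):
    """Return True if one of the certificate's dNSName entries covers `sni`.

    Usual rule: exact case-insensitive match, or a single leftmost wildcard
    label that matches exactly one label (so *.example.com covers
    foo.example.com but not a.b.example.com or example.com itself).
    """
    sni = sni.lower().rstrip(".")
    for name in dns_names:
        name = name.lower().rstrip(".")
        if name == sni:
            return True
        if name.startswith("*.") and "*" not in name[2:]:
            suffix = name[1:]                  # ".example.com"
            prefix = sni[: -len(suffix)] if sni.endswith(suffix) else ""
            if prefix and "." not in prefix:
                return True
    return False


def dns_names_from_cert(cert):
    """Extract the DNS entries of subjectAltName from ssl's getpeercert() dict."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def probe_sni(host, sni, port=443, timeout=5.0):
    """Connect to host:port, send `sni`, and report which names the returned
    certificate carries and whether they cover the requested SNI."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False           # we judge the name match ourselves
    ctx.verify_mode = ssl.CERT_REQUIRED  # CERT_NONE would make getpeercert() return {}
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            names = dns_names_from_cert(tls.getpeercert())
    return {"sni": sni, "dns_names": names, "covers_sni": names_cover_sni(names, sni)}


if __name__ == "__main__":
    import sys
    # Usage: python probe_sni.py <host-or-ip> <sni-name>
    try:
        print(probe_sni(sys.argv[1], sys.argv[2]))
    except ssl.SSLCertVerificationError as exc:
        print("certificate does not chain to a trusted CA:", exc)
```

A result with `covers_sni` False (or a verification error) means the server answered an unrelated SNI with some other site's certificate, which is exactly the default-virtual-host behaviour the message refers to.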