http://code.google.com/p/pop3pipe/source/browse/trunk/SecLib/
We see the listener:
http://code.google.com/p/pop3pipe/source/browse/trunk/SecLib/Security/Ssl/SecureTcpListener.cs
we see code to verify the signature (authenticating use of the cert/private key)
we see code to get at particular cert extensions (that just delegate to using windows ASN.1 decoders).
http://code.google.com/p/pop3pipe/source/browse/trunk/SecLib/Security/Certificates/Certificate.cs