Hi,
I guess it’d also allow you to select different certificates depending on the CA list advertised by the server, as well as different certificates for crypto agility.
True! In RFC6614 I wrote that the CA indication is something that should be honoured (it's useful if your server is in multiple consortia and needs to have different certs) but since eduroam seems to be the only large dynamic discovery + Radsec consortium, this was never urgent to actually do. Which doesn't mean it shouldn't be done :-) Stefan -- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 2, avenue de l'Université L-4365 Esch-sur-Alzette Tel: +352 424409 1 Fax: +352 422473 PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66