Stefan WINTER wrote:
In eduroam however, the RADIUS/TLS trust is pre-existing because all RADIUS servers receive server certificates from the same, one, pre-determined, CA.
This is something I'm a bit unclear on: How do we deal with a situation where a large number of administratively distinct realms decide to pool resources and send all requests to the same server? Does every change to the membership list of that group require a new certificate to be generated to change the alternative subject names? What does a relay do when it gets a request that DNS says should go up an established RADSEC pipe, but that RADSEC pipe does not have a x509 alt subject corresponding to that realm... tear down the RADSEC pipe and renegotiate it to look for a fresher cert, or is there an in-band mechanism for things such as this tucked away in TLS (a spec which I have very limited familiarity with)?