Hi,
How do we deal with a situation where a large number of administratively distinct realms decide to pool resources and send all requests to the same server? Does every change to the membership list of that group require a new certificate to be generated to change the alternative subject names?
Yes. Unless the name is a wildcard name and the new name is already covered by the wildcard. Which (in eduroam at least) is probably common for *.tld proxy servers.
What does a relay do when it gets a request that DNS says should go up an established RADSEC pipe, but that RADSEC pipe does not have a x509 alt subject corresponding to that realm... tear down the RADSEC pipe and renegotiate it to look for a fresher cert, or is there an in-band mechanism for things such as this tucked away in TLS (a spec which I have very limited familiarity with)?
There's (secure) Server/Client-initiated TLS renegotiation (both ways are possible). That happens inband without tearing down the session. (and yes, there's also an INsecure variant of this which made the news a few years back. Don't use that one :-) ) Greetings, Stefan Winter -- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 2, avenue de l'Université L-4365 Esch-sur-Alzette Tel: +352 424409 1 Fax: +352 422473 PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66