libeap does not support comparing the key.
Otherwise I'd agree comparing the key would be a useful thing to do.
Note that this is a somewhat more constrained problem than metadata for
SAML. You only need to provision trust for your IDPs not for anything
beyond that.
This is not to describe the RADIUS trust; this is the EAP trust.
For provisioned identities--that is, cases where you can download some
information along with the identity--I think you have a couple of good
options.
1) Download a CA cert along with a name to expect.
The advantage here is that you can support both key rollover at the IDP
and not be dependent on the specific cert at the IDP.
The disadvantage of course is that the IDP needs to actually have a CA
(commercial or otherwise).
The other option I think it makes sense to support is
2) Hash of cert. Hash of key would be better but we cannot currently do
that.
The tricky question seems to be what happens when a user tries to add an
identity given an issuer name, username and password.
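As an added illustration of the two provisioning options discussed above (example code written for this note, not libeap code or anything posted in the thread), the Go program below models an identity record that carries either a CA certificate plus the name to expect (option 1) or a hash of the server certificate (option 2), and checks a presented EAP server certificate against it. The IdP CA, the name radius.example.org and the choice of SHA-256 over the DER certificate are constructed assumptions; the message does not say which hash is meant. The test PKI is generated in memory so the program runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// ProvisionedTrust is what gets downloaded with an identity; one option is filled in.
type ProvisionedTrust struct {
	CARoots      *x509.CertPool // option 1: the IdP's CA certificate
	ExpectedName string         // option 1: name the EAP server cert must carry
	CertHash     []byte         // option 2: SHA-256 over the DER cert (hash choice is an assumption)
}

// CAOption builds option-1 trust: a CA cert plus a name to expect.
func CAOption(ca *x509.Certificate, expectedName string) ProvisionedTrust {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return ProvisionedTrust{CARoots: pool, ExpectedName: expectedName}
}

// HashOption builds option-2 trust: a pin on the whole certificate.
func HashOption(server *x509.Certificate) ProvisionedTrust {
	sum := sha256.Sum256(server.Raw)
	return ProvisionedTrust{CertHash: sum[:]}
}

// VerifyEAPServerCert checks the cert presented inside the EAP tunnel against the provisioned trust.
func VerifyEAPServerCert(t ProvisionedTrust, server *x509.Certificate) error {
	switch {
	case t.CARoots != nil:
		// Option 1: chain to the provisioned CA and match the name; survives key rollover.
		_, err := server.Verify(x509.VerifyOptions{
			Roots:   t.CARoots,
			DNSName: t.ExpectedName,
		})
		return err
	case len(t.CertHash) > 0:
		// Option 2: pin the exact cert; any re-issuance breaks it (a key hash would not).
		got := sha256.Sum256(server.Raw)
		if subtle.ConstantTimeCompare(t.CertHash, got[:]) != 1 {
			return errors.New("server certificate hash does not match provisioned pin")
		}
		return nil
	default:
		return errors.New("no trust anchor provisioned for this identity")
	}
}

// BuildTestPKI constructs throwaway material: an IdP CA and two server certs for
// the same made-up name, the second standing in for a key rollover at the IdP.
func BuildTestPKI() (ca, server1, server2 *x509.Certificate) {
	now := time.Now()
	ca, caKey := newCert(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example IdP CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil, nil)
	var servers [2]*x509.Certificate
	for i := range servers {
		servers[i], _ = newCert(&x509.Certificate{
			SerialNumber: big.NewInt(int64(10 + i)),
			Subject:      pkix.Name{CommonName: "radius.example.org"},
			DNSNames:     []string{"radius.example.org"},
			NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		}, ca, caKey)
	}
	return ca, servers[0], servers[1]
}

// newCert generates a fresh key for tmpl and has signer sign it (self-signed when signer is nil).
func newCert(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // test-only helper
	}
	if signer == nil {
		signer, parent = key, tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}
```

Running VerifyEAPServerCert with both trust records against the two server certificates shows the trade-off stated in the message: the CA-plus-name record accepts the re-issued certificate, while the certificate-hash pin rejects it, which is exactly why a hash of the key would be the better pin if the library could compare it.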