agnostic
Frequent Visitor
Topic Author
Posts: 61
Joined: Fri Mar 21, 2014 8:23 pm

"Secure" SSID association?

Tue May 27, 2014 1:07 pm

Through my experience with wireless networks, and having faced problems like rogue access points with spoofed MAC addresses and SSIDs the same as the legitimate ones, I wonder if a new feature could be implemented: a secure SSID with a public (client) and private (access point) key for open hotspot networks. Of course the Wi-Fi system needs to be upgraded too, as the network managers of various OSes (Windows, Linux) will support an SSID certification method, which will likely occur during association with an access point. The first time someone connects to a "secure" SSID, it will ask the user to continue and save the access point certificate. If a rogue access point appears with the same SSID and MAC while the user tries to connect, a warning message will pop up that the key does match the saved one, so the user will understand that this is not the same access point. Like HTTPS, but not encrypting traffic because it is an open network, only SSID name certification. This is just my wondering and is not MikroTik specific, and if it is possible to implement, the whole wireless system has to change (access points, clients).
 
jarda
Forum Guru
Posts: 7756
Joined: Mon Oct 22, 2012 4:46 pm

Re: "Secure" SSID association?

Tue May 27, 2014 2:44 pm

How could a correct client that has just forgotten the certificate get the certificate again? Or does it become untrusted for eternity?
 
agnostic
Frequent Visitor
Topic Author
Posts: 61
Joined: Fri Mar 21, 2014 8:23 pm

Re: "Secure" SSID association?

Wed May 28, 2014 1:59 pm

I haven't expressed my thoughts exactly as I imagine them yet. I will make a detailed plan and post a reply about that. The basic idea is that the client, during association to some unencrypted Wi-Fi, will exchange some keys (as HTTPS does) to verify that the SSID is legitimate, but to know that it is legitimate it will have to connect once to receive keys from the legitimate access point and store them in the system. Of course, "legitimate" is relative: every access point will generate its own unique keys, and in case of a duplicate SSID and MAC address it will not have the same keys to certify itself to an already certified access point to a client.
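The trust-on-first-use check discussed in this thread, as an added sketch that is not code from any poster or from MikroTik. The thread names no key type or message format, so Ed25519, the SSID-plus-nonce challenge and every identifier here (`AP`, `Client`, `Associate`, the sample SSID) are assumptions.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// AP is a hypothetical access point with its own key pair (names are assumptions).
type AP struct {
	SSID string
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}
func NewAP(ssid string) *AP {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &AP{ssid, pub, priv}
}
// Prove signs SSID||nonce, showing the AP holds the private key for pub.
func (a *AP) Prove(nonce []byte) (ed25519.PublicKey, []byte) {
	return a.pub, ed25519.Sign(a.priv, append([]byte(a.SSID), nonce...))
}
// Client keeps one pinned public key per SSID.
type Client struct{ pins map[string]ed25519.PublicKey }
func NewClient() *Client { return &Client{map[string]ed25519.PublicKey{}} }
// Associate returns "first-use", "match", "mismatch" or "bad-proof".
func (c *Client) Associate(a *AP) string {
	nonce := make([]byte, 32)
	rand.Read(nonce) // fresh challenge so an old signature cannot be replayed
	pub, sig := a.Prove(nonce)
	if !ed25519.Verify(pub, append([]byte(a.SSID), nonce...), sig) {
		return "bad-proof" // public key presented without its private half
	}
	pinned, ok := c.pins[a.SSID]
	switch {
	case !ok:
		c.pins[a.SSID] = pub // nothing stored yet: prompt the user, then save
		return "first-use"
	case !bytes.Equal(pinned, pub):
		return "mismatch" // same SSID, different key: warn the user
	}
	return "match"
}

func main() { // constructed sample: a genuine AP and a rogue reusing its SSID
	c := NewClient()
	legit, rogue := NewAP("CafeWiFi"), NewAP("CafeWiFi")
	fmt.Println(c.Associate(legit), c.Associate(legit), c.Associate(rogue))
}
```

In this sketch a client that has lost its stored key is back in the "first-use" state and will accept whichever access point answers first, which is the case the reply above asks about.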
