- From: Angelo Veltens <angelo.veltens@online.de>
- Date: Wed, 01 May 2013 13:10:29 +0200
- To: public-webid@w3.org
Hi all,

I am going to implement a WebID-Authentication for my web applications and need some advice to assure that my approach is correct.

I successfully configured Apache Webserver to request a client certificate as described in [1]. I've set "SSLVerifyClient optional_no_ca" for a specific login url and "SSLOptions +StdEnvVars +ExportCertData" to make the certificate available to my Java application running on Apache Tomcat (using mod_jk). The Browser's certificate dialog pops up at the login url and a certificate object is available in my application. So far, so good.

I am now uncertain what exactly to do within my application. Will I have to check the certificate signature or something? I think that has already been done by Apache, hasn't it? So I can be sure that the certificate is valid in the way that the user is the owner of the private key of the public key I have at this point?

So, I think, the only things I have to do are:

1) get all the URIs in the SubjectAlternativeName (type 6)
2) request the WebID-Profiles of those URIs
3) watch out that the public key is present in one of the profiles

What about certificate expiration? Do I have to check this in my application or is it done by Apache Webserver?

Anything else I might miss or be mistaken about? I find the WebID spec quite abstract and missing concrete examples on how to actually implement it. Any HowTo I have overlooked?

I've seen that WebIDauth used by my-profile.eu is checking a SSL_CLIENT_VERIFY variable [2], but I don't know how to access that and if it is really necessary with the optional_no_ca setting...

Thanks in advance!

Best regards,
Angelo

[1] http://www.w3.org/2005/Incubator/webid/wiki/Apache_Configuration
[2] https://github.com/WebIDauth/WebIDauth/blob/master/WebIDauth.php#L292
Received on Wednesday, 1 May 2013 11:14:15 UTC
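The certificate-side part of the three steps listed in the post (SAN URI extraction, validity period, key comparison against the profile's cert:modulus/cert:exponent values), as an added Java example that is not the poster's code or part of the WebID spec. It assumes the application already dereferenced the profiles and extracted the key pairs with an RDF library; class and method names are hypothetical.

```java
import java.io.FileInputStream;
import java.math.BigInteger;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

// Added example (not from the original post). In a Tomcat application the certificate arrives as
// (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate"); element 0 is the client cert.
public class WebIdCertCheck {
    private static final int SAN_URI = 6; // GeneralName tag for uniformResourceIdentifier (RFC 5280)

    // Step 1: every URI-typed subjectAltName entry is a candidate WebID to dereference.
    public static List<String> webIdUris(X509Certificate cert) throws Exception {
        List<String> uris = new ArrayList<>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames(); // null when the extension is absent
        if (sans != null) {
            for (List<?> san : sans) {
                if ((Integer) san.get(0) == SAN_URI) uris.add((String) san.get(1));
            }
        }
        return uris;
    }

    // Expiry: with optional_no_ca the handshake completes even when OpenSSL's verification failed,
    // so the application checks the validity period itself (throws if expired or not yet valid).
    public static void requireInValidityPeriod(X509Certificate cert) throws Exception {
        cert.checkValidity();
    }

    // Step 3: the profile lists keys as cert:modulus (hexBinary) and cert:exponent (integer).
    // profileKeys holds those pairs as strings, assumed to be extracted from the fetched profile
    // by the caller; comparing as numbers tolerates leading zeros and mixed-case hex.
    public static boolean keyListedInProfile(X509Certificate cert, Collection<String[]> profileKeys) {
        if (!(cert.getPublicKey() instanceof RSAPublicKey)) return false; // only RSA keys can match
        RSAPublicKey key = (RSAPublicKey) cert.getPublicKey();
        for (String[] pair : profileKeys) {
            try {
                if (new BigInteger(pair[0], 16).equals(key.getModulus())
                        && new BigInteger(pair[1]).equals(key.getPublicExponent())) return true;
            } catch (NumberFormatException malformed) { /* skip unparsable profile entries */ }
        }
        return false;
    }

    // Stand-alone use: print the WebIDs and key parameters of a PEM certificate given on the command line.
    public static void main(String[] args) throws Exception {
        X509Certificate cert = (X509Certificate) CertificateFactory.getInstance("X.509")
                .generateCertificate(new FileInputStream(args[0]));
        requireInValidityPeriod(cert);
        System.out.println("WebIDs: " + webIdUris(cert));
        RSAPublicKey key = (RSAPublicKey) cert.getPublicKey();
        System.out.println("modulus(hex)=" + key.getModulus().toString(16) + " exponent=" + key.getPublicExponent());
    }
}
```

Only a URI that is both in the SAN list and whose profile contains the matching key should be treated as the authenticated WebID; the certificate signature itself is irrelevant to this check because the key binding comes from the profile, not from a CA.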