W3C home > Mailing lists > Public > public-webid@w3.org > May 2013

Implementing WebID-Authentication

From: Angelo Veltens <angelo.veltens@online.de>
Date: Wed, 01 May 2013 13:10:29 +0200
Message-ID: <5180F825.7020006@online.de>
To: public-webid@w3.org
Hi all,

I am going to implement a WebID-Authentication for my web applications
and need some advise to assure that my approach is correct.

I successfully configured Apache Webserver to request a client
certificate as described in [1]

I've set "SSLVerifyClient optional_no_ca" for a specific login url and
"SSLOptions +StdEnvVars +ExportCertData" to make the certificate
available to my Java application running on Apache Tomcat (using mod_jk)

The Browser's certificate dialog pops up at the login url and a
certificate object is available in my application.

So far, so good. I am now uncertain, what exactly to do within my
application. Will I have to check the certificate signature or
something? I think that has already be done by Apache, hasn't it? So I
can be sure that the certificate is valid in the way, that the user is
the owner of the private key of the public key I have at this point?

So, I think, the only things I have to do are:

1) get all the URIs in the SubjectAlternativeName (type 6)
2) request the WebID-Profiles of that URIs
3) watch out that the public key is present in one of the profiles

What about certificate expiration? Do I have to check this in my
application or is it done by Apache Webserver?

Anything else I might miss or be mistaken about?

I find the WebID spec quite abstract and missing concrete examples on
how to actually implement it. Any HowTo I have overlooked?

I've seen that WebIDauth used by my-profile.eu is checking a
SSL_CLIENT_VERIFY variable [2], but I don't know how to access that and
if it is really necessary with optional_no_ca setting...

Thanks in advance!

Best regards,
Angelo

[1] http://www.w3.org/2005/Incubator/webid/wiki/Apache_Configuration
[2] https://github.com/WebIDauth/WebIDauth/blob/master/WebIDauth.php#L292
Received on Wednesday, 1 May 2013 11:14:15 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:54:43 UTC