- From: Andrei Sambra <andrei.sambra@gmail.com>
- Date: Thu, 2 May 2013 12:41:11 +0200
- To: Angelo Veltens <angelo.veltens@online.de>
- Cc: public-webid <public-webid@w3.org>
- Message-ID: <CAFG79ej3Z56efWbd12z16tAsNErHCpiReNhKEAHRL3xkGUkQ6A@mail.gmail.com>
Hi Angelo,

On Wed, May 1, 2013 at 1:10 PM, Angelo Veltens <angelo.veltens@online.de> wrote:

> Hi all,
>
> I am going to implement a WebID-Authentication for my web applications
> and need some advice to assure that my approach is correct.
>
> I successfully configured Apache Webserver to request a client
> certificate as described in [1]
>
> I've set "SSLVerifyClient optional_no_ca" for a specific login url and
> "SSLOptions +StdEnvVars +ExportCertData" to make the certificate
> available to my Java application running on Apache Tomcat (using mod_jk)
>
> The Browser's certificate dialog pops up at the login url and a
> certificate object is available in my application.
>
> So far, so good. I am now uncertain, what exactly to do within my
> application. Will I have to check the certificate signature or
> something? I think that has already been done by Apache, hasn't it? So I
> can be sure that the certificate is valid in the way, that the user is
> the owner of the private key of the public key I have at this point?

Apache checks two things: the certificate is valid by itself (i.e. keys match, expiration date), and also that a valid chain of certification exists (i.e. it has been issued by a known CA). The first check takes place all the time. The second one (CA check) can be skipped by using optional_no_ca (read below).

> So, I think, the only things I have to do are:
>
> 1) get all the URIs in the SubjectAlternativeName (type 6)
> 2) request the WebID-Profiles of those URIs
> 3) watch out that the public key is present in one of the profiles
>
> What about certificate expiration? Do I have to check this in my
> application or is it done by Apache Webserver?
>
> Anything else I might miss or be mistaken about?
>
> I find the WebID spec quite abstract and missing concrete examples on
> how to actually implement it. Any HowTo I have overlooked?
>
> I've seen that WebIDauth used by my-profile.eu is checking a
> SSL_CLIENT_VERIFY variable [2], but I don't know how to access that and
> if it is really necessary with optional_no_ca setting...

The optional_no_ca does exactly what the name implies. It allows Apache to use cert authentication even if the client certificate is self-signed (no CA).

Checking SSL_CLIENT_VERIFY is necessary in order to make sure that keys match.

Let me know if you have other questions about WebIDauth, since I'm the maintainer. :)

> Thanks in advance!
>
> Best regards,
> Angelo
>
> [1] http://www.w3.org/2005/Incubator/webid/wiki/Apache_Configuration
> [2] https://github.com/WebIDauth/WebIDauth/blob/master/WebIDauth.php#L292
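The three application-side steps listed in the quoted message (collect the type-6 SAN URIs, dereference the profiles, check that the certificate's key is listed there), as an added Java example that is not code from this thread or from WebIDauth. It assumes the application has already read the certificate that Apache forwarded (with mod_jk this is normally the `javax.servlet.request.X509Certificate` request attribute) and that the caller has already fetched each profile and collected its `cert:modulus` / `cert:exponent` literals; the class and method names are illustrative.

```java
import java.math.BigInteger;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Map;

public final class WebIdTlsLogin {
    /** Step 1: every URI (GeneralName type 6) in the SubjectAlternativeName extension. */
    public static List<String> webIdUris(X509Certificate cert) throws CertificateException {
        List<String> uris = new ArrayList<>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames(); // null when the extension is absent
        if (sans != null) {
            for (List<?> san : sans) {
                if ((Integer) san.get(0) == 6) uris.add((String) san.get(1));
            }
        }
        return uris;
    }

    /** Converts one profile key's cert:modulus (xsd:hexBinary) and cert:exponent (xsd:integer) literals. */
    public static BigInteger[] profileKey(String modulusHex, String exponent) {
        // some published profiles break the hex into groups, so drop whitespace before parsing
        return new BigInteger[] { new BigInteger(modulusHex.replaceAll("\\s", ""), 16), new BigInteger(exponent) };
    }

    /**
     * Steps 2 and 3: returns the WebID whose profile lists the certificate's RSA key, or null to refuse login.
     * profileKeys maps each SAN URI to the keys found by dereferencing it (the RDF fetch is the caller's job).
     */
    public static String authenticate(X509Certificate cert, Map<String, List<BigInteger[]>> profileKeys)
            throws CertificateException {
        cert.checkValidity(); // enforce the validity period in the application too: throws if expired or not yet valid
        if (!(cert.getPublicKey() instanceof RSAPublicKey)) return null; // profiles describe cert:RSAPublicKey
        RSAPublicKey key = (RSAPublicKey) cert.getPublicKey();
        for (String uri : webIdUris(cert)) {
            for (BigInteger[] mk : profileKeys.getOrDefault(uri, List.of())) {
                if (mk[0].equals(key.getModulus()) && mk[1].equals(key.getPublicExponent())) return uri;
            }
        }
        return null; // no profile vouches for this key
    }
}
```

A self-signed certificate accepted under optional_no_ca shows up with SSL_CLIENT_VERIFY set to GENEROUS rather than SUCCESS, so the profile lookup above, not the CA chain, is what ties the key to an identity.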
Received on Thursday, 2 May 2013 10:41:59 UTC