Re: Implementing WebID-Authentication

From: Andrei Sambra <andrei.sambra@gmail.com>
Date: Thu, 2 May 2013 12:41:11 +0200
Message-ID: <CAFG79ej3Z56efWbd12z16tAsNErHCpiReNhKEAHRL3xkGUkQ6A@mail.gmail.com>
To: Angelo Veltens <angelo.veltens@online.de>
Cc: public-webid <public-webid@w3.org>

Hi Angelo,

On Wed, May 1, 2013 at 1:10 PM, Angelo Veltens <angelo.veltens@online.de> wrote:

> Hi all,
> I am going to implement a WebID-Authentication for my web applications
> and need some advice to assure that my approach is correct.
> I successfully configured Apache Webserver to request a client
> certificate as described in [1]
> I've set "SSLVerifyClient optional_no_ca" for a specific login url and
> "SSLOptions +StdEnvVars +ExportCertData" to make the certificate
> available to my Java application running on Apache Tomcat (using mod_jk)
> The Browser's certificate dialog pops up at the login url and a
> certificate object is available in my application.
> So far, so good. I am now uncertain, what exactly to do within my
> application. Will I have to check the certificate signature or
> something? I think that has already been done by Apache, hasn't it? So I
> can be sure that the certificate is valid in the way, that the user is
> the owner of the private key of the public key I have at this point?

Apache checks two things: the certificate is valid by itself (i.e. keys
match, expiration date), and also that a valid chain of certification
exists (i.e. it has been issued by a known CA).  The first check takes
place all the time. The second one (CA check) can be skipped by using
optional_no_ca (read below).

> So, I think, the only things I have to do are:
> 1) get all the URIs in the SubjectAlternativeName (type 6)
> 2) request the WebID-Profiles of those URIs
> 3) watch out that the public key is present in one of the profiles
> What about certificate expiration? Do I have to check this in my
> application or is it done by Apache Webserver?
> Anything else I might miss or be mistaken about?
> I find the WebID spec quite abstract and missing concrete examples on
> how to actually implement it. Any HowTo I have overlooked?
> I've seen that WebIDauth used by my-profile.eu is checking an
> SSL_CLIENT_VERIFY variable [2], but I don't know how to access that and
> if it is really necessary with optional_no_ca setting...

The optional_no_ca does exactly what the name implies. It allows Apache to
use cert authentication even if the client certificate is self-signed (no
CA). Checking SSL_CLIENT_VERIFY is necessary in order to make sure that
keys match.

Let me know if you have other questions about WebIDauth, since I'm the
maintainer. :)

> Thanks in advance!
> Best regards,
> Angelo
> [1] http://www.w3.org/2005/Incubator/webid/wiki/Apache_Configuration
> [2] https://github.com/WebIDauth/WebIDauth/blob/master/WebIDauth.php#L292
Received on Thursday, 2 May 2013 10:41:59 UTC
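
The three steps listed in the question, together with the SSL_CLIENT_VERIFY check from the reply, as an added example that is not part of the original message and not WebIDauth's code. It is written in Go because the standard library can build a throwaway self-signed certificate to run against. Assumptions: the names `ProfileKey`, `VerifyWebID` and `Sample`, the `lookup` callback (a stand-in for fetching and parsing the profile) and the `alice.example` WebID are hypothetical, and `SUCCESS`/`GENEROUS` are the passing values mod_ssl documents for SSL_CLIENT_VERIFY.

```go
package main
import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"fmt"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// ProfileKey is one RSA key a profile lists for a WebID (cert:modulus as hex, cert:exponent).
type ProfileKey struct{ ModulusHex string; Exponent int }

// VerifyWebID returns the first SAN URI (type 6) whose profile lists the certificate's key.
// lookup is a hypothetical stand-in: fetch the profile at uri, return the keys it states for uri.
func VerifyWebID(verify string, cert *x509.Certificate, lookup func(uri string) []ProfileKey) (string, bool) {
	pub, isRSA := cert.PublicKey.(*rsa.PublicKey)
	if !isRSA || (verify != "SUCCESS" && verify != "GENEROUS") {
		return "", false // NONE or FAILED:reason means no usable client certificate
	}
	for _, u := range cert.URIs {
		for _, k := range lookup(u.String()) {
			n, ok := new(big.Int).SetString(strings.Join(strings.Fields(k.ModulusHex), ""), 16)
			if ok && n.Cmp(pub.N) == 0 && k.Exponent == pub.E { // hex case and whitespace ignored
				return u.String(), true
			}
		}
	}
	return "", false
}

// Sample builds a constructed self-signed certificate for webid and its key as a profile would list it.
func Sample(webid string) (*x509.Certificate, ProfileKey) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	u, _ := url.Parse(webid)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), URIs: []*url.URL{u}, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err) // any earlier setup failure surfaces here
	}
	return cert, ProfileKey{strings.ToUpper(key.N.Text(16)), key.E}
}

func main() {
	cert, key := Sample("https://alice.example/profile#me")
	fmt.Println(VerifyWebID("GENEROUS", cert, func(string) []ProfileKey { return []ProfileKey{key} }))
}
```

A real `lookup` should return only keys that the profile attaches to the claimed URI itself, not keys of other subjects described in the same document.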