Implement SSL client certificate authentication for OpenID provider
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Canonical SSO provider | Triaged | Wishlist | Unassigned |
isd | Confirmed | Low | Unassigned |
Bug Description
On the mailing list, it was suggested that we implement (optional?) SSL client certificate authentication for the Launchpad OpenID provider.
Given our current setup, the certificate validation would need to be done in Apache. To perform optional client certificate validation, something like this would need to be added:
SSLCACertif
SSLVerifyDepth 1
SSLVerifyClient optional
[There is a note that this last option does not work with all browsers, so some testing would be necessary]
We can then use mod_headers to pass on certain info from the certificate to Launchpad with the RequestHeader directive (making sure that the user can't pass these headers directly). At a minimum we should pass SSL_CLIENT_VERIFY to see whether the certificate is valid. We probably also want to pass SSL_CLIENT_I_DN (issuer DN) and SSL_CLIENT_M_SERIAL (certificate serial number) to match the certificate against a certificate issued by Launchpad.
Checking the serial number also allows for us to easily mark a certificate as revoked. If Launchpad sees that the user presented a verified certificate, it would then log the user in as the appropriate account.
We would then need code that can create certificates from the certificate authority, and associate them with Launchpad accounts. Launchpad would also need to be able to serve the certificate to the user in a form that will cause their browser to prompt to install.
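The relying-party side of the scheme described above, as an added example that is not Launchpad code: a small registry of serials issued by the (assumed) Launchpad client CA, plus the login check run over the three mod_ssl values the description says Apache should forward. The header names, the issuer DN string and the sample requests are assumptions constructed for the example. It relies on Apache having done the hardening the description asks for, i.e. clobbering any client-supplied copy of those headers before setting them from the verified session, for example `RequestHeader unset X-SSL-Client-Verify` followed by `RequestHeader set X-SSL-Client-Verify "%{SSL_CLIENT_VERIFY}s"` (and likewise for the issuer DN and serial); the application must never accept these names from an unproxied request.

```python
"""Client-certificate login check from Apache-forwarded mod_ssl headers.

Added example, not Launchpad's own code. Assumes Apache (mod_ssl + mod_headers)
runs with `SSLVerifyClient optional`, unsets any incoming copy of the headers
below and then sets them from SSL_CLIENT_VERIFY, SSL_CLIENT_I_DN and
SSL_CLIENT_M_SERIAL. Only the proxy may set them; the app trusts them blindly.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# Assumed header names chosen for this example (Apache RequestHeader targets).
HDR_VERIFY = "X-SSL-Client-Verify"    # SSL_CLIENT_VERIFY: NONE | SUCCESS | GENEROUS | FAILED:<reason>
HDR_ISSUER = "X-SSL-Client-I-DN"      # SSL_CLIENT_I_DN, issuer DN as a string
HDR_SERIAL = "X-SSL-Client-M-Serial"  # SSL_CLIENT_M_SERIAL, certificate serial in hex

# Assumed issuer DN of the Launchpad client CA. It must match the exact string
# mod_ssl renders: RFC 2253 form (below) by default on current Apache, or the
# legacy "/O=.../CN=..." form when `SSLOptions +LegacyDNStringFormat` is on.
TRUSTED_ISSUER_DN = "CN=Launchpad Client CA,O=Canonical Ltd."


def normalize_serial(serial: str) -> str:
    """Canonical form of a hex serial: upper-case, no surrounding space or leading zeros."""
    stripped = serial.strip().upper().lstrip("0")
    return stripped or "0"


@dataclass
class IssuedCert:
    serial: str      # normalized hex serial
    account: str     # Launchpad account the certificate was issued to
    revoked: bool = False


class CertRegistry:
    """Serial -> account map for certificates issued by our CA (an in-memory stand-in for a DB table)."""

    def __init__(self) -> None:
        self._by_serial: Dict[str, IssuedCert] = {}

    def issue(self, serial: str, account: str) -> None:
        key = normalize_serial(serial)
        if key in self._by_serial:
            # A CA must never reuse a serial; reuse would alias two accounts.
            raise ValueError("serial already issued: %s" % key)
        self._by_serial[key] = IssuedCert(key, account)

    def revoke(self, serial: str) -> None:
        # Marking the serial revoked is enough: login checks this flag, so no CRL
        # distribution to Apache is needed for the application-level decision.
        self._by_serial[normalize_serial(serial)].revoked = True

    def lookup(self, serial: str) -> Optional[IssuedCert]:
        return self._by_serial.get(normalize_serial(serial))


@dataclass(frozen=True)
class AuthResult:
    account: Optional[str]  # account to log in, or None
    reason: str             # short code worth logging either way


def authenticate(headers: Dict[str, str], registry: CertRegistry,
                 trusted_issuer: str = TRUSTED_ISSUER_DN) -> AuthResult:
    """Decide whether the forwarded headers prove possession of a live Launchpad-issued certificate."""
    verify = headers.get(HDR_VERIFY, "NONE")
    if verify == "NONE":
        return AuthResult(None, "no-certificate")      # anonymous TLS client; fall back to password login
    if verify != "SUCCESS":
        # GENEROUS (cert presented but not validated) and FAILED:<reason> are both rejections.
        return AuthResult(None, "verify-failed:" + verify)
    if headers.get(HDR_ISSUER) != trusted_issuer:
        # Chain validated against the CA bundle, but not issued by *our* CA (e.g. another
        # CA in SSLCACertificateFile). Never map such certificates to accounts.
        return AuthResult(None, "untrusted-issuer")
    serial = headers.get(HDR_SERIAL, "").strip()
    if not serial:
        return AuthResult(None, "missing-serial")
    record = registry.lookup(serial)
    if record is None:
        return AuthResult(None, "unknown-serial")
    if record.revoked:
        return AuthResult(None, "revoked")
    return AuthResult(record.account, "ok")


def demo() -> Dict[str, AuthResult]:
    """Run the check over constructed sample requests (not real traffic)."""
    registry = CertRegistry()
    registry.issue("0A1B", "alice")
    registry.issue("0A1C", "bob")
    registry.revoke("0A1C")
    good = {HDR_VERIFY: "SUCCESS", HDR_ISSUER: TRUSTED_ISSUER_DN, HDR_SERIAL: "0a1b"}
    return {
        "alice": authenticate(good, registry),
        "bob-revoked": authenticate(dict(good, **{HDR_SERIAL: "0A1C"}), registry),
        "no-cert": authenticate({HDR_VERIFY: "NONE"}, registry),
        "expired": authenticate(dict(good, **{HDR_VERIFY: "FAILED:certificate has expired"}), registry),
        "other-ca": authenticate(dict(good, **{HDR_ISSUER: "CN=Some Other CA,O=Example"}), registry),
        "unknown": authenticate(dict(good, **{HDR_SERIAL: "FFFF"}), registry),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print("%-12s account=%-6s reason=%s" % (name, result.account, result.reason))
```

Serials are compared after normalization because mod_ssl prints them as hex without a fixed width, while a database column may store them zero-padded; comparing the raw strings would silently fail to match and lock users out.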
Changed in launchpad-foundations:
  importance: Undecided → Wishlist
  status: New → Triaged
Changed in canonical-identity-provider:
  importance: Low → Wishlist
  tags: added: openidrp
Changed in canonical-isd:
  status: Confirmed → Fix Released
Changed in canonical-identity-provider:
  status: Triaged → Fix Released
Changed in canonical-isd:
  status: Fix Released → Confirmed
Changed in canonical-identity-provider:
  status: Fix Released → Triaged
Changed in canonical-isd:
  assignee: nobody → Al-basha@mail.net.sa (al-basha)
  assignee: Al-basha@mail.net.sa (al-basha) → nobody
  information type: Public → Private
  information type: Private → Public
We could consider prototyping this with webid. Here are some useful links:
* http://esw.w3.org/WebID
* http://esw.w3.org/Foaf%2Bssl/RelyingParties
* http://foaf.me/sometestthing#me
* http://reward.me/