
shibboleth-dev - Tomcat and certificate validation for SSL

Subject: Shibboleth Developers


Tomcat and certificate validation for SSL


  • From: Chad La Joie <>
  • To:
  • Subject: Tomcat and certificate validation for SSL
  • Date: Mon, 13 Jun 2005 19:54:39 -0400
  • Organization: UIS - Project Sentinel

I was doing some more thinking about certificate validation in Tomcat on my way home today, and I had some more questions.

During the Shib call today we said that the current 1.3 Apache/Tomcat setup takes a client cert and basically passes it to the IdP, and the IdP now does all the trust verification (unless I misunderstood something). And we said that this would be the preferred operation in a Tomcat-only environment so that people didn't have to mess with trust stores. And currently, without messing with the trust store (copying the certs from the metadata file into the trust store), a request will fail if it's using client-cert auth.

Here's my question, though: if we just pass the request employing client-cert auth on, with the SSL info in the appropriate headers, for the IdP to verify, are we weakening the security that people expect from client-cert authentication? Also, are the headers that we're placing this data in defined in a standard (the HTTPS standard, perhaps)?

All that said, I think, from my initial look at the Tomcat code, it should be relatively easy now to change the JSSE socket used for handling the SSL connection, which means it should be easy to make Tomcat do what we want it to.

My only concern with all this is portability to other containers.
--
Chad La Joie 315Q St. Mary's Hall
Project Sentinel 202.687.0124
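The concern raised above, worked through as an added example in Go (not code from this thread or from the Shibboleth project): when the IdP does the trust verification on a client cert forwarded to it by the front end, it must believe the forwarded header only when the request really came from that front end, and it can check the cert directly against the certificates from metadata instead of a copied trust store. The trusted-proxy address, the PEM-in-a-header convention and the self-signed sample certificate are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

type Resolver struct {
	MetadataCerts  []*x509.Certificate // stands in for the certificates read from federation metadata
	TrustedProxies map[string]bool     // front ends (the Apache in front of Tomcat) allowed to forward a cert
}

// Resolve prefers the cert the container negotiated itself (Tomcat exposes it as the
// javax.servlet.request.X509Certificate attribute) and honours a forwarded PEM header only from a trusted front end.
func (r *Resolver) Resolve(remoteAddr string, containerCerts []*x509.Certificate, forwardedPEM string) (*x509.Certificate, error) {
	var leaf *x509.Certificate
	if len(containerCerts) > 0 {
		leaf = containerCerts[0] // the container did the TLS handshake itself: authoritative
	} else {
		if !r.TrustedProxies[remoteAddr] { // any client can set a header; only the front end may be believed
			return nil, errors.New("forwarded certificate header from untrusted peer " + remoteAddr)
		}
		block, _ := pem.Decode([]byte(forwardedPEM))
		if block == nil || block.Type != "CERTIFICATE" { return nil, errors.New("forwarded header is not a PEM certificate") }
		var err error
		if leaf, err = x509.ParseCertificate(block.Bytes); err != nil { return nil, err }
	}
	if now := time.Now(); now.Before(leaf.NotBefore) || now.After(leaf.NotAfter) { return nil, errors.New("client certificate outside its validity period") }
	for _, m := range r.MetadataCerts { // explicit match against the metadata certs: nothing to copy into a trust store
		if m.Equal(leaf) {
			return leaf, nil
		}
	}
	return nil, errors.New("client certificate not listed in metadata")
}

// SelfSignedCert builds a throwaway one-hour certificate (constructed sample input) so the example runs offline.
func SelfSignedCert() (*x509.Certificate, string) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert, string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
}
```

A request carrying the same header straight from an arbitrary client is refused, while the identical cert arriving via the trusted front end, or negotiated by the container itself, is accepted only if it is listed in metadata.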

Archive powered by MHonArc 2.6.16.