shibboleth-dev - RE: Tomcat and certificate validation for SSL

Subject: Shibboleth Developers

  • From: "Scott Cantor" <>
  • To: "'Chad La Joie'" <>, <>
  • Subject: RE: Tomcat and certificate validation for SSL
  • Date: Mon, 13 Jun 2005 20:24:43 -0400
  • Organization: The Ohio State University

> Here's my question though, if we just pass the client-cert auth
> employing request on, with the SSL info in the appropriate headers, for
> the IdP to verify are we weakening the security that people expect from
> the client-cert authentication? Also, are the headers that we're
> placing this data in defined in a standard (HTTPS standard perhaps)?

The J2EE spec defines a request parameter where the certificate ends up.
It's not actually a header, in the normal sense. I have no idea how to
inject that, but presumably we'd be able to let Tomcat do that as usual.

As far as security, well, I would imagine you're right (though how many
people are we talking about?), but then again, couldn't we set things up so
that one vhost did this and another didn't?

> My only concern with all this is portability to other containers.

Yep.

-- Scott
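
Added example, not part of the original message and not Shibboleth code: one way an application behind the container could validate the client certificate itself, reading the chain from the request attribute the Servlet specification defines (`javax.servlet.request.X509Certificate`). The class name `ClientCertCheck`, the pre-loaded trust store, and the decision to skip revocation checking are assumptions made for this sketch.

```java
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.servlet.http.HttpServletRequest;

/** Hypothetical helper: application-side validation of a container-supplied client certificate. */
public final class ClientCertCheck {
    // Request attribute (not an HTTP header) where the container places the TLS client chain.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    // CA certificates the application trusts; assumed to be loaded by the caller.
    private final KeyStore trustAnchors;

    public ClientCertCheck(KeyStore trustAnchors) {
        this.trustAnchors = trustAnchors;
    }

    /** Returns the validated end-entity certificate, or null if absent or untrusted. */
    public X509Certificate validatedClientCert(HttpServletRequest request) {
        Object attr = request.getAttribute(CERT_ATTR);
        if (!(attr instanceof X509Certificate[])) {
            return null; // no client certificate was presented on this connection
        }
        X509Certificate[] chain = (X509Certificate[]) attr;
        if (chain.length == 0) {
            return null;
        }
        try {
            // The container delivers the chain leaf-first, the order CertPath expects.
            CertPath path = CertificateFactory.getInstance("X.509")
                    .generateCertPath(Arrays.asList(chain));
            PKIXParameters params = new PKIXParameters(trustAnchors);
            // Assumption for this sketch: revocation (CRL/OCSP) is handled elsewhere.
            params.setRevocationEnabled(false);
            // Checks signatures, validity dates and chaining to a trusted CA.
            CertPathValidator.getInstance("PKIX").validate(path, params);
            return chain[0];
        } catch (GeneralSecurityException e) {
            return null; // fail closed: treat any validation error as unauthenticated
        }
    }
}
```

The TLS handshake only shows that the client holds the private key for the presented certificate; when the container is configured to accept any certificate, a check like this is where the trust decision is actually made.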



