Shibboleth Developers

[Lukas Haemmerle <>]

This is slightly offtopic but nevertheless probably very relevant for 
Shibboleth IdP Admins.
For the attribute request on the AA, it is recommended to set

SSLVerifyClient optional_no_ca

Now, today I had a discussion with our PKI-guru (Kaspar Brand) about the 
clientAuthentication usually done during the Shib attribute request and 
he asked me what exactly is validated with optional_no_ca.

Because on
http://httpd.apache.org/docs/2.0/mod/mod_ssl.html#sslverifyclient
it says "optional_no_ca is actually against the idea of authentication 
(but can be used to establish SSL test pages, etc.)", can one be sure 
that at least the proof of possession (of the private key used by the SP 
during the SSL hand-shake) is checked by Apache? I know that no CA 
validation is supposed to be done, which makes sense to me but what else 
is checked/not checked? How about e.g. the  expiration date of the 
certificate?

I have been assuming that proof-of-possesion is checked but now I am not 
so sure anymore regarding this. Before I look in the source-code, can 
anyone (Scott?) confirm this

If this is not checked either, it apparently could be possible to inject 
any (public) certificate into the IdP container because there is no PoP.

Lukas

--
SWITCH
Serving Swiss Universities
--------------------------
Lukas Haemmerle, Software Engineer, Security
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 15 64, fax +41 44 268 15 68
,
 http://www.switch.ch