shibboleth-dev - RE: Apache optional_no_ca: What is checked exactly?
- From: "Scott Cantor"
- Subject: RE: Apache optional_no_ca: What is checked exactly?
- Date: Mon, 3 Mar 2008 12:46:38 -0500
- Organization: The Ohio State University
> Now, today I had a discussion with our PKI-guru (Kaspar Brand) about the
> clientAuthentication usually done during the Shib attribute request and
> he asked me what exactly is validated with optional_no_ca.
If you want a precise answer, you're going to have to look at the code.
Every version of mod_ssl is slightly different. Some of them seem to check
chain length and certificate usage, and some don't. I point this out in the
wiki.
> Because on
> http://httpd.apache.org/docs/2.0/mod/mod_ssl.html#sslverifyclient
> it says "optional_no_ca is actually against the idea of authentication
> (but can be used to establish SSL test pages, etc.)", can one be sure
> that at least the proof of possession (of the private key used by the SP
> during the SSL handshake) is checked by Apache?
Apache doesn't ever do this, OpenSSL does. The handshake is what does PoP.
By the time Apache gets the data, a session key has been exchanged and the
data has been decrypted by OpenSSL and returned from the SSL socket.
> I know that no CA
> validation is supposed to be done, which makes sense to me but what else
> is checked/not checked? How about e.g. the expiration date of the
> certificate?
See above. Anything it does with the certificate is:
- out of our control
- always a waste of time and effort that we'd prefer it didn't do
- irrelevant to security
-- Scott
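A defender-side illustration of the point made above, added here and not taken from the thread or from Shibboleth's own code: under `optional_no_ca` the OpenSSL handshake has already proved possession of the private key, so the application decides trust itself by pinning the presented certificate (the explicit-key model) rather than relying on anything Apache checked. The `SSL_CLIENT_VERIFY` / `SSL_CLIENT_CERT` variables are mod_ssl's (exported with `SSLOptions +ExportCertData`); the certificate body and the pinned fingerprint are constructed placeholders, not real certificates.

```python
import base64
import hashlib
import re

# Constructed sample of what mod_ssl exports to the application with
# "SSLVerifyClient optional_no_ca" and "SSLOptions +ExportCertData".
# The PEM body is a placeholder blob (base64 of "ABC...Z"), not a real cert.
SAMPLE_ENV = {
    "SSL_CLIENT_VERIFY": "GENEROUS",  # cert presented, chain NOT validated
    "SSL_CLIENT_CERT": (
        "-----BEGIN CERTIFICATE-----\n"
        "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=\n"
        "-----END CERTIFICATE-----\n"
    ),
}


def pem_to_der(pem: str) -> bytes:
    """Normalize a PEM certificate (as mod_ssl exports it) to DER bytes."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER encoding; the value pinned from SP metadata."""
    return hashlib.sha256(der).hexdigest()


def accept_peer(env: dict, pinned: set) -> bool:
    """Explicit-key trust decision on the certificate the TLS layer handed over.

    Proof of possession already happened inside the OpenSSL handshake.
    With optional_no_ca nothing about CA, chain or validity period is
    relied upon here: the certificate is trusted only if it is pinned.
    """
    verify = env.get("SSL_CLIENT_VERIFY", "NONE")
    # mod_ssl values: NONE (no cert), FAILED:<reason> (verify error),
    # SUCCESS (chain validated), GENEROUS (presented but not successfully
    # verified against the configured CAs, the usual case with optional_no_ca).
    if verify not in ("SUCCESS", "GENEROUS"):
        return False
    pem = env.get("SSL_CLIENT_CERT", "")
    if not pem:
        return False
    return fingerprint(pem_to_der(pem)) in pinned
```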