[jira] [Commented] (FELIX-4797) Enable client certificate requesting without verifying the certificates

[Pascal Mainini (JIRA)]

    [ 
https://issues.apache.org/jira/browse/FELIX-4797?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14324253#comment-14324253
 ] 

Pascal Mainini commented on FELIX-4797:
---------------------------------------

In general, of course you are right. However for specific usecases (like the 
WebID-style authentication as explained in the description of the issue), the 
certificate is only used for conveying additional data which is then used for 
authentication. The idea here is that a user generates a self-signed 
certificate with specific extensions pointing to the authentication data. Due 
to the fact that self-signed certificates are used (and are used on purpose), a 
validation of the client certificate will fail in any case. Without having the 
possibility to disable this validation in Felix/Jetty, it is not possible to 
write applications which read this additional information out of the 
certificate and process them further. I hope this clarifies things a bit, I can 
provide deeper explanations if needed.

> Enable client certificate requesting without verifying the certificates
> -----------------------------------------------------------------------
>
>                 Key: FELIX-4797
>                 URL: https://issues.apache.org/jira/browse/FELIX-4797
>             Project: Felix
>          Issue Type: Improvement
>          Components: HTTP Service
>            Reporter: Pascal Mainini
>            Priority: Minor
>              Labels: patch
>         Attachments: 
> 0001-Patch-enabling-client-certificate-authentication-wit.patch
>
>
> This is a patch enabling requesting client certificate authentication without 
> further validation of the certificates provided by the client. Rationale:
> Enabling requests of client certificates by setting 
> "org.apache.felix.https.clientcertificate" to "wants" or "needs" requests a 
> client-certificate from any connecting client. Depending on the value set, 
> this is either an optional or mandatory step to be fulfilled by the client in 
> order to have it's HTTP-request further processed. 
> The client-certificate obtained is validated against either the 
> CA-certificates found in the truststore or - if none given - by the server's 
> certificate itself.
> For some usecases, this validation is unsuitable or not possible at all, 
> namely for supporting WebID-style (https://en.wikipedia.org/wiki/WebID) 
> authorization processed by a servlet within the container. 



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)