Posted to modperl@perl.apache.org by Ke...@uktransco.com on 2001/03/13 12:00:55 UTC

[OT] Client Certificate Authentification module?

I am looking for a module that will allow me to use Client 
Certificates to authenticate the users. I am pretty sure I have come 
across this before, but I cannot find it anywhere. Anybody know where 
I can find this.

I have searched CPAN for 'cert', 'authen' and 'client', but unless I 
am overlooking something there doesn't seem to be anything there.

Thank you very much. 

Kees Vonk

Mailing Code 3
Joule 1 - Ground Floor
Wharf Lane
Solihull 



Internal:
Phone:
7249 27705

 
E-Mail:
Kees Vonk/KV002/Solihull/Transco

 
Home Page:

https://rep1prod:8081/




External:
Phone:
0121 - 705 7581 ext. 27705

 
E-Mail:
Kees.Vonk@uktransco.com



 

______________________________________________________________________

The views expressed in this email are not necessarily the views of 
Transco plc, and the company, its directors, officers or employees 
make no representation or accept any liability for its accuracy or 
completeness unless expressly stated to the contrary. 

This e-mail, and any attachments are strictly confidential and 
intended for the addressee(s) only. The content may also contain 
legal, professional or other privileged information. If you are not 
the intended recipient, could you please notify the sender 
immediately and then delete the e-mail and any attachments, you 
should not disclose, copy or take any action in reliance of this 
transmission.  Unless expressly stated to the contrary, no contracts 
may be concluded on behalf of Transco plc by means of e-mail 
communication.

You may report the matter by calling us on  +44 (0)1455 230999.

You should not copy, forward or otherwise disclose the contents of 
this e-mail or any of its attachments without express consent.

Please ensure you have adequate virus protection before you open or 
detach any documents from this transmission.  Transco plc does not 
accept any liability for viruses.

Transco plc is part of Lattice Group
Transco plc is registered in England: Company number: 2006000
Registered Office: 130 Jermyn Street, London, SW1Y 4UR
http://www.transco.uk.com

Re: [OT] Client Certificate Authentification module?

Posted by Adam Worrall <Ad...@ft.com>.
>>>>> "KV" == Kees Vonk <Ke...@uktransco.com> writes:

    KV> I am looking for a module that will allow me to use Client
    KV> Certificates to authenticate the users. I am pretty sure I have
    KV> come across this before, but I cannot find it anywhere. Anybody
    KV> know where I can find this.

This is an apache / mod_ssl configuration issue:

  <http://www.modssl.org/docs/2.8/ssl_howto.html#ToC6>

I'm not aware of any mod_perl API into the SSL stuff.

I've got a live configuration of a setup that uses this stuff, so mail me
if you get stuck ...

 - Adam


Re: [OT] Client Certificate Authentification module?

Posted by Gunther Birznieks <gu...@extropia.com>.
If you download our Perl objects @ 
http://www.extropia.com/development/webware2/webware2.html, I have an 
AuthManager::Certificate which implements client certificate authentication.

Probably the best place to download the code for that is on the 
extropiaperl project at sourceforge if you want to see the implementation.

It's actually "trivial" because mod_ssl will decode the certificate into 
extra environment variables indicating stuff like the DN of the user. It's 
a requirement of SSL to make sure the certificate is valid based on the 
certificate's signature(s). At that point, then you need to deal with 
certificate revocation which is another matter. A lot of servers back up 
certificate authentication with LDAP.

So the client sends the cert which verifies that they are who they say they 
are, but LDAP needs to be used to actually get the relevant authorization 
information out. If you use the framework we have, that is accomplished by 
configuring the use of AuthManager::Certificate against Auth::LDAP. 
Auth::Cache::Session can optionally be used to speed up the process. 
Chapter 20 on the link I gave you has details on why we broke up the 
modules the way we did.

Note that this is not to be confused with a handler. This is application 
level logic. mod_ssl already handles certificate decoding so you really 
don't need a handler anymore. At that point it seems like app logic to take 
the user and figure out what you want them to do.

Of course, you can code authorization info into a cert like the roles that 
they are intended for. But I think that's IMHO, a really BAD way to do it 
because you have to revoke the cert to change the permissions of the user. 
Best to leave the cert to identify the user and allow a dynamic datastore 
to determine what they can do in most cases.

Later,
     Gunther

PS The hard part about client certificates isn't using them, it's managing 
them and the customers that use them.

At 11:00 AM 3/13/01 +0000, Kees.Vonk@uktransco.com wrote:
>I am looking for a module that will allow me to use Client
>Certificates to authenticate the users. I am pretty sure I have come
>across this before, but I cannot find it anywhere. Anybody know where
>I can find this.
>
>I have searched CPAN for 'cert', 'authen' and 'client', but unless I
>am overlooking something there doesn't seem to be anything there.
>
>Thank you very much.
>
>Kees Vonk

__________________________________________________
Gunther Birznieks (gunther.birznieks@extropia.com)
eXtropia - The Web Technology Company
http://www.extropia.com/
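
The split described in the post above (the certificate identifies the user, a dynamic datastore decides what they may do), sketched as an added example that is not part of the original post and is not the eXtropia AuthManager::Certificate code. It assumes mod_ssl is configured with `SSLVerifyClient require` and `SSLOptions +StdEnvVars`; the `authorize_from_cert` function, the `%DIRECTORY` hash standing in for LDAP, and all sample DNs are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed stand-in for the dynamic datastore (LDAP in the post):
# full subject DN -> roles. Changing a user's roles here needs no
# certificate revocation or reissue.
my %DIRECTORY = (
    '/C=GB/O=Example Ltd/CN=Alice Example' => [ 'reports', 'admin' ],
    '/C=GB/O=Example Ltd/CN=Bob Example'   => [ 'reports' ],
);

# Returns (dn, roles_arrayref) when access is granted, or an empty list
# when the request must be refused.
sub authorize_from_cert {
    my ($env) = @_;

    # mod_ssl sets SSL_CLIENT_VERIFY to SUCCESS only when the chain
    # validated; NONE, GENEROUS and FAILED:<reason> are all refused.
    my $verify = $env->{SSL_CLIENT_VERIFY} // 'NONE';
    return unless $verify eq 'SUCCESS';

    my $dn = $env->{SSL_CLIENT_S_DN};
    return unless defined $dn && length $dn;

    # Authentication ends here. Authorization is a lookup keyed on the
    # whole DN, not on the CN alone.
    my $roles = $DIRECTORY{$dn};
    return unless $roles;
    return ($dn, $roles);
}

# Constructed request environments; in a CGI or mod_perl app pass \%ENV.
my @samples = (
    { SSL_CLIENT_VERIFY => 'SUCCESS',
      SSL_CLIENT_S_DN   => '/C=GB/O=Example Ltd/CN=Alice Example' },
    { SSL_CLIENT_VERIFY => 'SUCCESS',    # valid cert, unknown to the directory
      SSL_CLIENT_S_DN   => '/C=GB/O=Example Ltd/CN=Carol Example' },
    { SSL_CLIENT_VERIFY => 'NONE' },     # no certificate presented
);

for my $env (@samples) {
    my ($dn, $roles) = authorize_from_cert($env);
    if (defined $dn) {
        printf "ALLOW %s roles=%s\n", $dn, join(',', @$roles);
    } else {
        printf "DENY  verify=%s dn=%s\n",
            $env->{SSL_CLIENT_VERIFY}, $env->{SSL_CLIENT_S_DN} // 'unset';
    }
}
```

The DN string format depends on the server version and configuration, so the directory keys must be stored in the same form the server exports.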


Re: [OT] Client Certificate Authentification module?

Posted by Matt Sergeant <ma...@sergeant.org>.
On Tue, 13 Mar 2001, Kees.Vonk@uktransco.com wrote:

> I am looking for a module that will allow me to use Client
> Certificates to authenticate the users. I am pretty sure I have come
> across this before, but I cannot find it anywhere. Anybody know where
> I can find this.
>
> I have searched CPAN for 'cert', 'authen' and 'client', but unless I
> am overlooking something there doesn't seem to be anything there.
>
> Thank you very much.

http://take23.org/articles/2001/03/12/redirect.xml

Might give you some clues...

Also, you might want to trim your disclaimer and sig on mailing list
posts - you had 9 lines of email and 70 lines of sig and disclaimer!

-- 
<Matt/>

    /||    ** Founder and CTO  **  **   http://axkit.com/     **
   //||    **  AxKit.com Ltd   **  ** XML Application Serving **
  // ||    ** http://axkit.org **  ** XSLT, XPathScript, XSP  **
 // \\| // ** mod_perl news and resources: http://take23.org  **
     \\//
     //\\
    //  \\