Comments on: Use your eID to authenticate at web sites, the open source way
https://www.stormacq.com/use-your-eid-to-authenticate-at-web-sites-the-open-source-way/
Some not-so random thoughts about this small IT World
Mon, 25 Jan 2016 12:47:01 +0000

By: Sebastien Stormacq (Thu, 23 Jul 2009 00:07:51 +0000)
https://www.stormacq.com/use-your-eid-to-authenticate-at-web-sites-the-open-source-way/comment-page-1/#comment-137

Thanks Jan for pointing me to this important legal aspect.
Some possibilities:

– Do not store the certificate in the LDAP. The module will check the validity of the certificate and accept whatever valid certificate is presented. This also simplifies the provisioning process, as you don’t have to copy the certificates to the Directory and maintain revoked, expired, etc. certificates.

– Use another identifying attribute, if there is such an attribute (an email address?)

– Subclass (or modify the source code of the) X509 authentication module to create your own. This would allow you to store a hash key of the serial number in the LDAP and search for the hash instead.

Should anyone have other options, let’s share and discuss this!

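The third option above (keep only a hash of the serial number in the directory and search on that), worked through as an added example; this is not code from the post or from the Sun/OpenSSO authentication module, and the attribute name eidPseudonym, the in-memory directory and the sample serial and key are constructed for illustration. It uses an HMAC with a single server-side key rather than a per-record random salt, because the value has to stay searchable when a card is presented at login.

```python
import hmac
import hashlib
from typing import Dict, Optional

# Hypothetical LDAP attribute that holds the pseudonymous identifier.
PSEUDONYM_ATTR = "eidPseudonym"

# In-memory stand-in for the directory: uid -> entry attributes.
Directory = Dict[str, Dict[str, str]]


def normalise_serial(serial: str) -> str:
    """Strip separators so the same card always yields the same input.

    The national number is often written with dots/dashes/spaces
    (constructed sample: '85.01.01-123.45'); only the digits matter.
    """
    return "".join(ch for ch in serial if ch.isalnum())


def pseudonymous_id(serial: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) of the normalised serial number.

    A per-record random salt, as used for passwords, would make the value
    unsearchable: at login time only the serial is known, not the salt.
    A server-side secret key keeps the value deterministic (usable in an
    LDAP filter) while a copy of the directory alone does not reveal the
    national number.  A plain unkeyed hash is not enough, because the
    number is built from a birth date plus a short counter and therefore
    has far too little entropy to resist guessing.
    """
    data = normalise_serial(serial).encode("ascii")
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def provision_user(directory: Directory, uid: str, serial: str, key: bytes) -> None:
    """Store only the pseudonym; the serial number itself is never written."""
    directory.setdefault(uid, {})[PSEUDONYM_ATTR] = pseudonymous_id(serial, key)


def lookup_user(directory: Directory, serial: str, key: bytes) -> Optional[str]:
    """What a subclassed auth module would do after validating the certificate:
    find the entry whose pseudonym matches the presented serial.
    Equivalent LDAP filter: (eidPseudonym=<hex digest>)."""
    wanted = pseudonymous_id(serial, key)
    for uid, attrs in directory.items():
        if attrs.get(PSEUDONYM_ATTR) == wanted:
            return uid
    return None
```

In a real deployment the key would come from a secrets store or HSM rather than application configuration, and rotating it requires re-provisioning every pseudonym.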
By: Jan Van den Bergh (Wed, 22 Jul 2009 23:03:51 +0000)
https://www.stormacq.com/use-your-eid-to-authenticate-at-web-sites-the-open-source-way/comment-page-1/#comment-136

We recently tried a similar approach in our test environment to authenticate using the Belgian eID. However, it is not legal to store the serial number (= national number of a person) in a database.

Do you have any suggestions on how to do this without storing this number in plain text (apparently a salted hash is allowed)?

By: Flawinne Julien (Thu, 29 May 2008 10:08:13 +0000)
https://www.stormacq.com/use-your-eid-to-authenticate-at-web-sites-the-open-source-way/comment-page-1/#comment-135

Hello 🙂

Very interesting and fairly detailed article; I was one of the students at the JavaOne afterglow 😀.

By the way, thank you for being there.

++

By: Jim Klimov (Wed, 19 Mar 2008 06:15:59 +0000)
https://www.stormacq.com/use-your-eid-to-authenticate-at-web-sites-the-open-source-way/comment-page-1/#comment-134

Thank you.

And is there any good document or blog detailing how the Sun Certificate Authentication Module works? Does it interact with a crypto API directly?

In particular, how does the auth module know which certificate is presented by the visitor: does the module itself participate in the TLS handshake, does it process certain HTTP headers set by an SSL gateway (or the web container itself), or are there some Java flags and variables set by the web container?

By: Sebastien Stormacq (Fri, 14 Mar 2008 08:13:46 +0000)
https://www.stormacq.com/use-your-eid-to-authenticate-at-web-sites-the-open-source-way/comment-page-1/#comment-133

Our Certificate Authentication Module implements the SSL client authentication RFC (I think it is RFC 2246: http://www.ietf.org/rfc/rfc2246.txt).

Should your configuration respect the standards, then it will work. Otherwise, writing a custom Authentication module is probably the solution.

By: Jim Klimov (Thu, 13 Mar 2008 02:53:54 +0000)
https://www.stormacq.com/use-your-eid-to-authenticate-at-web-sites-the-open-source-way/comment-page-1/#comment-132

Do you by chance know how exactly the Certificate Auth Module works?

Does it use HTTP headers added by an HTTPS-deciphering layer or some local variables and flags in the context of the application server running AMServer/Portal/etc?

We have a project which concerns integration of proprietary cryptography with Sun Portals. There is no stable Java integration yet (the core product is "certified" and unchangeable, and I can only guess it’s written in C). Thus we can’t use the benefits of the Java CryptoAPI to directly decipher the HTTPS data in the App Server context.

Instead, we use a separate program which can decipher these algorithms and forward plaintext HTTP to the backend servers (i.e. through a Sun SRA Gateway to the real-backend App Servers) and encodes the responses for the clients. You can consider it an "SSL Accelerator" or "proxy" in some common terms.

This program can also add HTTP headers (i.e. Certificate numbers chain) to the forwarded stream.

Can the Certificate Auth Module be used in this scenario, or are we bound to creating a new Auth Module as well?
