[foaf-protocols] CGI::Auth::FOAF_SSL mumblings
mail at tobyinkster.co.uk
Tue Dec 8 18:08:17 CET 2009
I've spent a few minutes this afternoon doing a little work on my Perl

Interesting features coming up:

* Now uses RDF::Trine instead of RDF::Redland. This is mostly
  an internal change that only "advanced" users are likely to

* If the certificate's subjectAltName field contains more than
  one URI, the previous behaviour was to only check the first
  and ignore all others. Now, it keeps going until it finds a
  URI which matches the certificate's modulus and exponent.
  What do other implementations (e.g. libAuthentication) do
  when presented with a certificate with multiple URIs?

* If the certificate has no URIs, or none of the URIs it has
  match its modulus and exponent, then e-mail addresses in the
  subjectAltName field are checked using Fingerpoint to find
  data about the owners of the addresses.

This last point goes beyond our normal technique of validating
certificates. I'd be interested to hear what people think about it. This
provides the ability to use FOAF+SSL with certificates that have e-mail
addresses but not URIs - this may be a useful fallback as OpenSSL is
preconfigured to create certificates like this, so it's likely that
there are a lot of existing certificates like this -- perhaps many from
well-known certification authorities.
Toby A Inkster
<mailto:mail at tobyinkster.co.uk>
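
The lookup order described in the message above, sketched in Python as an added example (not code from CGI::Auth::FOAF_SSL, which is Perl). `fetch_keys` and `lookup_email` are hypothetical stand-ins for dereferencing a URI and for the Fingerpoint lookup, and all profile data is constructed; the result records which path produced the identity so a relying party can apply a different trust level to the e-mail fallback.

```python
from typing import Callable, Iterable, List, NamedTuple, Optional, Tuple

class Key(NamedTuple):
    modulus: int
    exponent: int

class Result(NamedTuple):
    identity: Optional[str]
    method: str  # "uri", "email-fallback" or "none"

def parse_modulus(text: str) -> int:
    """Hex modulus as published in a profile: ignore case, colons, whitespace."""
    return int("".join(ch for ch in text if ch not in ": \t\r\n"), 16)

def verify(san: Iterable[Tuple[str, str]], cert_key: Key,
           fetch_keys: Callable[[str], List[Tuple[str, str]]],
           lookup_email: Callable[[str], Optional[str]]) -> Result:
    san = list(san)
    # Pass 1: try every URI in subjectAltName, not only the first one.
    for kind, value in san:
        if kind != "URI":
            continue
        try:
            claimed = [Key(parse_modulus(m), int(e)) for m, e in fetch_keys(value)]
        except (LookupError, ValueError, OSError):
            continue  # unreachable or malformed profile: move on to the next URI
        if cert_key in claimed:
            return Result(value, "uri")
    # Pass 2: only when no URI matched, fall back to e-mail addresses.
    for kind, value in san:
        if kind == "email":
            owner = lookup_email(value)
            if owner:
                return Result(owner, "email-fallback")
    return Result(None, "none")

# Constructed sample data: two profiles, one listing a different key.
PROFILES = {
    "https://alice.example/foaf#me": [("00:C3:5A 9F", "65537")],
    "https://alice.example/card#me": [("00:be:ef:12:34", "65537")],
}
EMAIL_OWNERS = {"alice@alice.example": "https://alice.example/card#me"}
fetch_keys = lambda uri: PROFILES[uri]   # raises KeyError for unknown URIs
lookup_email = EMAIL_OWNERS.get
CERT_KEY = Key(0xBEEF1234, 65537)
SAN = [("URI", "https://gone.example/#me"),
       ("URI", "https://alice.example/foaf#me"),
       ("URI", "https://alice.example/card#me"),
       ("email", "alice@alice.example")]
```

Comparing the modulus as an integer avoids false mismatches from case, separators or a leading zero byte in the published hex string.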