[foaf-protocols] CGI::Auth::FOAF_SSL mumblings

Toby Inkster mail at tobyinkster.co.uk
Tue Dec 8 18:08:17 CET 2009

I've spent a few minutes this afternoon doing a little work on my Perl
FOAF+SSL module.

Interesting features coming up:

* Now uses RDF::Trine instead of RDF::Redland. This is mostly 
  an internal change that only "advanced" users are likely to

* If the certificate's subjectAltName field contains more than
  one URI, the previous behaviour was to only check the first
  and ignore all others. Now, it keeps going until it finds a
  URI which matches the certificate's modulus and exponent.
  What do other implementations (e.g. libAuthentication) do
  when presented with a certificate with multiple URIs?

* If the certificate has no URIs, or none of the URIs it has
  match its modulus and exponent, then e-mail addresses in the
  subjectAltName field are checked using Fingerpoint[1] to find
  data about the owners of the addresses.

This last point goes beyond our normal technique of validating
certificates. I'd be interested to hear what people think about it. This
provides the ability to use FOAF+SSL with certificates that have e-mail
addresses but not URIs - this may be a useful fallback as OpenSSL is
preconfigured to create certificates like this, so it's likely that
there are a lot of existing certificates like this -- perhaps many from
well-known certification authorities.

1. http://buzzword.org.uk/2009/fingerpoint/spec

Toby A Inkster
<mailto:mail at tobyinkster.co.uk>

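The subjectAltName walk and the e-mail fallback described in the post, as an added example in Python; this is not code from CGI::Auth::FOAF_SSL, libAuthentication or any other implementation discussed on the list. The certificate fields, the FOAF documents "fetched" for each WebID URI and the Fingerpoint results are constructed in-memory stand-ins (assumption: a real verifier parses the X.509 SAN extension, dereferences each URI over HTTP and queries Fingerpoint for each address), and all function names are mine. The check_all_uris switch contrasts the old first-URI-only behaviour with the new walk over every URI, and the e-mail path is modelled on the assumption that data found through Fingerpoint must still publish the certificate's modulus and exponent before the address is trusted.

```python
"""Model of the subjectAltName walk and e-mail fallback described in the
post.  Offline stand-in (assumption): certificate, FOAF documents and
Fingerpoint results are in-memory data, not X.509 parsing or HTTP."""
from dataclasses import dataclass


@dataclass
class ClientCert:
    """Fields a verifier extracts from the client certificate."""
    modulus: int        # RSA modulus of the certificate's public key
    exponent: int       # RSA public exponent
    san_uris: list      # subjectAltName URI entries, in certificate order
    san_emails: list    # subjectAltName rfc822Name (e-mail) entries


# Constructed stand-in for the FOAF document at each WebID URI: the
# cert:modulus / cert:exponent pairs it publishes for that identity.
FOAF_DOCS = {
    "http://example.org/alice#me": [{"modulus": "00b1c2d3e4f5a6b7c8", "exponent": 65537}],
    "http://example.net/alice/card#i": [{"modulus": "d7 a9 c2 b3 e1 f0 45 67", "exponent": "65537"}],
    "http://example.org/bob#me": [{"modulus": "009f8e7d6c5b4a3928", "exponent": 65537}],
    "http://example.org/carol#me": [{"modulus": "0123456789abcdef", "exponent": 3}],
}

# Constructed stand-in for a Fingerpoint lookup: address -> WebID URIs.
FINGERPOINT = {
    "bob@example.org": ["http://example.org/bob#me"],
    "carol@example.org": ["http://example.org/carol#me"],
}


def fetch_published_keys(uri):
    """Stand-in for dereferencing a WebID URI and querying its RDF."""
    return FOAF_DOCS.get(uri, [])


def fingerpoint_lookup(email):
    """Stand-in for a Fingerpoint query returning WebID URIs."""
    return FINGERPOINT.get(email, [])


def parse_modulus(value):
    """Published moduli are usually hex strings (mixed case, whitespace,
    leading zero bytes); the certificate gives an integer.  Return an
    int, or None when the value cannot be parsed."""
    if isinstance(value, int):
        return value
    digits = "".join(str(value).split()).lower()
    if digits.startswith("0x"):
        digits = digits[2:]
    try:
        return int(digits, 16)
    except ValueError:
        return None


def parse_exponent(value):
    """Published exponents are decimal, as int or string."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def key_matches(cert, published):
    """True only when both modulus and exponent match exactly."""
    return (parse_modulus(published.get("modulus")) == cert.modulus
            and parse_exponent(published.get("exponent")) == cert.exponent)


def find_webid_by_uri(cert, check_all_uris=True):
    """Walk the SAN URIs in order; return the first whose published data
    matches the certificate key.  check_all_uris=False reproduces the old
    behaviour of checking only the first URI."""
    candidates = cert.san_uris if check_all_uris else cert.san_uris[:1]
    for uri in candidates:
        if any(key_matches(cert, k) for k in fetch_published_keys(uri)):
            return uri
    return None


def authenticate(cert):
    """Return (webid, method): 'uri' when a SAN URI matched, 'email' when
    a WebID found through Fingerpoint matched, else (None, None).  The
    e-mail path still requires the key match; an address alone proves
    nothing about who holds the private key."""
    webid = find_webid_by_uri(cert)
    if webid is not None:
        return webid, "uri"
    for email in cert.san_emails:
        for uri in fingerpoint_lookup(email):
            if any(key_matches(cert, k) for k in fetch_published_keys(uri)):
                return uri, "email"
    return None, None


# Constructed sample certificates (keys shortened to 64 bits for reading).
CERT_ALICE = ClientCert(0xD7A9C2B3E1F04567, 65537,
                        ["http://example.org/alice#me",
                         "http://example.net/alice/card#i"], [])
CERT_BOB = ClientCert(0x9F8E7D6C5B4A3928, 65537, [], ["bob@example.org"])
CERT_CAROL = ClientCert(0x0123456789ABCDEF, 65537, [], ["carol@example.org"])

if __name__ == "__main__":
    print("alice, first URI only:", find_webid_by_uri(CERT_ALICE, check_all_uris=False))
    print("alice, all URIs:      ", authenticate(CERT_ALICE))
    print("bob, e-mail fallback: ", authenticate(CERT_BOB))
    print("carol, exponent 3:    ", authenticate(CERT_CAROL))
```

Two points a verifier should keep: the modulus comparison normalises the hex form (whitespace, case, leading zero bytes) before comparing as integers, since a textual comparison against the certificate's modulus will miss valid keys; and the match is on modulus and exponent together, so Carol's certificate, whose published exponent differs, is refused even though the modulus agrees. The stand-in fetch must, in real code, go to the URI's own host: whoever can publish a matching key at the location actually fetched can claim that identity.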