Implement SSL client certificate authentication for OpenID provider

Bug #133804 reported by James Henstridge
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
Canonical SSO provider | Triaged | Wishlist | Unassigned |
isd | Confirmed | Low | Unassigned |

Bug Description

On the mailing list, it was suggested that we implement (optional?) SSL client certificate authentication for the Launchpad OpenID provider.

Given our current setup, the certificate validation would need to be done in Apache. To perform optional client certificate validation, something like this would need to be added:

    SSLCACertificateFile conf/ssl.crt/ca.crt
    SSLVerifyDepth 1
    SSLVerifyClient optional

[There is a note that this last option does not work with all browsers, so some testing would be necessary]

We can then use mod_headers to pass on certain info from the certificate to Launchpad with the RequestHeader directive (making sure that the user can't pass these headers directly). At a minimum we should pass SSL_CLIENT_VERIFY to see whether the certificate is valid. We probably also want to pass SSL_CLIENT_I_DN (issuer DN) and SSL_CLIENT_M_SERIAL (certificate serial number) to match the certificate against a certificate issued by Launchpad.

Checking the serial number also allows us to easily mark a certificate as revoked. If Launchpad sees that the user presented a verified certificate, it would then log the user in as the appropriate account.

We would then need code that can create certificates from the certificate authority, and associate them with Launchpad accounts. Launchpad would also need to be able to serve the certificate to the user in a form that will cause their browser to prompt to install.
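The header-based login decision sketched in the report, as an added example that is not part of the bug or of Launchpad's code. It assumes Apache has been configured with `SSLOptions +StdEnvVars` and `RequestHeader set` directives that unconditionally overwrite three request headers (names constructed here: `X-SSL-Client-Verify`, `X-SSL-Client-I-DN`, `X-SSL-Client-M-Serial`) from `SSL_CLIENT_VERIFY`, `SSL_CLIENT_I_DN` and `SSL_CLIENT_M_SERIAL`; because `RequestHeader set` replaces any value the client sent, the application may treat them as trustworthy. The issuer DN and the serial-to-account registry are constructed sample values. With `SSLVerifyClient optional`, the verify variable may read `NONE`, `SUCCESS`, `GENEROUS` or `FAILED:<reason>`, so anything other than `SUCCESS` is refused, as are certificates from a foreign issuer, unknown serials, and serials marked revoked.

```python
"""Map Apache-supplied client certificate headers to a Launchpad account.

Added example; not Launchpad or canonical-identity-provider code.
"""
from dataclasses import dataclass
from typing import Mapping, Optional, Tuple

# Header names assumed to be set by Apache's RequestHeader directive from the
# mod_ssl variables named in the bug. Constructed names, not Launchpad's.
HDR_VERIFY = "X-SSL-Client-Verify"   # from SSL_CLIENT_VERIFY
HDR_ISSUER = "X-SSL-Client-I-DN"     # from SSL_CLIENT_I_DN
HDR_SERIAL = "X-SSL-Client-M-Serial"  # from SSL_CLIENT_M_SERIAL

# Issuer DN of the Launchpad-operated CA, in mod_ssl's legacy "/C=.../CN=..."
# string form. Constructed sample value.
EXPECTED_ISSUER = "/C=GB/O=Canonical/CN=Launchpad Client CA"


@dataclass(frozen=True)
class CertRecord:
    """One certificate issued by the Launchpad CA and its owning account."""
    account: str
    revoked: bool = False


# Constructed registry of issued certificates: serial (upper-case hex, as
# mod_ssl reports it) -> record. Revocation is just a flag on the record.
CERT_REGISTRY = {
    "1A2B": CertRecord("jamesh"),
    "1A2C": CertRecord("stuartm", revoked=True),
}


class ClientCertError(Exception):
    """The presented certificate cannot be mapped to an account."""


def account_from_cert_headers(headers: Mapping[str, str],
                              registry: Mapping[str, CertRecord] = CERT_REGISTRY,
                              expected_issuer: str = EXPECTED_ISSUER) -> str:
    """Return the account to log in, or raise ClientCertError.

    Only trustworthy because Apache overwrites these headers on every request;
    never call this on headers that may have come straight from the client.
    """
    verify = headers.get(HDR_VERIFY, "NONE").strip()
    if verify != "SUCCESS":
        # Covers NONE (no cert offered), GENEROUS and FAILED:<reason>.
        raise ClientCertError(f"client certificate not verified: {verify}")

    issuer = headers.get(HDR_ISSUER, "").strip()
    if issuer != expected_issuer:
        # Chain validated against ca.crt, but not our CA (or header missing).
        raise ClientCertError("certificate not issued by the Launchpad CA")

    serial = headers.get(HDR_SERIAL, "").strip().upper()
    record: Optional[CertRecord] = registry.get(serial)
    if record is None:
        raise ClientCertError(f"unknown certificate serial {serial or '<none>'}")
    if record.revoked:
        raise ClientCertError(f"certificate serial {serial} has been revoked")
    return record.account


def login_decision(headers: Mapping[str, str]) -> Tuple[bool, str]:
    """Convenience wrapper: (True, account) or (False, rejection reason)."""
    try:
        return True, account_from_cert_headers(headers)
    except ClientCertError as exc:
        return False, str(exc)


if __name__ == "__main__":
    samples = {
        "valid": {HDR_VERIFY: "SUCCESS", HDR_ISSUER: EXPECTED_ISSUER,
                  HDR_SERIAL: "1a2b"},
        "revoked": {HDR_VERIFY: "SUCCESS", HDR_ISSUER: EXPECTED_ISSUER,
                    HDR_SERIAL: "1A2C"},
        "no cert": {HDR_VERIFY: "NONE"},
        "bad chain": {HDR_VERIFY: "FAILED:unable to get local issuer certificate",
                      HDR_SERIAL: "1A2B"},
        "foreign CA": {HDR_VERIFY: "SUCCESS", HDR_ISSUER: "/CN=Other CA",
                       HDR_SERIAL: "1A2B"},
    }
    for name, hdrs in samples.items():
        print(f"{name:>10}: {login_decision(hdrs)}")
```

The serial is normalised to upper-case hex before lookup because mod_ssl emits it that way; the issuer DN is compared verbatim, so the expected value must be in whichever DN string format the Apache build is configured to produce.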

Changed in launchpad-foundations:
importance: Undecided → Wishlist
status: New → Triaged
Changed in canonical-identity-provider:
importance: Low → Wishlist
tags: added: openidrp
Stuart Metcalfe (stuartmetcalfe) wrote:

We could consider prototyping this with webid. Here are some useful links:

 * http://esw.w3.org/WebID
 * http://esw.w3.org/Foaf%2Bssl/RelyingParties
 * http://foaf.me/sometestthing#me
 * http://reward.me/

Changed in canonical-isd:
status: New → Confirmed
importance: Undecided → Low
jace (jace01)
Changed in canonical-isd:
status: Confirmed → Fix Released
Changed in canonical-identity-provider:
status: Triaged → Fix Released
Colin Watson (cjwatson)
Changed in canonical-isd:
status: Fix Released → Confirmed
Changed in canonical-identity-provider:
status: Fix Released → Triaged
dhmi (albasha1990)
Changed in canonical-isd:
assignee: nobody → Al-basha@mail.net.sa (al-basha)
assignee: Al-basha@mail.net.sa (al-basha) → nobody
information type: Public → Private
Daniel Manrique (roadmr)
information type: Private → Public