Re: VC HTTP Authorization Conversation

From: Manu Sporny <msporny@digitalbazaar.com>
Date: Thu, 10 Jun 2021 10:54:43 -0400
To: public-credentials@w3.org
Message-ID: <fc1b4078-06ef-72c9-6043-241028ce99ed@digitalbazaar.com>

On 6/10/21 9:59 AM, David Chadwick wrote:
> one solution will be to require mutual TLS, where the authz token is the 
> caller's X.509 PKC, since this can address both authn and authz

Yes, this was brought up by one of the other implementers and is a good
example of "things we don't want to prevent from happening".

Many enterprises depend on mutual TLS to secure API endpoints and it would be
a mistake for the spec to say that doing so is not an appropriate mechanism
for securing the endpoints.

-- manu

-- 
Manu Sporny - https://www.linkedin.com/in/manusporny/
Founder/CEO - Digital Bazaar, Inc.
blog: Veres One Decentralized Identifier Blockchain Launches
https://tinyurl.com/veres-one-launches
Received on Thursday, 10 June 2021 14:57:26 UTC