Re: VC HTTP Authorization Conversation

On 6/10/21 9:59 AM, David Chadwick wrote:
> one solution will be to require mutual TLS, where the authz token is the 
> caller's X.509 PKC, since this can address both authn and authz

Yes, this was brought up by one of the other implementers and is a good
example of "things we don't want to prevent from happening".

Many enterprises depend on mutual TLS to secure API endpoints and it would be
a mistake for the spec to say that doing so is not an appropriate mechanism
for securing the endpoints.

-- manu

-- 
Manu Sporny - https://www.linkedin.com/in/manusporny/
Founder/CEO - Digital Bazaar, Inc.
blog: Veres One Decentralized Identifier Blockchain Launches
https://tinyurl.com/veres-one-launches

Received on Thursday, 10 June 2021 14:57:26 UTC