On Mon, Apr 16, 2018 at 9:11 AM, Viktor Dukhovni <ietf-d...@dukhovni.org> wrote:
> A major obstacle to making access control decisions during the TLS
> handshake is that at that time the server often does not yet have enough
> information to determine which specific resource the client will ask to
> access.

There's also the problem that (at least in an SOA/"microservice architecture") people will inevitably want some resources to be accessible without a client certificate, e.g. status endpoints or anything consumed by clients which do not support TLS certificates. In these cases it really helps to force things up a level out of the TLS handshake into something at the application level like an ACL language that lets you whitelist unauthenticated access to these resources.

--
Tony Arcieri
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
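The pattern discussed in this thread, as an added example that is not code from the list or its participants: the handshake is configured to succeed with or without a client certificate (verifying any certificate that is offered), and the actual access decision is made per request by an application-level ACL that allow-lists unauthenticated paths. The path prefixes, port and certificate file names are constructed placeholders.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"log"
	"net/http"
	"strings"
)

// ACL lists path prefixes (constructed for this example) that may be served
// without a client certificate; every other path requires a verified one.
type ACL struct{ UnauthenticatedPrefixes []string }

// Allows is the access decision moved out of the TLS handshake and into the
// application, where the requested resource is finally known.
func (a ACL) Allows(path string, clientCertVerified bool) bool {
	for _, p := range a.UnauthenticatedPrefixes {
		if strings.HasPrefix(path, p) {
			return true
		}
	}
	return clientCertVerified
}

// Middleware applies the ACL per request. r.TLS.VerifiedChains is non-empty
// only when the client presented a certificate that chained to ClientCAs.
func (a ACL) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		verified := r.TLS != nil && len(r.TLS.VerifiedChains) > 0
		if !a.Allows(r.URL.Path, verified) {
			http.Error(w, "client certificate required", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// ServerTLSConfig lets the handshake complete with or without a client
// certificate, but verifies any certificate that is offered against clientCAs.
func ServerTLSConfig(clientCAs *x509.CertPool) *tls.Config {
	return &tls.Config{ClientAuth: tls.VerifyClientCertIfGiven, ClientCAs: clientCAs, MinVersion: tls.VersionTLS12}
}

func main() {
	acl := ACL{UnauthenticatedPrefixes: []string{"/healthz", "/metrics"}} // constructed allow-list
	srv := &http.Server{Addr: ":8443", TLSConfig: ServerTLSConfig(nil), Handler: acl.Middleware(http.DefaultServeMux)}
	log.Fatal(srv.ListenAndServeTLS("server.crt", "server.key")) // placeholder file names
}
```

Because the handshake no longer rejects certificate-less clients, the middleware is the only thing standing in front of protected paths, so it must wrap every handler, not just the ones you remember to protect.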