On Mon, Apr 16, 2018 at 9:11 AM, Viktor Dukhovni <ietf-d...@dukhovni.org>

> A major obstacle to making access control decisions during the TLS
> handshake is that at that time the server often does not yet have enough
> information to determine which specific resource the client will ask to
> access.

There's also the problem that (at least in an SOA/"microservice
architecture") people will inevitably want some resources to be accessible
without a client certificate, e.g. status endpoints or anything consumed by
clients which do not support TLS certificates. In these cases it really
helps to force things up a level out of the TLS handshake into something at
the application level like an ACL language that lets you whitelist
unauthenticated access to these resources.

Tony Arcieri
TLS mailing list
