ghost
commented
3 years ago I agree
Open rschaar-logius opened 3 years ago
ghost
commented
3 years ago I agree
fterpstra
commented
3 years ago API-15 removed for now, replaced by reference to Digikoppeling. Will keep issue open as i think some further discussion is needed. The current "functioneel werkingsgebied" of digikoppeling might mandate PKIOverheid mTLS on many use cases where it is not needed
PHaasnoot
commented
3 years ago Excerpt from https://www.forumstandaardisatie.nl/open-standaarden/digikoppeling: "The exceptions are: the exchange of Geo-information (NEN3610 exists for this) and the cases in which the provider of data establishes that there is no need to authenticate the recipient of the data" or in Dutch: "Uitgezonderd zijn: de uitwisseling van Geo-informatie (daarvoor bestaat NEN3610) en de gevallen waarin de aanbieder van gegevens vaststelt dat geen noodzaak bestaat om de afnemer van de gegevens te authenticeren."
The remark "cases in which the provider of data establishes that there is no need to authenticate the recipient of the data" is part of the additional explanation and not of the paragraph "functioneel werkingsgebied", this is something to address / discuss further.
rschaar-logius
commented
3 years ago Even "no need to authenticatie" would still be too restrictive. The use of OAuth2 access tokens as method for authentication/authorization can in various cases eliminate the need for PKIo certificates. Of course PKIo can and should still be mandated for Client Authentication of confidential clients, where applicable.
sanderke
commented
2 years ago The rule block is absent, yet API-15 is still present in the list Informative Design Rules.
Rule API-15 states that PKIoverheid are to be used (MUST?) for access restricted APIs. That would be too limitative in many use cases, and conflicts the section on End-user and client authentication in the security extension.