I agree with the statements on SMART. On the server, we have in other profiles (PDQm) more strongly encouraged (recommended) ATNA on the server to get at least audit logging on the server, where clients have not been required to do this. There is an ATNA Option for use with OAuth that lowers the connection requirement to server-side TLS only (so does not require mutual-auth).
Impact: capabilityStatement, and possibly the volume 1 security section