Closed gerardsn closed 4 months ago
so either
Option 1 is fine for now. Option 2 would be a good long-term solution, but also requires us to monitor changes to the list of issuers. Before we move in that direction, I'd like to know how relevant this list is going to be (from a Nuts perspective, not a use-case perspective) after switching to OpenID4VC flows.
If the auth flow removes mTLS requirements, not much.
https://nuts-foundation.gitbook.io/drafts/rfc/rfc008-certificate-structure#id-3.1-certificate-authority-trust-chain
contains the following
The problem with this is that this list changes over time. Without inclusion criteria for the certificates (besides domain private services), the last line in the quote is causing issues for implementers.
Perhaps we should just include all certificates in the domain private services chain?