2 points | by getvictor a day ago
3 comments
I wrote up the pros and cons of mTLS vs HTTP message signatures for additional client authentication here:
https://victoronsoftware.com/posts/mtls-vs-http-signature/
No sane infrastructure engineer would let you do anything other than TLS in production. Devs are largely untrusted to get security correct.
Yes, I'm assuming you're always running TLS. The question is whether to use mTLS (mutual TLS) vs HTTP message signatures to verify that the request is coming from a trusted client.