...
The Framework document contains the following statement: "All REST API calls MUST take place over HTTPS. Defined mechanisms MUST be in place to establish trust in the underlying keys."
Proposal From Discussion on 16 Apr 2014 Call
The Framework should require certain characteristics, such as
- Identification of end points (at least server, perhaps client)
- Confidentiality of data (eg: SSL)
APIs may implement protocols suitable for their specific bindings so long as they are compliant with the Framework requirements.
Additionally, the Framework may define certain mechanisms as explicitly compliant, such as
- Basic auth over HTTPS
- Client side certificates via HTTPS