client to server authn | server to client authn | notes |
---|---|---|
GSSAPI | GSSAPI | Kerberos provides strong mutual authentication, tls-server-end-point ties the Kerberos authentication to the TLS channel |
Certificate | Certificate | client and server mutually authenticate via trusted CA-signed certs |
Token | Certificate |
TLS verification will initially require the presented cert to be signed by the trusted root CA. Eventually we will add hostname and/or server ID checking as well.