MP-HEALTH, Digest Auth requirement for 1.0?


sst...@redhat.com

Aug 17, 2017, 8:19:30 PM
to Eclipse MicroProfile
As pointed out in issue #47, the current HealthCheck protocol requires Digest auth as a supported mechanism, and indicates that it should be the default. Is that something we do want to require for 1.0?

sst...@redhat.com

Aug 17, 2017, 9:21:54 PM
to Eclipse MicroProfile
More generally, what are the security requirements we define for the 1.0 spec? I would suggest relaxing the current security section of the spec to the following:

  • A producer MUST enforce security on all health check invocations if the context associated with the endpoint has been configured as secure.
  • A producer MAY ignore security for trusted origins (e.g., localhost)
  • HTTP Digest Auth SHOULD be one supported authentication mechanism.
  • MP-JWT Auth SHOULD be one supported authentication mechanism.

Heiko Braun

Aug 18, 2017, 7:08:38 AM
to Eclipse MicroProfile


Please see my (lengthy) response on https://github.com/eclipse/microprofile-health/issues/47 to this question.

That said, I would be much in favour of keeping the discussions on the GitHub issues to keep it consistent.

Werner Keil

Aug 18, 2017, 7:28:45 AM
to Eclipse MicroProfile
I know, prefixing messages or tags can help a bit, but wouldn't a gitter channel similar to mp-metrics also be a good idea for some aspects of health?;-)

Werner