Forked from #187
For exchanges, any additional security would be bootstrapped with an additional request/challenge.
So, by default the system doesn't enforce / enable other specific authorization mechanisms.
My question: how do I use zCaps to secure an exchange?
Assume I can get the zCap to the caller. That zCap contains an invocation at an exchange endpoint where they can retrieve their credential.
How do I set up the exchange to require a legitimate signed zCap?
I'll create a new issue to work on that. FWIW, it may just be implementation guide language rather than any normative changes.
What I don't want to do is allow anyone to visit that exchange. I want to require a countersigned (invoked) zCap.