I had a friend say:
We're securing our microservice with an HMAC derived from the private key in the jks file. [Where client and server shared the same private key]
I can understand the situation where you have an HMAC from a secret that is short-lived - such as one derived from HashiCorp Vault.
But if the HMAC has the same lifetime as the private keys - why not just secure the microservice using SSL based on the private keys you've already installed?
My question is: Is there value to signing microservice calls with an HMAC derived from the same private key?
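To make the comparison in the question concrete, here is an added example (not code from the original post) of what "signing microservice calls with an HMAC" typically looks like: the client signs a canonical form of the request with a key derived from a shared secret, and the server recomputes the tag, compares it in constant time, and rejects stale timestamps so a captured request cannot be replayed indefinitely. The shared secret, the derivation salt/label and the skew window are all constructed placeholders standing in for the key material the post says lives in the shared jks file; the derivation is a single HKDF-style extract/expand round written out by hand, not a library API.

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed stand-in for the secret both client and server hold.
# In the question this is key material from a shared .jks file.
SHARED_SECRET = b"constructed-demo-secret-not-a-real-key"

# Requests whose timestamp is further than this from the server clock are
# rejected; this bounds how long a captured request remains replayable.
MAX_SKEW_SECONDS = 300


def derive_signing_key(secret: bytes, purpose: bytes = b"request-signing") -> bytes:
    """Derive a purpose-specific HMAC key from the shared secret.

    One extract step (HMAC over the secret with a fixed salt) followed by one
    expand step (HMAC over a label) so the request-signing key is not the raw
    secret and is distinct from any other key derived for another purpose.
    Salt and label are constructed constants for this demo.
    """
    prk = hmac.new(b"demo-hkdf-salt", secret, hashlib.sha256).digest()
    return hmac.new(prk, purpose + b"\x01", hashlib.sha256).digest()


def canonical_string(method: str, path: str, body: bytes, timestamp: int) -> bytes:
    """Build the exact byte string both sides sign.

    Method, path, timestamp and a hash of the body are joined with newlines so
    that changing any one of them changes the tag. The timestamp is inside the
    signed data, so an attacker cannot refresh it on a captured request.
    """
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), body_hash]).encode()


def sign_request(key: bytes, method: str, path: str, body: bytes, timestamp: int) -> str:
    """Client side: HMAC-SHA256 over the canonical request, hex encoded."""
    return hmac.new(key, canonical_string(method, path, body, timestamp), hashlib.sha256).hexdigest()


def verify_request(key: bytes, method: str, path: str, body: bytes, timestamp: int,
                   signature: str, now: Optional[float] = None) -> bool:
    """Server side: reject stale timestamps, then compare tags in constant time."""
    current = time.time() if now is None else now
    if abs(current - timestamp) > MAX_SKEW_SECONDS:
        return False
    expected = sign_request(key, method, path, body, timestamp)
    # compare_digest avoids leaking where the first mismatching byte is.
    return hmac.compare_digest(expected, signature)


if __name__ == "__main__":
    key = derive_signing_key(SHARED_SECRET)
    ts = int(time.time())
    body = b'{"order_id": 42}'
    tag = sign_request(key, "POST", "/orders", body, ts)
    print("signature:", tag)
    print("valid:", verify_request(key, "POST", "/orders", body, ts, tag))
    print("tampered body valid:", verify_request(key, "POST", "/orders", b'{"order_id": 43}', ts, tag))
```

Note what this does and does not buy you relative to TLS with the same key material: the tag authenticates and integrity-protects each request and, with the timestamp, limits replay, but it does not encrypt the body, and if the HMAC key is derived from a long-lived key that both sides already hold, compromise of that key breaks both the HMAC and the TLS identity at once, which is the point the question is getting at.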