[saag] FW: [secdir] [new-work] WG Review: Workload Identity in Multi System Environments (wimse)
Roman Danyliw <rdd@cert.org> Mon, 26 February 2024 17:28 UTC
Return-Path: <rdd@cert.org>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3CE33C14F68D for <saag@ietfa.amsl.com>; Mon, 26 Feb 2024 09:28:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cert.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uILVcT4hwntW for <saag@ietfa.amsl.com>; Mon, 26 Feb 2024 09:28:43 -0800 (PST)
Received: from USG02-CY1-obe.outbound.protection.office365.us (mail-cy1usg02on0085.outbound.protection.office365.us [23.103.209.85]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5EFAAC15108C for <saag@ietf.org>; Mon, 26 Feb 2024 09:28:43 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector5401; d=microsoft.com; cv=none; b=ND60ujDCNIPvq+Ol3DEvn2/Vcf72VgP7ZBhWoc0wXnoc3RF4mOkH78m8Jghu2F77Db72s51qC2rN5uudgyHnUBPMiuj1f6ldu5wryE8YpE8/4nz2YP6aziJalPrUUSYTht20dz1MmTL87BajgXatk/khcJhs1AkF2+6GCVC/Q0AbyjuTy563GPZTLfsXjvQ3bQD7es9jvG3FHWX2w6BhGFyc2uX8JEhEbWc+cqD4uEvZtzNwSirGMHSaTKvGzUvcUgnPRTLerrvqvNMpOV3/kKeLPy3pIEx5MhwvVfMZF57UMRNQ6EXuvzTpY+7nLAURTuNQMX0wXajvflggd5nAOQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector5401; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=p7N7R9CDWbndgNr9Q+RnKijPX4AcOuULeGK3r3JoxFc=; b=lH1zB4MHtwg0sOtjfynW6DqU4jaojF1w/WHx7id8HoPjwRevkdmgSFIf/ZLiJ6HuTcLSjz4y55tR+YYRCYuK5PbwOdk47YsPwsKM6LkbsWsCULzMz8baCxlacoX77WfM9KxGzn6CZTvqgL50VvYyr5KTK3CSbc1CyGGxEhZ1lL7d7XdRtJXh9vKv1BOCCyGCkYh4dBA7GwM+86T8U+e65oIFv+N1CnXNXNI5d+pj7X9T2OqEDR5XT6CFSzN5pO/ckFjPSskEmO8xFpNlKrg7MoNtaX4rCQXncz4YMd1sngJBKgDjkgIvBtmVY6j0UeVi8Hj8KIGK7qnQRN6xDeqh7w==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cert.org; dmarc=pass action=none header.from=cert.org; dkim=pass header.d=cert.org; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cert.org; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=p7N7R9CDWbndgNr9Q+RnKijPX4AcOuULeGK3r3JoxFc=; b=ooV6VP3zVYuRZ/gL9RRuLvKj+uYePPeaBdjZzizI3srokaqYZzoDyoMOIlhjfacNBK8nXexM5jugkMN2ZZIEYyg9tnHcI+uCW/tkKjcvJ4uQfqOGttWYEbugFS3KbDC97Nx3gp0FFjT+wMhNBbRygb24+55CwOwWmddB6b4HgZQ=
Received: from BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM (2001:489a:200:168::11) by BN2P110MB1637.NAMP110.PROD.OUTLOOK.COM (2001:489a:200:17b::12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7270.47; Mon, 26 Feb 2024 17:28:40 +0000
Received: from BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM ([fe80::acd1:6591:c445:e0b]) by BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM ([fe80::acd1:6591:c445:e0b%5]) with mapi id 15.20.7270.047; Mon, 26 Feb 2024 17:28:40 +0000
From: Roman Danyliw <rdd@cert.org>
To: saag <saag@ietf.org>
Thread-Topic: [secdir] [new-work] WG Review: Workload Identity in Multi System Environments (wimse)
Thread-Index: AQHaaNg2dMcnO8PSiU2yYvDQ7Vgu9rEc3/Hw
Date: Mon, 26 Feb 2024 17:28:40 +0000
Message-ID: <BN2P110MB11074CD2DE1703784BF53045DC5AA@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM>
References: <170896766995.46597.4589575257943050478@ietfa.amsl.com>
In-Reply-To: <170896766995.46597.4589575257943050478@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=cert.org;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: BN2P110MB1107:EE_|BN2P110MB1637:EE_
x-ms-office365-filtering-correlation-id: 20040479-d35d-467d-aeeb-08dc36f05fd4
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 8AIcsKWH4R++JZOtXTPt5Q7T6yjDwBseVjg89Ri8+ADHA3dOzDUPFbyCidTbaFprxT+6MfpoaKNZ1IHJsnFajnwI3Xeqnu49lRfotsHVy1Fm/QSAQPHet7uw9al3O6a382svcUFZUWDt9olq6/E9zumqv4LxBz9Ehwl+GzaJcLU3hkRiWP7Cnsw428TFyXIYMT+nmweIXt++c4O8upowMLyLwoRHGyAquT6qWOyPYXqIJrsTKu/LRx1dsteScUjErKJbIwDy2hkaqaGbCZGkWPNcS1IaoInfZZMWqRqijLtVA5BQ85x81kUqxguk6omeTNYxNj9Istx5PQhiRcV8LmI/fo7ZZ3/sLFnpbYkUnKmRsCtwAwWL2N0Uyt/6g1vzUi8Azv23T8mUNdwi6+WZfQklfUHOILzyk6P7EdNNR2VShtD/5S5idLy3R65w6depBPrE9efo8r5YO1IIQHuslMDiju3BnRLjKjoyk5wy8fx36fOpYuzQ3f5itrymqg0li2a9ZzICCe6+mit6HxnziC7HuqwmB7AIQH6zP+HaY93l2oMC1JiXNyKPF3eoIyEDHjZTcjkyM4zSZDqPxLky1aENmryR5T66Q+oIUAeglwMn+moA9Y5MGGinYwVGTvUSYJKwrv2/APrwC4Fg2zC99Hto2l5+rr1o38nW3ptJHE4PjZCMOfiMp+uu/AV+aK27QH/bMRoIAWT9KbTqvd9bdQ==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(13230031)(230273577357003)(38070700009); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: 4+70+K9as0+kqAh4HBvFy9FSyLvBFUuy9aakIzvBGbchtEL6kFR6qi5dfw5hauPSrqvXm+QlZTiP0Y7e6bo8KAMUYETIkZSg/lTlZRMOeNEl0Hx6W9QFoATkxfELq0hXdJ2EPjzNfjt3ZXLNcUnOpWffMroA7Nk7TJIVJZDcp7EQ/kNkL5+WYoPRmXwe27l7RukQLihgjAvJ6PvBzvCnthekgWelGQaGSnWoeMraYv0sXPK49g3/jM01V0GoET+9sKwMSeVvGoi+jV6fwFRJOskhZMZlTfrjI04+QFKfR1F+HdY5DsIW1+mrIjAFAdTDSDDD4ffmhXfB9A/LRm5ZlO4gKh99E3shyWaq/k0iZVIzmM4svPQZ1ykYA7KOWQF3rHrviNePVzXjBVn7ZvcCxHmvvT36+L+milWVD/0PDHGpSQRdquzlF7XsDagji1SBL3WzB8HmZ2oC5hJdRcFGfh8Smlyuf7+7r1T5G1uNNCd6Gh3Gtu9Gjp8JvtTh1zudN/5AWFZzfqnRzdTCJwqOG87NiYuizfdYYJjjoQ+++KIa6vlbjVTp7qBynQ4awnzAeicSFm/iSotH6jDzPckeWHjHtHWzicBUPhcUuEVG8z/9k3blWdLDjHV6I71ZznQ4bZeIejxojoZw8DbzgAFzcFKksooOEM7haGJWIiSvXpUZtSoqkqUULzyiCXu0aXpa+uAFWOL+fqK9IOeLsvR/8NOtp3xVeCl5R4ukFo2XwuGcJYJ0BfsdH6q1je3IRb3Aq7CAF6Aktlp9MJZKYHx4Rzn83u3p4pKykcbCRQWVmEc9wJ5KOW2BU+L3/zer7gV4QVUYBSYbPMn1TBXCMzv5EdJ3RH6UXGMcgEn2HM/QjLOW3W+t9E67TMYkOdq+zBfAA7vie/Zx5tqL9DKnZ6p3TI/V8JWyFuaA7Ac0fZhCjoBeUmAo0MOnQpJY6bK7XiuPcf9p14s4sh7MGcuxRtyYl721bhmoxpMxr3hqOD1TZUm+FrXG6Y9+b0GCMpjxb5Q3bVrfYvQsKAyZ5rGv0+ufDwNIl5zCrldR/PtUVu4fEkrHzd+45OdvaLW+wb4qJyOW1vsvVwOsyJSD3y1VUPKniXn+keHfBARVdXcgFi1A1FXD2Q3XqP3PbSaMcIqm7M5VBQEfCl4l0M80vTQcGoRwt+vGDqAIazx1NKehEqcOZdehZz/MqJomUsN+IDz7eX7XtYgjsvyfCkk9THCEuWmoM4ns7wD3CM3bsVtErbq6NI3KPaYkksWZkdOlBKeUVZkmellVa4s5i+jAeByqaIdegaKOWIqhh04uw8aaxyFgFnqO3kZrvrrX4NNz5a9oGpsRqJVf1pyB6uY+AK6DfdvotyuDF4K/xif3ceL93XB1ZcwM02BGcO6gj1OIZaWQR70HcC5AoGmedUiRj5hM9CUAFVb/EOR4K+1r+awKM8O/h4phHT182/aeeMx9bs5CLA4S2Jb9kUeLM5+uvVvUR9lb1XdSLDR70D8IgkH8o6IEptc=
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: cert.org
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 20040479-d35d-467d-aeeb-08dc36f05fd4
X-MS-Exchange-CrossTenant-originalarrivaltime: 26 Feb 2024 17:28:40.7325 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 95a9dce2-04f2-4043-995d-1ec3861911c6
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN2P110MB1637
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/kJjQ53kLuyQYsly3UxkpjCRPxC4>
Subject: [saag] FW: [secdir] [new-work] WG Review: Workload Identity in Multi System Environments (wimse)
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Feb 2024 17:28:47 -0000
Raising visibility that the security-adjacent WIMSE BOF at IETF 118 is now community review on forming a WG until 2024-03-04. See below or https://mailarchive.ietf.org/arch/msg/ietf-announce/PAuVMopE2Bai6cli4zYodkWxIzA/. Roman -----Original Message----- From: secdir <secdir-bounces@ietf.org> On Behalf Of The IESG Sent: Monday, February 26, 2024 12:14 PM To: new-work@ietf.org Subject: [secdir] [new-work] WG Review: Workload Identity in Multi System Environments (wimse) Warning: External Sender - do not click links or open attachments unless you recognize the sender and know the content is safe. A new IETF WG has been proposed in the Applications and Real-Time Area. The IESG has not made any determination yet. The following draft charter was submitted, and is provided for informational purposes only. Please send your comments to the IESG mailing list (iesg@ietf.org) by 2024-03-04. Workload Identity in Multi System Environments (wimse) ----------------------------------------------------------------------- Current status: BOF WG Chairs: Joseph Salowey <joe@salowey.net> Yaron Sheffer <yaronf.ietf@gmail.com> Assigned Area Director: Murray Kucherawy <superuser@gmail.com> Applications and Real-Time Area Directors: Murray Kucherawy <superuser@gmail.com> Francesca Palombini <francesca.palombini@ericsson.com> Technical advisors: Paul Wouters <paul@nohats.ca> Mailing list: Address: wimse@ietf.org To subscribe: https://www.ietf.org/mailman/listinfo/wimse Archive: https://mailarchive.ietf.org/arch/browse/wimse/ Group page: https://datatracker.ietf.org/group/wimse/ Charter: https://datatracker.ietf.org/doc/charter-ietf-wimse/ Background & Motivation The increasing prevalence of cloud computing and micro service architectures has led to the rise of complex software functions being built and deployed as workloads, where a workload is defined as a running instance of software executing for a specific purpose. This working group will focus on the unique identity and access management aspects of workloads at runtime and their execution context, particularly focusing on the propagation, representation, and processing of workload identities. Though the following items are relevant to the context of workloads, these items are not workloads and this working group will not define: * Static software identities and provenance, such as software bill of materials (SBOM) * Personal identities * Deployment chains * Supply chain management The rise of diverse service platforms and the drive for business flexibility, cost-efficiency, resilience, and compliance make maintaining least privilege access for workloads increasingly complex. As a result of the adoption of microservice architectures, services are composed of multiple workloads that need to authenticate to each other while making authorization decisions based on the original caller, their context, and the actions of other workloads that acted on a transaction. These workloads are often distributed across trust boundaries, without a single centralized controller managing the different identities or authorization policies. Workloads are often associated with complex context, including user identity, software origin, and hardware-based attestation. Communicating this context involves a unique set of challenges across different scenarios including multi-hop, long-lived and asynchronous transactions. While several standards and open-source projects offer foundational elements for secure workload identity, there remains a lack of clarity in their interoperation and combination. These technologies (specifically: OAuth, JWT, and SPIFFE) have been combined in a variety of ways in practice, but the solutions have existed in relative isolation. This ambiguity can lead to inconsistencies, interoperability issues, and potential security vulnerabilities. Goals The Workload Identity in Multi-Service Environments (WIMSE) working group is chartered to address the challenges associated with implementing fine-grained, least privilege access control for workloads deployed across multiple service platforms, spanning both public and private clouds. The work will build on existing standards, open source projects, and community practices, focusing on combining them in a coherent manner to address multi-service workload identity use cases such as those identified in the Workload Identity Use Cases I-D (draft-gilman-wimse-use-cases). The goal of the WIMSE working group is to identify, articulate, and bridge the gaps and ambiguities in workload identity problems and define solutions across a diverse set of platforms and deployments, building on various protocols used in workload environments. The WG will standardize solutions (as proposed standard) and document existing or best practices (as informational or BCP) per the Program of Work. While recognizing that the broader workload ecosystem uses a variety of application protocols (e.g., gRPC, Kafka and GraphQL), the WG will focus on only specific REST-based technologies using HTTP. WIMSE will also serve as a standing venue to discuss operational experience and requirements with workload identity. These discussions need not be restricted to technologies currently in scope to this charter. Dependencies and Liaisons The WIMSE working group will closely collaborate with: * Other IETF working groups that address topics related to identity, authentication, and authorization, including, but not limited to, OAuth, SCIM, SCITT, and RATS. * The Cloud Native Computing Foundation (CNCF), particularly with regard to the SPIFFE/SPIRE project. * The OpenID Foundation. Program of Work The WIMSE WG will focus on the following program of work: * [I] WIMSE architecture: The group will develop a document that defines common terminology, discusses workload attestation and identity, specifies a threat model, and defines a set of architectural components and several compositions of those components. The document will describe 2-3 scenarios and for each of them, it will identify key points needed for interoperability. * [PS] Securing service-to-service traffic: a JOSE-based WIMSE token solution to protect a chain of HTTP/REST calls, within and across trust domains. The document should support identification of microservices and cryptographic binding of the token to the caller’s identity and optionally, binding to the transaction. It should support associating context with the token, including but not limited to user identity, platform attestation, and SBOM artifacts. This deliverable includes both a token format and its usage, including binding to the caller’s identity. * [PS] Token issuance: A document describing a method for local issuance of WIMSE tokens where the local issuer operates with limited authority. The local issuer can be the workload itself or another workload deployed nearby. * [PS] Token exchange: Specify a protocol for exchanging an incoming token of one format for a workload-specific WIMSE token at security boundaries (possibly based on RFC 8693). Additionally, this token exchange will require specifying as proposed standard a small set of token exchange profiles (mapping of claims) between existing and new WIMSE token formats. * [I or BCP] Document and make recommendations based on operational experience to existing token distribution practices for workloads. Milestones: Nov 2024 - Submit informational document describing considerations for filesystem-based JWT delivery in Kubernetes to the IESG Mar 2025 - Submit proposed standard for a JOSE-based WIMSE token solution to protect a chain of HTTP/REST calls for workloads to the IESG Mar 2025 - Submit proposed standard document specifying a token exchange profile that maps claims from SPIFFE-identified services to OAuth-protected resources, and vice versa to the IESG Mar 2025 - Submit a proposed standard for a token exchange profile mapping the JWT BCP [RFC9068] to the JOSE-based WIMSE token to the IESG Nov 2025 - Submit a protocol as proposed standard for exchanging an incoming token of one format for a workload-specific token at security boundaries to the IESG Jul 2026 - Submit informational document describing the WIMSE architecture to the IESG _______________________________________________ new-work mailing list new-work@ietf.org https://www.ietf.org/mailman/listinfo/new-work _______________________________________________ secdir mailing list secdir@ietf.org https://www.ietf.org/mailman/listinfo/secdir wiki: https://wiki.ietf.org/group/secdir/SecDirReview
- [saag] FW: [secdir] [new-work] WG Review: Workloa… Roman Danyliw