[Wimse] Re: Request for Input: Best Current Practice for OAuth 2.0 Client Authentication in Workload Environments
"McAdams, Darin" <darinm@amazon.com> Tue, 13 August 2024 02:29 UTC
To: Pieter Kasselman <pieter.kasselman=40microsoft.com@dmarc.ietf.org>, "wimse@ietf.org" <wimse@ietf.org>, Justin Richer <jricher@mit.edu>
Message-ID: <5E61E084-99E8-40F6-B0B8-EFA29A63638A@amazon.com>
List-Id: WIMSE Workload Identity in Multi-Service Environment <wimse.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/wimse/43ikk4WM5q3AO4ci3qc7zkwjlqs>
Vote (A)

From: Pieter Kasselman <pieter.kasselman=40microsoft.com@dmarc.ietf.org>
Date: Monday, July 29, 2024 at 6:55 AM
To: "wimse@ietf.org" <wimse@ietf.org>, Justin Richer <jricher@mit.edu>
Subject: [EXTERNAL] [Wimse] Request for Input: Best Current Practice for OAuth 2.0 Client Authentication in Workload Environments

During the Working Group meeting in Vancouver there was discussion on the scope of the Working Group document titled Best Current Practice for OAuth 2.0 Client Authentication in Workload Environments [1], which was adopted in accordance with the following deliverable in the charter [2]:

* [I or BCP] Document and make recommendations based on operational experience to existing token distribution practices for workloads.

This is intended to respond to the following milestone [3]:

* Submit informational document describing considerations for filesystem-based JWT delivery in Kubernetes to the IESG

Please reply to the list to indicate which of the following options represents the appropriate scope for this document:

1. Document existing practices without specific recommendations on how to obtain, protect and use OAuth Access Tokens.
2. Document existing practices along with strong recommendations on how to obtain, protect and use OAuth Access Tokens.
3. Need more information (please state what more information you need).
4. No opinion (i.e., this isn't a topic you care strongly about).

Please reply to the list by August 12th, 2024.

Thank you,

Pieter and Justin

[1] https://datatracker.ietf.org/doc/draft-ietf-wimse-workload-identity-bcp/
[2] https://datatracker.ietf.org/doc/charter-ietf-wimse/
[3] https://datatracker.ietf.org/wg/wimse/about/