[Wimse] Re: Runtime costs of multiple signatures?

Yogi Porla <yogi@deeplineage.io> Tue, 23 July 2024 15:58 UTC

List-Id: WIMSE Workload Identity in Multi-Service Environment <wimse.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/wimse/B8eCOczQSrgEUJhOqLycydZM5ok>
List-Archive: <https://mailarchive.ietf.org/arch/browse/wimse>

My thoughts and opinions are highlighted below.
From: McAdams, Darin <darinm@amazon.com>
Date: Monday, July 22, 2024 at 7:29 PM
To: wimse@ietf.org <wimse@ietf.org>
Subject: [Wimse] Runtime costs of multiple signatures?
Really appreciate all the work that the design teams have put into the WIMSE proposals.

I’ve been reading the docs in preparation for the IETF meeting and encountered a question I hadn’t seen discussed. The examples in service-to-service tokens <https://www.sheffer.org/wimse-s2s/draft-sheffer-wimse-s2s-protocol.html> appear to require a total of 3 or more tokens to be validated. This includes an OAuth access_token, the workload identity token, and the proof-of-possession token. The proliferation of tokens will have an impact on both the “bloat overhead” of each HTTP request, as well as the CPU and latency cost of running 3 or more asymmetric cryptographic operations. Perhaps it’s because I live in a world where a million requests per second is normal, but I found myself asking: “What will this cost?” Has there been any discussion of the runtime costs of these proposals? It might be OK, or it might not; I simply don’t know and am curious.

Attached is a benchmark done by the USP team, who are working on the Attested Claims concept; slides 8 and 9 have benchmarks for 40 aggregations using Schnorr concatenation and other schemes. Please note that this work is based on SPIRE and has some additional claims overhead for test purposes.


If this approach were pursued, audiences with efficiency concerns could raise additional questions such as: Is it acceptable to cache the validation results for a workload identity token so it’s not necessary to re-validate the same token on every HTTP request? Or, if a particular implementation has the means to do so, is it OK to distribute the token out of band so it’s not necessary to pass on every request?

The concept of TTLs for rotating certificates is used for SPIFFE workload identities; however, note that revalidation isn’t performed by default when the certificate is issued (note that there is a PR on SPIRE to force revalidation, and this is being looked into). In terms of attested claims, given the nature of multiple workloads in transit (User -> A -> B -> C) and the potential for claims to change per request (for instance, a claim at workload A could change based on the request), cached results may not be viable.

One other thing I noticed is that Figure 12 <https://www.sheffer.org/wimse-s2s/draft-sheffer-wimse-s2s-protocol.html#name-signed-request> in the HTTP Message Signature example doesn’t include an Authorization header with a bearer token, as in the DPoP variation. I wasn’t sure if that’s because it’s unnecessary when using HTTP Message Signatures, or if this was simply a mistake in the example. I was trying to wrap my head around the pros and cons of each option, and whether one requires fewer signatures.

-Darin
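The caching question raised in this thread, as an added example that is not part of the thread or of the WIMSE draft: a receiver verifies the same long-lived workload identity token on every request (optionally reusing a cached positive result) alongside a per-request proof-of-possession token whose claims differ each time, and counts the asymmetric operations it had to perform. Ed25519, the Token layout, the Verifier type, the claim strings and the omission of the OAuth access_token are all assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
	"time"
)

// Token is a constructed stand-in for a signed token (real WIMSE tokens are JWTs/CWTs).
type Token struct{ Payload, Sig []byte }

// Verifier counts asymmetric verifications in Ops and remembers positive results (keyed by payload||signature).
type Verifier struct {
	pub   ed25519.PublicKey
	cache map[string]time.Time // token bytes -> instant the cached result expires
	Ops   int
}

// Verify checks t's signature; ttl > 0 lets a positive result be reused for that long.
// A caller must keep ttl within the token's remaining lifetime and its revocation needs.
func (v *Verifier) Verify(t Token, now time.Time, ttl time.Duration) bool {
	key := string(t.Payload) + string(t.Sig)
	if until, ok := v.cache[key]; ok && now.Before(until) {
		return true // cache hit: no signature check on this request
	}
	v.Ops++
	if !ed25519.Verify(v.pub, t.Payload, t.Sig) {
		return false
	}
	if ttl > 0 {
		v.cache[key] = now.Add(ttl)
	}
	return true
}
func sign(priv ed25519.PrivateKey, payload string) Token {
	return Token{Payload: []byte(payload), Sig: ed25519.Sign(priv, []byte(payload))}
}

// SimulateRequests sends n requests that each carry one long-lived workload identity token
// plus a fresh per-request proof-of-possession token; it returns the verifications performed.
func SimulateRequests(n int, witTTL time.Duration) int {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	v := &Verifier{pub: pub, cache: map[string]time.Time{}}
	now := time.Now()
	wit := sign(priv, "sub=spiffe://example.org/workload-a") // constructed claims
	for i := 0; i < n; i++ {
		pop := sign(priv, fmt.Sprintf("nonce=%d", i)) // constructed per-request claims
		v.Verify(wit, now, witTTL)                     // a cache hit after the first request when witTTL > 0
		v.Verify(pop, now, 0)                          // claims change every request, so never cacheable
	}
	return v.Ops
}
```

With the cache disabled every request costs two verifications; with it enabled the workload identity token is verified once per TTL window, so the per-request cost drops to the proof-of-possession check alone.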