[Wimse] Re: Request for Agenda Item: Workload identity authenticator levels
"Saxe, Dean" <deansaxe@amazon.com> Wed, 10 July 2024 21:09 UTC
Return-Path: <prvs=914a09735=deansaxe@amazon.com>
X-Original-To: wimse@ietfa.amsl.com
Delivered-To: wimse@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C0B6BC14F6E2 for <wimse@ietfa.amsl.com>; Wed, 10 Jul 2024 14:09:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.55
X-Spam-Level:
X-Spam-Status: No, score=-4.55 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.148, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, UNPARSEABLE_RELAY=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazon.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id L-ThX8sfhqQU for <wimse@ietfa.amsl.com>; Wed, 10 Jul 2024 14:09:47 -0700 (PDT)
Received: from smtp-fw-80007.amazon.com (smtp-fw-80007.amazon.com [99.78.197.218]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D80CAC14F6E1 for <wimse@ietf.org>; Wed, 10 Jul 2024 14:09:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amazon.com; i=@amazon.com; q=dns/txt; s=amazon201209; t=1720645788; x=1752181788; h=from:to:cc:date:message-id:references:in-reply-to: content-id:content-transfer-encoding:mime-version:subject; bh=KQL41NhNYp3kMl4m0BVtWv1+KIB08YbZAkfTWHO88n0=; b=pCtr85e0ZNRiUo+MzwGbZZcvxVfde6IEXhRVMUFOHpnNGI3fQu+/NbTQ GS3Hl50JoNbV/NzB6y1PvnqOZwCujq8W68GMfi9n0N0gWHbaN0K+/BDkx XRBYHTfRZXZM/6qIGaWAHHea4w4tGCpBmJbRnWdSHS/lJPNPaAEn94Wsm 8=;
X-IronPort-AV: E=Sophos;i="6.09,198,1716249600"; d="scan'208";a="310705112"
Thread-Topic: [Wimse] Re: Request for Agenda Item: Workload identity authenticator levels
Received: from pdx4-co-svc-p1-lb2-vlan2.amazon.com (HELO smtpout.prod.us-west-2.prod.farcaster.email.amazon.dev) ([10.25.36.210]) by smtp-border-fw-80007.pdx80.corp.amazon.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 10 Jul 2024 21:09:47 +0000
Received: from EX19MTAUWC002.ant.amazon.com [10.0.7.35:2953] by smtpin.naws.us-west-2.prod.farcaster.email.amazon.dev [10.0.36.52:2525] with esmtp (Farcaster) id 539dd16f-f2f0-4ae8-80b9-37c0611ae887; Wed, 10 Jul 2024 21:09:47 +0000 (UTC)
X-Farcaster-Flow-ID: 539dd16f-f2f0-4ae8-80b9-37c0611ae887
Received: from EX19D003UWC002.ant.amazon.com (10.13.138.169) by EX19MTAUWC002.ant.amazon.com (10.250.64.143) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA) id 15.2.1258.34; Wed, 10 Jul 2024 21:09:37 +0000
Received: from EX19D003UWC004.ant.amazon.com (10.13.138.150) by EX19D003UWC002.ant.amazon.com (10.13.138.169) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA) id 15.2.1258.34; Wed, 10 Jul 2024 21:09:37 +0000
Received: from EX19D003UWC004.ant.amazon.com ([fe80::38e:f9f6:c9f7:63fa]) by EX19D003UWC004.ant.amazon.com ([fe80::38e:f9f6:c9f7:63fa%4]) with mapi id 15.02.1258.034; Wed, 10 Jul 2024 21:09:37 +0000
From: "Saxe, Dean" <deansaxe@amazon.com>
To: Watson Ladd <watsonbladd@gmail.com>, Pieter Kasselman <pieter.kasselman@microsoft.com>
Thread-Index: AQHa0eYk5CZODXdwnEKT5iItngKqv7HuqLAAgAAD5oCAAA4VgIABRx8A
Date: Wed, 10 Jul 2024 21:09:37 +0000
Message-ID: <A2A9F5CF-6500-426B-A45F-156251DA4275@amazon.com>
References: <DBAPR83MB043778953C0CBEE5AF93CFD991DA2@DBAPR83MB0437.EURPRD83.prod.outlook.com> <26349E6F-7DFA-447D-977C-5E1C6E5E1F0D@amazon.com> <DBAPR83MB0437B1E1A87C9DDB4F2DFC3291DB2@DBAPR83MB0437.EURPRD83.prod.outlook.com> <CACsn0ckJKiFUG_SD6vd_kOh-vymudeEdZ4uc3YfVJgAGStFjWw@mail.gmail.com> <DBAPR83MB04377A8BF8F1BBEFE703F47D91DB2@DBAPR83MB0437.EURPRD83.prod.outlook.com> <CACsn0ckeudqMtV4rXqD5zBLaZU=QhWo1xxK7=Zv0vdHoiSgq7w@mail.gmail.com>
In-Reply-To: <CACsn0ckeudqMtV4rXqD5zBLaZU=QhWo1xxK7=Zv0vdHoiSgq7w@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.86.24062313
x-originating-ip: [10.187.171.53]
Content-Type: text/plain; charset="utf-8"
Content-ID: <4D250A34F890CD48909875B73CAB1786@amazon.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Message-ID-Hash: 26XWHJOA6U7YQEW2INUVCUDPH3CUZD5K
X-Message-ID-Hash: 26XWHJOA6U7YQEW2INUVCUDPH3CUZD5K
X-MailFrom: prvs=914a09735=deansaxe@amazon.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "wimse@ietf.org" <wimse@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [Wimse] Re: Request for Agenda Item: Workload identity authenticator levels
List-Id: WIMSE Workload Identity in Multi-Service Environment <wimse.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/wimse/CUJLN6YBGn9NPhOulgZpF5W45oY>
List-Archive: <https://mailarchive.ietf.org/arch/browse/wimse>
List-Help: <mailto:wimse-request@ietf.org?subject=help>
List-Owner: <mailto:wimse-owner@ietf.org>
List-Post: <mailto:wimse@ietf.org>
List-Subscribe: <mailto:wimse-join@ietf.org>
List-Unsubscribe: <mailto:wimse-leave@ietf.org>
Watson, I think it's more challenging than simply making a pithy statement about shared secrets, even if I agree with the statement! In many cases, workloads operate on behalf of users. There is a need to propagate properties of the authentication event(s) to downstream systems so they may be used as part of an authorization policy. To use a FIDO specific example, two users can both authenticate with a FIDO-based credential such as a passkey. One user uses a passkey that is synced across a fabric (e.g. Dashlane, 1Password, iCloud, etc.), potentially to many devices with different, unknown security postures. The other uses a passkey bound to a hardware device like a Yubikey. Both are using credentials that are highly phishing resistant and not shared secrets (yay!). But these credentials have fundamentally different properties when we consider their storage, shareability, and recoverability. They are not equal in terms of their inherent properties. While this difference may not be impactful for all workloads, there are workloads that do need the ability to make authorization decisions based upon the properties of the authentication event(s). My example focused on end-user authentication, but I believe the same to be true for a workload-to-workload authentication event, too. -dhs -- Dean H. Saxe, CIDPRO <https://idpro.org/cidpro/> (he/him) Senior Security Engineer, AWS Identity Security Team | Amazon Web Services (AWS) E: deansaxe@amazon.com <mailto:deansaxe@amazon.com> | M: 206-659-7293 <tel:206-659-7293> On 7/9/24, 11:39 AM, "Watson Ladd" <watsonbladd@gmail.com <mailto:watsonbladd@gmail.com>> wrote: CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe. On Tue, Jul 9, 2024 at 10:48 AM Pieter Kasselman <pieter.kasselman@microsoft.com <mailto:pieter.kasselman@microsoft.com>> wrote: > > Hi Watson > > It's not so much about use cases/justification for weak authentication, but a way to classify it, and more importantly for people defining systems to define the level of authentication they desire. > > In an ideal world, we will only have strong cryptographic techniques with hardware protection for keys and attestation mechanisms that are frequently applied to ensure a workloads identity. The reality is that bearer tokens and shared secrets where no attestation of the workload ever takes place exists, and without a way to classify these relative to the better practices (strong crypto, hardware, attestation etc) only sophisticated customers will be able to discern systems. Put another way, it is hard to avoid something that is harmful, if you have no way to tell if it is harmful (or at least not calibrated to the risks your willing to take). We can just write "Shared Secrets considered harmful" and in particular part of what we're doing is saying is how to do the service to service right. No need for a heavyweight taxonomy. I'm also really confused by saying we need hardware protection and frequent attestation: to my mind workload approximates service in Kubernetes language, and one doesn't need attestation (attest what to whom?) as the constituents of the service are defined by the service definition. You trust the admission system (but I might by rusty on the exact terms) to deal with "who gets to define the service", which I think is largely orthogonal. On reflection I think there's an underlying difference here in terms of how and where and what kinds of policies are being enforced, and it might be useful to have that discussion explicitly. Sincerely, Watson > > Cheers > > Pieter (Identity enthusiast) > > -----Original Message----- > From: Watson Ladd <watsonbladd@gmail.com <mailto:watsonbladd@gmail.com>> > Sent: Tuesday, July 9, 2024 6:34 PM > To: Pieter Kasselman <pieter.kasselman@microsoft.com <mailto:pieter.kasselman@microsoft.com>> > Cc: Saxe, Dean <deansaxe@amazon.com <mailto:deansaxe@amazon.com>>; wimse@ietf.org <mailto:wimse@ietf.org> > Subject: Re: [Wimse] Re: Request for Agenda Item: Workload identity authenticator levels > > I am very confused and not following the conversation here. > > The orchestrator definitionally authenticates workloads in the same way that e.g. a PID on a kernel identifies a process. One cannot talk about two PIDs being the same process (yes, yes linux threads, etc.) or two processes having the same PID at the same time, because the relevant data structures are indexed by PID. Conversely absent the orchestrator being trusted there's no way to know what a workload > "is": it's just some process executing on a compute environment that isn't trusted. > > When it comes to workload A directly authenticating to workload B, why not use strong crypto, per transaction? And if you have that, why do you need differentiation? It's easy to do service auth that's strong! > There might be issues with chaining, but that's what the standards effort here is to solve. > > This is different from human authentication as humans cannot multiply > 2048 bit numbers in their heads and thus have to make do with passwords, ssh keys, etc. each with their own drawbacks and hence need to talk about confidence in human to machine (and human to human: > medallion signature guarentees are a real thing!) authentication. > > What's the usecase for weak auth in service to service? > > Sincerely, > Watson Ladd -- Astra mortemque praestare gradatim
- [Wimse] Request for Agenda Item: Workload identit… Pieter Kasselman
- [Wimse] Re: Request for Agenda Item: Workload ide… Saxe, Dean
- [Wimse] Re: Request for Agenda Item: Workload ide… Pieter Kasselman
- [Wimse] Re: Request for Agenda Item: Workload ide… Watson Ladd
- [Wimse] Re: Request for Agenda Item: Workload ide… Pieter Kasselman
- [Wimse] Re: Request for Agenda Item: Workload ide… Watson Ladd
- [Wimse] Re: Request for Agenda Item: Workload ide… Saxe, Dean
- [Wimse] Re: Request for Agenda Item: Workload ide… Justin Richer
- [Wimse] Re: Request for Agenda Item: Workload ide… Dmitry Izumskiy