[Wimse] Service to service, X509, TLS, and sadness
Watson Ladd <watsonbladd@gmail.com> Fri, 12 July 2024 19:02 UTC
Return-Path: <watsonbladd@gmail.com>
X-Original-To: wimse@ietfa.amsl.com
Delivered-To: wimse@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5EEF9C1654F2 for <wimse@ietfa.amsl.com>; Fri, 12 Jul 2024 12:02:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.109
X-Spam-Level:
X-Spam-Status: No, score=-2.109 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6WUfJPQOWlwA for <wimse@ietfa.amsl.com>; Fri, 12 Jul 2024 12:02:14 -0700 (PDT)
Received: from mail-wr1-x42c.google.com (mail-wr1-x42c.google.com [IPv6:2a00:1450:4864:20::42c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 053B1C157927 for <wimse@ietf.org>; Fri, 12 Jul 2024 12:02:14 -0700 (PDT)
Received: by mail-wr1-x42c.google.com with SMTP id ffacd0b85a97d-36796d2e5a9so1450008f8f.3 for <wimse@ietf.org>; Fri, 12 Jul 2024 12:02:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1720810932; x=1721415732; darn=ietf.org; h=to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=FzWbjKt2uX+fifhabpGZHe+3HvoqXz4hOCvC7ia2SEs=; b=lEAoE+cViLOL3Xn5h8gr95sJMB7BB+RaZB1w5YpcYAfo3VTdiXa3/4NAPhuXw3fOGd lUWwhaJpia/1nnWfygLQPQXruTSBFD4sAa8w6m9qS2+i1Bc4KoE9HLiv8MFLg3S2LoS6 19ZyTuJohO+R86wN471Ko/A3RZhK7w8slThbRfcCxOFpInV7Z6URQHuyQt0bqFOUud+l 4haVPjVkQyUHYtXbgYoz6NdBQHfxcfNBCrisWJYAsOxxFBMkGsxx/8dgh9EiXcNIl/1U /LhEWwArDue2cvzdOeTfaTzMSIuTqnlpFJr1+OoBzpUH7AlDjrIOTp/dkcFHgJ//XlhM rCQg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1720810932; x=1721415732; h=to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=FzWbjKt2uX+fifhabpGZHe+3HvoqXz4hOCvC7ia2SEs=; b=n2Py4EsyAQZijVrsIudMAN73pabl29UVEY2SGIuAGKoqYXKTYFJ1sVbPSqwvddstJX YmS9HbuqtBjC2DaZH+kwtuL81g0CNDbrbUXX0FWILReDBJ5vElsgZoVyq+5TlYWG7O0h OzWIWc39DEkGadkWzhSEPzXgMl16xABADe4hZirm2xjUizV8+SUU6YBULyg1pDhNF8so DnXn5yiECvIvmIaBKT8SIzPXEeHZlL3Bb+QouqCytHtRDRYVG8wcGqEQzj3CLtRs35YD 0JCO6yjQbxwVgG4rmEcoenGgCEDpsK0RkJk4KR0joPRtM0noT8d5kBT9aQjcKelGVtMs QdSA==
X-Gm-Message-State: AOJu0YzPXRwk31IZ/ZkB87FBcnrrMZw29zfyHMuE82Uqy+EZ9YGJ2Pu4 25pUSwd81b31YlKRPPpaUmMizw+BoPWvD7DojZZvWoXFXdYsmr93ASehlXnHG4aMJepCdgnqbcD 2wWMYdA8X3rsBH5HkaPkLlORziZtB6A==
X-Google-Smtp-Source: AGHT+IEFx0wTQ/W1eFBQYa6Y8k/0UHRONnDOBDU8Fp9GUfxoiX3o5Jt4+OMGD6cyNe2dHdjauUIICDxRcsT4Z9cTAUg=
X-Received: by 2002:a5d:5f4d:0:b0:368:75:26e5 with SMTP id ffacd0b85a97d-36800752818mr2989563f8f.1.1720810931822; Fri, 12 Jul 2024 12:02:11 -0700 (PDT)
MIME-Version: 1.0
From: Watson Ladd <watsonbladd@gmail.com>
Date: Fri, 12 Jul 2024 12:02:00 -0700
Message-ID: <CACsn0ck=bV_7csWJMzXTpeNaf30Bkg9fWbnCrEH-t1nO_PC83w@mail.gmail.com>
To: wimse@ietf.org
Content-Type: text/plain; charset="UTF-8"
Message-ID-Hash: MNIWYZZOPVUQOLRVNYXQ7OIR4GFNW4O5
X-Message-ID-Hash: MNIWYZZOPVUQOLRVNYXQ7OIR4GFNW4O5
X-MailFrom: watsonbladd@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [Wimse] Service to service, X509, TLS, and sadness
List-Id: WIMSE Workload Identity in Multi-Service Environment <wimse.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/wimse/Evgdbr3lpSROpmWlAodGF0H9G7A>
List-Archive: <https://mailarchive.ietf.org/arch/browse/wimse>
List-Help: <mailto:wimse-request@ietf.org?subject=help>
List-Owner: <mailto:wimse-owner@ietf.org>
List-Post: <mailto:wimse@ietf.org>
List-Subscribe: <mailto:wimse-join@ietf.org>
List-Unsubscribe: <mailto:wimse-leave@ietf.org>
Dear WIMSE, I think there's some things to think about in the service to service document. This isn't surprising: TLS and X509 are complex, don't fit together well, and adding something else on top gets very complex. I certainly am not as well versed in some of this as I fear some are, so this is much more a conversation starter. First It's not clear to me that using a URI SAN is the right choice. a SAN may use otherName which has a type defined by an OID and then anything you want for that type. OIDs are extensible, so we could standardize one here for this. This would make it easier to know what sort of certificate is in play when debugging and avoids accidents with other sorts of issuance from older CAs. Putting the DNS label in works on K8S where it's known what the names used will be, but I think we have to worry about namespaces if we used the short ones. Secondly, not clear to me that trust domain is the only thing that must be matched here. Surely we don't want clients to send requests to incorrect services. Thirdly, the dichotomy presented between TLS and HTTP layer routing is incorrect. It's possible to have load balancers convey client authentication information to servers. While I understand not every deployment scenario works for this, plenty can. Making that work though depends on a certain amount of signaling at the TLS Client Hello layer, and that doesn't exist for this type of client info, but it's easy enough to specify. We also need to consider how an X509 and a HTTP auth/JWT based environment interact, and what happens with the vast complexity of things X509 allows. If we're just going to give every service both if they need to interop, that would be sad. It's also not clear to me that if we need to add additional things to tokens the X509 layer can handle them. I think its worth considering using WIMSE as the authentication for TLS without an X509 wrapper: TLS does have this extension point, but library support is less than ideal. If we can't do that, then I think we might need to drop X509 because things just won't work well that we want to put in. Sincerely, Watson -- Astra mortemque praestare gradatim