[Wimse] Re: IDs from Token Exchange Design Team
Pieter Kasselman <pieter.kasselman@microsoft.com> Thu, 11 July 2024 11:57 UTC
From: Pieter Kasselman <pieter.kasselman@microsoft.com>
To: "Saxe, Dean" <deansaxe=40amazon.com@dmarc.ietf.org>, "wimse@ietf.org" <wimse@ietf.org>, Justin Richer <jricher@mit.edu>
Date: Thu, 11 Jul 2024 11:57:27 +0000
Message-ID: <DBAPR83MB0437E08BA1F14DAC11B2D37B91A52@DBAPR83MB0437.EURPRD83.prod.outlook.com>
References: <AD6A7885-D53C-4F40-AFDB-990C55FF7977@amazon.com>
In-Reply-To: <AD6A7885-D53C-4F40-AFDB-990C55FF7977@amazon.com>
CC: Andrii Deinega <andrii.deinega@gmail.com>, Dmitry Izumskiy <idimaster@gmail.com>, George Fletcher <george.fletcher@capitalone.com>, Yaroslav Rosomakho <yrosomakho@zscaler.com>
List-Id: WIMSE Workload Identity in Multi-Service Environment <wimse.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/wimse/HNGJNeTrQFtA15ZiN2F4lOvYWgk>
Thank you Dean

The chairs would like to thank the design team for the time taken and effort made to prepare these drafts. We would like to encourage all working group members to review them, open GitHub issues and bring specific points for discussion to the mailing list.

We look forward to discussing these drafts in Vancouver.

Pieter and Justin

From: Saxe, Dean <deansaxe=40amazon.com@dmarc.ietf.org>
Sent: Monday, July 8, 2024 8:13 PM
To: wimse@ietf.org
Cc: Andrii Deinega <andrii.deinega@gmail.com>; Dmitry Izumskiy <idimaster@gmail.com>; George Fletcher <george.fletcher@capitalone.com>; Yaroslav Rosomakho <yrosomakho@zscaler.com>
Subject: [Wimse] IDs from Token Exchange Design Team

As of today, there are two IDs published from the Token Exchange Design team for discussion at IETF120:

https://datatracker.ietf.org/doc/draft-rosomakho-wimse-tokentranslation-reqs/ describes the requirements and security considerations for a workload-focused token translation protocol.

https://datatracker.ietf.org/doc/draft-saxe-wimse-token-exchange-and-translation/ describes the token translation protocol and its relationship with token exchange. In this draft we lay out a framework for discussing token exchange (as defined by RFC 8693) versus token translations which may "lose" data in translation. Further, we identify that specific translations between different token types must be profiled elsewhere. This choice was made to ensure that the draft does not have to define specific implementations where there may be a loss of context between different token types. In the long run, I hope that this will allow the draft to progress faster while profiles are drafted for specific token pairs in parallel.

We have not yet specified the protocol for token translation to meet the requirements as defined in draft-rosomakho-wimse-tokentranslation-reqs-00. I expect that these choices will lead to discussion both on the mailing list as well as at IETF120.

Two administrivia notes:

1. This is my last week with Amazon. I'm migrating my work with IETF to my personal email address, dean@thesax.es<mailto:dean@thesax.es>.
2. As part of this change, the GitHub repo for draft-saxe-wimse-token-exchange-and-translation has moved to a new location: https://github.com/deansaxe/wimse-token-exchange-and-translation.

Thank you to Andrii Deinega, Dmitry Izumskiy, George Fletcher, and Yaroslav Rosomakho for their collaboration developing these IDs. I look forward to discussing both IDs at IETF120 and hearing the WG's input to help guide us.

Respectfully,
-dhs

--
Dean H. Saxe, CIDPRO<https://idpro.org/cidpro/> (he/him)
Senior Security Engineer, AWS Identity Security Team | Amazon Web Services (AWS)
E: deansaxe@amazon.com<mailto:deansaxe@amazon.com> | M: 206-659-7293<tel:206-659-7293>
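The distinction Dean's message draws, between an RFC 8693 token exchange and a translation that may "lose" data, as an added example. This is not code from the email, from either draft, or from the design team; the message itself says the translation protocol is not yet specified. The grant-type and token-type URIs are the ones RFC 8693 registers. Everything else is an assumption for illustration: the HS256 helper that mints a subject token, the constructed TARGET_PROFILE (which source claims the narrower target format can carry), and the MUST_NOT_DROP policy under which the translator refuses rather than silently discards audience and expiry.

```python
"""Added example (not from the WIMSE drafts or the thread above).

Builds an RFC 8693 token-exchange request from a subject token, then runs a
deliberately lossy "translation" of that token's claims into a narrower
target format, reporting what was dropped and refusing when the loss would
remove security-critical context.
"""
import base64
import hashlib
import hmac
import json
from urllib.parse import urlencode

# Identifiers registered by RFC 8693 (these values are from the RFC).
GRANT_TYPE_TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange"
TOKEN_TYPE_JWT = "urn:ietf:params:oauth:token-type:jwt"
TOKEN_TYPE_ACCESS_TOKEN = "urn:ietf:params:oauth:token-type:access_token"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwt_hs256_encode(claims: dict, key: bytes) -> str:
    """Mint a compact HS256 JWT. Assumption: only here to fabricate a realistic subject token."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def jwt_hs256_decode(token: str, key: bytes) -> dict:
    """Verify the HS256 signature with a constant-time compare, then return the claims."""
    header, payload, signature = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(signature)):
        raise ValueError("JWT signature does not verify")
    return json.loads(_b64url_decode(payload))


def build_token_exchange_request(subject_token, subject_token_type, requested_token_type,
                                 audience=None, actor_token=None, actor_token_type=None) -> dict:
    """Assemble the RFC 8693 form parameters for a token-exchange request."""
    params = {
        "grant_type": GRANT_TYPE_TOKEN_EXCHANGE,
        "subject_token": subject_token,
        "subject_token_type": subject_token_type,
        "requested_token_type": requested_token_type,
    }
    if audience is not None:
        params["audience"] = audience
    if actor_token is not None:
        # RFC 8693: actor_token_type is required whenever actor_token is present.
        if actor_token_type is None:
            raise ValueError("actor_token_type is required when actor_token is present")
        params["actor_token"] = actor_token
        params["actor_token_type"] = actor_token_type
    return params


def encode_form_body(params: dict) -> str:
    """application/x-www-form-urlencoded body as sent to the token endpoint."""
    return urlencode(params)


# Constructed target profile (assumption): source claim -> field name in the target format.
# Anything not listed cannot be carried, which is the "loss in translation" at issue.
TARGET_PROFILE = {"iss": "issuer", "sub": "subject", "aud": "audience", "exp": "expires_at"}
# Constructed policy (assumption): losing these must fail the translation, never be silent.
MUST_NOT_DROP = {"aud", "exp"}


def translate_claims(source: dict, profile: dict = TARGET_PROFILE) -> tuple:
    """Map source claims into the target profile; return (target_claims, dropped_claim_names)."""
    dropped = sorted(name for name in source if name not in profile)
    critical_loss = sorted(set(dropped) & MUST_NOT_DROP)
    if critical_loss:
        raise ValueError(f"refusing lossy translation: {critical_loss} not representable in target")
    target = {profile[name]: value for name, value in source.items() if name in profile}
    return target, dropped


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed; a real deployment uses an asymmetric issuer key
    claims = {"iss": "https://issuer.example", "sub": "workload-a", "aud": "https://api.example",
              "exp": 1720700000, "txn": "c0ffee", "scope": "read"}
    token = jwt_hs256_encode(claims, key)
    request = build_token_exchange_request(token, TOKEN_TYPE_JWT, TOKEN_TYPE_ACCESS_TOKEN,
                                           audience="https://api.example")
    print(encode_form_body(request)[:80] + "...")
    target, dropped = translate_claims(jwt_hs256_decode(token, key))
    print("target:", target)
    print("dropped in translation:", dropped)
```

The point of the dropped list is that a translation which cannot represent a claim should say so to the caller, so the decision to accept the loss is explicit and reviewable rather than buried in a mapping table.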