[Wimse] Re: Discussing motivations and drawbacks for multiple service attestation
Watson Ladd <watsonbladd@gmail.com> Fri, 24 May 2024 14:15 UTC
To: Daniel Feldman <dfeldman.mn@gmail.com>
CC: wimse@ietf.org
Message-ID: <CACsn0c=NjnPwGS6J1vcciCx0kL4NkYn6FTQOevwnHOBYzYLaVQ@mail.gmail.com>
In-Reply-To: <CAOmUX7LpryugDRLdgaDDbRLVd3mwU0jjQyfLk8hg14CQFu1cBA@mail.gmail.com>
List-Id: WIMSE Workload Identity in Multi-Service Environment <wimse.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/wimse>
My viewpoint is simple: we already have X.509 to do point-to-point for services. Or JWT. Or Kerberos. The only reason we need something new in authentication is precisely the propagation, to enable fine-grained resource controls in the face of request forgery attacks. We do have ways to propagate client auth through load balancers like RFC 9440.

Now none of this touches on the challenge of naming that we're also chartered to solve.

Sincerely,
Watson
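The message above cites RFC 9440 as an existing way to propagate client authentication through a load balancer. The following is an added illustration, not part of the original email and not code from any IETF project, of the two rules that make that propagation safe: the TLS-terminating reverse proxy (the "TTRP" in RFC 9440) strips any Client-Cert / Client-Cert-Chain header a client sends and sets Client-Cert only from the certificate it actually validated in the handshake, and the backend accepts the header only from the trusted proxy. The header encoding (a Structured Fields Byte Sequence, i.e. base64 DER between colons) follows RFC 9440; the proxy address `10.0.0.5`, the sample DER bytes and the `Request` model are constructed assumptions for the example.

```python
import base64
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed stand-in for the DER encoding of a client certificate; a real
# TTRP would forward the DER bytes of the X.509 certificate presented in TLS.
SAMPLE_CLIENT_CERT_DER = b"\x30\x82\x01\x0a-constructed-not-a-real-certificate"

# Assumption for this example: the backend recognises the TTRP by its internal
# address. In practice this is usually a private network or mTLS between the two.
TRUSTED_PROXY_ADDRS = {"10.0.0.5"}

# RFC 9440 carries the certificate as a Structured Fields Byte Sequence:
# ":" + base64(DER) + ":"
_BYTE_SEQ = re.compile(r"^:([A-Za-z0-9+/]*={0,2}):$")


def encode_client_cert(der: bytes) -> str:
    """Encode DER certificate bytes as a Client-Cert header value."""
    return ":" + base64.b64encode(der).decode("ascii") + ":"


def decode_client_cert(value: str) -> bytes:
    """Parse a Client-Cert header value; reject anything that is not a Byte Sequence."""
    m = _BYTE_SEQ.match(value.strip())
    if not m:
        raise ValueError("Client-Cert is not a valid Structured Fields Byte Sequence")
    return base64.b64decode(m.group(1), validate=True)


@dataclass
class Request:
    """Minimal request model (constructed for the example). Header names are lowercase."""
    peer_addr: str
    headers: Dict[str, str] = field(default_factory=dict)
    # Certificate validated during the TLS handshake, if the client presented one.
    tls_client_cert_der: Optional[bytes] = None


def proxy_forward(req: Request) -> Request:
    """Model the TTRP: sanitize, then assert the validated client certificate.

    RFC 9440 requires the proxy to remove any Client-Cert / Client-Cert-Chain
    fields present on the incoming request, so a client cannot inject its own,
    and to set Client-Cert only when a certificate was actually validated.
    """
    fwd_headers = {
        k: v for k, v in req.headers.items()
        if k not in ("client-cert", "client-cert-chain")
    }
    if req.tls_client_cert_der is not None:
        fwd_headers["client-cert"] = encode_client_cert(req.tls_client_cert_der)
    # The forwarded hop originates from the proxy's own address.
    return Request(peer_addr="10.0.0.5", headers=fwd_headers)


def backend_client_cert(req: Request) -> Optional[bytes]:
    """Model the backend: trust Client-Cert only when the hop came from the TTRP."""
    if req.peer_addr not in TRUSTED_PROXY_ADDRS:
        # A request that bypassed the proxy can carry any header it likes.
        return None
    value = req.headers.get("client-cert")
    if value is None:
        return None
    return decode_client_cert(value)


if __name__ == "__main__":
    # A client that presented a certificate but also tried to smuggle a header.
    inbound = Request(
        peer_addr="203.0.113.9",
        headers={"client-cert": encode_client_cert(b"forged"), "host": "svc.example"},
        tls_client_cert_der=SAMPLE_CLIENT_CERT_DER,
    )
    print(backend_client_cert(proxy_forward(inbound)) == SAMPLE_CLIENT_CERT_DER)
```

Running the module end to end shows the injected header being dropped at the proxy and the handshake certificate being the only one the backend ever sees; the same `backend_client_cert` check returns nothing for a request that reaches the backend without passing through the proxy, which is the case the sanitization rule alone does not cover.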