[Wimse] Re: Request for Agenda Item: Workload identity authenticator levels

Justin Richer <jricher@mit.edu> Wed, 10 July 2024 21:14 UTC

List-Id: WIMSE Workload Identity in Multi-Service Environment <wimse.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/wimse/IzAHy2npbTqa-hY587kv0gEGNPM>

Chair hat also off.

One of the important things to note about the xAL measurements and AAL in particular is that it's a measurement on the process. You can have an authenticator that's capable of AAL2 but the rest of the process also needs to fit requirements, like how the authenticator is bound to the account and how the session gets managed. I think if we saw something for machine identity we'd see something similar here.

The other thing about xAL is that it defines a floor for compliance. In other words, you can have something match AAL2 that actually exceeds it greatly on some aspect. The xALs aren't meant to give you the full picture, just the statement that it's at least as good as the defined baseline. For most cases this is pretty useful, and it's why LoA still gets used in a bunch of places - think of LoA like a predefined combination of xALs.

If you want more detail than that, this is exactly where VoT is meant to slot in. You can say "this is AAL2 but also it's a non-exportable key". The first part gives you a solid baseline that's good enough for many decisions, the second part adds detail that might make a difference to an app. Because maybe you don't need all the requirements at AAL3 but you were really keen on one aspect. People constantly ask for things like "AAL2.5" and completely miss the point of the xALs in the first place.

Different use cases are going to require different granularity. I think different scales are going to be useful in defining interoperable values. I may be biased but I still think that VoT is a solid idea that can be used to communicate both coarse and fine-grained details about a system. Is there something we can do with it in WIMSE? I think that remains to be figured out.

- Justin
________________________________
From: Saxe, Dean <deansaxe=40amazon.com@dmarc.ietf.org>
Sent: Monday, July 8, 2024 4:23 PM
To: Pieter Kasselman <pieter.kasselman=40microsoft.com@dmarc.ietf.org>; wimse@ietf.org <wimse@ietf.org>
Subject: [Wimse] Re: Request for Agenda Item: Workload identity authenticator levels

Pieter,

With my work at the FIDO Alliance, I’ve been considering this topic quite a lot recently. My sense is that authenticator levels as defined by NIST are a useful construct. But over time, I fear that they lose value because a credential at Level 3 today might only meet Level 2 tomorrow. The levels are large-grained and don’t sufficiently describe the full context of an authentication event.

Recently I have started talking with others about the idea of describing the properties of the authentication event. Pam Dingle had two talks at Identiverse this year where she discussed this concept to include not only information about the authenticator, but also information about the account recovery process, what the activation factor was, etc. These discussions have led me back to read the Vectors of Trust (VoT) RFC 8485 (https://datatracker.ietf.org/doc/html/rfc8485). Although I haven’t yet pursued anything down this path, I think the VoT mechanism is well suited to describe the authentication event as a set of vectors which can be parsed to determine the suitability of the event to authorize the workload (or human).

I’m absolutely interested in helping pursue standardization in this realm. Please let me know how I can help.

-dhs

--
Dean H. Saxe, CIDPRO (https://idpro.org/cidpro/) (he/him)
Senior Security Engineer, AWS Identity Security Team | Amazon Web Services (AWS)
E: deansaxe@amazon.com | M: 206-659-7293
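As an added example that is not part of this thread (neither Dean's nor Justin's code), the Python below parses a VoT vector of the shape RFC 8485 defines and checks it against a relying-party policy of the kind Justin describes: a coarse baseline plus one specific requirement such as a key-based credential. The component letters and value codes are RFC 8485's; `WORKLOAD_POLICY`, the function names and the sample vectors are assumptions constructed here.

```python
"""Parse and evaluate Vectors of Trust (RFC 8485) strings.

Added example, not code from the thread. Component letters and value codes
follow RFC 8485 section 2; WORKLOAD_POLICY is an assumption made up here.
"""
import re

# RFC 8485 section 2: registered components and their value codes.
VOT_VALUES = {
    "P": set("0123"),     # identity proofing
    "C": set("0abcdef"),  # primary credential usage
    "M": set("abc"),      # primary credential management
    "A": set("abcd"),     # assertion presentation
}
_PAIR = re.compile(r"^([A-Z])([0-9a-z])$")


def parse_vot(vector: str) -> dict[str, set[str]]:
    """Return {component: {values}}; raise ValueError on malformed input.

    RFC 8485 section 3.1: period-separated pairs of one uppercase component
    letter and one alphanumeric value; a component may appear more than once
    with different values, but the same value must not be repeated.
    """
    parsed: dict[str, set[str]] = {}
    for pair in vector.split("."):
        m = _PAIR.match(pair)
        if not m:
            raise ValueError(f"malformed component-value pair: {pair!r}")
        comp, val = m.groups()
        if val not in VOT_VALUES.get(comp, set()):
            raise ValueError(f"unregistered component or value: {pair!r}")
        if val in parsed.get(comp, set()):
            raise ValueError(f"repeated value: {pair!r}")
        parsed.setdefault(comp, set()).add(val)
    return parsed


def meets_policy(vector: str, policy: dict[str, set[str]]) -> bool:
    """True when every policy component has at least one accepted value in
    the vector; a missing component or a malformed vector fails closed."""
    try:
        parsed = parse_vot(vector)
    except ValueError:
        return False
    return all(parsed.get(c, set()) & ok for c, ok in policy.items())


# Assumed relying-party policy (constructed): proofed identity, key-based
# credential (asymmetric key or sealed hardware), back-channel or encrypted assertion.
WORKLOAD_POLICY = {"P": {"2", "3"}, "C": {"e", "f"}, "A": {"c", "d"}}
```

With this policy, "P2.Ce.Mb.Ac" passes while "P2.Cc.Cb.Mb.Ab" (password plus known device, assertion via the user agent) fails even though both might be described as the same coarse level.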



From: Pieter Kasselman <pieter.kasselman=40microsoft.com@dmarc.ietf.org>
Date: Monday, July 8, 2024 at 8:06 AM
To: "wimse@ietf.org" <wimse@ietf.org>
Subject: [EXTERNAL] [Wimse] Request for Agenda Item: Workload identity authenticator levels

WIMSE co-chair hat off, identity enthusiast hat on.

Hi folks,

For user authentication, the industry has well-established concepts around different levels of user authentication. For example, NIST Special Publication 800-63-3 defines Authenticator Assurance Levels [1]. This raises the question of whether we (workload identity practitioners) would benefit from a similar set of definitions for workload identities.

Consequently, I would like to request a short 10-minute slot on the agenda at IETF 120 to discuss this topic, see if there is existing work we can leverage, and see if there is interest in pursuing establishing some form of Workload Identity Authentication Levels.

Cheers

Pieter

[1] https://pages.nist.gov/800-63-3/sp800-63-3.html