IETF Logo Mail Archive

[Wimse] Re: What is an identity and section 3.2.1 of draft-ietf-wimse-arch (or must identity be the compositum of all attributes?)

Joseph Salowey <joe@salowey.net> Tue, 02 July 2024 00:52 UTC

Return-Path: <joe@salowey.net>
X-Original-To: wimse@ietfa.amsl.com
Delivered-To: wimse@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 669C2C151095 for <wimse@ietfa.amsl.com>; Mon, 1 Jul 2024 17:52:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.908
X-Spam-Level:
X-Spam-Status: No, score=-1.908 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=salowey-net.20230601.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6WxbIxs4HxNJ for <wimse@ietfa.amsl.com>; Mon, 1 Jul 2024 17:52:30 -0700 (PDT)
Received: from mail-lj1-x229.google.com (mail-lj1-x229.google.com [IPv6:2a00:1450:4864:20::229]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2D461C14F5FB for <wimse@ietf.org>; Mon, 1 Jul 2024 17:52:30 -0700 (PDT)
Received: by mail-lj1-x229.google.com with SMTP id 38308e7fff4ca-2ee4ae13aabso37993081fa.2 for <wimse@ietf.org>; Mon, 01 Jul 2024 17:52:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=salowey-net.20230601.gappssmtp.com; s=20230601; t=1719881547; x=1720486347; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=uIqpIMtxWdR/2W0sxCkyylEU82Hb71Q25POXjSp2eC4=; b=rsleEzLTJAipkjjNqNPWmXI8bfLPGB8WUOzSDmNBmIL2s2gbk0xnZddHgRywoDeEay n//+6jcUrUpHn6lgB+uHb4Y5cjYa9EgUj7UC4ppKJruWkYYJ4cBWHzJogAAc+LRf4ulJ mDwGi3CUaf0EnDpmOPlAX62ftmF/FThoLKbcisU95NpQ4uv5e2TgIZ9T2RwYYZ7AdbPY nSo+32oymoIhk5L0H6v/nOOEMci1HZw9MHGlYZjRkh3WAKe4x8srZp+t6aACf7UKR0Lm g5MHWDvzvJoByyMrf72w7ket5D1RdYIoR8F16C7fXXtt4iLajwt3q1lgJcH9TxV/EFD8 pNQA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1719881547; x=1720486347; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=uIqpIMtxWdR/2W0sxCkyylEU82Hb71Q25POXjSp2eC4=; b=VYQDjpVCGhCOGkA+NPkSupt8hXA6DIrGczq9g63bqpC0nY10Pxk1SgrlBXQSWIHh6f b+qggzOn0CPpGY5Q1giYGumCGtPTX7Bhtu17bkIgO07pQT1xS8/bHPEI/r+0vrkJv5Ps 4HG8EJRz0oboqe8Q8JE9K8QPUTqOlySWiwd+/yercwHfxDVEYMJNLrtNjhH740rgOci0 FXczhLTeE/A/62XFXQZU7JZuWSi10JIVRHASXoy/omu5CYSI5ovvby28rWtPTP6/02Y6 /CplVNjXIDaQ+3bK9N7ngjfqrOtLAQCfIxq4X05qwN4m+y4aNRYw2cwEBxfJKa1Ej6+L 7cWA==
X-Forwarded-Encrypted: i=1; AJvYcCV3zCphWGQgALqLdv7hdSNiqcOOC3fawuz+aWlA+aK7xCXNBFtWWTv1a8vBs8aTerKMqrpcNtN74pP/5aUIBQ==
X-Gm-Message-State: AOJu0YxfYGjFgX3/J3l3GHdx9g4jrHjfgpTTNG/W26K4BBBBeyhCRm5y 2a3SngMCD27Tzuv2ChNu85wNpGc/aeuwdxqaLmiH1I9ybgOXkMrgOlOp3jamzB8v/9lrTQ8IHcs 4mkNFn1vyg4HIi/XGtJAzKPhr3waJT6e+3Aq3wg==
X-Google-Smtp-Source: AGHT+IHq3jaoPE0yt9rQne71tc2x56uakWgNiQLDjn6dIX8/d2jHLb8IUj4id79xHNKqBnPYP2fSwgDO30ifswuie3M=
X-Received: by 2002:a2e:90d3:0:b0:2ec:595a:2d1d with SMTP id 38308e7fff4ca-2ee5e36d2bamr47868121fa.19.1719881547373; Mon, 01 Jul 2024 17:52:27 -0700 (PDT)
MIME-Version: 1.0
References: <CACsn0ck4tzTV7xgYPbZ-_L1rR9RUiwmrPL4Dba_maNsuq+tdTw@mail.gmail.com> <0900E8B5-18FD-42D7-9D3F-B4E47C073061@mit.edu>
In-Reply-To: <0900E8B5-18FD-42D7-9D3F-B4E47C073061@mit.edu>
From: Joseph Salowey <joe@salowey.net>
Date: Mon, 01 Jul 2024 16:52:15 -0800
Message-ID: <CAOgPGoBK=tJzXCO0rRETr509RcioufeOQULXxipM=hdwWR=1+Q@mail.gmail.com>
To: Justin Richer <jricher@mit.edu>
Content-Type: multipart/alternative; boundary="000000000000aff288061c392027"
Message-ID-Hash: IZHOJE5SYF5TKKEH4HZPHPS3GTKQK4JK
X-Message-ID-Hash: IZHOJE5SYF5TKKEH4HZPHPS3GTKQK4JK
X-MailFrom: joe@salowey.net
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Watson Ladd <watsonbladd@gmail.com>, "wimse@ietf.org" <wimse@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [Wimse] Re: What is an identity and section 3.2.1 of draft-ietf-wimse-arch (or must identity be the compositum of all attributes?)
List-Id: WIMSE Workload Identity in Multi-Service Environment <wimse.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/wimse/K6MAA0AUL3LDqcU-IvRqy-LUCas>
List-Archive: <https://mailarchive.ietf.org/arch/browse/wimse>
List-Help: <mailto:wimse-request@ietf.org?subject=help>
List-Owner: <mailto:wimse-owner@ietf.org>
List-Post: <mailto:wimse@ietf.org>
List-Subscribe: <mailto:wimse-join@ietf.org>
List-Unsubscribe: <mailto:wimse-leave@ietf.org>

I put together a PR (
https://github.com/ietf-wg-wimse/draft-ietf-wimse-arch/pull/36/files) for
the architecture draft to try to better describe identity in a new
section.  Please comment and let me know if it helps. Other sections will
probably need to be modified once we tighten down this section.

Cheers,

Joe

On Tue, Jun 18, 2024 at 10:11 AM Justin Richer <jricher@mit.edu> wrote:

> Thanks, Watson.
>
> [ Chair hat off ]
>
> Ah, monads, I should have known they’d crop up here eventually. :)
>
> I agree that there’s a fundamental difference between "what something is"
> and "what something can do", and on top of that there’s also "what we call
> something". All the "something" in this case is a workload in its context.
>
> In many cases, it’s tempting or even convenient to wrap these up together.
> After all, if I know who you are, then I should know what you can do based
> on that. And if your identifier — the thing I call you — gives me some of
> that information in a structured format, then all the better, right? This
> is a large part of the thinking behind the SVID concept - the name has some
> internal semantics that guide me towards understanding what to do with the
> thing that has been given that name. And this pattern has been hugely
> useful, since it lets you carry information about authorization through a
> system using something that I guarantee will be there, the identifier.
> That’s what I’m reading from that section in the WIMSE Arch draft — here’s
> a larger identity question that gets encoded into an identifier and used
> for authorization decisions.
>
> But for me, WIMSE does represent an opportunity to tease this apart better
> than it has been in the past, while still allowing us to deliberately
> collapse things in cases where it makes sense.  I should be able to figure
> out that Jessie is cow #2 without naming her "Jessie.cow[2]". But then the
> question becomes, how do I carry that information? And more importantly for
> us here, how do I do that in a way that’s interoperable on some level?
>
> And the question goes further, because I don’t believe that identifying
> the workload is where the security decisions stop. In fact, I think that’s
> just one input, and not even necessarily a required input, into an
> authorization decision. Much more important is the context of the request
> in which the workload is running. This goes beyond the identity of the
> workload itself and into the world that the identified workload finds
> itself in at runtime.
>
> I am not going to pretend to have clear answers, but I do think there’s
> merit in pursuing these questions to find them. But that said, I do believe
> that there are several concepts that are separable here, which can
> sometimes be expressed together using the same element:
>
> - an identifier for a workload that is readable by other workloads and
> systems
> - the collection of attributes that uniquely identify a workload (the
> identifier being one of them), its "identity"
> - the runtime context around a workload (request context being a big part
> of this)
> - the set of computed access rights for a workload in a context
>
> In my view, OAuth access tokens are just one input to the runtime context,
> but today they’re being used to express all of these things in different
> ways in different systems. I really do think that if we’re going to stop
> always conflating things, we need to work on fundamental differentiation.
>
>
> — Justin
>
> On Jun 17, 2024, at 7:59 PM, Watson Ladd <watsonbladd@gmail.com> wrote:
>
> Dear wimsyists,
>
> I must confess to never having read Leibnitz, but I think section
> 3.2.1 will force me to. I hope this long rambling email explains why
> and elucidates some of what confuses me in WISME, and hopefully others
> find out they are likewise confused.
>
> Section 3.2.1 implies the identity must include a bunch of information
> that's relevant to the problem of authorizing a request, that is
> conveyed by whatever ticket brings it alongside a request.
>
> There are two notions of identity at play here. The first is the
> concept that makes one thing not like the other. The other is the name
> by which we might call a thing not like the other. E.g a farmer might
> have cow 1, cow 2, cow 3, or Bessie, Jessie, and Daisy. Bessie does
> not convey any of the relevant information about that cow, but does
> identify it uniquely among the herd. To me this is also identity, and
> indeed is the identity that would be most convenient to convey. This
> is where Leibnitz comes in.
>
> Now given a request we might want to evaluate the fundamental question
> of "who get to do what to whom". And here I think the distinction
> between authorization and authentication has been elided a bit.
> Authentication only determines the who. Authorization is about
> answering the question of if the request is in fact authorized. A
> token could speak only to authentication, but it could also provide
> authorization information. The draft is pretty ambivalent about which:
> while there is a lean towards authentication it seems the token
> issuance is also supposed to be a gating function, and the token
> needing to carry more than a simple identifier means that it starts to
> blur the line.
>
> Lastly there's a huge gap for me around what sort of policies make
> sense. Many systems I've seen and worked with had a broad class of
> services provided by various elements, and the users of such services
> might be a very dynamic set. Others had a self-serve partitioning of a
> class of resources allocated to each service calling in. Other times
> we might have systemic policies, e.g. "Infosec says all services must
> do X, which we can determine at build time, and those that don't can't
> run". Expressing these policies in human understandable form argues
> for a simple identifier as a human readable policy depends on such
> identifier. I don't think a complex identifier works for that.
>
> In conclusion I think we need to make an explicit choice. Either the
> token carries a workload identifier (akin to a Service in K8S or
> something else?) or it carries a grab bag of attested environmental
> attributes over which policies run. And I think we need to figure out
> what policies should be expressable and which shouldn't be.
>
> Sincerely,
> Watson Ladd
>
> --
> Astra mortemque praestare gradatim
>
> --
> Wimse mailing list -- wimse@ietf.org
> To unsubscribe send an email to wimse-leave@ietf.org
>
>
> --
> Wimse mailing list -- wimse@ietf.org
> To unsubscribe send an email to wimse-leave@ietf.org
>

v2.31.3 | Report a Bug | By Email | System Status