[Wimse] Re: Token Exchange and Translation Protocol

John Kemp <stable.pseudonym@gmail.com> Mon, 12 August 2024 20:33 UTC

Return-Path: <stable.pseudonym@gmail.com>
X-Original-To: wimse@ietfa.amsl.com
Delivered-To: wimse@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3A099C1CAF4E for <wimse@ietfa.amsl.com>; Mon, 12 Aug 2024 13:33:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AfL9yJjEM0Yh for <wimse@ietfa.amsl.com>; Mon, 12 Aug 2024 13:33:05 -0700 (PDT)
Received: from mail-qk1-x72a.google.com (mail-qk1-x72a.google.com [IPv6:2607:f8b0:4864:20::72a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 32BE7C1CAF48 for <wimse@ietf.org>; Mon, 12 Aug 2024 13:33:05 -0700 (PDT)
Received: by mail-qk1-x72a.google.com with SMTP id af79cd13be357-7a1d3874c1eso248929485a.2 for <wimse@ietf.org>; Mon, 12 Aug 2024 13:33:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1723494784; x=1724099584; darn=ietf.org; h=content-transfer-encoding:in-reply-to:from:content-language :references:cc:to:subject:user-agent:mime-version:date:message-id :from:to:cc:subject:date:message-id:reply-to; bh=Jh67Kfi/AwFinc86MB2wDhXev5BQeeitozCB2YPDHVI=; b=Wzo9AuviENErMBu1Sr0OywowFj5YvzR5D37AThKCS4+dCHJdjEGQGNDnszj1q6la9o Wo9c931kDe8+qtbEenlGqlY6kvlqq1gOftOxgiOd/vbPmESkbGJ6YQlHS0z5eSzCgzND J4CtzxISzJfyBoRhnWX+jjw7c6YSpQ2RlOz6ltaxzdCDOMAyCB3+Zf7du2gDR9exZVm1 mvbtmzif+ZOJYDUftyzOcpOBmkVCPlITvqxjPkUPcV4nIRDaa6jTzHAHmOuSiPjkXO+k 9cdvcHTyfITt5nHkegebYNQATr4DlR7jygQ88PVE8MdtzWbPLVTPv/4mR944PrON4uhs KyUQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1723494784; x=1724099584; h=content-transfer-encoding:in-reply-to:from:content-language :references:cc:to:subject:user-agent:mime-version:date:message-id :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=Jh67Kfi/AwFinc86MB2wDhXev5BQeeitozCB2YPDHVI=; b=ti83MFrWoFT7Zs0K0t5XXtwV4wpoEz1DS89f/tAz1IHa49dzsVxvSSCnI6FgQakKI7 uOFogNhDIapVUUFV9RZpMfk+aMZFzscZwOjHWs8dnm7n5RAogFeG9iTQH7F//QIF8Pb+ DYCkQ7V9YDLqftxt+J0I1J9SCaR9cI9Q0E5weVYFeL2vrzktaImYGhkMHNzB2JoJ+Dzx Bd4bSc9fgaGJabMULbRoXU6LROwfcZsUxKyjYZbMnaFFVv/vHZ9GtqXnMsCV4X98mKBZ PAzHIXKIkGLa0UQvxfnpJfVbtAh1RSfH/UzRhgWd0LyKYZ6jQtIoWXMh8/pnozYCBZk+ 7/eQ==
X-Forwarded-Encrypted: i=1; AJvYcCW9yip4OyNPfQBUpMsCdVzII1w8dSm561oupKUhEhMdWtZjspiOi/n/XNxMKTRcO7mfmPOKIpkt5nHcXlGxGw==
X-Gm-Message-State: AOJu0YwZImMlURpLFz9QRzDAsbWKqMh4IVu0+dym99OCJkWBwfS8aPeU VJ+A26B0Qkr1j/Oi1skmePO3V8ZlpxnMA8sX9/Rsl/rmWEUZ6Rm0
X-Google-Smtp-Source: AGHT+IFeJw7LxgSv6HLlAoq/voBxdfp1QWFqmf1KoPOHTtXsqtCoFq13sSWpxzBPKY61LQdv45UPqA==
X-Received: by 2002:a05:620a:4411:b0:79f:66f:9daf with SMTP id af79cd13be357-7a4e15cc4cbmr153039885a.47.1723494783860; Mon, 12 Aug 2024 13:33:03 -0700 (PDT)
Received: from [192.168.1.89] (syn-066-066-241-066.res.spectrum.com. [66.66.241.66]) by smtp.gmail.com with ESMTPSA id af79cd13be357-7a4c7e045bbsm276422685a.109.2024.08.12.13.33.03 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 12 Aug 2024 13:33:03 -0700 (PDT)
Message-ID: <b03ebc52-2b0e-4bf8-95dd-832e60234e38@gmail.com>
Date: Mon, 12 Aug 2024 16:33:02 -0400
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: Joseph Salowey <joe@salowey.net>, "Flemming Andreasen (fandreas)" <fandreas=40cisco.com@dmarc.ietf.org>
References: <17054C45-D280-4F6D-92FA-69780E697C69@mit.edu> <a48794ca-6c54-4643-990b-88a06bd08c9b@cisco.com> <CALH0CC19PEpPZvEE=JNW4y-Y8Ew5tbMLtGKq9-qVcrECtD8RCA@mail.gmail.com> <970c8541-ce9d-4869-9397-a648734ed72b@cisco.com> <CAOgPGoCT7x0hdyYdfxS21TepMn482rNdc_Xj7s8jBzVP6gitZw@mail.gmail.com>
Content-Language: en-US
From: John Kemp <stable.pseudonym@gmail.com>
In-Reply-To: <CAOgPGoCT7x0hdyYdfxS21TepMn482rNdc_Xj7s8jBzVP6gitZw@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Message-ID-Hash: L7MV4PYGXA3OKKPHO3FVATROCI43Y7IP
X-Message-ID-Hash: L7MV4PYGXA3OKKPHO3FVATROCI43Y7IP
X-MailFrom: stable.pseudonym@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Dean Saxe <dean.saxe=40beyondidentity.com@dmarc.ietf.org>, Justin Richer <jricher@mit.edu>, "wimse@ietf.org" <wimse@ietf.org>, Brian Campbell <bcampbell@pingidentity.com>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [Wimse] Re: Token Exchange and Translation Protocol
List-Id: WIMSE Workload Identity in Multi-Service Environment <wimse.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/wimse/LDFzjnt-T0HwNX_r1IToOuUOFzA>
List-Archive: <https://mailarchive.ietf.org/arch/browse/wimse>
List-Help: <mailto:wimse-request@ietf.org?subject=help>
List-Owner: <mailto:wimse-owner@ietf.org>
List-Post: <mailto:wimse@ietf.org>
List-Subscribe: <mailto:wimse-join@ietf.org>
List-Unsubscribe: <mailto:wimse-leave@ietf.org>

I also support A, and related to Joe's comments below, I think we need 
to develop a deeper understanding of what token "translation" means, 
within the specific areas that Flemming pointed to in 
https://www.ietf.org/archive/id/draft-gilman-wimse-use-cases-00.html and 
also with particular regard to what is already in RFC8693.

In my opinion, there are three overlapping concepts:

1. Token (initial) issuance -- in my mind, this token is issued in 
response to a set of primary identity claims being validated enough to 
"authenticate" the maker of those claims. In particular, token issuance 
is part of the SSO dance in response to a (human) user authentication 
event where the user is pretty explicitly delegating an application to 
operate on the user's behalf.

2. Token exchange -- a token is offered to a "security token service" 
and the token is a set of identity claims that are self-contained within 
the token but can be authenticated cryptographically within the context 
of that session. The original token is exchanged for a (one or more) new 
token(s), which may have different semantics than that of the original.

3. Token translation -- a token is provided, and the original semantics 
of that token are maintained in the production of a new token (or 
something) usable in a different context. We could describe these 
contexts as token translation "profiles".

In the case of SPIFFE <-> "OAuth" we're pretty explicitly moving between 
a world where the root of identity is non-human, to one where the root 
of identity is (or started as) primarily human (and vice-versa). We may 
or may not need to maintain the human context (authorization of a human 
delegating to an application -- workload in/out of the context of a 
logged-in SSO session). In particular, I am mindful of "as a SPIFFE user 
with more than 10k workloads, I’d like to access OAuth protected 
resources without having to manage 10k OAuth Clients" (from the 
use-cases doc linked above).

There are, of course, humans involved in workloads. The human that runs 
an application which calls a workload to run some query across some 
nodes, and authorizes it to run even while the human is logged out, say. 
Or the sysadmin/devops human that bootstraps an orchestration framework 
that offers nodes upon which workloads may run.

Cheers,

- johnk

John Kemp
Independent Security Architect
e: stable.pseudonym@gmail.com
t: +1.413.645.4169

On 8/8/24 6:11 PM, Joseph Salowey wrote:
> I support A - continue to work on this document to develop it for 
> working group adoption.  While the document needs a fair amount of work, 
> I don't see anything that really hinders it from becoming something that 
> we could adopt.
> What I would like to see in this document:
> 1. I would like to see the more concrete use cases and examples fleshed 
> out more.  Maybe not all of them need to go into the document, but I 
> think we will need these going forward.
> 2. Do we think that all the use cases will need to use a new token 
> translation endpoint?  I'm not sure, but I really would like to 
> understand the functionality and characteristics of the new endpoint.  
> Also it seems token exchange would work for some of the use cases, would 
> the use of existing token exchange procedures be described in this 
> document as well?
> 3. I like that there already are some security considerations in the 
> document, but I'd like to see a bit more fleshed out before adoption, 
> but it does not need to be exhaustive at this point.
> 
> Thanks,
> 
> Joe
> 
> On Wed, Jul 31, 2024 at 2:04 PM Flemming Andreasen (fandreas) 
> <fandreas=40cisco.com@dmarc.ietf.org 
> <mailto:40cisco.com@dmarc.ietf.org>> wrote:
> 
>     __
>     Hi Dean
> 
>     I think we are largely on the same page here. Wrt. the use cases
>     I-D, I assume you are referring to
>     https://www.ietf.org/archive/id/draft-gilman-wimse-use-cases-00.html
>     <https://www.ietf.org/archive/id/draft-gilman-wimse-use-cases-00.html> ? If so, that draft expired in February, and I'm not clear on what the intent of it is going forward. Regardless, when you look at the use cases described in there, I don't see anything specifically talking about token exchange/translation. I think I generally understand the notion of token exchange based on RFC 8693, however I'm less clear on token translation as defined in the draft. The AWS-to-SPIFFE scenario described in the draft makes sense, and I am asking for more such examples to help guide the specific translations we shold be focusing on (profiles). From a documentation point of view, I like the more descriptive style of some of the use cases, but I also recognize the value of the user story approach taken in the use-cases draft above - a combination of the two would be ideal from my point of view.
> 
>     Cheers
> 
>     -- Flemming
> 
> 
>     On 7/31/24 14:47, Dean Saxe wrote:
>>     Flemming,
>>
>>     Thank you again for the feedback.
>>
>>
>>     For IETF 120 the most important output (IMHO) was to frame up the
>>     problem space and an approach to solving for the use cases we
>>     identified.  The doc is rough and at a high level because we
>>     really needed feedback to inform the next steps - are we
>>     approaching this problem from the right perspective?  Are we
>>     missing something in the existing RFCs?
>>
>>     I agree that there’s more work to be done on the use cases draft
>>     to inform this document.
>>
>>     Additional commentary/questions inline below.
>>
>>     -dhs
>>     --
>>     Dean H. Saxe, CIDPRO <https://idpro.org/cidpro/>
>>     Principal Engineer, Office of the CTO
>>     Beyond Identity
>>     dean.saxe@beyondidentity.com <mailto:dean.saxe@beyondidentity.com>
>>
>>
>>
>>
>>     On Jul 30, 2024 at 6:16:23 PM, Flemming Andreasen (fandreas)
>>     <fandreas=40cisco.com@dmarc.ietf.org
>>     <mailto:40cisco.com@dmarc.ietf.org>> wrote:
>>>     We have a charter item corresponding to this document and I don't
>>>     see any other candidate documents at this time, so I vote for A.
>>>
>>>     The document is pretty rough though and mostly introduces some of
>>>     the problems to consider. Additionally, the document would
>>>     benefit from the following:
>>>     - More work on the requirements to feed into this document (per
>>>     separate e-mail thread on requirements)
>>>     - A set of representative use case scenarios to illustrate what
>>>     we are after. This is especially important for the "token
>>>     translation" scenarios.
>>
>>     How is this different from the use cases described in the use
>>     cases I-D?  Are these more concrete examples or something entirely
>>     different?
>>
>>>     - Clarity on whether we aim to use (/profile) RFC 8693 for "token
>>>     translation" or whether that is only for "token exchange"
>>
>>     I have an action item to follow up with Brian Campbell on this as
>>     discussed in the WG last week.
>>
>>
>>>     - Clarity on which token formats we want to be able to
>>>     translate/exchange. While the document notes that these will be
>>>     provided as "translation profiles", we shold understand the
>>>     target ones early on, and develop at least some of them in
>>>     parallel with the basic translation/exchange protocol.
>>
>>     I am supportive of developing the profiles side-by-side with this
>>     ID.  I thought I had said that in the meeting, but if I did not,
>>     that was my intent.  My thought process was to enable profiles to
>>     be developed on a separate track to allow the WG to deliver RFC
>>     candidates more quickly without allowing one profile to bog down
>>     the work on the larger token translation doc.
>>
>>     If you have suggested token translations to focus on in the near
>>     term, please let me know.
>>
>>
>>>
>>>     Cheers
>>>
>>>     -- Flemming
>>>
>>>
>>>     On 7/29/24 08:25, Justin Richer wrote:
>>>>     Following discussion in Vancouver, the chairs would like to
>>>>     begin discussion on what the next steps should be for the Token
>>>>     Exchange and Translation Protocol document [1], an output of the
>>>>     Token Exchange Design Team. This is not a call for adoption as
>>>>     there was a clear indication in the room that the document was
>>>>     not yet ready for this stage.
>>>>
>>>>     Please reply to the list to indicate that:
>>>>
>>>>     A: You believe this document should be developed into a state
>>>>     that the WG can adopt it. (Please discuss what you believe would
>>>>     be required changes for this. Please keep in mind that a call
>>>>     for adoption is a starting point for a document, not a finished
>>>>     document.)
>>>>
>>>>     B: You believe this document should NOT be developed further by
>>>>     the WG. (Please indicate why if possible)
>>>>
>>>>     C: You need more information before making this decision.
>>>>     (Please indicate what information you’d need)
>>>>
>>>>     D: You don’t give a flying rat about this document (i.e., this
>>>>     is not a topic you care strongly about)
>>>>
>>>>
>>>>     Please reply to the list by August 12th, 2024.
>>>>
>>>>     — Justin and Pieter
>>>>
>>>>     [1]
>>>>     https://datatracker.ietf.org/doc/draft-saxe-wimse-token-exchange-and-translation/ <https://datatracker.ietf.org/doc/draft-saxe-wimse-token-exchange-and-translation/>
>>>>
>>>>
>>>>
>>>
>>>     -- 
>>>     Wimse mailing list -- wimse@ietf.org <mailto:wimse@ietf.org>
>>>     To unsubscribe send an email to wimse-leave@ietf.org
>>>     <mailto:wimse-leave@ietf.org>
> 
>     -- 
>     Wimse mailing list -- wimse@ietf.org <mailto:wimse@ietf.org>
>     To unsubscribe send an email to wimse-leave@ietf.org
>     <mailto:wimse-leave@ietf.org>
> 
>