IETF Logo Mail Archive

[Wimse] Re: Request for Agenda Item: Workload identity authenticator levels

Pieter Kasselman <pieter.kasselman@microsoft.com> Tue, 09 July 2024 09:54 UTC

Return-Path: <pieter.kasselman@microsoft.com>
X-Original-To: wimse@ietfa.amsl.com
Delivered-To: wimse@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 76747C1CAF3F for <wimse@ietfa.amsl.com>; Tue, 9 Jul 2024 02:54:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.253
X-Spam-Level:
X-Spam-Status: No, score=-7.253 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.148, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bhNa1JxYQw8d for <wimse@ietfa.amsl.com>; Tue, 9 Jul 2024 02:54:45 -0700 (PDT)
Received: from EUR02-AM0-obe.outbound.protection.outlook.com (mail-am0eur02on2122.outbound.protection.outlook.com [40.107.247.122]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DFA42C17C8B0 for <wimse@ietf.org>; Tue, 9 Jul 2024 02:54:44 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=ixoh0FXrLxwyf1Y6ewjM+HXFLZL6LNMcuGgdlqWaH13evp047smd0ftDKVs/UJNVWb0dcN71ZwkpClXiBPi8MvbGfps124j5oJApLlFIG5J3uVuJNte65N+FP0Qf+kTLQG302fE5AJZeGZPGMKZll/3tPVe9oWxWHQdPmwS/XWnQq5cN57kWgUmRpUOtkg0li6E/TaChHezbNIZnisGHzq/a1FUdwAF8JIj0EzvxJBuMmQsB+vwEzcOhpYnX/VFBXiPPERROO5h1P0JUIZugu/WsqHleV7owajWsMXby/TjJmteo/6ORbx+MGowy3lHLg87XtcwKFmPe+tUxHM8R3A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=VtAOPP4j5JYXKmJFXPBqIcKpxd4tDeVPlyFEbg80/aA=; b=S+J6QsSVY3RKLne/P++x0hgr4cfdSN7euZ5bWw0hPBFPNxlMWJp1ZJiZO21coT2grfjKACWgecrrhqju6r02R+dodRQ37VfJNTfQX6uJNp8VF92IYY3lzwWOYRZDUC7ZlQSJ9alHcly6INQFgZeXJs9hX+zRqLqRX3wbE2DG/9ZpRks+Pm37xdT+VVf3YWHvXU0uYgMOlW1jRFD2WNUtzu7ZyDOhsZ9GumFEjQjUmpzMG4fIZ6IFlBVl7KzRk8r55oOwNIfDIq5thifvzmdSZy44fIsVwh8KU4+EUA/4ZopuE9FOVzdbRQmXBmm+5l14JkFTx7KwsmWGpCuuHeOq0w==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=microsoft.com; dmarc=pass action=none header.from=microsoft.com; dkim=pass header.d=microsoft.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=VtAOPP4j5JYXKmJFXPBqIcKpxd4tDeVPlyFEbg80/aA=; b=ftMsNFkNkU1ku5DA4XzEqkX0ccUskvh1RWjcnrm7umIiHbhSq/7cHQqIdr6saMWiFjYMI+AxWJOHQ/jJFQaEfArdXd2rDrz3aP7Jb6+J2D7VoJ2xf147y++qsqY19iQxLiIGeUGEuAXANadjmJ1wrep3UmL3gMk/1voZsFxNiEA=
Received: from DBAPR83MB0437.EURPRD83.prod.outlook.com (2603:10a6:10:19e::6) by VI1PR83MB0400.EURPRD83.prod.outlook.com (2603:10a6:800:19e::18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7784.5; Tue, 9 Jul 2024 09:54:40 +0000
Received: from DBAPR83MB0437.EURPRD83.prod.outlook.com ([fe80::9ee1:305:cfd7:dded]) by DBAPR83MB0437.EURPRD83.prod.outlook.com ([fe80::9ee1:305:cfd7:dded%3]) with mapi id 15.20.7784.001; Tue, 9 Jul 2024 09:54:40 +0000
From: Pieter Kasselman <pieter.kasselman@microsoft.com>
To: "Saxe, Dean" <deansaxe=40amazon.com@dmarc.ietf.org>, "wimse@ietf.org" <wimse@ietf.org>
Thread-Topic: [Wimse] Request for Agenda Item: Workload identity authenticator levels
Thread-Index: AdrRRtypWMkjLki2Q/mH2vk9AMsC9P//5jeA//6tmWA=
Date: Tue, 09 Jul 2024 09:54:40 +0000
Message-ID: <DBAPR83MB0437B1E1A87C9DDB4F2DFC3291DB2@DBAPR83MB0437.EURPRD83.prod.outlook.com>
References: <DBAPR83MB043778953C0CBEE5AF93CFD991DA2@DBAPR83MB0437.EURPRD83.prod.outlook.com> <26349E6F-7DFA-447D-977C-5E1C6E5E1F0D@amazon.com>
In-Reply-To: <26349E6F-7DFA-447D-977C-5E1C6E5E1F0D@amazon.com>
Accept-Language: en-IE, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ActionId=3a287672-bdf6-4404-813e-e9f6476c4842;MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ContentBits=0;MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=true;MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Method=Standard;MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Name=Internal;MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2024-07-09T09:34:17Z;MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47;
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=microsoft.com;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: DBAPR83MB0437:EE_|VI1PR83MB0400:EE_
x-ms-office365-filtering-correlation-id: 6e10e6ee-6aa5-4e3f-18b8-08dc9ffd26dc
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;ARA:13230040|1800799024|366016|376014|38070700018;
x-microsoft-antispam-message-info: xtxlBUzDlrseXzDKZ78NlgB3CtHYMy9kI+/1Mhg/XW5u8uN8BmXmvZ6zE2g/GdaVniPb7lqEFIQUrqpH4ykaHkbrfB0v4saDiDm47iI8UGw2p9Iy15f9zw4cKyRvHtBE0Cqa5V1waGzYI1ThxjA/Wj+3stMW7B6y79+gzpFvVzamzgrz+HZqeeExUqHSSfP87VkJfak0ESbErIHZMJDioFYH32QMqJ0LZoczJcWtMxigDxp7ndYwCdnT7AkeVxVRsaUKvDoRI+R2cLR2jlq9sgqAQfziUyApCAdT0/MthhQMPM1rcjUqC84uW9jmHNKKt1AzpqKLssDTZDo4PzgS4wvgnQ/S9XEtTAs8s6bhty4dByQK4JUNalvEmPkzSipmcPpjTe+UwZ8T2J2JE60z0RE/Mmdz3WUBDjg11EuCuID1IwGaYLUjb0XDPRqIHv+W7DeilwoIdfASpE7jLuBJ4kugH1FE5FnAAiih7nX0UP71f/8WsMT4Gh7Ks2g7QHnMuGuSMnx/dH0guiK+iVBDpYC2oeJdEEfki0gaoECfNodCmNFkbWtc2RALLzUW12a08XFqxRc/pCjsOUU2NBvylBcmRhv/fFVhXaDmlsKWfwVJII4zahWD9YnU+ZAbfUgR6gJlhov5W6QGPsSLIWS5CxaWLVKPtwuqD/oJ7cKSV1yR7dhsPnlmqaMquUrFy5OdDfplso3uVDRmiRCJ2MdprVfUkgoSpC2PXJPwJzZZvie/CK2iKr3P19EQbh9ow4oWjblDnf2YUEW0qfdEiNfl8HSGJlD9N9k8zWmkQEApsfedZPUNpXRAoiyPRYQdaTrntfTPNQiqpmF41tLW4tFfcq/2QAEHalLX5PqsH2LDT7fC9rFUV0pfwLwEDbsVspf/RUp1j59LC/6GtBLSaPCyLWRi4gTFSrsN29ZeSweyHGL5B5QFjh1MOxnZogkHWLTFzHlfj8gT+dirq1Mks/4Jo9BDhPlAsDnxS8sBemldMoSO7wihmPgM7pNtL88GO2FvbuRzug3e22w2krGnOXVy8flpn/g/A6i4zUHDTUwFiEY3SXW3Vq8Ee7eKhqkGzd67lG3zP5tHBFkPvedQZre/boRyzC4CgJnyofJ+0fg6S9D3U2T7XYWjMvgWkGQ1/rmZRmpn62FV7PGORYlci1RzG0MhuXB+SEGvUnXgqD8w2DrtS8y25WBVBGacca7/7s/mWdLuGfA0iUyYhtm065piSfNkBGBZj/9pIkPIhtY0uQ4JZEEueO8ZhNs8ud+47AF+IeyiARY+M3B09GqMkM+lXZW6hbKbUNO63btmPQWKkYNAnnFGILxraEk8OQBV1fFkaY/G330wEvm653LsMG8C0u+hiA+qPopGJZKWvaC/vNE=
x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:DBAPR83MB0437.EURPRD83.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230040)(1800799024)(366016)(376014)(38070700018);DIR:OUT;SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: X2RZzSYYVPBBBdEJF1ZHMAqQJMa50KPIThYQgrKvcoXuIOgEJeiiUrSpAJEyZsgZw8M5fDdbLPgrxK45XB0a/eN0rWJXl+gNzmwXxsWrd5bkZoyUrVdpR2Eq4UYUl5auXmFtbVncd971/PVmEmy5RpVHnS9LOiCjoFH/fwlfFbU+Bbpkm8M0H+Ss0sFUIwvS6Xio4FQ1kkzCeMVpFHGFgBqN5c8hkw46/HVJJu3Ff0xdNd0bU6cxIQPWEP5MuKtscIV6bjAL7NMlCTEgRm6SMamuBtF5K+NXVNwmWiB72m4/88mvKQiH8pgPqtZBSX8BCncJVE886BowNGKJjvxbrZlceeSU2P75uT5yp9RnoLV4qh0gdFTymAxgNDOghsXZdnDJpIxyc8XlZyfC0IZhRBCaRPVHHkMBbq98n2/uPUkkevJVXq2cpH43G4RvRKAbO+Vq2nRZ76e/CFO1AroYSqTADrV70WX2xMYtgIJCjMJ0x6tJjXHPLEGwhE7Kfizc71XUeuRVuEhS6Lgg5G1y+euvaREZAb+czm2rWA1bKc3TKkoQkZFKCtqoiELrAVM58Jo42Ueub71vLMGOiMzO/QkCEyBQIzKPAhcLAj0xeTK7VT/juWJToxp3ljXzS3DDVEZZqouqU15VsO7KDo5rj4rb22q5K/iqUQOxj0yHKe2sXGklqx2mCYRKkcsmXuood+Sac0JJ0B/61mlfsu4ohN/+3qkhawfJkbG8d7aUREXK8IHynaTb/QnIldqht5M4w7jeBUWWsEJ6NYwbbT2I36+n5L/KFkm6Im36ON1T2FTih8C5mhJJ19K+0XhC1HgO3kwoPk8LJi6dLD9aUuYZK8SqGLZulal8xXdXWbqPbsO/zlmU/BhrmrPo5xdYlMSb9mQ2DW/x34hZ2upKGF+3yTGIir4x1+l2ZL0HwwJVmzZwvz4XDKeDu4+JQ4eDAoIfJBdeUQmyFlRWWGxaqcXV7ydBtD9rqouWW/jEZzpI78fXwMUWR+LR30NrEC+L/9St+cq8whyBnPpYCa3Co0+Bb8qwoO7DB1jmFnak1fJcKtTS9JbuDK9G06beQBc6zNp0kVt/s6BHLdnS8CAvq+2l9JUzg0XX+8MGdmmGkiaNWK5XKAl/zP1cHPi48UOd87HsLRR6QlnPH3BAxE7OO2l+qs3HkNPmTyus4FSYB7pLFkP5HPpb4M/GpN7CjbEtCAVfp1kgGGk+BDAvERZ4QfXoatpuQSmtIHV0sAtySS8Q7WcqCcuuHz6AlfNFb6vNwawHAqI/hJS9t8x2e5g4C4p1pytyAwF6IWzDayYrqmRklDs2jL/uDQHXbZw/2HmlfBH7oV0rntC8Y64t6ARlNPZe6V1AXfJ4IfmmGirNzoy7p2A/mUAjNYX7Hi5UGUxKSjqLu0LTHYezuhqmFAJSFBUHFMrn7fc6JtNZ9bRBrlvs8ll+qF+VHm6EEGIBtNhytruRyNfOhmESj4/WsHsJYc5PJfs7mjIbaTtylQUeHycrrX1UsP3ZdDlDvQ/t4kPadXlu
Content-Type: multipart/alternative; boundary="_000_DBAPR83MB0437B1E1A87C9DDB4F2DFC3291DB2DBAPR83MB0437EURP_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: DBAPR83MB0437.EURPRD83.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 6e10e6ee-6aa5-4e3f-18b8-08dc9ffd26dc
X-MS-Exchange-CrossTenant-originalarrivaltime: 09 Jul 2024 09:54:40.7140 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 5Des18ZxspqSuX87hYa0xzS5i3De9SvHwYbS3yFCP3snSeCNyrPGxxuaO6KD8kfh8GcqpHK1FlE3Ct0ftZdi4Iz11bA3+rKiN5YULLtBADE=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR83MB0400
Message-ID-Hash: 4QB7RYF5ZWYCUN4O37IJBBA4FE3S75TM
X-Message-ID-Hash: 4QB7RYF5ZWYCUN4O37IJBBA4FE3S75TM
X-MailFrom: pieter.kasselman@microsoft.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [Wimse] Re: Request for Agenda Item: Workload identity authenticator levels
List-Id: WIMSE Workload Identity in Multi-Service Environment <wimse.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/wimse/NlTVGMU1h0CUOjKmoIpdtuCkylA>
List-Archive: <https://mailarchive.ietf.org/arch/browse/wimse>
List-Help: <mailto:wimse-request@ietf.org?subject=help>
List-Owner: <mailto:wimse-owner@ietf.org>
List-Post: <mailto:wimse@ietf.org>
List-Subscribe: <mailto:wimse-join@ietf.org>
List-Unsubscribe: <mailto:wimse-leave@ietf.org>

Thanks Dean

Those are some great point to discuss - levels of granularity, additional metadata and time variance of authentication strength. I want to add another dimension, and that is ease of adoption.

Granularity: In terms of the granularity, I wonder if more precision would actually help, and whether it makes adoption harder. The more granularity, the more choices, the more sophisticated the person deploying the system needs to be. Course grained categorie may be very useful in simplifying decision making, but we may want a lot of fine grained information about the actual mechanisms used.

Additional Metadata: The additional metadata that may be interesting, not so much at deployment time, but at runtime. Knowing the details of the authentication mechanism may be used by identity threat and detection systems, provide richer audit information and provide additional context to evaluate runtime risk.

Time variance: I think we have examples of how other long-established standards try to represent this (for better or worse) . For example there is a ISO 9001, ISO 9001:2015, ISO 9001:2024 and so on. Perhaps the naming convention should include a reference to the data, maybe not only at the spec level, but perhaps even as part of describing the authentication level (e.g. AAL2:2024). I think this is a generally hard problem though as most security properties tend to erode over time (you could argue all of the post-quantum crypto work is a version of this). I do think we want some sort of scheme that is extensible and easily recognisable.

Adoption: When I think about adoption, I thinkabout the “expertise elsewhere” case. We need to make the decision of what to use easy for the non-expert. This is where coarse granularity is really helpful – if I understand that there are 3-5 classes, their distinguishing characteristics, and that each successive class is a superset of the previous classes, it creates a simple mental model – I need these characteristics, it maps to this class, it means I get all the security characteristics of the preceding classes. Suppliers can then create multiple implementations that meets the characteristics, and the details of those implementations (what kind of crypto is used, when was it used, how is it recovered etc), can then be logged at runtime where management systems can interpret and apply more fine grained risk rules (e.g. a authentication level may be met, but then a vulnerability is discovered, and a specific subset of implementations may be flagged for extra scrutiny).

The good news is, there is some lessons we can draw on from user authentication. Let’s see if it can be extended to workloads.

Cheers

Pieter

From: Saxe, Dean <deansaxe=40amazon.com@dmarc.ietf.org>
Sent: Monday, July 8, 2024 9:23 PM
To: Pieter Kasselman <pieter.kasselman@microsoft.com>; wimse@ietf.org
Subject: Re: [Wimse] Request for Agenda Item: Workload identity authenticator levels

Pieter,

With my work at the FIDO Alliance, I’ve been considering this topic quite a lot recently.  My sense is that authenticator levels as defined by NIST are a useful construct.  But over time, I fear that they lose value because a credential at Level 3 today might only meet Level 2 tomorrow.  The levels are large-grained and don’t sufficiently describe the full context of an authentication event.

Recently I have started talking with others about the idea of describing the properties of the authentication event.  Pam Dingle had two talks at Identiverse this year where she discussed this concept to include not only information about the authenticator, but also information about the account recovery process, what the activation factor was, etc.  These discussions have lead me back to read the Vectors of Trust (VoT) RFC 8485 (https://datatracker.ietf.org/doc/html/rfc8485)  Although I haven’t yet pursued anything down this path, I think the VoT mechanism is well suited to describe the authentication event as a set of vectors which can be parsed to determine the suitability of the event to authorize the workload (or human).

I’m absolutely interested in helping pursue standardization in this realm.  Please let me know how I can help.

-dhs

--
Dean H. Saxe, CIDPRO<https://idpro.org/cidpro/> (he/him)
Senior Security Engineer, AWS Identity Security Team | Amazon Web Services (AWS)
E: deansaxe@amazon.com<mailto:deansaxe@amazon.com> | M: 206-659-7293<tel:206-659-7293>

From: Pieter Kasselman <pieter.kasselman=40microsoft.com@dmarc.ietf.org<mailto:pieter.kasselman=40microsoft.com@dmarc.ietf.org>>
Date: Monday, July 8, 2024 at 8:06 AM
To: "wimse@ietf.org<mailto:wimse@ietf.org>" <wimse@ietf.org<mailto:wimse@ietf.org>>
Subject: [EXTERNAL] [Wimse] Request for Agenda Item: Workload identity authenticator levels


CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe.

WIMSE co-chair hat off, identity enthusiast hat on.

Hi folks,

For user authentication, the industry has well established concepts around different levels of user authentication. For example NIST Special Publication 800-63-3 defines Authenticator Assurance Levels [1]. This raises the question of whether we (workload identity practitioners) would benefit from a similar set of definitions for workload identities.

Consequently, I would like to request a short 10 minutes slot on the agenda at IETF 120 to discuss this topic, see if there are existing work we can leverage and see if there is interest in pursuing establishing some form of Workload Identity Authentication Levels.

Cheers

Pieter

[1] https://pages.nist.gov/800-63-3/sp800-63-3.html

v2.30.2 | Report a Bug | By Email | System Status