[Wimse] Re: Authentication Levels for Workloads
Pieter Kasselman <pieter.kasselman@microsoft.com> Tue, 13 August 2024 09:19 UTC
From: Pieter Kasselman <pieter.kasselman@microsoft.com>
To: "A.J. Stein" <ajstein.standards@gmail.com>
Date: Tue, 13 Aug 2024 09:19:07 +0000
Message-ID: <DBAPR83MB04371BEBBFF508FCFD68E54391862@DBAPR83MB0437.EURPRD83.prod.outlook.com>
References: <9F066930-20F3-4273-8E2A-8D42B087E668@mit.edu> <CAMvBLPK9xwivYV27fqYrJE1zxjxQ-KdT=1wCHEsybGh26HgptQ@mail.gmail.com> <DBAPR83MB04374828D370755D268AF23391B72@DBAPR83MB0437.EURPRD83.prod.outlook.com> <CAMvBLPLsBXwNanqNqcrMYXpzFYXT1PO=cp8j6A6=VT+S6x_N+Q@mail.gmail.com>
In-Reply-To: <CAMvBLPLsBXwNanqNqcrMYXpzFYXT1PO=cp8j6A6=VT+S6x_N+Q@mail.gmail.com>
CC: Justin Richer <jricher@mit.edu>, "wimse@ietf.org" <wimse@ietf.org>
List-Id: WIMSE Workload Identity in Multi-Service Environment <wimse.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/wimse/SsAL8e9wst4lCwFhEboYyu7sW_E>
Thanks, A.J., that feels very well aligned with the intent of this work. Thanks for the clarification.

From: A.J. Stein <ajstein.standards@gmail.com>
Sent: Tuesday 13 August 2024 04:28
To: Pieter Kasselman <pieter.kasselman@microsoft.com>
Cc: Justin Richer <jricher@mit.edu>; wimse@ietf.org
Subject: Re: [Wimse] Re: Authentication Levels for Workloads

On Mon, Jul 29, 2024 at 10:33 AM Pieter Kasselman <pieter.kasselman@microsoft.com> wrote:

> Thanks A.J. Can you say a little more on how you would benefit if such a draft exists?

First off, I apologize for the late reply.

Re the benefit: I have worked in the public sector in digital services in the United States where "high assurance" requirements and practices obviate the need for better clarity here. I appreciate the interest thus far (I have looked at slides, not yet completed watching the WIMSE session on YouTube) to compare and contrast to something akin to SP 800-63 authenticator levels for workloads. I think that framing helped me quickly understand and I presume others (even if that comparison is not the only basis or framing, it will be a starting point for many). I had not even considered the significance of this gap as it existed in those environments where authenticating workloads instead of users or the user identities they proxy until this thread came up. So at least for me, a standard, interoperable approach for this (especially so it is not just use whatever the environment's predominant cloud service offers as a customer mapping or foundational layer) would be helpful to me.

I hope that helps explain my support for work in this area.

> Cheers
>
> Pieter
>
> From: A.J. Stein <ajstein.standards@gmail.com>
> Sent: Monday, July 29, 2024 3:25 PM
> To: Justin Richer <jricher@mit.edu>
> Cc: wimse@ietf.org
> Subject: [Wimse] Re: Authentication Levels for Workloads
>
> On Mon, Jul 29, 2024 at 10:03 AM Justin Richer <jricher@mit.edu> wrote:
>
> > In the Vancouver meeting, there was a presentation from Ryan Hurst on Authentication Levels for Workloads. While this is not a current WG charter item, the energy in the room indicated that it is a topic of interest. As such, the chairs would like to encourage conversation on this topic. Please see the presentation slides [1] and recording [2] for more information.
>
> I had missed the WIMSE session and not reviewed the agenda. This presentation is informative to me based on the first few minutes, so thanks for bringing it up. I will now watch the full session later.
>
> > I would also like to encourage the presenters to create an I-D to capture their thoughts on this topic to encourage further discussion.
>
> As one lurker and hardly active contributor, I would benefit from this I-D if they move forward with it.
>
> > — Justin and Pieter
> >
> > [1] https://datatracker.ietf.org/meeting/120/materials/minutes-120-wimse-202407241630-00
> > [2] https://www.youtube.com/watch?v=-BVTXj94wbw