[Wimse] Re: Request for Agenda Item: Workload identity authenticator levels
Watson Ladd <watsonbladd@gmail.com> Tue, 09 July 2024 17:34 UTC
Return-Path: <watsonbladd@gmail.com>
X-Original-To: wimse@ietfa.amsl.com
Delivered-To: wimse@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 02ED6C15106C for <wimse@ietfa.amsl.com>; Tue, 9 Jul 2024 10:34:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.108
X-Spam-Level:
X-Spam-Status: No, score=-7.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1dGXoEG_R6Wo for <wimse@ietfa.amsl.com>; Tue, 9 Jul 2024 10:34:39 -0700 (PDT)
Received: from mail-wr1-x433.google.com (mail-wr1-x433.google.com [IPv6:2a00:1450:4864:20::433]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D2E52C15106E for <wimse@ietf.org>; Tue, 9 Jul 2024 10:34:39 -0700 (PDT)
Received: by mail-wr1-x433.google.com with SMTP id ffacd0b85a97d-367963ea053so4512311f8f.2 for <wimse@ietf.org>; Tue, 09 Jul 2024 10:34:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1720546478; x=1721151278; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=9mU2SNUjPLG8jvK2qYup2m2kR6e/t0H40GhWzIVgDFQ=; b=GWMpARMuAtc45N4jCbx22bDNx/qkGUxMYKaFOYXp4rcy+73/qm+S0dciET5nMj6d77 LVb3laWF31NHLbzB9v5kOhEu7qNHKLklyYxxPvfVAhebv34lC77Y9dc41osAy1NAdr60 Oa9hmW5GuLHU4wmLPoFrle70ZR1PvAJxhtyQEz5GRSVeoODNBSad3j9kVKr2gtGOK0Bq HIgKkEDzWNGoUkmfThTptdodXWdQg2myxICtNj9mCwqcyDfPuUXEUitPyYi695L9cmkA /r9+XJ64E6RzhuVDSzIBcsKXnS74t+8I1FRqzgIm4CcMkPZ268CoUn5GAMTA/XEN2T0K 0T5A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1720546478; x=1721151278; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=9mU2SNUjPLG8jvK2qYup2m2kR6e/t0H40GhWzIVgDFQ=; b=YP9BBa48ACHMxdJQ3YIROPLKpaY4yhIMshxxQ9cuf1H2HqVnR24BStwo5yeN3V0hw0 7YqRDDGPIGo8ITIr3TIo3p2TAzpuIz691X3HCxJ9JuUCiEUxFMgQxULQb7Yrg8mjNXjw oR/iEMAd5wVBl6qSb1PJbikcSQtpmC8zX6Vkdq3pl6HTCvJS9wNbvkDycw9hsKfn+Zx3 gddzceq4/eTWygupWR35FkJyMl4Tgkqz7DemKEWJW1Q7UEsPFbSb/CCXgqdbvx50rpe/ etx8OyOg7CcPuFnABKx0rX1Sv342SBsuS9vDyA2TqtrFoYRhNd32aAOKWS40M8vriNQH pLhQ==
X-Forwarded-Encrypted: i=1; AJvYcCWmg++kzYG4H5fQMpwQJQDDpZcWnPLQeFQ9HVeTx/nqri0t0uCGP+1/+loNeWV+9prttabSPHTrAt7jKWrJwA==
X-Gm-Message-State: AOJu0YwVWsK8Be9NH9pinkxXn0QUMggDCQbqfPAMZgBPAdhSaGg3tpiJ Q6b/uB7xuh9ZqcGZVAVjeE9MJxN4728PNcot6FEdaL6IdGw8tIB5Ky09pFBa96q7NdzY9Hc1QeK QknRmF3ky1ZPIfsjjERSVMHd/Lg/4Bw==
X-Google-Smtp-Source: AGHT+IENKI/EtA5StV9zX0ymgzg8w7ngD+lzQr7HPLlX+rc47xAw8pv7nUoyMcnSrBLM/wUW96KOu34KBZ6NZ1LlSHI=
X-Received: by 2002:adf:e985:0:b0:367:918e:a10a with SMTP id ffacd0b85a97d-367cea737b5mr2689080f8f.28.1720546477492; Tue, 09 Jul 2024 10:34:37 -0700 (PDT)
MIME-Version: 1.0
References: <DBAPR83MB043778953C0CBEE5AF93CFD991DA2@DBAPR83MB0437.EURPRD83.prod.outlook.com> <26349E6F-7DFA-447D-977C-5E1C6E5E1F0D@amazon.com> <DBAPR83MB0437B1E1A87C9DDB4F2DFC3291DB2@DBAPR83MB0437.EURPRD83.prod.outlook.com>
In-Reply-To: <DBAPR83MB0437B1E1A87C9DDB4F2DFC3291DB2@DBAPR83MB0437.EURPRD83.prod.outlook.com>
From: Watson Ladd <watsonbladd@gmail.com>
Date: Tue, 09 Jul 2024 10:34:26 -0700
Message-ID: <CACsn0ckJKiFUG_SD6vd_kOh-vymudeEdZ4uc3YfVJgAGStFjWw@mail.gmail.com>
To: Pieter Kasselman <pieter.kasselman=40microsoft.com@dmarc.ietf.org>
Content-Type: text/plain; charset="UTF-8"
Message-ID-Hash: EMQGZAZU26BZ3ZAQJNQNO7TGCFK7T5K4
X-Message-ID-Hash: EMQGZAZU26BZ3ZAQJNQNO7TGCFK7T5K4
X-MailFrom: watsonbladd@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "Saxe, Dean" <deansaxe=40amazon.com@dmarc.ietf.org>, "wimse@ietf.org" <wimse@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [Wimse] Re: Request for Agenda Item: Workload identity authenticator levels
List-Id: WIMSE Workload Identity in Multi-Service Environment <wimse.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/wimse/Uzn5tZXRz0KspU9LqS0kwFcpd5g>
List-Archive: <https://mailarchive.ietf.org/arch/browse/wimse>
List-Help: <mailto:wimse-request@ietf.org?subject=help>
List-Owner: <mailto:wimse-owner@ietf.org>
List-Post: <mailto:wimse@ietf.org>
List-Subscribe: <mailto:wimse-join@ietf.org>
List-Unsubscribe: <mailto:wimse-leave@ietf.org>
I am very confused and not following the conversation here. The orchestrator definitionally authenticates workloads in the same way that e.g. a PID on a kernel identifies a process. One cannot talk about two PIDs being the same process (yes, yes linux threads, etc.) or two processes having the same PID at the same time, because the relevant data structures are indexed by PID. Conversely absent the orchestrator being trusted there's no way to know what a workload "is": it's just some process executing on a compute environment that isn't trusted. When it comes to workload A directly authenticating to workload B, why not use strong crypto, per transaction? And if you have that, why do you need differentiation? It's easy to do service auth that's strong! There might be issues with chaining, but that's what the standards effort here is to solve. This is different from human authentication as humans cannot multiply 2048 bit numbers in their heads and thus have to make do with passwords, ssh keys, etc. each with their own drawbacks and hence need to talk about confidence in human to machine (and human to human: medallion signature guarentees are a real thing!) authentication. What's the usecase for weak auth in service to service? Sincerely, Watson Ladd
- [Wimse] Request for Agenda Item: Workload identit… Pieter Kasselman
- [Wimse] Re: Request for Agenda Item: Workload ide… Saxe, Dean
- [Wimse] Re: Request for Agenda Item: Workload ide… Pieter Kasselman
- [Wimse] Re: Request for Agenda Item: Workload ide… Watson Ladd
- [Wimse] Re: Request for Agenda Item: Workload ide… Pieter Kasselman
- [Wimse] Re: Request for Agenda Item: Workload ide… Watson Ladd
- [Wimse] Re: Request for Agenda Item: Workload ide… Saxe, Dean
- [Wimse] Re: Request for Agenda Item: Workload ide… Justin Richer
- [Wimse] Re: Request for Agenda Item: Workload ide… Dmitry Izumskiy