[Wimse] IDs from Token Exchange Design Team

"Saxe, Dean" <deansaxe@amazon.com> Mon, 08 July 2024 19:13 UTC

From: "Saxe, Dean" <deansaxe@amazon.com>
To: "wimse@ietf.org" <wimse@ietf.org>
CC: Andrii Deinega <andrii.deinega@gmail.com>, Dmitry Izumskiy <idimaster@gmail.com>, George Fletcher <george.fletcher@capitalone.com>, Yaroslav Rosomakho <yrosomakho@zscaler.com>
Date: Mon, 08 Jul 2024 19:13:08 +0000
Message-ID: <AD6A7885-D53C-4F40-AFDB-990C55FF7977@amazon.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/wimse/WB7NWgWfKttpotn_UGUXJ0HxCMk>

As of today, there are two IDs published from the Token Exchange Design team for discussion at IETF120:

https://datatracker.ietf.org/doc/draft-rosomakho-wimse-tokentranslation-reqs/ describes the requirements and security considerations for a workload-focused token translation protocol.

https://datatracker.ietf.org/doc/draft-saxe-wimse-token-exchange-and-translation/ describes the token translation protocol and its relationship with token exchange.  In this draft we lay out a framework for discussing token exchange (as defined by RFC 8693) versus token translations which may “lose” data in translation.  Further, we identify that specific translations between different token types must be profiled elsewhere.  This choice was made to ensure that the draft does not have to define specific implementations where there may be a loss of context between different token types.  In the long run, I hope that this will allow the draft to progress faster while profiles are drafted for specific token pairs in parallel.  We have not yet specified the protocol for token translation to meet the requirements as defined in draft-rosomakho-wimse-tokentranslation-reqs-00.

I expect that these choices will lead to discussion both on the mailing list as well as at IETF120.

Two administrivia notes:

  1.  This is my last week with Amazon. I’m migrating my work with IETF to my personal email address, dean@thesax.es.
  2.  As part of this change, the GitHub repo for draft-saxe-wimse-token-exchange-and-translation has moved to a new location: https://github.com/deansaxe/wimse-token-exchange-and-translation.

Thank you to Andrii Deinega, Dmitry Izumskiy, George Fletcher, and Yaroslav Rosomakho for their collaboration developing these IDs.  I look forward to discussing both IDs at IETF120 and hearing the WG’s input to help guide us.

Respectfully,
-dhs
--
Dean H. Saxe, CIDPRO (https://idpro.org/cidpro/) (he/him)
Senior Security Engineer, AWS Identity Security Team | Amazon Web Services (AWS)
E: deansaxe@amazon.com | M: 206-659-7293
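The message draws a line between token exchange as defined by RFC 8693 and token translation that may lose context between token types. The following Python module is an added illustration of that distinction; it is not code from either draft, from the design team, or from the message above. The request parameters, grant type and token type URIs are the ones RFC 8693 registers; the `SESSION_RECORD_MAPPING` claim mapping and the sample claim set are constructed for this example and do not represent any WIMSE translation profile.

```python
"""Added example: RFC 8693 token exchange request vs. a lossy token translation.

Not part of the WIMSE drafts. The claim mapping below is a constructed
stand-in for the kind of per-token-pair profile the message says must be
defined elsewhere.
"""
from urllib.parse import urlencode

# Identifiers registered by RFC 8693 (sections 2.1 and 3).
TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
JWT = "urn:ietf:params:oauth:token-type:jwt"
ACCESS_TOKEN = "urn:ietf:params:oauth:token-type:access_token"


def build_exchange_request(subject_token, subject_token_type, *, audience=None,
                           scope=None, requested_token_type=None,
                           actor_token=None, actor_token_type=None):
    """Return the form-encoded body of an RFC 8693 token exchange request.

    RFC 8693 section 2.1: subject_token and subject_token_type are required;
    actor_token_type is required whenever actor_token is present. Everything
    else is optional and omitted from the body when not supplied.
    """
    if not subject_token or not subject_token_type:
        raise ValueError("subject_token and subject_token_type are required")
    if actor_token and not actor_token_type:
        raise ValueError("actor_token_type is required when actor_token is sent")
    params = {
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "subject_token": subject_token,
        "subject_token_type": subject_token_type,
    }
    optional = {
        "audience": audience,
        "scope": scope,
        "requested_token_type": requested_token_type,
        "actor_token": actor_token,
        "actor_token_type": actor_token_type,
    }
    params.update({k: v for k, v in optional.items() if v})
    return urlencode(params)


# Constructed mapping (an assumption of this example, not a WIMSE profile):
# a JWT claim set translated into a flat "session record" format that only
# has fields for the principal, the audience and the expiry.
SESSION_RECORD_MAPPING = {
    "sub": "principal",
    "aud": "audience",
    "exp": "expires_at",
}


def translate_claims(source_claims, mapping):
    """Translate a claim set into a target format via an explicit mapping.

    Returns (target, lost): `lost` names the source claims the target format
    has no field for, i.e. the context that is lost in translation. A caller
    deciding whether a translation is acceptable for its use case can inspect
    that list instead of silently dropping claims such as `act` or `iss`.
    """
    target = {}
    lost = []
    for name, value in source_claims.items():
        if name in mapping:
            target[mapping[name]] = value
        else:
            lost.append(name)
    return target, sorted(lost)


def is_lossless(source_claims, mapping):
    """True only when every source claim survives the translation."""
    _, lost = translate_claims(source_claims, mapping)
    return not lost


# Constructed sample claim set; not a real token.
SAMPLE_JWT_CLAIMS = {
    "iss": "https://issuer.example",
    "sub": "workload-a",
    "aud": "workload-b",
    "exp": 1720470000,
    "act": {"sub": "gateway"},
}

if __name__ == "__main__":
    print(build_exchange_request("<subject-jwt>", JWT, audience="workload-b",
                                 requested_token_type=ACCESS_TOKEN))
    record, dropped = translate_claims(SAMPLE_JWT_CLAIMS, SESSION_RECORD_MAPPING)
    print(record, "lost:", dropped)
```

Running the module prints a token exchange body that carries only the RFC 8693 parameters actually supplied, and then the translated session record together with the list of claims (`act`, `iss`) that the constructed target format cannot represent, which is exactly the kind of loss a per-token-pair profile would have to decide how to handle.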