Re: [Wimse] WG Action: Formed Workload Identity in Multi System Environments (wimse)
Joseph Salowey <joe@salowey.net> Thu, 07 March 2024 22:45 UTC
Return-Path: <joe@salowey.net>
X-Original-To: wimse@ietfa.amsl.com
Delivered-To: wimse@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 220D9C14F5ED for <wimse@ietfa.amsl.com>; Thu, 7 Mar 2024 14:45:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.905
X-Spam-Level:
X-Spam-Status: No, score=-6.905 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=salowey-net.20230601.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JNAJQIssSl_M for <wimse@ietfa.amsl.com>; Thu, 7 Mar 2024 14:45:13 -0800 (PST)
Received: from mail-lj1-x233.google.com (mail-lj1-x233.google.com [IPv6:2a00:1450:4864:20::233]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0D937C14F6A8 for <wimse@ietf.org>; Thu, 7 Mar 2024 14:45:12 -0800 (PST)
Received: by mail-lj1-x233.google.com with SMTP id 38308e7fff4ca-2d3fd0e6832so15281821fa.2 for <wimse@ietf.org>; Thu, 07 Mar 2024 14:45:12 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=salowey-net.20230601.gappssmtp.com; s=20230601; t=1709851511; x=1710456311; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=OoZNJWy5+L2VReOOZAgIabEbFlCdn0OCmmeTQkWOwu8=; b=bFmpHVMlAWG9HwpmO176Fb87wvm+U9Ea9ny88wOAWdLi/U3Pu2D/3X13iRcKi8hySo aM5+72HeYXYZhtbLizFfDLQb/Qr84ZuZzlSGNQDqZzjjC1AOo6JKsCL3UHhvSdyHYxbt kWavzzNVUE8h1YGRlK+71nIEkALsUb9xnWhK4tJdbuYXByXiUOmZw+6BPoYQaH6hPiuX lGOmTyId+MnH/Dd/22YNBAPXY3HoGJn8sAk25O54SXpO2gcT/Nm9EXjJctOicl8+UeED UWPZDuXNz2W9lW9mMWkZXbpEGwMqKtu5mP5CeGI/R/kEpUBNRRiAjZt0ay9fkBIvbrD+ 3IcQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1709851511; x=1710456311; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=OoZNJWy5+L2VReOOZAgIabEbFlCdn0OCmmeTQkWOwu8=; b=vctvO31IUy+ABF2D6EaJ9KSBFx2wdOY+dCOkCQa8QULjRT1quMfC6hGwiC5LxSXyB0 jeqI6fbtX0moCtolR9ZeKd74B4F+Ip92fKthG9WearzuxdfezDQVoqErWKkxaL6Ebxsc UQjTNzhS2Wtak0ATv6Yksv5QwUDK43HSUfZSUuKOysRsPMJr4Vyap3gWOgndZ4C/FW3Z 222Wc3EHCd8QfHoZZAVtneiHT3TbTVs8qvbhBu364ZlmksCRUiW1yvfHfM70oylRf2sO ch/Q4crhDjZz2Rgj+U+EkWzSzo4Ad9F1lT7HjZ6ZNEwLrunHiomZOBr87BZsDyBBgSDe hVlw==
X-Forwarded-Encrypted: i=1; AJvYcCV1GQ7iOPMHcA9tW8fql37JW9k6clZPvU1z9fOiJVj1JN+xCejCB/VoaOIIi5W2H2InVsA38LLTY7TJ8AMW3g==
X-Gm-Message-State: AOJu0Yx3LdLuVU/Rg7R3bWyrwJAE9Ngxfb3dxlZIBrOdgFImoej1YY3K ygceKQEZ4wUYfF8PnllgWKUetSz7D5sNXq/O5GdyN6bG09+tgnMpdjvOOmWTbzfKed0IXcpsVgK JAhjcHsSJj8wpUeY1VH90QWRrtjUsB9/4kJgFezl4EIvxI37MRfloEw==
X-Google-Smtp-Source: AGHT+IGhaydJAJ/O0vQl6Wus88IKeisEUqNptddukY9QrFge101tZ095qF3GNy86IJGzEigXP94y9lRQKOYTEJJrzuQ=
X-Received: by 2002:a2e:978f:0:b0:2d3:f4d4:49de with SMTP id y15-20020a2e978f000000b002d3f4d449demr2384034lji.35.1709851510482; Thu, 07 Mar 2024 14:45:10 -0800 (PST)
MIME-Version: 1.0
References: <170983594265.53111.13168480497104013253@ietfa.amsl.com> <280242FE-B249-4870-80E6-4A621EB45785@mit.edu> <7FCD4334-0098-4303-8447-ACF44E324AB7@corp.intuit.net>
In-Reply-To: <7FCD4334-0098-4303-8447-ACF44E324AB7@corp.intuit.net>
From: Joseph Salowey <joe@salowey.net>
Date: Thu, 07 Mar 2024 14:44:58 -0800
Message-ID: <CAOgPGoA5bK8Q6PfTKFT3RKDaZCPAE7Ex3sbf7BKScUVO9BMXDg@mail.gmail.com>
To: Yaron Sheffer <yaronf.ietf@gmail.com>
Cc: Justin Richer <jricher@mit.edu>, "wimse@ietf.org" <wimse@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000e6c46a061319d38e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/wimse/XSW-Yns7zERxs2UtXQa7YUiDALk>
Subject: Re: [Wimse] WG Action: Formed Workload Identity in Multi System Environments (wimse)
X-BeenThere: wimse@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: WIMSE Workload Identity in Multi-Service Environment <wimse.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/wimse>, <mailto:wimse-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/wimse/>
List-Post: <mailto:wimse@ietf.org>
List-Help: <mailto:wimse-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/wimse>, <mailto:wimse-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Mar 2024 22:45:17 -0000
Congratulations to all involved, this was a real team effort and I'm looking forward to participating in the official working group. Thank You Yaron for being an excellent BOF co-chair and Justin for stepping up to chair the group! Cheers, Joe On Thu, Mar 7, 2024 at 1:41 PM Yaron Sheffer <yaronf.ietf@gmail.com> wrote: > This has been quite a journey, and I’m very happy – and proud – we got the > working group chartered, and in time for Brisbane, too. Thanks to everybody > who contributed to countless discussions, and thank you Joe for your > partnership. > > > > And congratulations to our incoming WG chair, Justin. I’m looking forward > to continue contributing to this working group under your leadership. > > > > See you all in Brisbane, in person or virtually! > > > > Yaron > > > > > > *From: *Justin Richer <jricher@mit.edu> > *Date: *Thursday, 7 March 2024 at 10:46 > *To: *"wimse@ietf.org" <wimse@ietf.org> > *Subject: *Re: [Wimse] WG Action: Formed Workload Identity in Multi > System Environments (wimse) > > > > Greetings, WIMSE! It is my great pleasure to welcome all of you to the > brand-newly-formed WIMSE Working Group! I am honored to be serving as > chair, and my co-chair will be announced soon. Apologies for the wait while > we get some administrative details sorted out in the background. > > > > We will be meeting in Brisbane in about a week and a half, and the chairs > will be pulling together an agenda for our first meeting. If you have a > proposal for that, please reply to the list here and the chairs will > collate the proposals into an agenda. > > > > I want to apologize in advance that things might be a little rough around > the edges due to the compressed time frame, but the chairs will be working > to get as much put together for the first meeting as we can. Overall, I am > thrilled that we have been able to produce an initial charter and pass it > in time. A huge thanks to everyone who contributed to the many rounds of > work. > > > > And finally, I want to publicly give a GIGANTIC thank you to Yaron and Joe > for chairing the BoF and leading the effort for collecting the deliverables > and collating the charter text. Your leadership has been exemplary and I > look forward to continuing to work with you both in this space. > > > > For those coming to Brisbane, I’ll see you down under! For those that > can’t make it, I hope that you can at least join us virtually as we kick > things off. > > > > Whimsically, > > — Justin > > > > On Mar 7, 2024, at 1:25 PM, The IESG <iesg-secretary@ietf.org> wrote: > > > > A new IETF WG has been formed in the Applications and Real-Time Area. For > additional information, please contact the Area Directors or the WG Chair. > > Workload Identity in Multi System Environments (wimse) > ----------------------------------------------------------------------- > Current status: BOF WG > > Chairs: > Justin Richer <ietf@justin.richer.org> > > Assigned Area Director: > Murray Kucherawy <superuser@gmail.com> > > Applications and Real-Time Area Directors: > Murray Kucherawy <superuser@gmail.com> > Francesca Palombini <francesca.palombini@ericsson.com> > > Technical advisors: > Paul Wouters <paul@nohats.ca> > > Mailing list: > Address: wimse@ietf.org > To subscribe: https://www.ietf.org/mailman/listinfo/wimse > Archive: https://mailarchive.ietf.org/arch/browse/wimse/ > > Group page: https://datatracker.ietf.org/group/wimse/ > > Charter: https://datatracker.ietf.org/doc/charter-ietf-wimse/ > > Background & Motivation > > The increasing prevalence of cloud computing and micro service > architectures > has led to the rise of complex software functions being built and deployed > as > workloads, where a workload is defined as a running instance of software > executing for a specific purpose. This working group will focus on the > unique > identity and access management aspects of workloads at runtime and their > execution context, particularly focusing on the propagation, > representation, > and processing of workload identities. Though the following items are > relevant to the context of workloads, these items are not workloads and > this > working group will not define: > > * Static software identities and provenance, such as software bill of > materials (SBOM) > > * Personal identities > > * Deployment chains > > * Supply chain management > > The rise of diverse service platforms and the drive for business > flexibility, > cost-efficiency, resilience, and compliance make maintaining least > privilege > access for workloads increasingly complex. As a result of the adoption of > microservice architectures, services are composed of multiple workloads > that > need to authenticate to each other while making authorization decisions > based > on the original caller, their context, and the actions of other workloads > that acted on a transaction. These workloads are often distributed across > trust boundaries, without a single centralized controller managing the > different identities or authorization policies. > > Workloads are often associated with complex context, including user > identity, > software origin, and hardware-based attestation. Communicating this context > involves a unique set of challenges across different scenarios including > multi-hop, long-lived and asynchronous transactions. > > While several standards and open-source projects offer foundational > elements > for secure workload identity, there remains a lack of clarity in their > interoperation and combination. These technologies (specifically: OAuth, > JWT, > and SPIFFE) have been combined in a variety of ways in practice, but the > solutions have existed in relative isolation. This ambiguity can lead to > inconsistencies, interoperability issues, and potential security > vulnerabilities. > > Goals > > The Workload Identity in Multi-Service Environments (WIMSE) working group > is > chartered to address the challenges associated with implementing > fine-grained, least privilege access control for workloads deployed across > multiple service platforms, spanning both public and private clouds. The > work > will build on existing standards, open source projects, and community > practices, focusing on combining them in a coherent manner to address > multi-service workload identity use cases such as those identified in the > Workload Identity Use Cases I-D (draft-gilman-wimse-use-cases). > > The goal of the WIMSE working group is to identify, articulate, and bridge > the gaps and ambiguities in workload identity problems and define solutions > across a diverse set of platforms and deployments, building on various > protocols used in workload environments. The WG will standardize solutions > (as proposed standard) and document existing or best practices (as > informational or BCP) per the Program of Work. > > While recognizing that the broader workload ecosystem uses a variety of > application protocols (e.g., gRPC, Kafka and GraphQL), the WG will focus on > only specific REST-based technologies using HTTP. WIMSE will also serve as > a > standing venue to discuss operational experience and requirements with > workload identity. These discussions need not be restricted to > technologies > currently in scope to this charter. > > Dependencies and Liaisons > > The WIMSE working group will closely collaborate with: > > * Other IETF working groups that address topics related to identity, > authentication, and authorization, including, but not limited to, OAuth, > SCIM, SCITT, and RATS. > > * The Cloud Native Computing Foundation (CNCF), particularly with regard to > the SPIFFE/SPIRE project. > > * The OpenID Foundation. > > Program of Work > > The WIMSE WG will focus on the following program of work: > > * [I] WIMSE architecture: The group will develop a document that defines > common terminology, discusses workload attestation and identity, specifies > a > threat model, and defines a set of architectural components and several > compositions of those components. The document will describe 2-3 scenarios > and for each of them, it will identify key points needed for > interoperability. > > * [PS] Securing service-to-service traffic: a JOSE-based WIMSE token > solution > to protect a chain of HTTP/REST calls, within and across trust domains. The > document should support identification of microservices and cryptographic > binding of the token to the caller’s identity and optionally, binding to > the > transaction. It should support associating context with the token, > including > but not limited to user identity, platform attestation, and SBOM artifacts. > This deliverable includes both a token format and its usage, including > binding to the caller’s identity. > > * [PS] Token issuance: A document describing a method for local issuance of > WIMSE tokens where the local issuer operates with limited authority. The > local issuer can be the workload itself or another workload deployed > nearby. > > * [PS] Token exchange: Specify a protocol for exchanging an incoming token > of > one format for a workload-specific WIMSE token at security boundaries > (possibly based on RFC 8693). Additionally, this token exchange will > require > specifying as proposed standard a small set of token exchange profiles > (mapping of claims) between existing and new WIMSE token formats. > > * [I or BCP] Document and make recommendations based on operational > experience to existing token distribution practices for workloads. > > Milestones: > > Nov 2024 - Submit informational document describing considerations for > filesystem-based JWT delivery in Kubernetes to the IESG > > Mar 2025 - Submit proposed standard for a JOSE-based WIMSE token solution > to protect a chain of HTTP/REST calls for workloads to the IESG > > Mar 2025 - Submit proposed standard document specifying a token exchange > profile that maps claims from SPIFFE-identified services to > OAuth-protected > resources, and vice versa to the IESG > > Mar 2025 - Submit a proposed standard for a token exchange profile mapping > the JWT BCP [RFC9068] to the JOSE-based WIMSE token to the IESG > > Nov 2025 - Submit a protocol as proposed standard for exchanging an > incoming token of one format for a workload-specific token at security > boundaries to the IESG > > Jul 2026 - Submit informational document describing the WIMSE architecture > to the IESG > > > > -- > Wimse mailing list > Wimse@ietf.org > https://www.ietf.org/mailman/listinfo/wimse >
- [Wimse] WG Action: Formed Workload Identity in Mu… The IESG
- Re: [Wimse] WG Action: Formed Workload Identity i… Justin Richer
- Re: [Wimse] WG Action: Formed Workload Identity i… Yaron Sheffer
- Re: [Wimse] WG Action: Formed Workload Identity i… Joseph Salowey
- Re: [Wimse] WG Action: Formed Workload Identity i… Pieter Kasselman
- Re: [Wimse] WG Action: Formed Workload Identity i… Murray S. Kucherawy