[Wimse] SPIFFE Trust Domain Bundles

Justin Richer <jricher@mit.edu> Mon, 01 July 2024 19:40 UTC

From: Justin Richer <jricher@mit.edu>
To: "wimse@ietf.org" <wimse@ietf.org>
Date: Mon, 01 Jul 2024 19:39:47 +0000
Message-ID: <C802286B-624B-403E-8B19-B5AB90BF4125@mit.edu>
Subject: [Wimse] SPIFFE Trust Domain Bundles
List-Id: WIMSE Workload Identity in Multi-Service Environment <wimse.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/wimse/heaznG8R4TBzFwz5-QxSJBRRCBA>
List-Archive: <https://mailarchive.ietf.org/arch/browse/wimse>

Hi WIMSE folks,

In case folks hadn’t seen it, I wanted to point people to the SPIFFE Trust Domain Bundle work that’s happening at CNCF: https://github.com/spiffe/spiffe/blob/main/standards/SPIFFE_Trust_Domain_and_Bundle.md

The gist of it is a way to pass a set of trusted keys for different domains between systems. This technology aligns with WIMSE’s goals of multi-system security, and it re-uses a lot of IETF tech (like parts of the JOSE stack) to solve its problems. I think there are some interesting choices being made here, and since we’re talking about similar cross-domain reasoning here in WIMSE, we should take a look at how one group is building out a real system to do just that right now.

— Justin
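To make the "set of trusted keys for different domains" concrete, here is an added example (not part of Justin's post and not code from the SPIFFE project) that validates a trust domain bundle, which the linked specification models as a JWK Set, and keeps bundles from different trust domains strictly separate. The key-material values, the `BundleStore` class and the exact field checks are assumptions for illustration.

```python
"""Added example: minimal validator/store for SPIFFE trust domain bundles.
A bundle is a JWK Set (RFC 7517); each key carries a 'use' of
'x509-svid' or 'jwt-svid', and the set may carry 'spiffe_sequence' and
'spiffe_refresh_hint'. Field rules below are this example's assumptions."""
import json

ALLOWED_USES = {"x509-svid", "jwt-svid"}

def parse_bundle(trust_domain: str, raw: str) -> dict:
    """Validate one bundle document and index its keys by intended use."""
    doc = json.loads(raw)
    keys = doc.get("keys")
    if not isinstance(keys, list):
        raise ValueError("bundle must be a JWK Set with a 'keys' array")
    seq = doc.get("spiffe_sequence")
    if seq is not None and (not isinstance(seq, int) or seq < 0):
        raise ValueError("spiffe_sequence must be a non-negative integer")
    jwt_keys, x509_roots = {}, []
    for jwk in keys:
        use = jwk.get("use")
        if use not in ALLOWED_USES:
            raise ValueError(f"unsupported key use {use!r}")  # reject, don't ignore
        if use == "jwt-svid":  # JWT-SVID verification keys are addressed by kid
            kid = jwk.get("kid")
            if not kid or kid in jwt_keys:
                raise ValueError("jwt-svid key needs a unique kid")
            jwt_keys[kid] = jwk
        else:  # x509-svid: the CA certificate travels in a one-element x5c
            x5c = jwk.get("x5c")
            if not isinstance(x5c, list) or len(x5c) != 1:
                raise ValueError("x509-svid key needs exactly one x5c entry")
            x509_roots.append(x5c[0])
    return {"trust_domain": trust_domain, "sequence": seq,
            "refresh_hint": doc.get("spiffe_refresh_hint"),
            "jwt_keys": jwt_keys, "x509_roots": x509_roots}

class BundleStore:
    """Bundles for several trust domains; lookups are scoped to one domain."""
    def __init__(self):
        self._bundles = {}
    def update(self, trust_domain: str, raw: str) -> bool:
        new, cur = parse_bundle(trust_domain, raw), self._bundles.get(trust_domain)
        if cur and None not in (cur["sequence"], new["sequence"]) \
                and new["sequence"] < cur["sequence"]:
            return False  # older sequence number: refuse the rollback
        self._bundles[trust_domain] = new
        return True
    def jwt_key(self, trust_domain: str, kid: str):
        b = self._bundles.get(trust_domain)
        return b["jwt_keys"].get(kid) if b else None

# Constructed sample bundles with placeholder key material (not real keys)
SAMPLE = json.dumps({"spiffe_sequence": 7, "spiffe_refresh_hint": 300, "keys": [
    {"kty": "EC", "crv": "P-256", "use": "jwt-svid", "kid": "k1", "x": "AAAA", "y": "BBBB"},
    {"kty": "RSA", "use": "x509-svid", "n": "AAAA", "e": "AQAB", "x5c": ["MIIB...placeholder"]}]})
STALE = json.dumps({"spiffe_sequence": 3, "keys": []})
```

Verifying a JWT-SVID from trust domain B must consult B's bundle, so `jwt_key("example.com", "k1")` returns nothing even when `example.org` publishes a key with that `kid`.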