[Wimse] Re: Request for Agenda Item: Workload identity authenticator levels
"Saxe, Dean" <deansaxe@amazon.com> Mon, 08 July 2024 20:23 UTC
Pieter,

With my work at the FIDO Alliance, I’ve been considering this topic quite a lot recently. My sense is that authenticator levels as defined by NIST are a useful construct. But over time, I fear that they lose value because a credential at Level 3 today might only meet Level 2 tomorrow. The levels are large-grained and don’t sufficiently describe the full context of an authentication event.

Recently I have started talking with others about the idea of describing the properties of the authentication event. Pam Dingle had two talks at Identiverse this year where she discussed this concept to include not only information about the authenticator, but also information about the account recovery process, what the activation factor was, etc. These discussions have led me back to read the Vectors of Trust (VoT) RFC 8485 (https://datatracker.ietf.org/doc/html/rfc8485). Although I haven’t yet pursued anything down this path, I think the VoT mechanism is well suited to describe the authentication event as a set of vectors which can be parsed to determine the suitability of the event to authorize the workload (or human).

I’m absolutely interested in helping pursue standardization in this realm. Please let me know how I can help.

-dhs

--
Dean H. Saxe, CIDPRO (https://idpro.org/cidpro/) (he/him)
Senior Security Engineer, AWS Identity Security Team | Amazon Web Services (AWS)
E: deansaxe@amazon.com | M: 206-659-7293

From: Pieter Kasselman <pieter.kasselman=40microsoft.com@dmarc.ietf.org>
Date: Monday, July 8, 2024 at 8:06 AM
To: "wimse@ietf.org" <wimse@ietf.org>
Subject: [EXTERNAL] [Wimse] Request for Agenda Item: Workload identity authenticator levels

WIMSE co-chair hat off, identity enthusiast hat on.
Hi folks,

For user authentication, the industry has well-established concepts around different levels of user authentication. For example, NIST Special Publication 800-63-3 defines Authenticator Assurance Levels [1]. This raises the question of whether we (workload identity practitioners) would benefit from a similar set of definitions for workload identities. Consequently, I would like to request a short 10-minute slot on the agenda at IETF 120 to discuss this topic, see if there is existing work we can leverage, and see if there is interest in pursuing establishing some form of Workload Identity Authentication Levels.

Cheers

Pieter

[1] https://pages.nist.gov/800-63-3/sp800-63-3.html
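As an added illustration of the VoT idea raised in the reply above (not code from anyone in this thread), the following parses an RFC 8485 vector such as `P1.Ce.Mb.Ac` and checks it against a policy for authorizing a workload. It assumes the default component values defined in RFC 8485 section 2 (no `vtm` trustmark lookup); the `WORKLOAD_POLICY` values are constructed for the example.

```python
"""Parse an RFC 8485 Vectors of Trust (VoT) string and test it against a policy.

Added example for the WIMSE discussion; value tables follow RFC 8485 section 2.
"""
from collections import defaultdict

# Category letter -> single-character values RFC 8485 defines for that category.
VOT_VALUES = {
    "P": set("0123"),     # identity proofing
    "C": set("0abcdef"),  # primary credential usage
    "M": set("abc"),      # primary credential management
    "A": set("abcd"),     # assertion presentation
}


def parse_vot(vector: str) -> dict[str, set[str]]:
    """Split 'P1.Cc.Cd.Ab' into {'P': {'1'}, 'C': {'c', 'd'}, 'A': {'b'}}.

    Unknown categories or values raise ValueError so that a malformed vector
    is rejected outright instead of being read as weaker or stronger than it is.
    """
    parsed: dict[str, set[str]] = defaultdict(set)
    for component in vector.split("."):
        if len(component) != 2:
            raise ValueError(f"malformed component: {component!r}")
        category, value = component[0], component[1]
        if category not in VOT_VALUES or value not in VOT_VALUES[category]:
            raise ValueError(f"unknown component: {component!r}")
        parsed[category].add(value)
    return dict(parsed)


# Constructed policy: each listed category must be present in the vector and
# carry at least one accepted value. Letter values are not strictly ordered in
# RFC 8485, so the policy names acceptable values rather than a minimum level.
WORKLOAD_POLICY = {
    "C": {"e", "f"},       # asymmetric-key proof or hardware-sealed key
    "M": {"b", "c"},       # credential issued/rotated through a controlled process
    "A": {"b", "c", "d"},  # signed (or signed and encrypted) assertion
}


def satisfies(vector: str, policy: dict[str, set[str]] = WORKLOAD_POLICY) -> bool:
    """True when every category in the policy is met by the parsed vector."""
    parsed = parse_vot(vector)
    return all(bool(parsed.get(cat, set()) & ok) for cat, ok in policy.items())
```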