[Wimse] What is an identity and section 3.2.1 of draft-ietf-wimse-arch (or must identity be the compositum of all attributes?)
Watson Ladd <watsonbladd@gmail.com> Mon, 17 June 2024 23:59 UTC
Return-Path: <watsonbladd@gmail.com>
X-Original-To: wimse@ietfa.amsl.com
Delivered-To: wimse@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8EEFAC1CAE7B for <wimse@ietfa.amsl.com>; Mon, 17 Jun 2024 16:59:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.108
X-Spam-Level:
X-Spam-Status: No, score=-2.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RI2KdFXy5Cov for <wimse@ietfa.amsl.com>; Mon, 17 Jun 2024 16:59:25 -0700 (PDT)
Received: from mail-wr1-x42a.google.com (mail-wr1-x42a.google.com [IPv6:2a00:1450:4864:20::42a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2BA73C14CE55 for <wimse@ietf.org>; Mon, 17 Jun 2024 16:59:25 -0700 (PDT)
Received: by mail-wr1-x42a.google.com with SMTP id ffacd0b85a97d-35e1fcd0c0fso3996690f8f.0 for <wimse@ietf.org>; Mon, 17 Jun 2024 16:59:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1718668762; x=1719273562; darn=ietf.org; h=to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=7lHY4EM3X/Y6AKM7ad+baTps1Oys0IxrpQDisgJZPLs=; b=l0Gc3gQzBbfsbqkpsfjvHjZAYRC085qwFJe9mTNx7eFp25B3ct1O+AxD4OpcBiaAG5 qPpFE9rlMO6Eq9nhBB3Jtaxp2zlOF+q6oeDvrrL3Njqe6zusipjxIpEj18eP1E+ez5E7 SEvwO1h595Kl53n9pq31q/SDGppb+/99gQV2SmWRgwqtdeHopEGog7ZldBPYTeA00ERN Uln3tia/2jYgCP9tKb63o4uuEfGM43lRGyhgG4pAa05Dd01NNQedusFbeSQiZbdS4QqM wFvKxttp2QTPHZaF8ymXIeZH8afJnMhJybfGk5qkDFPIWOYT9B3+PiGRbIiOdbPmtzE2 VuEg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1718668762; x=1719273562; h=to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=7lHY4EM3X/Y6AKM7ad+baTps1Oys0IxrpQDisgJZPLs=; b=gyvM4LIUQvbfaxXUKbyH2855Q4hlvQwQuTdXI/s+XCBoYr2hlpl1iX+hD0zIK4FXvF 9kxmzFlbPzRDwT+SntoqU6FyxMcRm+qWw8nbHCUMnzw1nqyxvsuKjHVGXoYk86ToiLVa MnB8WUajrSyk7SWRoDb54r4AgbvrsyC4m8t2xr7h00io4JEIe7Wjc+A4aNVf9EQdhMuz q4QjhIpqvFA/xAFBLauQZ4Py6thAV9apn2crdQtXHlGz4Tm1Gm0QNsdEx4fdqbPAr4tp vvERqK6r90NgsjYMI3Iggvf2aNXHSiE031k7jvY16/mA0K/Ro758d+rrtD38h3xYK6jZ MKYw==
X-Gm-Message-State: AOJu0YwQqNQXNRyOjvIwy9q40n+jmvXxJkiSUD3TM+CaSyb7EUE+BwBE i5PfYqfE1TiqRZnkMO/aOOYg/rRc3j3clVlZbwx7JECVweje9nOh3NsVuSPZ4YujWuPNfEKWO+D JTwtlpZ+HQPKQxuKoWApmyAbcJrYCwg==
X-Google-Smtp-Source: AGHT+IG9HGOY8NSenO+H7Pr+xonFQ4EE3EIr4qgGMvgQGDt3EXB6ScIrpa3XoHia/H0rGqmP4+XgsOUddKRup1o2eK0=
X-Received: by 2002:a5d:6e10:0:b0:360:7a1b:62f6 with SMTP id ffacd0b85a97d-3607a746a6amr8254745f8f.5.1718668762164; Mon, 17 Jun 2024 16:59:22 -0700 (PDT)
MIME-Version: 1.0
From: Watson Ladd <watsonbladd@gmail.com>
Date: Mon, 17 Jun 2024 16:59:10 -0700
Message-ID: <CACsn0ck4tzTV7xgYPbZ-_L1rR9RUiwmrPL4Dba_maNsuq+tdTw@mail.gmail.com>
To: wimse@ietf.org
Content-Type: text/plain; charset="UTF-8"
Message-ID-Hash: IQEOTWML7RHVCVFZHKNNT7JCHJMCAQD4
X-Message-ID-Hash: IQEOTWML7RHVCVFZHKNNT7JCHJMCAQD4
X-MailFrom: watsonbladd@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [Wimse] What is an identity and section 3.2.1 of draft-ietf-wimse-arch (or must identity be the compositum of all attributes?)
List-Id: WIMSE Workload Identity in Multi-Service Environment <wimse.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/wimse/lkBh5AS63J8gXxtgHqo5X4RxN6A>
List-Archive: <https://mailarchive.ietf.org/arch/browse/wimse>
List-Help: <mailto:wimse-request@ietf.org?subject=help>
List-Owner: <mailto:wimse-owner@ietf.org>
List-Post: <mailto:wimse@ietf.org>
List-Subscribe: <mailto:wimse-join@ietf.org>
List-Unsubscribe: <mailto:wimse-leave@ietf.org>
Dear wimsyists, I must confess to never having read Leibnitz, but I think section 3.2.1 will force me to. I hope this long rambling email explains why and elucidates some of what confuses me in WISME, and hopefully others find out they are likewise confused. Section 3.2.1 implies the identity must include a bunch of information that's relevant to the problem of authorizing a request, that is conveyed by whatever ticket brings it alongside a request. There are two notions of identity at play here. The first is the concept that makes one thing not like the other. The other is the name by which we might call a thing not like the other. E.g a farmer might have cow 1, cow 2, cow 3, or Bessie, Jessie, and Daisy. Bessie does not convey any of the relevant information about that cow, but does identify it uniquely among the herd. To me this is also identity, and indeed is the identity that would be most convenient to convey. This is where Leibnitz comes in. Now given a request we might want to evaluate the fundamental question of "who get to do what to whom". And here I think the distinction between authorization and authentication has been elided a bit. Authentication only determines the who. Authorization is about answering the question of if the request is in fact authorized. A token could speak only to authentication, but it could also provide authorization information. The draft is pretty ambivalent about which: while there is a lean towards authentication it seems the token issuance is also supposed to be a gating function, and the token needing to carry more than a simple identifier means that it starts to blur the line. Lastly there's a huge gap for me around what sort of policies make sense. Many systems I've seen and worked with had a broad class of services provided by various elements, and the users of such services might be a very dynamic set. Others had a self-serve partitioning of a class of resources allocated to each service calling in. Other times we might have systemic policies, e.g. "Infosec says all services must do X, which we can determine at build time, and those that don't can't run". Expressing these policies in human understandable form argues for a simple identifier as a human readable policy depends on such identifier. I don't think a complex identifier works for that. In conclusion I think we need to make an explicit choice. Either the token carries a workload identifier (akin to a Service in K8S or something else?) or it carries a grab bag of attested environmental attributes over which policies run. And I think we need to figure out what policies should be expressable and which shouldn't be. Sincerely, Watson Ladd -- Astra mortemque praestare gradatim
- [Wimse] Re: What is an identity and section 3.2.1… Justin Richer
- [Wimse] What is an identity and section 3.2.1 of … Watson Ladd
- [Wimse] Re: What is an identity and section 3.2.1… Joseph Salowey
- [Wimse] Re: What is an identity and section 3.2.1… Yogi Porla
- [Wimse] Re: What is an identity and section 3.2.1… Pieter Kasselman
- [Wimse] Re: What is an identity and section 3.2.1… Mingliang Pei
- [Wimse] Re: What is an identity and section 3.2.1… Mingliang Pei