IETF Logo Mail Archive

Re: [Wimse] Updated Proposed Charter Text

Yaron Sheffer <yaronf.ietf@gmail.com> Fri, 09 February 2024 15:38 UTC

Return-Path: <yaronf.ietf@gmail.com>
X-Original-To: wimse@ietfa.amsl.com
Delivered-To: wimse@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 58F7DC14F71E for <wimse@ietfa.amsl.com>; Fri, 9 Feb 2024 07:38:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.103
X-Spam-Level:
X-Spam-Status: No, score=-2.103 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bSK0Idnwwosa for <wimse@ietfa.amsl.com>; Fri, 9 Feb 2024 07:38:10 -0800 (PST)
Received: from mail-oo1-xc31.google.com (mail-oo1-xc31.google.com [IPv6:2607:f8b0:4864:20::c31]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7CE86C14F5EE for <wimse@ietf.org>; Fri, 9 Feb 2024 07:38:10 -0800 (PST)
Received: by mail-oo1-xc31.google.com with SMTP id 006d021491bc7-5961a2726aaso620028eaf.0 for <wimse@ietf.org>; Fri, 09 Feb 2024 07:38:10 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1707493089; x=1708097889; darn=ietf.org; h=mime-version:in-reply-to:references:thread-topic:message-id:cc:to :from:subject:date:user-agent:from:to:cc:subject:date:message-id :reply-to; bh=EaLIChaX9qOt+YTJyg650fGDrFzCDR/7Jc0qg6Aqbrk=; b=k9svTxAoaNFCfwmUNphKxvraUBPbReEMlEIm4pfX53+2M3/FOsX2AUh6FLmoxUNbvr Fr6MOVgsEG+FVZUG3u7jq3l+ZE+WuKmXmwpsEI/uIyEOwRcq5wula0nppBuy64nBhyY7 lBTh4WawHY3+sJhnWH9OSU1NjNRdq5nO4d1Vx5ou3VRodDltFA26zGI0oZvakXH6XbTs EjF33N6L0+7KfgMOoTCplZCxjF19U7YmdClGIQvcPFY1HZbPDdArboFbLx4HaBLJRG18 C0WK3D0tdJyNGz6N3vvdT6+hOlOGyvfXMpICnUO81qoXqbOrXvbuEZ3ehmHtmmc+zq/P jMkw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1707493089; x=1708097889; h=mime-version:in-reply-to:references:thread-topic:message-id:cc:to :from:subject:date:user-agent:x-gm-message-state:from:to:cc:subject :date:message-id:reply-to; bh=EaLIChaX9qOt+YTJyg650fGDrFzCDR/7Jc0qg6Aqbrk=; b=cyVYt8JH7ZMTZtnhzgyxJf4s0SombnLbCoQJrJgU1tzMPPDqv/5inj5E9XKjL8vBhE nT4T1E1a3mnhwfhLTjHMsl3UhVOc//w/PWIT+Oa6pH4haRUnf3P1+KUC/6ai+7PIvtiB N0gdu1Et28/NAGY9pPSsc3ITWD1jYIBTvEp6CQm5dgEeLpK4nzzZXI1xNxoSETvs6mCy mVQVEA1Y84qlOagmKIAEN0v8zVfNplYw8D4Zyruc0GssIyYuCe8xEUROy6V+cY0OuqKl s+imqM5/OV43xAomYI39V3rYlSMcAJLmasTroJ625yjUU9mIpjiXdCyyjnCtO5Dcggoq hrNg==
X-Gm-Message-State: AOJu0YxVDi5Bf+t6POZUGICp7Hh3glybPjBlVQ3EWNv/1PI6Uw34b4v2 j6f2/LgZ2MAMGVx+GpaY73wh9SjZlnQ77OdbPFMqkL0pBXSDyPjd
X-Google-Smtp-Source: AGHT+IHe5QUjMNYce/QE2JOxiGXG0Jluc//Rn+wHbk05Vm88fVdEBuJrRLN8NBiP+270Wqqo0QoN2g==
X-Received: by 2002:a05:6870:718c:b0:21a:d38:9303 with SMTP id d12-20020a056870718c00b0021a0d389303mr2214923oah.5.1707493089081; Fri, 09 Feb 2024 07:38:09 -0800 (PST)
X-Forwarded-Encrypted: i=1; AJvYcCUppoGK6IgXy8cz5Ryt7aZVN5WecfEuMHGbMLksASRMiug421Y8c/G6gqtnB6ToheYyVix8lC3wN6axOVFzXg==
Received: from [192.168.68.107] ([77.125.223.103]) by smtp.gmail.com with ESMTPSA id w11-20020a05622a134b00b0042c5a47df18sm625338qtk.55.2024.02.09.07.38.07 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Fri, 09 Feb 2024 07:38:08 -0800 (PST)
User-Agent: Microsoft-MacOutlook/16.81.24012117
Date: Fri, 09 Feb 2024 17:38:05 +0200
From: Yaron Sheffer <yaronf.ietf@gmail.com>
To: Justin Richer <jricher@mit.edu>, "wimse@ietf.org" <wimse@ietf.org>
CC: "Murray S. Kucherawy" <superuser@gmail.com>
Message-ID: <40447E8D-736F-4A39-A9E8-FBC641355446@corp.intuit.net>
Thread-Topic: [Wimse] Updated Proposed Charter Text
References: <8F412FE3-8FE6-458F-BFCE-83191594C232@mit.edu> <66BF3A15-A0DD-48FC-88C7-405611FBDEE6@mit.edu>
In-Reply-To: <66BF3A15-A0DD-48FC-88C7-405611FBDEE6@mit.edu>
Mime-version: 1.0
Content-type: multipart/alternative; boundary="B_3790345087_1202781689"
Archived-At: <https://mailarchive.ietf.org/arch/msg/wimse/nX92oCZIMEDjKPbEbaVD-0O09z0>
Subject: Re: [Wimse] Updated Proposed Charter Text
X-BeenThere: wimse@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: WIMSE Workload Identity in Multi-Service Environment <wimse.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/wimse>, <mailto:wimse-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/wimse/>
List-Post: <mailto:wimse@ietf.org>
List-Help: <mailto:wimse-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/wimse>, <mailto:wimse-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Feb 2024 15:38:14 -0000

FYI, Murray just uploaded this text as a new revision of the charter, https://datatracker.ietf.org/doc/charter-ietf-wimse/

 

Thanks,

                Yaron

 

 

 

From: Justin Richer <jricher@mit.edu>
Date: Thursday, 8 February 2024 at 17:53
To: "wimse@ietf.org" <wimse@ietf.org>
Cc: "Murray S. Kucherawy" <superuser@gmail.com>
Subject: Re: [Wimse] Updated Proposed Charter Text

 

Hi everyone, updated text from today’s discussion is on the URL and I’ve pasted it here below. Please provide comments on the updated sections if you have them, and we’ll work with Murray to update the proposed text in the tracker as appropriate. 

 

 

Background & Motivation

 

The increasing prevalence of cloud computing and micro service architectures has lead to the rise of complex software functions being built and deployed as workloads, where a workload is defined as a running instance of software executing for a specific purpose. This working group will focus on the unique identity and access management aspects of workloads at runtime and their execution context, particularly focusing on the propagation, representation, and processing of workload identities. Though the following items are relevant to the context of workloads, these items are not workloads and this working group will not define:

 

- Static software identities and provenance, such as software bill of materials (SBOM)

- Personal identities

- Deployment chains

- Supply chain management

 

The rise of diverse service platforms and the drive for business flexibility, cost-efficiency, resilience, and compliance make maintaining least privilege access for workloads increasingly complex. As a result of the adoption of micro-service architectures, services are composed of multiple workloads that need to authenticate to each other while making authorization decisions based on the original caller, their context, and the actions of other workloads that acted on a transaction. These workloads are often distributed across trust boundaries, without a single centralized controller managing the different identities or authorization policies.

 

While several standards and open-source projects offer foundational elements for secure workload identity, there remains a lack of clarity in their interoperation and combination. These technologies (specifically: OAuth, JWT and SPIFFE) have been combined in a variety of ways in practice, but the solutions have existed in relative isolation. This ambiguity can lead to inconsistencies, interoperability issues, and potential security vulnerabilities.

 

Scope

 

The Workload Identity in Multi-Service Environments (WIMSE) working group is chartered to address the challenges associated with implementing fine-grained, least privilege access control for workloads deployed across multiple service platforms, spanning both public and private clouds. The work will leverage existing standards, open source projects, and community practices, focusing on combining them in a coherent manner to address multi-service workload identity use cases such as those identified in the Workload Identity Use Cases (draft-gilman-wimse-use-cases) I-D.

 

Goals

 

The goal of the WIMSE working group is to identify, articulate, and bridge the gaps and ambiguities in workload identity problems and define solutions across a diverse set of platforms and deployments, building on various protocols used in workload environments. Though initial deliverables will focus on specific REST-based technologies and HTTP, the group will also consider deliverables that use non-HTTP transport protocols that are found in workload deployments, such as GraphQL, gRPC, and Kafka.

 

The WIMSE working group aims to address the following major considerations through near-term and long-term deliverables:

 

    Establish Best Current Practices (BCPs): Define guidelines on effectively combining existing standards from different ecosystems to cater to various workload identity scenarios.

 

    Identify and Advocate for Gap-filling Work: Engage with other relevant working groups to pinpoint and address gaps in current standards. This will involve thorough collaboration, ensuring that emerging standards are consistent, holistic, and interoperable.

 

    Standardize New Solutions: Initiate and develop new standards that provide the needed functionality and ensure their widespread adoption to address propagating, representing, and processing of workload identity (unless there is a more direct fit in another working group).

 

Workloads are often associated with complex context, including user identity, software origin and hardware-based attestation. Communicating this context involves a unique set of challenges across different scenarios including multi-hop, long-lived and asynchronous transactions. WIMSE will consider this context in authorization decisions, record keeping and auditing solutions, and wire formats and protocols between elements of a workload, both within and across security boundaries.

 

Dependencies and Liaisons

 

The WIMSE working group will closely collaborate with:

 

    Other IETF working groups that address topics related to identity, authentication, and authorization, including, but not limited to, OAuth, SCIM, and RATS.

 

    The Cloud Native Computing Foundation (CNCF), particularly with regard to the SPIFFE/SPIRE project.

 

    The OpenID Foundation and other organizations working on similar standards.

 

Initial Deliverables

 

Please note that the order of items does not reflect their priority or expected delivery order.

 

    WIMSE architecture: The group will develop an Informational document that defines common terminology, discusses workload attestation and identity, and specifies a threat model. The WIMSE architecture will be drawn from experience with other working group documents and is not intended as a prerequisite for their completion. The document will describe 2-3 scenarios and for each of them, it will identify existing standards and gaps where a new standard (or a profile) is needed for interoperability. The document’s goals and format are inspired by the RATS architecture, RFC 9334.

 

    Securing service-to-service traffic: a JOSE-based token solution for service authn/authz to protect a chain of HTTP/REST calls, within and across trust domains. The document should support strong identification of microservices and cryptographic binding of the token to the caller’s identity and optionally, binding to the transaction. It should support associating arbitrary context with the token, including but not limited to user identity, platform attestation and SBOM artifacts. Context may also include authorization information, however defining the semantics of such information is out of scope. This deliverable includes both a token format and usage, including binding to the caller’s identity.

 

    Token issuance: A document describing a method for issuance of tokens within a workload component. In addition to generic token issuance, the deliverable will describe local token issuance where the issuer operates with limited authority in order to reduce risk, improve latency and enhance reliability.

 

    Token exchange: A document describing a method for exchanging an incoming token for a workload-specific token at security boundaries in the context of workload identities (possibly based on RFC 8693). It will include a small set of token exchange profiles (mapping of claims) that enable authorization in call chains, in addition to interoperable access from SPIFFE-identified services to OAuth-protected resources and vice versa.

 

    Document existing local token distribution practices for workloads: An Informational deliverable describing the considerations and best practices for filesystem-based token delivery in Kubernetes. A proposed starting point is draft-hofmann-wimse-workload-identity-bcp-00.

 

 

 

— Justin



On Feb 7, 2024, at 3:23 PM, Justin Richer <jricher@mit.edu> wrote:

 

Hi all, I’ve put together an update to the WIMSE charter text based on the recent thread, please read and review ahead of tomorrow’s call: 

 

https://notes.ietf.org/s/lpjvjT_mA#

 

— Justin

 

-- 
Wimse mailing list
Wimse@ietf.org
https://www.ietf.org/mailman/listinfo/wimse

v2.23.0 | Report a Bug | By Email