IETF Logo Mail Archive

Re: [Wimse] Is workload identity really the problem?

Joseph Salowey <joe@salowey.net> Fri, 08 September 2023 23:54 UTC

Return-Path: <joe@salowey.net>
X-Original-To: wimse@ietfa.amsl.com
Delivered-To: wimse@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7BB74C151074 for <wimse@ietfa.amsl.com>; Fri, 8 Sep 2023 16:54:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.895
X-Spam-Level:
X-Spam-Status: No, score=-6.895 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=salowey-net.20230601.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id onqgCvjdSlrY for <wimse@ietfa.amsl.com>; Fri, 8 Sep 2023 16:54:37 -0700 (PDT)
Received: from mail-lj1-x232.google.com (mail-lj1-x232.google.com [IPv6:2a00:1450:4864:20::232]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7D750C14CF13 for <wimse@ietf.org>; Fri, 8 Sep 2023 16:54:37 -0700 (PDT)
Received: by mail-lj1-x232.google.com with SMTP id 38308e7fff4ca-2bd6611873aso41783491fa.1 for <wimse@ietf.org>; Fri, 08 Sep 2023 16:54:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=salowey-net.20230601.gappssmtp.com; s=20230601; t=1694217275; x=1694822075; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=UUBvFaNTx8cY1WWMEg2HJeVA3tdgIzvRaqddKwy6Ww0=; b=V80cSwHy583i9T7dQeM/3Qfkhst/AvCOw1QAklSa0iSIpgnT1J9s8pmVmN7h4LAO2q 8fNWyIQI5fKN9mn4nCr15XV8U6MSXdd5Hk8MCHBIuldUUYyE8KpNzAxjCYXs0HHLr8ls dc2XuBSjg2F6m782ISuv1KdR9SiEcBIrlq4KDWj+c1q3kIqvRoAhyxJWqnJjO2DPXrPa A5vEkHBmv3lmJ5/2Nw30nrRjR6yyLOImbFzMtcZYLjx+PsLI/NBsE8jJnNpcJqRehj15 WOGSnfUtzpXux9zXoIJ191dzSHUFssuXnsgLpRBRtoNeO/AzDylL+/+xtnitzJubuP3s BAsA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1694217275; x=1694822075; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=UUBvFaNTx8cY1WWMEg2HJeVA3tdgIzvRaqddKwy6Ww0=; b=d0f2EvthvOR0BqYBfQ6AVnCmzhmo1uWSUCz2cOWFBdSYwNBSo/igbUUDHkriTCzMnm olDLjhcrF7XaArKkdKkp/nop9ak8Rf6ZFfed+Jd+PY6WhQzezzXoepD1YljAedhZsoR3 oXyKkGyD3efbtbDxRtyBUrluoOVok4wBvBXOeeLt0uP/kJL+HcvA56GZRNevBB64UOyk Klq+VACnbkdhAF+SN+l4VxSwzLltxsr5b9fDQ43OPih4wEK71mEwyvl9ctEUXOxRD3fk BXsLl/oSmaAkyvdTiCmD1H4mq3fUZoC/moSUkxoa/lMV23Sk54o9F6cPh9ETjlNSnwPl lX8g==
X-Gm-Message-State: AOJu0YwUKH2hfsaqVjbCsvAdf5PKe7nbonUqlruSMTRzT/iF//xH4e2k gbI2nykXhzrjk7J5KT+VQ3sXuwDUEXL+LL+hk8Kx+g==
X-Google-Smtp-Source: AGHT+IGOm8TjeCjvYgcH2y1VQNpHFx6Lncm8cDPscmKA32yJAyAj5qgGIsfrgfUZuZvjjaWa9UB5xLnejhSexm5yvK4=
X-Received: by 2002:a2e:9988:0:b0:2bd:d4d:7fb6 with SMTP id w8-20020a2e9988000000b002bd0d4d7fb6mr3065923lji.2.1694217275434; Fri, 08 Sep 2023 16:54:35 -0700 (PDT)
MIME-Version: 1.0
References: <CACsn0cndpoTpmuy34E=eMcgpndhAHYozx90F23ErTrDWmgW+Sw@mail.gmail.com> <CAOB-mKkfoHsD=DfZtVOwTjHsvezQ=+_KUCJe1WLH=T5znnwDjA@mail.gmail.com> <AS8PR10MB74271C6BACDA62C1BFA48610EEEEA@AS8PR10MB7427.EURPRD10.PROD.OUTLOOK.COM> <DBAPR83MB042293872FF09269F060FA6B91EEA@DBAPR83MB0422.EURPRD83.prod.outlook.com> <AS8PR10MB74270B889FA59C065B2120ECEEEEA@AS8PR10MB7427.EURPRD10.PROD.OUTLOOK.COM> <DBAPR83MB04221816AEAC18B0DBBABC4491EEA@DBAPR83MB0422.EURPRD83.prod.outlook.com> <DM6PR01MB4444DE5FED18779EEFC2BF88BDEEA@DM6PR01MB4444.prod.exchangelabs.com> <CAOgPGoAeLrEMHuj4Jvnir1aVhArgiz8gP6D_QfEqXKtQeR3owQ@mail.gmail.com> <CAN8C-_+B-M3eWPFs-JOYr2VAg_q5cDKgHfFQoBUd--W77=qHYA@mail.gmail.com>
In-Reply-To: <CAN8C-_+B-M3eWPFs-JOYr2VAg_q5cDKgHfFQoBUd--W77=qHYA@mail.gmail.com>
From: Joseph Salowey <joe@salowey.net>
Date: Fri, 08 Sep 2023 16:54:20 -0700
Message-ID: <CAOgPGoAkzjSjz76Ht59OzGvhYJvwZx9NA8LNLA6wax8LeL8xaQ@mail.gmail.com>
To: Orie Steele <orie@transmute.industries>
Cc: Justin Richer <jricher@mit.edu>, Pieter Kasselman <pieter.kasselman=40microsoft.com@dmarc.ietf.org>, "Tschofenig, Hannes" <hannes.tschofenig=40siemens.com@dmarc.ietf.org>, "Tschofenig, Hannes" <hannes.tschofenig@siemens.com>, evan <evan@spirl.com>, Watson Ladd <watsonbladd@gmail.com>, "wimse@ietf.org" <wimse@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000e005130604e1b28b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/wimse/oZoKbDHJ61wnAQrWWI-61sdN8ZE>
Subject: Re: [Wimse] Is workload identity really the problem?
X-BeenThere: wimse@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: WIMSE Workload Identity in Multi-Service Environment <wimse.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/wimse>, <mailto:wimse-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/wimse/>
List-Post: <mailto:wimse@ietf.org>
List-Help: <mailto:wimse-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/wimse>, <mailto:wimse-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Sep 2023 23:54:41 -0000

On Fri, Sep 8, 2023 at 11:42 AM Orie Steele <orie@transmute.industries>
wrote:

> Sorry to float a solution to a problem I barely understand... but...
>
> On Fri, Sep 8, 2023 at 1:20 PM Joseph Salowey <joe@salowey.net> wrote:
>
>>
>>
>> On Thu, Sep 7, 2023 at 8:23 AM Justin Richer <jricher@mit.edu> wrote:
>>
>>> I think that this is an important aspect to capture: nobody coming into
>>> this is claiming that there are no tools or partial solutions. But the
>>> problem is that: they're partial, and one of the main goals of this work is
>>> to shine light on the gaps that people see when we bring these pieces
>>> together in different ways.
>>>
>>> Some problems are solved, but that doesn't make all problems solved. In
>>> fact I'd argue that it makes it a more compelling space for finding
>>> solutions because people want to use the parts that we have,where it makes
>>> sense.
>>>
>>> But to do that, first you need to make skat of where the existing parts
>>> fit, then you need to make sense of how they go together, then you need to
>>> write down the gaps and find those solutions, which is what I see as the
>>> core work of wimse. The use case document attempts to capture some of these
>>> as a starting point. Just about everything in there, I could cobble
>>> together something to make it work, and people are doing that. But now it's
>>> time to figure out what the common parts and patterns are, and that's why
>>> I'm interested.
>>>
>>>
>> [Joe] These are things we run into when trying to reuse OAUTH
>> for workloads. The result is solutions that lead to interop problems and
>> potential security issues when we try to reuse common libraries or federate
>> across organizations.   As an example, the defined integration between
>> OAUTH and X.509 is through TLS.  With a little duct tape you can patch
>> together solutions to address cases when end-to-end TLS is not available,
>> but you are limited in authentication mechanisms and the required
>> interactions fall outside the core OAUTH set of use cases that involve
>> public clients and web browsers/user controlled applications.
>>
>
> Is this a "sign in to a public client with a decentralized identifier use
> case" ? Or are you saying you don't want public clients and you don't have
> the OAuth block you are looking for?
>
> [Joe] The cases I'm dealing with don't use public clients in the way OAUTH
defines them (I think).  There probably are cases where workloads are
public clients, but I haven't been focused on that.


> The use case talked about private key jwt.... is there some duct tape
> version of this story with private key jwt and mtls that highlights its
> greatest weak points?
>
> [Joe] The short-comings I've run into with private key jwt is that the
certificate validation piece of it is undefined or at least un-implemented
in many cases (you are checking against a public key you learned in some
other way and that the exchange doesn't involve a nonce for freshness (in
many cases this may not seem important because if the attacker can generate
a signature they have access to the private key when we start looking at
workloads that can attest to have a secure method of key storage then
freshness makes some difference).


> Many of the pieces are there but how they fit together is ill-defined.
>> The problems also exist when trying to communicate information about what
>> has happened previously from one part of the system to another (which may
>> cross an organizational boundary) such as user
>> authentication/identification, hardware attestation or application specific
>> validation.  We have tools from the IETF and other places that can help us,
>> but we need to get out the duct tape to make it work with little chance of
>> interop with other solutions and a chance that there is an unforeseen
>> weakness (fortunately we can always apply more tape and maybe some chewing
>> gum).
>>
>
> Let's make it wrong first, so we can see how to make it right ; )
>

>
>>
>>
>>> -Justin
>>> ------------------------------
>>> *From:* Wimse <wimse-bounces@ietf.org> on behalf of Pieter Kasselman
>>> <pieter.kasselman=40microsoft.com@dmarc.ietf.org>
>>> *Sent:* Thursday, September 7, 2023 10:59 AM
>>> *To:* Tschofenig, Hannes <hannes.tschofenig=40siemens.com@dmarc.ietf.org>;
>>> Tschofenig, Hannes <hannes.tschofenig@siemens.com>; evan <evan@spirl.com>;
>>> Watson Ladd <watsonbladd@gmail.com>
>>> *Cc:* wimse@ietf.org <wimse@ietf.org>
>>> *Subject:* Re: [Wimse] Is workload identity really the problem?
>>>
>>>
>>> Hi Hannes, thanks for the great clarifying questions.
>>>
>>>
>>>
>>> When I wrote “attested identity” I was thinking of an identity that was
>>> assigned to a workload following some kind of attestation process with the
>>> issuing authority (e.g. the sort of flow that happens in the SPIRE
>>> implementation).
>>>
>>>
>>>
>>> I think SPIFFE\SPIRE does an excellent job at solving the “zero turtle”
>>> problem – that is bootstrapping a workload with an identifier and a
>>> credential. There are some tweaks that will make things even better (e.g.
>>> adding some kind of proof-of-possession mechanism to SVID JWTs will help
>>> protect against credential/token theft problems that have become more
>>> commonplace than anyone should be comfortable with).
>>>
>>>
>>>
>>> However, to ensure that an identity system can deliver on the promise of
>>> ensuing that the right entity has access to the right information at the
>>> right time for the right reasons, you need a little bit more. For example,
>>> SPIFFE/SPIRE provides you with credentials that can be used for
>>> authentication (e.g. MTLS),  but does not define how that should be used
>>> with OAuth 2.0. OAuth 2.0 in turn requires that OAuth clients are
>>> registered with the Authorization Server, however, given the dynamic nature
>>> of workloads (add/remove in response to scale demands), these may not
>>> always be feasible (there is some interesting new work on attestation based
>>> client authentication in the OAuth WG that may help address this😉 ).
>>>
>>>
>>>
>>> This is one example that is also described in the use cases doc (see
>>> Section 3,2 in draft-gilman-wimse-use-cases-00 - Workload Identity Use
>>> Cases (ietf.org)
>>> <https://datatracker.ietf.org/doc/draft-gilman-wimse-use-cases/>). The
>>> other use cases attempt to capture similar scenarios where we don’t have
>>> good end-2-end stories solutions – mostly where different standards
>>> eco-systems are trying to connect.
>>>
>>>
>>>
>>> I hope that helps.
>>>
>>>
>>>
>>> Cheers
>>>
>>>
>>>
>>> Pieter
>>>
>>>
>>>
>>> *From:* Tschofenig, Hannes <hannes.tschofenig=
>>> 40siemens.com@dmarc.ietf.org>
>>> *Sent:* Thursday, September 7, 2023 12:51 PM
>>> *To:* Pieter Kasselman <pieter.kasselman@microsoft.com>; Tschofenig,
>>> Hannes <hannes.tschofenig@siemens.com>; evan <evan@spirl.com>; Watson
>>> Ladd <watsonbladd@gmail.com>
>>> *Cc:* wimse@ietf.org
>>> *Subject:* AW: [Wimse] Is workload identity really the problem?
>>>
>>>
>>>
>>> Hi Pieter,
>>>
>>>
>>>
>>> what do you mean by "attested identity"?
>>>
>>>
>>>
>>> Explain me where SPIFFE falls short in performing authentication, and
>>> authorization of what you want.
>>>
>>>
>>>
>>> Ciao
>>>
>>> Hannes
>>>
>>>
>>>
>>> *Von:* Wimse <wimse-bounces@ietf.org> *Im Auftrag von *Pieter Kasselman
>>> *Gesendet:* Donnerstag, 7. September 2023 13:10
>>> *An:* Tschofenig, Hannes <hannes.tschofenig=40siemens.com@dmarc.ietf.org>;
>>> evan <evan@spirl.com>; Watson Ladd <watsonbladd@gmail.com>
>>> *Cc:* wimse@ietf.org
>>> *Betreff:* Re: [Wimse] Is workload identity really the problem?
>>>
>>>
>>>
>>> My perspective is that SPIFFE is part the story and is excellent in
>>> getting us to a point where there is an attested identity provisioned with
>>> a credential and since it is platform agnostic, it lends itself to
>>> multi-service/multi-cloud environments. However, that is not sufficient for
>>> someone operating an identity management system. Connecting those standards
>>> to the rest of the standards eco-system to perform authentication,
>>> authorization (including taking user identity and call chain information
>>> into account), (automated) federation, monitoring and remediation
>>> infrastructure and compliance reporting is required to deliver a functional
>>> multi-service workload identity system.
>>>
>>>
>>>
>>> *From:* Wimse <wimse-bounces@ietf.org> *On Behalf Of *Tschofenig, Hannes
>>> *Sent:* Thursday, September 7, 2023 10:42 AM
>>> *To:* evan <evan@spirl.com>; Watson Ladd <watsonbladd@gmail.com>
>>> *Cc:* wimse@ietf.org
>>> *Subject:* Re: [Wimse] Is workload identity really the problem?
>>>
>>>
>>>
>>> From your response I think you are more referring to the management of
>>> credentials. This is something that is largely outside SPIFFE (but covered
>>> in the reference implementations). The IETF has done a tremendous amount of
>>> work on managing credentials. For example, if you want to request an X.509
>>> certificate, re-new a certificate, etc. there are various protocols
>>> available that can be used, such as EST or CMP.
>>>
>>>
>>>
>>> A question that is related to the topic of credential management: Would
>>> you consider the scope of the work in WIMSE to focus on what corresponds to
>>> the scope of SPIFFE or, the larger scope, the scope of SPIRE?
>>>
>>>
>>>
>>> Ciao
>>>
>>> Hannes
>>>
>>>
>>>
>>>
>>>
>>> *Von:* Wimse <wimse-bounces@ietf.org> *Im Auftrag von *Evan Gilman
>>> *Gesendet:* Mittwoch, 6. September 2023 01:54
>>> *An:* Watson Ladd <watsonbladd@gmail.com>
>>> *Cc:* wimse@ietf.org
>>> *Betreff:* Re: [Wimse] Is workload identity really the problem?
>>>
>>>
>>>
>>> On Tue, Sep 5, 2023 at 9:48 AM Watson Ladd <watsonbladd@gmail.com>
>>> wrote:
>>>
>>> Dear Wimse enthusiasts,
>>>
>>> I read the usecases draft and I'm not entirely sure that we're
>>> thinking about the problem in the right terms. A lot of the desired
>>> properties seem to be about authorization, and naming is not really
>>> relevant. ...
>>>
>>> ...
>>> Secondly credential capture and reuse  seem to have a different set of
>>> technical issues than naming. One could use asymmetric keys provided
>>> via sidecar so not exposed to the process/ use some of the ideas
>>> explored in the now closed LURK wg, but this seems largely orthogonal
>>> to identity issues.
>>>
>>>
>>>
>>> IMO, identity is a lot more than just naming. It's also about
>>> credentialing, credential exchange/validation, and authority federation (to
>>> name a few). I would ask, how useful is an identity scheme if credential
>>> format and use are not defined? Kerberos, OAuth, etc all define one. And
>>> works to prevent credential theft are also undertaken in those areas
>>>
>>>
>>>
>>> Further, I feel this layer exists largely in service of authorization.
>>> As such, I personally find it useful to frame shortcomings as authorization
>>> needs.
>>>
>>>
>>>
>>> Lastly there's the "what code do I have actually running" question.
>>> And this seems to be really outside of the domain of IETF in general,
>>> and the answers here are not useful to the other usecases. An external
>>> service doesn't care about what commit the latest update a team had
>>> was to make security decisions. It may care about what security
>>> standards were applied in the process, but this feels to me like logic
>>> about issuance of identity credentials not the service identity
>>> itself.
>>>
>>>
>>>
>>> I agree that this specific example is related to the issuance of
>>> identity credentials. The part that I think is worth highlighting is that
>>> the issuance system has much more information about the workload than
>>> appears in the identity itself. The authorization layer frequently wants
>>> this information (for e.g. ABAC), and it's not really clear where to put
>>> this information, how to distribute it, etc. It very well could be that it
>>> does not belong as a part of the issued credential, though I do think it's
>>> a worthwhile discussion
>>> --
>>> Wimse mailing list
>>> Wimse@ietf.org
>>> https://www.ietf.org/mailman/listinfo/wimse
>>>
>> --
>> Wimse mailing list
>> Wimse@ietf.org
>> https://www.ietf.org/mailman/listinfo/wimse
>>
>
>
> --
>
>
> ORIE STEELE
> Chief Technology Officer
> www.transmute.industries
>
> <https://transmute.industries>
>

v2.23.0 | Report a Bug | By Email