[Wimse] Re: Fwd: New Version Notification for draft-schwenkschuster-s2s-protocol-00.txt

Dag Sneeggen <dag.sneeggen@signicat.com> Tue, 23 September 2025 21:43 UTC

List-Id: WIMSE Workload Identity in Multi-Service Environment <wimse.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/wimse/rBQyJVeaCiEGJxuEqnWqUC5k4v4>
List-Archive: <https://mailarchive.ietf.org/arch/browse/wimse>

In my opinion we should consider taking a step back and a moment to pause. I feel that we might be losing sight of our goal: strong, trusted workload identity.

1. Workload authentication. IMO the best working implementation is SPIFFE SVIDs as either JWT or X.509 certs. For instance, popular service meshes provide this, as does of course a SPIFFE/SPIRE implementation.
2. Workload authorization. The authorization context needs to be conveyed. Could be a bearer/access token, maybe a transaction token, or something similar. IMO the biggest win here is binding tokens to workload identity, either with certificates using RFC 8705, or some DPoP-like (WPT) mechanism.
3. Secret sprawl is a huge problem that I think WIMSE should address in one way or another: the proliferation of long-lived and poorly managed secrets. There are many interesting drafts in the making now related to client authentication using various forms of token or attestation. I'm sure we're all quite aware of these.

Everything else for me is tangential at best, irrelevant at worst. We need to further sharpen the message of this document to make it more impactful.
For instance, for me the inclusion of HTTP message signing doesn't belong in a document declaring "the simplest, atomic unit of this architecture". Perhaps this could fit in a BCP-style document.

I think we need to be much clearer about what is the "simplest, atomic unit of WIMSE (s2s) architecture". Everything else that is useful and/or interesting can be placed in other documents.
In many ways I feel that the main "WIMSE architecture" document is much clearer in describing s2s communication than the actual s2s document itself, which is probably not the best sign.

Regards,
Dag Sneeggen.
________________________________
From: Arndt Schwenkschuster <arndts.ietf@gmail.com>
Sent: Tuesday, September 23, 2025 1:24:28 PM
To: wimse@ietf.org <wimse@ietf.org>
Subject: [Wimse] Fwd: New Version Notification for draft-schwenkschuster-s2s-protocol-00.txt

Dear Working Group,

As discussed in the last interim, here is also an alternative proposal to give the presentation of Workload Identity a dedicated document (s2s-protocol) and create specific documents for protocol-level proof of key possession:

Workload Identity Presentation (Workload Identity Certificate & Workload Identity Token): https://datatracker.ietf.org/doc/draft-schwenkschuster-s2s-protocol/
Workload Proof Token Profile: https://datatracker.ietf.org/doc/draft-schwenkschuster-s2s-jwt-pop/
HTTP Message Signatures Profile: https://datatracker.ietf.org/doc/draft-schwenkschuster-s2s-http-sig/

I believe this creates a good level and focus on specific topics and allows for other protocols we don't anticipate at the moment. After thinking about it for a while I don't think that multiple options are a disadvantage as long as they don't overlap. This creates clear paths for implementers and SDK developers which profile to pick.

Curious to hear your thoughts.

Kind regards,
Arndt

---------- Forwarded message ---------
From: <internet-drafts@ietf.org>
Date: Tue, Sep 23, 2025 at 1:18 PM
Subject: New Version Notification for draft-schwenkschuster-s2s-protocol-00.txt
To: Arndt Schwenkschuster <arndts.ietf@gmail.com>


A new version of Internet-Draft draft-schwenkschuster-s2s-protocol-00.txt has
been successfully submitted by Arndt Schwenkschuster and posted to the
IETF repository.

Name:     draft-schwenkschuster-s2s-protocol
Revision: 00
Title:    WIMSE Workload-to-Workload Authentication
Date:     2025-09-23
Group:    Individual Submission
Pages:    25
URL:      https://www.ietf.org/archive/id/draft-schwenkschuster-s2s-protocol-00.txt
Status:   https://datatracker.ietf.org/doc/draft-schwenkschuster-s2s-protocol/
HTML:     https://www.ietf.org/archive/id/draft-schwenkschuster-s2s-protocol-00.html
HTMLized: https://datatracker.ietf.org/doc/html/draft-schwenkschuster-s2s-protocol


Abstract:

   The WIMSE architecture defines authentication and authorization for
   software workloads in a variety of runtime environments, from the
   most basic ones up to complex multi-service, multi-cloud, multi-
   tenant deployments.  This document defines the simplest, atomic unit
   of this architecture: the protocol between two workloads that need to
   verify each other's identity in order to communicate securely.  The
   scope of this protocol is a single HTTP request-and-response pair.
   To address the needs of different setups, we propose two protocols,
   one at the application level and one that makes use of trusted TLS
   transport.  These two protocols are compatible, in the sense that a
   single call chain can have some calls use one protocol and some use
   the other.  Workload A can call Workload B with mutual TLS
   authentication, while the next call from Workload B to Workload C
   would be authenticated at the application level.



The IETF Secretariat
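The binding check behind Dag's second point and behind the two protocol flavours in the abstract (mutual TLS on one hop, application-level proof on the next), as an added example that is not part of this thread or of any WIMSE draft: the relying party compares the token's RFC 7800 "cnf" claim with what the presenter actually showed, either the client certificate on the mutual-TLS connection (RFC 8705, "x5t#S256") or the public key it proves possession of at the application level (RFC 7638 thumbprint in "jkt", the DPoP form of RFC 9449; the WPT profile itself is not modelled). Only the Python standard library is used. The certificates, keys and SPIFFE IDs are constructed placeholders, and verification of the token's signature, issuer, audience and expiry is assumed to have happened before this step.

```python
"""Confirmation-claim ("cnf", RFC 7800) check for a workload token.

Two binding flavours, one per path discussed in the thread:
  * "x5t#S256" (RFC 8705): token bound to the client certificate the
    peer presented on the mutual-TLS connection (transport level).
  * "jkt" (RFC 7638 thumbprint, as DPoP/RFC 9449 uses it): token bound
    to a public key the caller proves possession of at the application
    level. The WIMSE WPT profile is not modelled here.

Assumed: the caller already verified the token's signature, issuer,
audience and expiry. This code only answers "is the presenter the party
the token was bound to?". All certificates, keys and SPIFFE IDs below
are constructed placeholders, not real material.
"""
import base64
import hashlib
import hmac
import json
from typing import Optional


def b64url(data: bytes) -> str:
    """base64url without padding, as JOSE uses it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def cert_thumbprint(cert_der: bytes) -> str:
    """RFC 8705 section 3.1: base64url(SHA-256(DER-encoded certificate))."""
    return b64url(hashlib.sha256(cert_der).digest())


# RFC 7638 section 3.2: required members per key type; json.dumps with
# sort_keys=True yields the lexicographic order the RFC mandates.
_THUMBPRINT_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
    "OKP": ("crv", "kty", "x"),
}


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 JWK thumbprint: SHA-256 over the required members only,
    serialised with sorted keys and no whitespace. Optional members such
    as "kid", "alg" or "use" do not influence the value."""
    members = _THUMBPRINT_MEMBERS.get(jwk.get("kty"))
    if members is None:
        raise ValueError("unsupported or missing kty")
    canonical = json.dumps({m: jwk[m] for m in members},
                           separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def _eq(expected, actual: str) -> bool:
    # Constant-time compare; a non-string claim value is simply a mismatch.
    return isinstance(expected, str) and hmac.compare_digest(
        expected.encode("utf-8"), actual.encode("utf-8"))


def confirm_binding(claims: dict, *, client_cert_der: Optional[bytes] = None,
                    presented_jwk: Optional[dict] = None) -> bool:
    """True only if the token is bound and the presenter matches the binding.

    Policy: an unbound bearer token (no "cnf") is rejected, since a token
    anyone holding it can replay is what binding exists to eliminate; and
    the proof must match the method the token carries (a cert-bound token
    shown without a client certificate fails, whatever else was sent).
    """
    cnf = claims.get("cnf")
    if not isinstance(cnf, dict):
        return False
    if "x5t#S256" in cnf:
        return client_cert_der is not None and _eq(
            cnf["x5t#S256"], cert_thumbprint(client_cert_der))
    if "jkt" in cnf:
        return presented_jwk is not None and _eq(
            cnf["jkt"], jwk_thumbprint(presented_jwk))
    return False


# Constructed sample material (not real DER or EC points).
CERT_A_DER = b"\x30\x82\x00\x10constructed-der-workload-a"
CERT_B_DER = b"\x30\x82\x00\x10constructed-der-workload-b"
KEY_A = {"kty": "EC", "crv": "P-256", "x": "constructed-x-a",
         "y": "constructed-y-a", "kid": "a-1"}
KEY_B = {"kty": "EC", "crv": "P-256", "x": "constructed-x-b",
         "y": "constructed-y-b", "kid": "b-1"}


def demo() -> dict:
    """A token issued to workload A, checked in the situations the thread describes."""
    mtls_token = {"sub": "spiffe://example.org/ns/prod/sa/a",
                  "cnf": {"x5t#S256": cert_thumbprint(CERT_A_DER)}}
    app_token = {"sub": "spiffe://example.org/ns/prod/sa/a",
                 "cnf": {"jkt": jwk_thumbprint(KEY_A)}}
    bearer = {"sub": "spiffe://example.org/ns/prod/sa/a"}
    return {
        "mtls_from_a": confirm_binding(mtls_token, client_cert_der=CERT_A_DER),
        "mtls_replayed_by_b": confirm_binding(mtls_token, client_cert_der=CERT_B_DER),
        "mtls_token_without_client_cert": confirm_binding(mtls_token),
        "app_level_from_a": confirm_binding(app_token, presented_jwk=KEY_A),
        "app_level_with_b_key": confirm_binding(app_token, presented_jwk=KEY_B),
        "plain_bearer": confirm_binding(bearer, client_cert_der=CERT_A_DER),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:32s} {'accept' if ok else 'reject'}")
```

The two thumbprints are what make a call chain mixing both protocols work: workload B can accept A over mutual TLS by comparing "x5t#S256" with the connection's client certificate, then call C with a token whose "jkt" matches the key B signs its application-level proof with, and C never needs to see B's certificate. The plain-bearer case is rejected deliberately; that is the secret-sprawl failure mode in the thread, a credential usable by whoever copies it.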